Directly Terms & Policies
1.1. Directly Services. Directly.com and the related platform, software and services (collectively the “Services”) are operated by Directly, Inc. (“Directly,” “we,” “our,” “us” dba “Directly Software, Inc.”). Directly provides the Services to deliver better customer service for our corporate enterprise customers (“Customer(s)”). The Services are comprised of two primary offerings: 1) “Answers,” which uses the Answers technology platform and product experts (“Expert(s)”) to provide best in class support to each Customer’s end users (“Customer End User(s)”); and 2) “Crowdsource Virtual Agent” or “CVA,” which uses the CVA technology platform to enable each Customer to deploy, continuously train and manage a virtual agent (“VA”) through the digital customer care channels (“Channels”) using specialist contributors (“Specialists”).
1.3. Minors. Our Services (including directly.com) are intended for adults and not for minors: Anyone under the age of 18 is not permitted to access or use the Services, except with Directly’s prior written permission. You also must not permit any person under the age of 18 to access our Services. We do not intentionally gather personal data from minors under applicable legal age requirements. If a minor submits Personal Data to Directly and we learn that the Personal Data is of a child under the applicable age requirement, we will attempt to delete the Personal Data as soon as possible. If you believe that we may have any Personal Data of a child under the applicable age requirement, please contact Directly at firstname.lastname@example.org.
2. Data Collected
2.1. Expert Users and Registration for a Directly Account. We collect Personal Data in different ways depending on the circumstances of your use of our Services and the choices you make about the Personal Data you submit to us. You can visit directly.com and certain subdomains without registering, but to become an authorized Expert User eligible to submit Services Content, you will need to create an account with Directly (“Directly Account”) and submit the following types of Personal Data: legal name, email address and/or mobile phone number, a personal headshot photo, physical mailing address, legal residence information and regional location of access, birthdate, verification phone number and government identification (“Expert Registration Information”). We also automatically collect Data such as device information and internet protocol address (“IP Address”). As an Expert User, you must also select your username, sometimes referred to on our platform as your “alter ego.” Please select your username carefully consistent with our Terms and your privacy preferences. Please read our current guidelines on the Expert User Hub as there are rules and privacy consequences for your username selection. Generally, we recommend that Expert Users do not use their full legal name, which could be used to identify them, or use a fanciful, misleading or inappropriate username. Expert Users also have the option to create user profiles describing why they should be considered Expert Users, as well as their top skills and language abilities. We use elements of the Expert User Registration Information to verify your identity, combat fraud and abuse and keep our Services, Expert Users, Customers and partners secure. By registering for a Directly account, you authorize us and/or our Third-Party Providers (as described below) to verify Expert User Registration Information, including your identity and background. As described in our Terms, Directly or Customers may impose additional terms and duties for your eligibility (“Supplemental Terms”). You will be given an opportunity to review and consent to such Supplemental Terms. For example, where a Customer or applicable data protection or other law requires special expert certification measures or other protocols, and subject to your consent, Expert Users may be asked to provide additional Personal Data relating to background, location of access or legal residence.
2.2. Log and Usage Information. We also collect other types of Data, which may be construed as Personal Data in certain jurisdictions and under certain contexts, including the following: usage information such as how you have used our Services, IP address and other technical data such as browser type, unique device identifiers and information, language preference, referring site and the date and time of access, operating system and mobile network information; approximate location data (from IP address); information regarding interactions with our Services, such as votes on Services Content, feedback, comments, poll and survey responses and other information you may provide us.
2.4. Data Collected by Third Parties. We also may process Data, including Personal Data, from certain third-party providers (each a “Third-Party Provider”) who collect Data from you to verify, update or supplement the Data you provide, or we collect automatically. We use Third-Party Providers for functionalities and information needed to deliver the Services. For example, if you access our Services from the independent services of Third-Party Providers in connection such as the Apple App Store, Google Play, Salesforce App Store or another third-party app platform, you are subject to the privacy policies of the respective provider. Our Services and associated technology also enable one or more Third-Party Provider services (e.g., Google Analytics) to collect certain types of Data (such as device identifiers) so we can analyze how our Services are used. We may also link or integrate with certain Third-Party Providers, such as Jumio or ThreatMetrix, who collect personal data subject to separate terms and privacy policies for identity verification and fraud protection. Please remember that all Data collected by Third-Party Providers are governed by the respective provider’s terms of service, privacy and other policies.
3. Use and Retention
3.1. Use. We and our Third-Party Providers use Data, including Personal Data to: (i) provide our Services; (ii) promote, analyze and improve our Services; (iii) comply with applicable law and enforce our Terms, and (iv) detect and prevent fraud, harmful or abusive conduct, or other injury to Expert Users, Customers, Directly or third parties. Some examples of how we may use Personal Data include:
- Creating your Directly Account;
- Identifying you on our system, and verifying your actual identity and Registration Information, to ensure the security and integrity of our Services and enable you to send or respond to certain routed Tasks;
- Responding to your inquiries to administer and improve our Services;
- Informing the applicable Customer of your relevant activity on the Services;
- Providing technical support and respond to inquiries by Expert Users and Customers;
- Soliciting input and feedback to improve and customize your Expert User experience;
- Informing you about new features, services and programs on the Services;
- Customizing your use of the Services and content or other material that we may send to you from time to time;
- Conducting aggregate analysis and business intelligence to enable us to better operate, protect, make informed decisions and improve and report on the performance of our Services and business performance;
- For audits, legal and regulatory purposes or compliance with industry and other standards;
- For any other purpose, provided we disclose this to you at the relevant time, and where required, obtain consent to the proposed use of your Personal Data.
3.2. Retention. Where Directly is processing and using your Personal Data, we will store your Personal Data only for as long as required to fulfil the purposes set out herein and permitted to do so by applicable law. For example, where Directly is required by law to retain your Personal Data longer, or where your Personal Data is required for Directly to assert its legal rights or protect our Services, Directly, or third-party rights, we will retain your Personal Data until the end of the relevant retention period or until there is no longer a necessity. Please note that we have a variety of obligations to retain Personal Data you provide to us, including to ensure that rewards and associated payments can be appropriately processed and to protect our Services, Directly and third-party rights, consistent with applicable law and our legal obligations. Accordingly, even if you close your Directly Account, we may retain certain data to protect these rights and interests or meet these obligations.
4. Sharing and Disclosure
4.1. General. Directly does not sell or rent your Personal Data. We share Personal Data collected by Directly with Third-Party Providers only in defined circumstances, including: (i) with your consent; (ii) to an authorized Third-Party Provider who meets required privacy, security and data protection standards; or (iii) when we have a good faith belief it is required or permitted by law, such as pursuant to a subpoena or other legal process, or to enforce our Terms or legal rights.
4.4. Expert Users. We disclose certain limited content of each request for Answers (e.g., non-personally identifiable usernames or first names of Expert Users). We also share Other Data with Expert Users about their responses to Answers and the generation of Services Content.
4.5. Customers and Customer End Users. We disclose the content of the responses (including the first name of the Expert User who responded) to the Customer who generated the request (and to any subsequent Customer End User that pose similar requests). When an Expert User responds to requests from Customer End Users, certain limited and filtered Data contained in the response, such as a username, the text of the response and other Personal Data (such as an Expert User’s personal headshot or picture) will be accessible to Customers and Customer End Users. You understand and agree to the sharing of such Data.
4.6. Usage Data. Directly may use or disclose (except as expressly provided herein) the personal data of Expert Users, except where prohibited by applicable law or otherwise required by legal duty. Notwithstanding the foregoing and for the avoidance of doubt, Directly may use and disclose data about usage of the Services that does not identify or reasonably could be anticipated to be used to identify any individual user of the Services or otherwise constitute Personal Data (“Usage Data”). We share Usage Data about our website and Services with our business partners. We reserve the right to use and disclose Usage Data for any purpose and to any third parties subject to the terms herein.
4.8. Legal Disclosures. We reserve the right to disclose your Other Data and Personal Data as required by law, in connection with any legal investigation, when we believe that disclosure is necessary to protect our rights (or those of other Users or third parties) and/or to comply with a judicial proceeding, or valid court order, warrant, subpoena or legal process served on us.
4.9. Communications. We will send you service-related announcements when it is necessary or beneficial to do so. For instance, if our Services are temporarily suspended for maintenance, we might send you an email or other communications. We also may send you notifications on your mobile device and you may disable these notifications in the settings of your device. Based upon the Personal Data you provide us, we will send you a welcome email to verify your username and password. We will also communicate with you in response to your inquiries to provide the services you request, manage your Directly Account, solicit your feedback or update you on new policies. We will communicate with you by email or mobile phone in accordance with your indicated preferences. Please refer to Choices and Rights below.
5. Choices and Rights
5.2. Access Rights. Individuals located in certain countries, such as the European Union or EEA, have certain statutory rights in relation to their Personal Data. Please read Section 7.5 below carefully so you understand all of your rights and how to exercise all of your rights.
The security and protection of your Personal Data is important to us. We follow generally accepted industry standards to protect the Data submitted to us, both during transmission and once we receive such Data. No method of transmission over the Internet, or method of electronic storage, is 100% secure however. Therefore, while we strive to use commercially acceptable means to protect your Data, we cannot guarantee its absolute security. You use our Website and Services at your own risk, and you are responsible for taking reasonable measures to secure your account (like using a strong password). We urge you to take steps to keep your Personal Data safe (including your account password) and log out of your account after use. If your Directly Account is hacked, this may lead to unauthorized access, so be careful to keep your account data secure. We strongly recommend our Expert Users to use two factor authentication (“2FA”) options. If you have any questions about 2FA options, contact email@example.com.
7. Important Information for European Users
7.2. Safeguards for Exports from EEA. If you are located in the EEA or Switzerland, we comply with applicable laws requiring adequate levels of data protection for the transfer of Personal Data. You agree that Directly may transfer your Personal Data to countries other than the one in which you live.
7.3. Legal Basis for Processing. If you are an individual residing in the EEA, we collect and process information about you only where we have legal bases for doing so under applicable EU laws. The legal bases depend on the specifics of the Services you use and how you use those Services. This means we collect and use your information only where:
- We need it to provide you with or operate the Services, including to provide customer support using Expert Users, personalize features, fulfill the contract you have with Directly (or Directly has with each Customer or third party), or protect the integrity and security of the Services;
- It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for anti-fraud protection or to protect our legal rights and interests;
- You give us consent to do so for a specific purpose; or
- We need to process your data to comply with a legal obligation.
If you have consented to our use of your Personal Data for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your Personal Data because we or a third party have a legitimate interest to do so, you have the right to object to that use though, in some cases, this may mean no longer using the Services or associated services.
7.4. Identifying Data Controller and Data Processor and Different GDPR Roles. Data protection laws in certain jurisdictions differentiates between the “controller” and “processor” of data. It is important to note that Directly acts as both as a Data Controller and as a Data Processor within the scope of the GDPR (as described below): (a) As a Data Controller, Directly is responsible for safeguarding the Personal Data of our Users and visitors to directly.com; and (b) As a Data Processor, Directly is responsible for processing personal data in accordance with our Customer contracts and applicable law and safeguarding the data of Customer End Users. Directly’s Customers generally serve as the controller of its Customer End Users’ personal data. In this context, Directly serves as the processor of such personal data under instructions from each controller. Each Customer is also responsible for making sure that their respective Customer end user’s privacy rights are protected, including responding to data subject requests. Directly will respond to such data subject requests from Customers and Customer End Users as a Data Processor; this means with respect to Personal Data of Customer End Users we must respond as a matter of law and contract through our Customer. On the other hand, with respect to Expert Users, Directly serves as the controller of Expert User Personal Data and will directly respond to data subject request rights from Expert Users.
7.5. Access Rights. Individuals located in certain countries, including the EEA or European Economic Area, have certain statutory rights in relation to their personal data. Subject to any exemptions provided by law, such individuals may have the right to request access to their Personal Data, as well as to seek to update, delete or correct this information. They also have a right to restrict or object to processing and to data portability, where applicable. We may be legally required or permitted to deny or part of your request and, if we do deny your request, we will endeavor to explain the reasons underlying our decision.
7.6. Data Protection Authority and Representative. Subject to applicable law, you may also have the right to (i) restrict Directly’s use of certain data elements that constitute your Personal Data; and (ii) lodge a complaint with your local data protection authority or the Irish Data Protection Commissioner, which is Directly’s lead supervisory authority in the European Union. If you are a resident of the European Economic Area and believe we maintain your Personal Data within the scope of the General Data Protection Regulation (“GDPR”), you may direct questions or complaints to our European GDPR representative. To find the data protection authority in your country, please refer to this contact list. Our GDPR Data Protection Representative is DataRep and can be contacted by sending an email to firstname.lastname@example.org quoting “Directly, Inc.” in the subject line.
8. California Users
Do Not Track Signals. As there is no accepted standard on how to respond to “Do Not Track Signals,” we respond to such signals.
California Consumer Privacy Act. Notice for California Consumers. The California Consumer Privacy Act of 2018 (“CCPA”) created specific privacy rights for California consumers. We share the same information about our practices with everyone, but use this notice to make disclosures required by the CCPA. This notice includes the following parts:
- Transparency: We are transparent about how your personal information is collected, used, shared and sold.
- Control: We put you in control of your personal information, including accessing and deleting your personal information.
- Benefits to You: We use your personal information to benefit you and to make your experiences better.
We Do Not Sell Your Personal Information. You have the right to know whether your personal information is being sold. Your personal information is sold when it is shared with a third party for monetary or other valuable consideration for a purpose that is not a “business purpose” as set forth in the CCPA. Directly does not sell your personal information.
Control: Right to Know, Right to Receive, Right to Delete. You have the right to:
- Know what specific pieces of personal information Directly has collected and retained about you over the previous 12 months.
- Receive a copy of your personal information.
- Delete your personal information.
Directly aims to make it easy for you to exercise your rights by using our secure data request web form.
Right to “Opt Out” of “Sale.” Directly does not sell your personal information, so we do not offer an opt out.
Benefits to You/Financial Incentives. The CCPA allows businesses to offer consumers financial incentives for sharing personal information. For example, a business can offer a rewards program or provide a premium service to consumers as compensation for their personal information. Where Directly offers these programs, your participation is optional. If you choose to participate, your participation will be subject to any applicable terms, and you may withdraw at any time.
Non-Discrimination. The CCPA prohibits businesses from discriminating against you for exercising your rights under the law. Such discrimination may include denying a good or service, providing a different level or quality of service or charging different prices. The CCPA permits businesses to provide differing levels or quality or different prices where the business can demonstrate that the difference is reasonably related to the value to the business of the consumer’s personal information.
10. Contact Us
11. Data Privacy FAQs
How do I request information about the data you process, request deletion, make a data request or ask a question? If you wish to delete Personal Data you believe we hold about you, have another data rights request, or have a privacy or data protection related question, please use our secure data request web form and submit it to us as instructed. This form allows us to securely verify your identity so we can protect your privacy and fulfill your request in a timely manner.
How does Directly and its Services operate? As detailed in our Terms, Directly has entered into separate agreements with each Customer to govern the delivery, access and use of the Services including instructions for the processing of the personal data of their respective Customer End Users. Each Customer licenses Directly technology and configures their help desks to enable its Customer End Users to post Tasks to the Services for routing to Expert Users. It is important to note that Directly acts as both as a Data Controller and as a Data Processor within the realm of GDPR compliance: As a Data Controller, Directly is responsible for safeguarding the data of our Expert Users as they interact directly with our marketplace platform and our visitors to directly.com. As a Data Processor, Directly is responsible for safeguarding the data of our Customers Users as it flows through our marketplace platform.
Who is my Data Controller? If you are a visitor to directly.com or an Expert User of the Services, your Data Controller is Directly, Inc. If you are a Customer End User (i.e., an individual that posted a support request via a Customer’s website or digital property), then the Data Controller of your personal data is your respective Customer and you should direct all questions about your Personal Data to that Customer.
Duration of processing of Personal Data. Where Directly is processing and using your Personal Data as permitted by law or under your consent, we will store your Personal Data (i) only for as long as is required to fulfill the purposes set out below; (ii) until you object to Directly’s use of your Personal Data (where Directly has a legitimate interest in using your Personal Data); or (iii) until you withdraw your consent (where you consented to Directly using your Personal Data). However, where Directly is required by mandatory law to retain your Personal Data longer or where your Personal Data is required for Directly to assert or defend against legal claims, we will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled. See Section 3.2, “Retention,” for details.
Why am I required to provide Personal Data? As a general principle, your granting of any consent and your provision of any Personal Data hereunder is entirely voluntary; there are generally no detrimental effects on you if you choose not to consent or to provide Personal Data. However, there are circumstances in which we cannot take action without certain Personal Data, for example, because this Personal Data is required to process your registration or provide you with access to our Services. In these cases, we cannot provide you with what you request without the relevant Personal Data.
How do I determine which company is the “controller” of my personal information? Privacy and data protection law in certain jurisdictions differentiates between the “controller” and “processor” of data. Each Customer is the controller of its Customer End User’s Personal Data, and in this context Directly serves as the processor of such personal data under instructions from each controller. Each Customer is also responsible for making sure that their respective customers or end user’s privacy rights are protected, including responding to data subject requests. Directly will respond to such data subject requests from Customer End Users as a processor which means that it will contact and follow the advice of the controller Customer with respect to such requests. With respect to Personal Data of Expert Users, Directly serves as the controller of such data and will respond to data subject request rights. Please refer to Section 5, “Choices and Rights,” above, for additional information on your rights. Expert Users can request information about the Personal Data Directly stores about you, and the correction or deletion of such Personal Data. Please note, however, that we can delete your Personal Data only if there is no statutory obligation or prevailing right of Directly to retain your Personal Data. If you request that Directly delete your Personal Data, you will not be able to continue to use the Services that requires Directly’s use of your Personal Data. See Section 5, “Choices and Rights,” above. If you believe that Directly is not processing your Personal Data in accordance with the requirements set out herein or applicable EEA data protection laws, you can at any time lodge a complaint with the data protection authority of the EEA country in which you live or our GDPR Data Protection Representative. See Section 11 for details.
Privacy Shield Principles
2. Data Integrity and Purpose Limitation. We only collect Personal Data that is relevant to providing our website and associated Services. We process Personal Data in a way that is compatible with us providing the Services to you, or in other ways, for which we will provide you with notification. We take reasonable steps to ensure that the Personal Data received under the Privacy Shield is needed for Directly to provide its Services, and to ensure data is accurate, complete and current.
4. Data Security. We use reasonable and appropriate physical, electronic and administrative safeguards to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Data and the risks involved in processing that information.
6. Recourse, Enforcement and Dispute Resolution. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the Privacy Shield Principles. In compliance with the Privacy Shield Principles, Directly, Inc. commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Directly, Inc. using our secure data request web form here. Directly has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit JAMS Privacy Shield Dispute Resolution webpage for more information to file a complaint. The services of JAMS are provided at no cost to you.
7. Contact Information. If you have any questions regarding this Privacy Shield Policy, please contact us by submitting a secure data request web form.
This Directly Data Processing Addendum (the “DPA”) supplements, and is incorporated into, the Terms of Service (the “Terms”) between Directly and you as an Expert User. The parties agree as follows:
1. Purpose and Scope.
1.1 Except as modified below, the Terms shall remain in full force and effect; if there is any conflict between this DPA and the Terms or any other agreement between the parties, the provisions of this DPA shall take precedence.
1.2 The European Union General Data Protection Regulation 2016/679 (“GDPR”) requires all Expert Users to contractually undertake certain data protection commitments with respect to Personal Data (as described below) they may Process on Directly’s behalf. To ensure compliance with the GDPR, Expert Users must agree to the terms of this DPA.
All capitalized terms used but not defined in this DPA shall have the meaning given to them in the Terms.
2.1 “Confidential Information” means the definition ascribed in the Terms (see Terms, Section 7, Confidential Information).
2.2 “Data Protection Laws” means (a) any applicable law with respect to any Personal Data to which Directly is subject and (b) European Data Protection Laws.
2.3 “Data Subject Request” means a data subject’s request to exercise that person’s rights under Data Protection Laws in respect of that person’s Personal Data, including, without limitation, the right to access, correct, amend, transfer, obtain a copy of, object to the Processing of, restrict the Processing of or delete such Personal Data.
2.4 “European Data Protection Laws” means the GDPR, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), any national laws or regulations implementing the foregoing Directives, any applicable legislation of European Union Member States passed to implement the foregoing and any other applicable data protection, privacy or data security laws or regulations in the European Economic Area, United Kingdom, Switzerland or any other applicable European jurisdiction, in each case, as they may be amended, replaced or supplemented from time to time.
2.5 “Expert User(s)” means a natural person who is a party to this DPA.
2.6 “Personal Data” means any information about an identified or identifiable natural person and any other “personal data” governed by applicable Data Protection Laws that Expert User processes in connection with the Expert User’s performance of the Services.
2.7 “Privacy Shield” means the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks established respectively by the European Commission and the United States Department of Commerce and the Swiss Administration and the United States Department of Commerce.
2.8 “Process” means any operation or set of operations which is performed on Restricted Information (as described below) or sets of Restricted Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.9 “Restricted Information” refers collectively to “Confidential Information” and “Personal Data” of any source and includes any information Processed by Expert User in connection with the Expert User’s performance of the Services.
2.10 “Security Incident” means a reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
2.11 “Services” means Expert’s authorized participation, activity and content on and through the platform Directly provides to its customers, including but not limited to, responses relating to tasks and questions about specific products and services for which the Expert is approved.
3. Your Data Protection Duties.
You acknowledge and agree to the following:
3.1 You will Process Personal Data only in accordance with the Terms, Data Protection Laws and Directly’s written instructions communicated by Directly to you from time to time in writing.
3.2 Without limiting the generality of sub-section 3.1, you agree as follows:
3.2.1 You will keep all Restricted Information in strictest confidence and will not copy, use, store, disclose or otherwise Process any Restricted Information except to perform the Services;
3.2.2 You will take appropriate technical and organizational measures (including but not limited to the Expert Standards (which are incorporated herein and may be updated by Directly from time to time)) to ensure the confidentiality, integrity and availability of any computers or other systems that you use to perform the Services and protect against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Restricted Information transmitted, stored or otherwise Processed;
3.2.3 You will only subcontract, delegate or engage any other individual or entity to assist with performance of the Services with the prior written approval of Directly, and pursuant to the completion of a prior data protection and security audit, the implementation of additional data protection and security safeguards and other such measures as Directly reasonably determines is necessary under applicable law.
3.2.4 You will only subcontract, delegate or engage any other individual or entity to assist with performance of the Services with the prior written approval of Directly, and pursuant to the completion of a prior data protection and security audit, the implementation of additional data protection and security safeguards and other such measures as Directly reasonably determines is necessary under applicable law.
3.2.5 You will make available to Directly all information necessary to demonstrate compliance with the obligations set forth in this DPA and the Data Protection Laws and to allow Directly to conduct audits, including inspections, of your compliance with the obligations set forth in this DPA;
3.2.6 If instructed by Directly, you agree to promptly notify Directly and cooperate to provide the circumstances underlying any receipt or access of Personal Data and to confirm you have promptly and permanently deleted any such Personal Data in your possession, together with any existing copies, unless directed otherwise;
3.2.7 If you receive any request, demand or inquiry regarding Personal Data (“Personal Data Request”) other than from Directly, including, without limitation, any Data Subject Request or other request received from a regulator or other governmental body, you agree to NOT respond to any such Personal Data Request except in accordance with Directly’s written instructions or as otherwise required by the Data Protection Laws;
3.2.8 You will promptly and without undue delay cooperate, assist and take such action as Directly may reasonably request to allow Directly to fulfil its obligations to Customers and their Data Subjects or under Data Protection Laws in respect of such a Personal Data Request, including, without limitation, meeting any deadlines imposed by such obligations; you will notify Directly without undue delay and in no event later than 48 hours upon your becoming aware of a Security Incident, and provide Directly with sufficient information to allow it to meet any legal or contractual obligations to report the Security Incident;
3.2.9 You will cooperate with Directly and its authorized agents and representatives to take such reasonable steps as are directed by Directly to assist in the investigation, mitigation and remediation of any Security Incident;
3.2.10 You will provide reasonable assistance to Directly and its Customers with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Directly or its Customer reasonably considers to be required by the Data Protection Laws;
3.2.11 You will immediately inform Directly, in writing, if in your opinion, an instruction violates Data Protection Laws;
4. General Terms.
4.1 The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Terms with respect to any disputes or claims however arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
4.2 This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in Terms, or if different, the laws required to govern under European Data Protection Laws.
4.3 Directly may amend this DPA from time to time as is reasonably necessary to comply with Data Protection Laws, and such amendments shall become binding upon giving Expert notice of such changes.