Guardian by Sprout Social Features Terms

These Guardian by Sprout Social Features Terms (“Guardian Terms”) govern the use of and access to our Guardian by Sprout Social features described herein (“Guardian Features”) as part of the Services and are incorporated into, and become part of, the applicable agreement in place between Subscriber and Sprout Social governing access to and use of the Services (“Agreement”). Capitalized terms used but not defined in these Guardian Terms have the meanings given in the Agreement. In the event of any conflict or inconsistency between the Guardian Terms and the Agreement, the Guardian Terms prevail and control solely with respect to the use of and access to any Guardian Features.

General Terms

1. Compliance. By enabling or using the Guardian Features, Subscriber acknowledges and agrees that it is solely responsible for: (a) ensuring that any data provided to Sprout Social through these features complies with all applicable laws, including Applicable Data Protection Laws (as defined in the DPA); (b) determining if the Guardian Features are sufficient for Subscriber’s compliance needs; and (c) establishing and maintaining its own comprehensive data protection and compliance programs. Subscriber agrees that it will not use or configure the Guardian Features to engage in unlawful activities or otherwise violate the Agreement, Sprout Social’s Usage Policy, or any third-party rights. Sprout Social shall not be liable for any damages arising from Subscriber’s misuse of the Guardian Features or violation of these Guardian Terms or the Agreement.

2. End Users. For purposes of these Guardian Terms, an “End User” is an individual who interacts with Subscriber's social media accounts, presence or brand, including by sending inbound messages or completing forms, facilitated by the Services. An End User does not include Subscriber or its Authorized Users.

3. Indemnification. Subscriber will defend Sprout Social and its Affiliates, and each of its and their respective officers, directors, employees, agents, successors and assigns from any actual or threatened third party Claim arising out of or based upon: (a) Subscriber's use of the Guardian Features in violation of these Guardian Terms; or (b) Subscriber's failure to comply with applicable laws and regulations (including Applicable Data Protection Laws and standards such as PCI DSS), its data retention policies, or its obligations to End Users; and indemnify Sprout Social and its Affiliates from all damages, costs, and expenses (including reasonable attorneys’ fees) incurred by Sprout Social and its Affiliates, to the extent finally awarded in any such Claim or all amounts paid to any third party to settle any such Claim.

4. Disclaimer. EXCEPT AS EXPRESSLY STATED IN THESE GUARDIAN TERMS, THE GUARDIAN FEATURES ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT ANY WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.  SPROUT SOCIAL DOES NOT WARRANT THAT THE GUARDIAN FEATURES WILL BE ERROR-FREE, UNINTERRUPTED, OR COMPLETELY SECURE. SPROUT SOCIAL: (A) DOES NOT MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE GUARDIAN FEATURES, INCLUDING WITHOUT LIMITATION, THAT THE USE OF GUARDIAN FEATURES WILL ENSURE SUBSCRIBER’S COMPLIANCE WITH ANY SPECIFIC LAW, REGULATION, OR INDUSTRY STANDARD,  EXAMPLES OF WHICH INCLUDE, BUT ARE NOT LIMITED, TO, PCI DSS (FOR SUBSCRIBER'S OWN SYSTEMS AND PROCESSES), HIPAA, GDPR, CCPA/CPRA, OR ANY OTHER DATA PROTECTION OR PRIVACY LAWS AND REGULATIONS, WHETHER OR NOT SPROUT SOCIAL HAS BEEN APPRISED OF SUCH USE; AND (B)  DOES NOT GUARANTEE PROTECTION OF SUBSCRIBER’S REPUTATION, BRAND, OR GOODWILL. SPROUT SOCIAL EXPRESSLY DISCLAIMS ALL LIABILITY AND RESPONSIBILITY FOR ANY ISSUES ARISING FROM SUBSCRIBER’S (INCLUDING ITS AUTHORIZED USERS) OR AN END USER'S DEVICE, INTERNET CONNECTION, OR OPERATING ENVIRONMENT AND ANY MISCONFIGURATION OF THE GUARDIAN FEATURES BY SUBSCRIBER (INCLUDING ITS AUTHORIZED USERS). ANY RECOMMENDATIONS MADE BY SPROUT SOCIAL RELATED TO THE USE OF THE GUARDIAN FEATURES OR THE CONFIGURATION THEREOF ARE MERELY SUGGESTIONS AND NOT LEGAL, COMPLIANCE OR OTHER EXPERT ADVICE.

Feature-Specific Terms

5. DATA MASKING

1. a. Definitions

   1. i. Data Masking Feature: the feature within the Sprout Social Subscription Services that enable Subscribers to automatically identify and mask certain data elements received through inbound messages. 

   2. ii. Data Entities: categories of data elements that the Data Masking Feature is designed to automatically identify and mask. 

2. b. Description of Data Masking Feature. The Data Masking Feature enables Subscriber to mask certain Data Entities within inbound messages received by Subscriber through the Sprout Social Subscription Services. The current supported Data Entities are set forth in the documentation generally available on Data Masking. 

3. c. Subscriber Responsibilities.

   1. i. Configuration. Subscriber is solely responsible for the configuration of the Data Masking Feature, including but not limited to determining which Data Entities to enable as part of the administrative settings, regularly reviewing such settings to ensure they align with Subscriber’s business policies and/or compliance obligations, and training its personnel on the limitations and appropriate use of such feature. 

   2. ii. Reliance. Subscriber acknowledges that its use of the Data Masking Feature is at Subscriber’s own risk with respect to accuracy and completeness. 

4. d. Limitations. 

   1. i. No modification of original data. The Data Masking Feature does not alter the underlying Subscriber Data received by Sprout Social from Third-Party Services, and such feature is intended to solely visually obscure Data Entities within the interface of the Sprout Social Subscription Services.  

   2. ii. Reporting of unmasked data. While Sprout Social may provide Subscriber with the ability to submit reports to Sprout Social on any errors in the Data Masking Features (e.g., false negatives or false positives), Sprout Social shall have no obligation to act on any specific report or to ensure the reported data is subsequently masked in all instances. 

   3. iii. Data Masking Disclaimer. SPROUT SOCIAL DOES NOT GUARANTEE THAT THE DATA MASKING FEATURE WILL IDENTIFY OR MASK ALL INSTANCES OF DATA ENTITIES, OR THAT IT WILL BE ERROR-FREE. SPROUT SOCIAL EXPRESSLY DISCLAIMS ANY LIABILITY FOR ANY FAILURE OF THE DATA MASKING FEATURE TO ACCURATELY IDENTIFY OR MASK DATA ENTITIES, INCLUDING BUT NOT LIMITED TO ANY FALSE NEGATIVES (DATA ENTITIES NOT IDENTIFIED OR MASKED) OR FALSE POSITIVES (DATA ENTITIES INCORRECTLY IDENTIFIED AND MASKED). SUBSCRIBER ACKNOWLEDGES THAT VARIOUS FACTORS MAY IMPACT THE EFFECTIVENESS OF THE DATA MASKING FEATURE, INCLUDING BUT NOT LIMITED TO THE FORMATTING OF INBOUND DATA, THE SELECTED LANGUAGE, ISSUES WITH OR TYPOGRAPHICAL ERRORS IN THE DATA, AND ATTEMPTS TO CIRCUMVENT MASKING TECHNOLOGY. 

6. BLOCKED WORDS

1. a. Definitions

   1. i. Blocked Words Feature: the features within the Sprout Social Subscription Services that enable Subscriber to block the use of certain words or phrases in outbound workflows within the Sprout Social Subscription Services. 

   2. ii. Blocked Terms: specific words or phrases that Subscriber’s Authorized Users are prohibited from using in content intended to be published through the Sprout Social Subscription Services.

2. b. Description of Blocked Words Feature. The Blocked Words feature enables Subscriber to identify exact matches of Blocked Terms to prevent Subscriber’s Authorized Users from posting or sending messages with such terms. Sprout Social provides predefined lists for convenience, and may, depending on subscription plan, provide an option for Subscriber to create its own custom lists for Blocked Terms.

3. c. Subscriber’s Responsibilities

   1. i. Configuration and suitability. Subscriber is solely responsible for the configuration of the Blocked Words Feature, activating/deactivating the relevant lists of Blocked Terms, the creation and implementation of any custom lists, and for determining whether the Blocked Words Feature and any selected predefined lists meet Subscriber’s specific legal, regulatory, operational, or brand safety requirements. 

4. d. Limitations

   1. i. Predefined lists. While Sprout Social will use commercially reasonable efforts to provide and maintain predefined lists of Blocked Terms (e.g., profanity, investment terms, etc.), Subscriber acknowledges that: (i) such predefined lists may not be exhaustive or cover every term that Subscriber wishes to block; and (ii) the inclusion or exclusion of certain terms in the predefined lists do not constitute legal or compliance advice. Sprout Social may update, modify, or remove predefined lists at any time in its sole discretion, with or without notice. Subscriber acknowledges that Sprout Social has no obligation to monitor content generated or published by Subscriber’s Authorized Users, or to proactively identify or suggest terms that Subscriber should include in its Blocked Terms list. 

   2. ii. Blocking mechanism. Subscriber acknowledges that the Blocked Words Feature may not detect or block: (i) Blocked Terms that have been previously scheduled to be posted prior to the enabling the Blocked Words Feature; (ii) misspellings or deliberate alterations of Blocked Terms intended to bypass the filter; (iii) Blocked Terms that are embedded within images, videos, RSS, or other non-text content; (iv) terms that are contextually inappropriate but not included in a Blocked Terms list; and (v) subtle variations or inflections of Blocked Terms.

   3. iii. Blocked Words Disclaimer. WHERE SPROUT SOCIAL PROVIDES PREDEFINED LISTS FOR THE BLOCKED WORDS FEATURE, SPROUT SOCIAL PROVIDES SUCH PREDEFINED LISTS “AS IS” AND WITHOUT WARRANTY OF ANY KIND AND SPROUT SOCIAL DISCLAIMS ANY AND ALL LIABILITY FOR THE CONTENT, COMPLETENESS, ACCURACY, OR EFFECTIVENESS OF ANY PREDEFINED LISTS. SUBSCRIBER’S USE OF SUCH PREDEFINED LISTS IS AT ITS OWN RISK.

7. SECURE FORMS

1. a. Definitions

   1. i. Secure Forms Data: Any data, information, or material provided, uploaded, or submitted by Subscriber, Subscriber’s Authorized Users or any End Users through the Secure Forms feature.

   2. ii. Secure Forms Feature: the features within the Sprout Social Subscription Services that enable Subscriber to securely collect Secure Forms Data, including PCI Data, from its End Users for customer care workflows.

   3. iii. PCI Data: Refers to Cardholder Data and Sensitive Authentication Data as defined by the Payment Card Industry Data Security Standard (PCI DSS).

   4. iv. Protected Health Information (PHI): Has the meaning given to it under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (collectively, "HIPAA").  

   5. v. Tokenization: The process by which sensitive or original data is replaced with a non-sensitive, unique identifier (a "token"). This token is used in place of the original data and cannot be used to reverse-engineer or reconstruct the original data, thereby enhancing data security.

   6. vi. VGS: The third-party vendor utilized by Sprout Social as a sub-processor in connection with the Secure Forms Feature for the Tokenization, secure handling and storage of Secure Forms Data.

2. b. Description of Secure Forms Feature. The Secure Forms Feature consists of a form builder for creating customized forms and a data collection experience for End Users. Sprout Social maintains PCI compliance certification specifically for the provision of the Secure Forms Feature.

3. c. Subscriber Responsibilities.

   1. i. Secure Forms Data Ownership and Handling. As between Subscriber and Sprout Social, Subscriber retains all right, title, and interest in and to the Secure Forms Data collected through the Secure Forms Feature. Subscriber acknowledges and agrees that Sprout Social does not process or store any Secure Forms Data, including PCI Data, on its own infrastructure in non-tokenized form and has no direct obligation for the long-term storage or control of such data. Subscriber grants a limited, non-exclusive right and license to: (i) VGS, as Sprout Social’s authorized sub-processor utilized to deliver the Secure Forms Feature, to process, store, and display the Secure Forms Data; and (ii) to Sprout Social, to display the Secure Forms Data, and process and store Tokenized Secure Forms Data; in each case, solely as necessary to provide the Secure Forms Feature and related services to Subscriber in accordance with these Guardian Terms and the Agreement. 

   2. ii. Secure Forms Compliance. Subscriber is solely responsible for: (i) determining the specific types and categories of data to be collected from End Users using the Secure Forms Feature; (ii) obtaining any and all necessary consents and permissions or establishing other required legal bases for the collecting, use, and handling of End Users’ data via the Secure Forms Feature; (iii) providing End Users with all necessary and legally required disclosures and privacy notices regarding the collection, use, and handling of their data via the Secure Forms Feature; and (iv) ensuring that all aspects of Subscriber’s collection, use, and handling of data via the Secure Forms Features are properly configured and comply with applicable laws and regulations (including without limitation Applicable Data Protection Laws, and PCI DSS where applicable). 

   3. iii. Sensitive Information; PHI. Notwithstanding anything to the contrary in the Usage Policy, Subscriber is authorized to collect Sensitive Information using the Secure Forms Feature; provided however, Subscriber agrees that it shall not use the Secure Forms Feature to collect any categories of Sensitive Information beyond those explicitly required for the stated purpose of the Secure Form and will only collect what is permissible under these Guardian Terms and applicable laws and regulations. Subscriber acknowledges and agrees that the Secure Forms Feature is not designed nor intended for the collection of PHI, and Subscriber is expressly prohibited from using the feature to collect PHI.

4. d. Sprout Social Responsibilities

   1. i. Sprout Social will maintain its PCI compliance certification specifically for the Secure Forms Feature in its role as a service provider facilitating the secure transmission of PCI Data to VGS for Tokenization. Subject to confidentiality obligations in the Agreement, Sprout Social will provide Subscriber with its most current  PCI Attestation of Compliance (AoC) upon request. 

5. e. Limitations

   1. i. Data Retention. Notwithstanding any other data retention settings or data retention periods, Subscriber acknowledges and agrees that all fields designated for the collection of PCI Data are subject to a mandatory data expiration policy of sixty (60) minutes from the time of submission. For any data outside of PCI Data, Subscriber may determine the length of the retention periods of such data. Each form provided to an End User will automatically expire and be inaccessible if it is not completed within twenty-four (24) hours after its creation. Once the retention period expires, the data is permanently purged by VGS and cannot be retrieved or viewed by Subscriber or Sprout Social.

   2. ii. Secure Forms Disclaimer. SPROUT SOCIAL EXPRESSLY DISCLAIMS ALL LIABILITY AND RESPONSIBILITY FOR: (I) THE CONTENT OF THE FORMS CREATED BY SUBSCRIBER OR THE LEGALITY, ACCURACY, OR COMPLETENESS OF THE SECURE FORMS DATA; (II) ANY COLLECTION, USE, PROCESSING, OR HANDLING OF PHI BY SUBSCRIBER THROUGH THE SECURE FORMS FEATURE IN VIOLATION OF THESE TERMS; (III)  ANY FAILURE BY AN END USER TO SUCCESSFULLY COMPLETE OR SUBMIT A FORM; AND (IV) ANY LOSS OR IRRETRIEVABILITY OF SUBSCRIBER’S DATA DUE TO THE EXPIRATION OF THE MANDATORY 60-MINUTE RETENTION PERIOD FOR PCI DATA OR THE SUBSCRIBER-DEFINED RETENTION PERIOD FOR NON-PCI DATA.