Data Processing Addendum 

Last Modified: 8/27/2024 

This Data Processing Addendum (“DPA”) forms part of the Subscription Order Form and Terms of Use (“Agreement”) between etailinsights, Inc. (“Vendor”) and Customer (together the “Parties,” and each individually a “Party”) and is entered into and effective as of the last dated signature below.

With respect to the Processing of Personal Data, the Parties agree as follows:

1. Definitions. For the purposes of this Addendum, the terms below have the following meanings whenever capitalized:

  1. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended from time to time, together with the regulations issued thereunder.

  2. “Claims” means all claims, requests, accusations, allegations, assertions, complaints, petitions, demands, suits, actions, proceedings, causes of action, and judgments.

  3. “Costs” means expenses of any kind, including attorney’s fees, litigation costs, investigatory costs, costs of providing notice to any person or organization in the event of a Security Incident, and costs of providing consumer protection services to any person in the event of a Security Incident, including credit monitoring and identity restoration services.

  4. “Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.

  5. “Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller, and includes the term “service provider” as that term is defined in the CCPA.

  6. “Data Protection Laws” means (a) any privacy or data security law, statute, ordinance, regulation, or governmental rule of any jurisdiction applicable to the processing of Personal Data under the Agreement, including as applicable and without limitation, CCPA, Canada’s Anti-Spam Legislation (CASL) and GDPR; and (b) any code of practice or guidance pertaining to the Processing of Personal Data published by a regulatory authority of either of the Parties.

  7. “EEA Restricted Transfer” means a Transfer (or onward Transfer) by Customer to Vendor of Personal Data originating in the EEA or Switzerland that is subject to GDPR or the Swiss Federal Act on Data Protection, where any required adequacy means can be met by entering into the EU Standard Contractual Clauses.

  8. “EU Standard Contractual Clauses” means the standard contractual clauses annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.

  9. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) and any European Union member state law implementing the same.

  10. “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. As used herein, the term “Personal Data” includes, but is not limited to, information defined as “personal information,” “personally identifiable information,” or other similar terms under applicable Data Protection Laws. Personal Data shall be limited to Personal Data Processed by the Parties pursuant to the Agreement.

  11. “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  12. “Security Incident” means any actual breach or compromise of Vendor’s Security Program that presents a security threat to Personal Data.

  13. “Security Program” refers to the security program, including all safeguards, described in Section 5 and Appendix 2 of this Addendum.

  14. “Services” means the services provided by Vendor to Customer under the Agreement.

  15. “Sub-processor” means any person appointed by or on behalf of Vendor to process Personal Data in connection with the Services.

  16. “Third Country” means any country, organization, or territory not acknowledged by the European Commission or the UK government, as applicable, to ensure an adequate level of protection for Personal Data in accordance with Article 45 of GDPR.

  17. “Transfer” means to disclose or otherwise make Personal Data available, either by physical movement of the Personal Data, or by enabling remote access to the Personal Data.

  18. “UK Restricted Transfer” means a transfer (or onward transfer) by Customer or a Customer Affiliate to Vendor of Personal Data originating in the United Kingdom that is subject to UK GDPR where any required adequacy means can be met by entering into the EU Standard Contractual Clauses and the UK Addendum.

  19. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses version B1.0, issued by the UK Information Commissioner’s Office under S119A(1) Data Protection Act 2018 and in force as of 21 March 2022, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as revised by the UK Information Commissioner’s Office from time to time in accordance therewith.

2. Roles of the Parties; Processing of Personal Data.

  1. As between Customer and Vendor, Customer is the Data Controller of Personal Data processed by Vendor in connection with the Services and Vendor is the Data Processor of such Personal Data. Where the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100, et seq. and all implementing regulations thereunder, as amended from time to time) (“CCPA”) applies to the Processing of Personal Data, Vendor will act as Customer’s Service Provider and Customer will act as the “Business,” if applicable, as defined therein.
  2. In its capacity as Data Controller or Business, as applicable, Customer will ensure that it has secured a legal basis to support Processing of Personal Data by the Parties. Customer will provide Data Subjects with a conspicuously available, accurate privacy notice or policy, and will obtain and respect any Data Subject consent, authorization, preference, or exercise of rights that is necessary pursuant to Data Protection Laws for the Parties to Process Personal Data in the manner contemplated by the Agreement or any Order Form.
  3. Vendor shall Process Personal Data for the purposes described in the Agreement and this Addendum, or otherwise in accordance with Customer’s instructions unless Processing is required by applicable law, in which case Vendor shall to the extent permitted by applicable laws inform Customer of that legal requirement before the relevant Processing.
  4. In its role as a Service Provider subject to CCPA, Vendor shall not: (i) sell Personal Data or otherwise disclose it in exchange for monetary or other valuable consideration; (ii) Process Personal Data for any purpose other than the specific purpose of performing the Services or pursuant to the directions of Customer; (iii) Process Personal Data outside of the direct business relationship between Vendor and Customer; or (iv) combine the Personal Data with personal information received from or on behalf of other persons or collected from consumers, except as permitted by applicable regulations adopted pursuant to the California Privacy Rights Act of 2020.
  5. The subject matter and duration of the Processing of the Personal Data are described in the Agreement and this Addendum. The nature and purpose of the Processing of Personal Data is Vendor’s provision of Services to Customer. The types of Personal Data to be Processed by Vendor and the categories of data subjects to whom the Personal Data relates are set out in Schedule 1.

3. Confidentiality of Processing. Vendor will ensure that its employees or agents have committed themselves to confidentiality or are under a professional or statutory obligation of confidentiality.

4. Security Program.  Vendor represents that it has implemented and shall maintain a written Security Program that includes appropriate administrative, technical, and physical safeguards designed to ensure the ongoing confidentiality, availability, integrity, and security of Personal Data. The Security Program will include appropriate technical and organizational measures to ensure an appropriate level of security for Personal Data, including as appropriate the measures referred to in Article 32 of the GDPR, and will include, in addition to any security measures specified in the Agreement, the mandatory administrative, technical, and physical security measures specified in Schedule 2.

5. Security Incidents. Vendor agrees to promptly notify Customer of any Security Incident. Vendor shall provide, to the extent known, the nature and scope of the Security Incident and the corrective action already taken or to be taken by Vendor. Vendor shall promptly take appropriate corrective actions and provide reasonable support to Customer, including by responding to Customer’s reasonable inquiries about the Security Incident.

6. Sub-Processors.  Vendor is hereby authorized to engage the Sub-Processors listed in Schedule 1, provided that Vendor shall: (i) ensure that Sub-processors have the requisite capabilities to Process Personal Data in accordance with this Addendum; (ii) enter into a written agreement with each Sub-processor requiring the Sub-processor to protect Personal Data to the standard required by Data Protection Laws; and (iii) remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of the Sub-processor that cause Vendor to breach any of its obligations under this Addendum. Vendor shall notify Customer at least thirty (30) days in advance in the event that it intends to engage different or additional Sub-processors that will Process Personal Data pursuant to this Addendum. Customer may object to the new Sub-processor within five (5) days of Vendor’s notice, and in such cases the Parties will act in good faith to resolve Customer’s objection or otherwise identify a suitable approach to continue Vendor’s provision of Services without reliance on the objectionable Sub-processor.

7. Individual Rights and Requests. Vendor shall provide Customer with reasonable assistance, which may include appropriate technical and organizational measures, in responding to any requests or complaints from an individual data subject relating to the Processing of Personal Data, and shall, to the extent legally permitted, promptly notify Customer if it receives such a request or complaint directly from an individual data subject.

8. Information and Audits. Vendor shall make available to Customer or any governmental supervisory authority information reasonably necessary to confirm Vendor’s compliance with this Addendum. Vendor shall allow for and contribute to reasonable assessments or audits performed by Customer or a vendor of Customer, which shall not be conducted more often than annually and will require thirty (30) days’ notice, to confirm Vendor’s compliance with this Addendum or Data Protection Laws. Vendor shall promptly notify Customer of any requests or inquiries by any governmental supervisory authority regarding Customer’s Processing.

9. International Transfers.

  1. When and to the extent that Vendor acts as the data importer with respect to an EEA Restricted Transfer, Vendor and Customer hereby enter into the EU Standard Contractual Clauses, which are incorporated by reference herein. For the purpose of any such EEA Restricted Transfer, the EU Standard Contractual Clauses will be completed as follows: 
     
    1. Module Two (Transfer Controller to Processor) will apply when Customer is a Data Controller.
    2. Module Three (Transfer Processor to Processor) will apply when Customer is a Data Processor, and Vendor acknowledges that Customer acts as a processor under the instructions of its controller(s).
    3. For the purpose of Section II, Clause 9, the parties select Option 2 and agree that Vendor may engage Sub-processors in accordance with the “Sub-processing” section of this DPA.
    4. For the purpose of Section IV, Clause 17, the parties select Option 2. Where the laws of that EU Member State do not allow for third-party beneficiary rights, the Parties agree that they shall be governed by the law of Ireland.
    5. For the purpose of Section IV, Clause 18, the parties agree that disputes arising from the Standard Contractual Clauses shall be resolved by the courts in Ireland.
    6. Annex I is deemed to be completed with the details set out in Schedule 1 to this DPA.
    7. Annex II (Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data) is deemed to be completed with the details set out in Schedule 2 to this DPA.
    8. If and to the extent an EEA Restricted Transfer involves Personal Data originating from Switzerland and is subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the “FADP”), the EU Standard Contractual Clauses are deemed to be supplemented with an additional annex that provides as follows:
      1. for purposes of Clause 13 and Annex I.C of the EU Standard Contractual Clauses, the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner;
      2. the term “member state” as used in the EU Standard Contractual Clauses must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18.c;
      3. references in the EU Standard Contractual Clauses to the GDPR should be understood as references to the FADP.
  2. When and to the extent that Vendor acts as the data importer with respect to a UK Restricted Transfer, Customer and Vendor hereby enter into the EU Standard Contractual Clauses and the UK Addendum, which are incorporated by reference herein. For the purpose of any such UK Restricted Transfer, the UK Addendum will be completed as follows:
    1. Table 1 of the UK Addendum is deemed to be completed with the parties’ details and contact information as set forth in Schedule 2 to this DPA.
    2. For the purposes of Table 2 of the UK Addendum, the Addendum EU SCCs are the EU Standard Contractual Clauses entered into between Customer and Vendor under Section 11.b of this DPA.
    3. For the purposes of Table 3 of the UK Addendum, the Appendix Information is as set forth in Sections 11.b.vi and 11.b.vii of this DPA.
    4. For the purposes of Table 4 of the UK Addendum, the parties select “Exporter”.

10. Secure Return or Disposition.  Vendor shall dispose of any Personal Data in its possession, custody, or control that was Processed solely on behalf of Customer promptly following termination or expiration of the Agreement or, if feasible, upon Vendor’s receipt of Customer’s written direction.


Schedule 1

A. List of Parties

Data Exporter(s): 

Name: Customer

Contact Details: The email and mailing address(es) for Customer’s primary contact person(s) as set out in the Agreement.

Activities relevant to the data transferred: Receipt and/or use of the services provided by Vendor pursuant to the Agreement.

Signature and Date: By entering into the Agreement and the DPA, Customer is deemed to have signed this Schedule 1.

Role: Controller

Data Importer:

Name: Etailinsights, Inc.

Contact Details: The email and mailing address(es) for Vendor’s primary contact person(s) as set out in the Agreement.

Activities relevant to the data transferred: Provision of the Services to Customer as set forth in the Agreement.

Signature and Date: By entering into the Agreement and the DPA, Vendor is deemed to have signed this Schedule 1.

Role: Processor

B. Description of Transfer

Categories of data subjects whose personal data is transferred (check all that apply)

[_] employees

[✔️] consumers or customers

[_] other (specify where possible): [____________________]

 

Categories of personal data transferred (check all that apply)

[✔️] personal identification (name)

[_] government issued identification (driver’s license, social security number, or other national identity number)

[✔️] contact details (email, phone, address)

[_] real-time, precise location

[_] education and training details

[_] employment-related data

[_] family, lifestyle, and social circumstances

[_] financial, economic and insurance data, including financial account numbers

[_] billing and payment information

[✔️] digital, device, and social media identifiers or digital profiles

[_] account credentials

[_] immigration status or citizenship information

[_] contents of communications not directed to Vendor or Customer

[_] any other categories of Personal Information provided by or on behalf of Customer to Vendor in connection with the Services (specify where possible): [____________________]

 

Sensitive data transferred (check all that apply).

[✔️] none

[_] racial or ethnic origin

[_] political opinions

[_] religious or philosophical beliefs

[_] trade union membership

[_] genetic data

[_] biometric data

[_] data concerning health

[_] sex life or sexual orientation

The frequency of the transfer

[✔️] “One-off” (Personal Information will be transferred only on a seldom, ad hoc basis.)

[_] Ongoing/regular (Personal Information will be transferred on an ongoing or regular basis, not intermittent.)

Nature and Purposes of Processing

Vendor will Process Personal Data as necessary to perform the Services under the Agreement, including for the purposes of: (a) setting up, operating, monitoring, and providing the Services; (b) communicating with Users; and (c) executing other agreed-upon written instructions of Customer.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data will be processed and retained for the duration of the Agreement. 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Sub-processors will process Personal Data as necessary to perform the Services in accordance with the “Sub-Processing” section of this DPA, and will Process Personal Data for the duration of the Agreement.

As of the date of this DPA, the Sub-processors engaged by Vendor are as follows:

Sub-processor             | Description of Processing                    | Location
--------------------------|----------------------------------------------|--------------
Amazon Web Services, Inc. | Cloud hosting and infrastructure provider    | United States
Google, LLC.              | Cloud hosting and infrastructure provider    | United States
HubSpot, Inc.             | Customer relationship management             | United States
Salesforce, Inc.          | Customer relationship management             | United States
PandaDoc, Inc.            | Contract administration and e-signature tool | United States
Atlassian Corporation     | Customer and product support                 | United States
Totango, Inc.             | Customer and product support                 | United States
Zendesk                   | Customer and product support                 | United States
Intuit, Inc.              | Billing and accounting                       | United States
Paypal, Inc.              | Billing and accounting                       | United States

Schedule 2

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Vendor has implemented and shall maintain an information security program designed to protect against unauthorized or unlawful Processing of Personal Data or its accidental loss, destruction, or damage, including the measures described below.

Human Resources Security – policies and procedures designed to ensure the reliability of Vendor’s workforce, including background screening in accordance with applicable laws and regulations; and completion of annual security awareness training which includes training on how to implement and comply with Vendor’s security program.

Physical Security Controls – policies, procedures, and physical and technical controls designed to limit physical access to information systems and facilities in which they are housed to properly authorized persons, including appropriate entry controls to limit access to authorized personnel, including where appropriate logging of access events.

System Access Controls – policies, procedures, and technical controls to ensure that all members of Vendor’s workforce who require access to Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access, including:

  • role-based access policies based on the principle of least privilege;
  • processes to grant and revoke access rights based on business need, and to regularly review user access rights to ensure ongoing alignment with business needs; and
  • strong authentication procedures for production environments that require a username, password, and multifactor authentication.

Data Access Controls – policies, procedures, and technical controls to ensure the appropriate protection of data maintained by Vendor.

Security Incident Response – policies and procedures to detect, respond to, and otherwise address security incidents, including documented procedures to identify, escalate, and respond to suspected or known security incidents, and to mitigate the harmful effects of security incidents.

Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Personal Data or systems that contain Personal Data, including documented policies and procedures for the backup and recovery of production systems and data.

Device and Media Controls – policies and procedures that govern the receipt and removal of hardware and electronic media that contain Personal Data into and out of a Vendor facility, and the movement of these items within a Vendor facility, including policies and procedures to address the final disposition of Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for re-use.

Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information.

Transmission Security – technical security measures to guard against unauthorized access to Personal Data that is being transmitted over an electronic communications network.

Assigned Security Responsibility – designation of a security official responsible for the development, implementation, and maintenance of Vendor’s security program.

Testing – regular testing and monitoring of the effectiveness of Vendor’s security program, including through periodic vulnerability scans and risk assessments designed to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Personal Data, and to ensure that these risks are addressed.

Adjustments to the Program – monitoring, evaluation, and adjustment, as appropriate, of Vendor’s security program in light of any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Vendor or the Personal Data, and Vendor’s own changing business arrangements.