Data Processing Addendum
This Data Protection Addendum (“DPA”) applies to the Processing of Customer Personal Data (defined below) by Mperativ related to the Services Agreement.
1.1. In this DPA, the following capitalized terms will have the meanings set out below:
(a) “Affiliate” means an entity that owns or controls, is owned or controlled by or is under common control or ownership with a Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
(b) “Mperativ Group” means Mperativ and its Affiliates;
(c) “Authorized Affiliate” means an Affiliate of Customer that is authorized to use the Services pursuant to the Agreement but is not a direct party to the Agreement;
(d) “Agreement” means the existing Services Agreement(s), adoption agreement, order form or other written agreement between Mperativ and Customer pursuant to which Mperativ provides the Services, including any exhibits, statements of work, addenda and amendments thereto (including this DPA);
(e) “Applicable Laws” means Data Protection Laws, EU Data Protection Laws, and UK Data Protection Laws;
(f) “Controller” means the “controller,” “business” or equivalent term under applicable Data Protection Laws;
(g) “Customer Personal Data” means any Personal Data that is Processed by Mperativ (or any Subprocessor) on behalf of Customer or an Authorized Affiliate, pursuant to Mperativ’s performance of the Services under the Agreement;
(h) “Data Protection Laws” means the applicable data protection, privacy and cyber security laws or regulations, including (to the extent applicable) EU and UK Data Protection Laws and the California Consumer Privacy Act of 2018 (“CCPA”);
(i) “Data Subject” means the individual to whom the Customer Personal Data relates;
(j) “EU Data Protection Laws” means the GDPR and the laws implementing or supplementing the GDPR;
(k) “GDPR” means General Data Protection Regulation (EU) 2016/679;
(l) “Personal Data” means any information that identifies, could be used to identify or is otherwise linked or reasonably linkable with a particular individual or household, as well as any information defined as “personal data,” “personal information” or equivalent term under applicable Data Protection Laws;
(m) “Process” or “Processing” means any operation or set of operations which is performed on Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data;
(n) “Processor” means the “processor,” “service provider” or equivalent term under applicable Data Protection Laws;
(o) “Restricted Transfer” means a transfer of Customer Personal Data by or to Mperativ or a Subprocessor, in each case, where such transfer would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses;
(p) “Security Incident” means any unauthorized access to, or use, disclosure or other Processing of Customer Personal Data, as well as any loss, theft or acquisition of Customer Personal Data;
(q) “Services” means the products, services and other activities to be supplied to or carried out by or on behalf of Mperativ for Customer under the Agreement, or has the meaning given to it by the Agreement;
(r) “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection of personal data, which have been approved by the European Commission as adducing adequate safeguards for Restricted Transfers, or any successor clauses thereto or recognized by the European Commission pursuant to Article 46 of the GDPR, or by the relevant Secretary of State where the UK GDPR applies;
(s) “Subprocessor” means any person or entity (excluding an employee of Mperativ) appointed by or on behalf of Mperativ that Processes Customer Personal Data;
(t) “Supervisory Authority” means the relevant regulatory authority with regard to applicable Data Protection Laws, including where applicable a supervisory authority as defined under the GDPR; and
(u) “UK Data Protection Laws” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the United Kingdom. In this Agreement, in circumstances where the UK Data Protection Laws apply, references to the GDPR and its provisions will be construed as references to the UK Data Protection Laws and its corresponding provisions, and references to “EU or Member State laws” shall be construed as references to UK laws.
1.2. Capitalized terms used but not otherwise defined in this DPA will have the meaning set forth in the Agreement.
2 Processing of Customer Personal Data
2.1 The Parties agree that Customer and/or any Authorized Affiliate is a Controller and that Mperativ is a Processor, with respect to the Customer Personal Data processed pursuant to the Services, and that each will comply with their respective obligations under applicable Data Protection Laws.
2.2 Customer represents and warrants that it has the authority and right to enter into this DPA and to instruct Mperativ to Process Customer Personal Data as set forth hereunder, on behalf of itself and each Authorized Affiliate (if applicable). Customer will not instruct Mperativ to Process Customer Personal Data in violation of applicable Data Protection Laws. Customer will provide all necessary notices to, and obtain all necessary consents from, Data Subjects pursuant to Data Protection Laws.
2.3 Mperativ will Process Customer Personal Data only in accordance with the documented instructions of Customer (which shall include this DPA, the Agreement and any further written agreement or documentation through which Customer instructs Mperativ to perform specific Processing of Customer Personal Data), or where otherwise required by Applicable Laws. Customer hereby instructs Mperativ to Process Customer Personal Data to provide the Services or otherwise perform the Agreement, including by engaging Subprocessors and transferring Customer Data to international jurisdictions, provided such engagement and transfer comply with Sections 5 and 12 herein, respectively. Mperativ will notify Customer if it is or believes it will be unable to comply with the terms of this DPA or applicable Data Protection Laws.
2.4 Annex 1 to this DPA sets out the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Customer Personal Data and the categories of Data Subjects, as required by applicable Data Protection Laws, including Article 28(3) of the GDPR.
2.5 Mperativ shall not disclose, transfer, or sell any Customer Personal Data for any purpose other than for the specific purpose set forth in Section 2.3, and not outside of its direct business relationship with Customer; Mperativ certifies that it understands and will comply with the foregoing restrictions.
2.6 Customer acknowledges and agrees that Mperativ may, as a part of the Services and unless prohibited by Applicable Laws, process aggregate or anonymous data and information related to the Services (being referred to herein as “Aggregated Data”) and may (subject to any restrictions under applicable law) aggregate such De-identified Data, for the purpose of providing the Services and improving the features, functions, and performance of the Services. All Aggregated Data shall be owned by Mperativ, and shall not be Customer Personal Data hereunder.
3.1 Mperativ will take reasonable steps to (a) ensure the reliability of any individual who may have access to Customer Personal Data; and (b) ensure that each such individual is informed of the confidential nature of Customer Data and the restrictions on Processing of Customer Personal Data hereunder, and subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Mperativ will, in relation to the Customer Personal Data, implement technical and organizational measures, as set forth in Annex 2 to this DPA, which are designed to ensure a level of security appropriate to the risks presented by Processing, taking into account in particular the risks from a Security Incident.
5.1 Customer expressly consents to Mperativ’s engagement of Subprocessors as of the date of the DPA. Further, Customer agrees that Mperativ may engage Subprocessors, subject to Mperativ’s compliance with this Section 5. Without limiting the foregoing, Customer specifically authorizes Mperativ to engage as Subprocessors: (i) Mperativ Affiliates; (ii) those Subprocessors currently engaged by Mperativ as of the Effective Date [and set forth below]; and (iii) additional or new Subprocessors. Mperativ will provide Customer with notice at least thirty (30) days prior to appointing any additional or new Subprocessor. Upon receiving such notice, Customer may reasonably and in good faith object to Mperativ’s appointment of a new Subprocessor by notifying Mperativ in writing within thirty (30) days of receiving notice of the new Subprocessor; the Parties will work together in good faith to resolve Customer’s objection. If the Parties are unable to resolve the Customer’s objection within thirty (30) days of Customer’s notice of objection, Mperativ may terminate the Agreement by notifying Customer in writing.
5.2 With respect to each Subprocessor, Mperativ will:
(a) carry out adequate due diligence to ensure that the Subprocessor is capable of providing an equivalent level of protection for Customer Personal Data required by this DPA;
(b) ensure that the arrangement with the Subprocessor is governed by a written contract including terms which include an equivalent level of protection for Customer Personal Data as those set out in this DPA;
(c) if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses, as set forth in Annex 3, are at all relevant times incorporated into the agreement with Subprocessor; and
(d) remain fully liable to Customer for the performance of each Subprocessor’s obligations.
6 Reasonable Assistance
6.1 With respect to any request, enquiry, or complaint received by Mperativ or any Subprocessor from a Data Subject regarding Customer Personal Data, including any request to exercise rights under the Data Protection Laws, (hereafter, a “Data Subject Request”), Mperativ will:
(a) promptly notify Customer of such Data Subject Request;
(b) not respond to such Data Subject Request, except on the documented instructions of Customer or as required by Applicable Laws, in which case Mperativ will, to the extent permitted by such Applicable Laws, provide prior notice to Customer of such legal requirement prior to responding to such Data Subject Request; and
(c) provide reasonable assistance as necessary to the Customer to enable Customer to limit, seek to limit, or respond to such Data Subject Request. Such assistance will include, to the extent Customer does not already have access to the relevant information, and where required and practicable, appropriate technical and organizational measures, to allow Customer to effectively respond to requests from Data Subjects to exercise their rights under the Data Protection Laws.
6.2 Upon request and taking into account the information available to Mperativ, Mperativ will provide reasonable assistance to Customer as necessary to enable Customer to conduct any required data protection impact assessments and prior consultations with Supervisory Authorities as required by Data Protection Law.
7 Third Party Requests
With respect to any request, enquiry, or complaint received by Mperativ or any Subprocessor from a Supervisory Authority or other third-party regarding Customer Personal Data, including any request to exercise rights under the Data Protection Laws, (hereafter, a “Third Party Request”), Mperativ will, unless prohibited from doing so by Applicable Laws:
(a) promptly notify Customer of such Third-Party Request;
(b) not respond to such Third-Party Request, except on the documented instructions of Customer or as required by Applicable Laws, in which case Mperativ will, to the extent permitted by such Applicable Laws, provide prior notice to Customer of such legal requirement prior to responding to such Third-Party Request; and
(c) provide reasonable assistance as necessary to the Customer to enable Customer to seek to limit, quash or respond to such Third-Party Request. Such assistance will include, where practicable, appropriate technical and organizational measures to allow Customer to effectively respond to requests from Data Subjects to exercise their rights under the Data Protection Laws.
8 Security Incident
8.1 Mperativ will notify Customer without undue delay, and in any case within seventy-two (72) hours, upon Mperativ becoming aware of a Security Incident affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to notify a Supervisory Authority, Data Subjects or other third party of the Security Incident under the Data Protection Laws.
8.2 Mperativ will co-operate with Customer as necessary and take such reasonable commercial steps as are requested by Customer to assist in the investigation, mitigation and remediation of each such Security Incident. Unless required by Applicable Laws, Mperativ will not inform any third party of such a Security Incident without the prior, written consent of Customer.
9 Deletion or return of Customer Data
Mperativ will destroy or securely delete, or otherwise render permanently inaccessible, the Customer Data [within seven (7) days after the termination or expiration of the Agreement], unless prohibited by Applicable Laws, and will upon request certify in writing to Customer that such Customer Data has been deleted in accordance with this DPA. If Mperativ is required by Applicable Laws to retain any Customer Data, Mperativ shall take steps to (i) ensure the continued confidentiality and security of the Customer Data; (ii) securely delete or destroy the Customer Data when the legal retention period has expired; and (iii) not actively Process the Customer Data other than as needed to comply with such applicable law.
10 Audit rights
10.1 Mperativ will make available to Customer on request information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to, and cooperate with, audits, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of Customer Data and associated privacy and security controls, subject to the following conditions:
(a) Customer will give Mperativ reasonable notice of any audit or inspection to be conducted under this Section 10.1, and will take (and ensure that each of its mandated auditors takes) reasonable measures to avoid or minimize any damage, injury or disruption to Mperativ’s or a Subprocessor’s premises, equipment, personnel and business during the course of such audit or inspection; and
(b) an audit or inspection will be conducted no more than once annually, except to the extent conducted in response to a Security Incident or where required by a Supervisory Authority or Data Protection Laws.
10.2 Customer shall bear the full costs of any such audit, unless an audit is triggered by a Security Incident for which Mperativ is responsible.
11 Restricted Transfers
11.1 Customer hereby expressly consents to Restricted Transfers, subject to compliance with the obligations set out in this Section 11 and the DPA.
11.2 Customer for itself and each Authorized Affiliate as relevant (each a “data exporter”) and Mperativ for itself and its Affiliates as relevant, (each a “data importer”) hereby enter into the Standard Contractual Clauses as set forth in Annex 3, in respect of any Restricted Transfer, which will take effect upon the commencement of a Restricted Transfer and the execution of the Standard Contractual Clauses by the data importer.
11.3 Prior to any Restricted Transfer to a Subprocessor, Mperativ will ensure that in its written agreement with Subprocessor, the Standard Contractual Clauses have been incorporated and duly and effectively executed as required herein. Customer hereby authorizes Mperativ to enter into the Standard Contractual Clauses with Subprocessors for and on its behalf.
12 General Terms
12.1 Governing Law. Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses, the Parties hereby agree to submit to the choice of jurisdiction and venue set forth in the Agreement, with respect to any disputes or claims arising under this DPA.
12.2 Order of precedence. Conflicts or inconsistencies will be resolved as follows: (i) in any conflict between the terms of the Agreement and this DPA, this DPA will control; and (ii) the Standard Contractual Clauses will control in any conflict with the other terms of this DPA.
12.3 Changes in Data Protection Laws. If any amendment to this DPA is required as a result of a change in Data Protection Laws, including any variation which is required to the Standard Contractual Clauses, then either Party may provide written notice to the other Party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this DPA, including the Standard Contractual Clauses, to address such changes. The Parties will not unreasonably withhold consent or approval to amend this DPA pursuant to this Section 12.3 or otherwise.
12.4 Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. The invalid or unenforceable provision will be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER DATA
This Annex 1 includes certain details of the Processing of Customer Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Customer Personal Data:
The subject matter and duration of the Processing of Customer Personal Data are set out in the Agreement.
1. Processing operations
The nature and purpose of the Processing of Customer Personal Data includes:
The subject matter of the Processing under this DPA is the ongoing ingestion of customer’s Customer Relationship Management (CRM) and Marketing Automation (MA) data for the purpose of using the Mperativ platform as a read-only, revenue marketing system of record and related to customer support purposes.
2. Customer Data
The types of Customer Personal Data to be Processed include:
CRM data such as leads, contacts, companies, opportunities, users, contracts and campaigns; and
marketing automation data including leads, contacts, campaigns and lead sources.
Types of data processed include:
● Lead Data
● Contact Data
● Campaign Data
● Activity / Event Data
● Opportunity Data
● Company Data
● Contract Data
● Partner Data
● End-user data
The types of Special Categories of Data to be Processed include, where relevant to the Services:
3. Data Subjects
The categories of Data Subjects to whom Customer Personal Data relates include:
The obligations and rights of Customer and the Customer Affiliates:
Are set out in this DPA, and include the obligations related to the lawfulness of the Processing, information obligations, Data Subject requests, prior consultation, and the other obligations applicable to the controller under the GDPR.
ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES
This Annex 2 (“Security Controls”) sets forth the minimum security requirements applicable to the Service Agreement, the Services and the Processing of Customer Personal Data pursuant to the DPA.
1. Any Processing of Customer Personal Data will take place on data processing systems for which commercially reasonable technical and organizational measures for protecting Customer Personal Data have been implemented. Mperativ will maintain reasonable and appropriate technical, physical, and administrative measures to protect Customer Personal Data under its possession or control against unauthorized or unlawful Processing or accidental loss, destruction or damage, taking into account the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage and the sensitivity of the Customer Personal Data.
2. Security measures will be designed to:
(a) deny unauthorized persons access to data-processing equipment used for processing Customer Personal Data (equipment access control);
(b) prevent the unauthorized reading, copying, modification or removal of media (data media control);
(c) prevent the unauthorized input of Customer Personal Data and the unauthorized inspection, modification or deletion of stored Personal Data (storage control);
(d) prevent the use of automated data-processing systems by unauthorized persons using data communication equipment (user control);
(e) provide that persons authorized to use an automated data-processing system only have access to the Customer Personal Data covered by their access authorization (data access control);
(f) enable Mperativ to verify and establish to which individuals Customer Personal Data have been or may be transmitted or made available using data communication equipment (communication control);
(g) enable identification of which Customer Personal Data have been put into automated data-processing systems and when and by whom the input was made (input control);
(h) prevent the unauthorized reading, copying, modification or deletion of Customer Personal Data during transfers of those data or during transportation of storage media (transport control);
(i) include commercially reasonable disaster recovery procedures to provide for the continuation of services under the Agreement and backup of Customer Personal Data; and
(j) ensure that appropriate technical security solutions are implemented and managed to protect the confidentiality, integrity and availability of Customer Personal Data.
3. Where appropriate, data will be encrypted in transmission and at rest, using industry-standard cryptographic techniques and secure management of keys.
4. Mperativ will take reasonable steps to ensure the reliability of its employees and other personnel having access to Customer Personal Data, and will limit access to Customer Personal Data to those personnel who have a business need to access such Customer Personal Data and have received reasonable training regarding the handling of Personal Data and Data Protection Laws.
5. On request and subject to written confidentiality obligations, Mperativ will provide Customer with access to its relevant data security policies and procedures.