Data Processing Agreement

‍DEFINITIONS

Capitalised terms that are not defined in this DPA shall have the meaning set out in the Agreement. References in this DPA to the terms "Controller", “Processor”, "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the meanings ascribed to them under Data Protection Laws. 

“Customer Personal Data” means Personal Data provided by Customer to LeadIQ.

“Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area (EEA) and their member states, Switzerland, the United Kingdom, and any other applicable data protection law of any country to which the Parties are subject, including but not limited to, the GDPR, UK GDPR and the California Consumer Privacy Act (CCPA).

“Data Subject” means the identified or identifiable person or household to whom Personal Data relates.

"European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.

"GDPR" means EU General Data Protection Regulation 2016/679 and the UK GDPR.

“Leads Data” has the meaning provided in the Agreement.

"Subprocessor" means any third party, including without limitation a subcontractor, engaged by LeadIQ in connection with the Processing of Personal Data.

‍

‍

PART 1

This Part 1 of this DPA applies to the processing of Customer Personal Data by LeadIQ in the course of providing the Services.

1. PROCESSING OF CUSTOMER PERSONAL DATA

1.1 Customer’s Processing of Personal Data. For the purposes of Part 1 of this DPA, Customer is Controller, LeadIQ is Processor. Customer shall, in its use of the Services, be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Customer Personal Data and the instructions it issues to LeadIQ.
‍

1.2 LeadIQ’s Processing of Personal Data. LeadIQ shall process Customer Personal Data only in accordance with Customer’s reasonable and lawful instructions unless otherwise required to do so by applicable law. Customer hereby authorizes and instructs LeadIQ and its Subprocessors to:

1.2.1 process Customer Personal Data;

1.2.2 transfer Customer Personal Data to any country or territory subject to Section 10 (International Transfers);

1.2.3 engage any Subprocessors subject to Section 3 (Subprocessors),

as reasonably necessary for the provision of the Services and to comply with LeadIQ’s rights and obligations under the Agreement and DPA. Customer warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give such instruction.

‍

1.3 Description of Processing. Schedule 2 to this DPA sets out a description of the processing activities to be undertaken as part of the Agreement and this DPA.

‍

1.4 Confidentiality. To the extent the Personal Data is confidential, LeadIQ shall maintain the confidentiality of the Personal Data in accordance with the Agreement and shall require persons authorized to process the Personal Data (including its Subprocessors) to have committed to materially similar obligations of confidentiality.

‍

2. SECURITY

LeadIQ shall in relation to the Customer Personal Data implement reasonably appropriate technical and organizational measures, based on industry standards, to ensure a level of security appropriate to any reasonably foreseeable security risks, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, LeadIQ shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

‍

3. SUBPROCESSING

Customer agrees to the continued use of those Subprocessors already engaged by LeadIQ as of the date of this Agreement and listed at Schedule 2, Annex III and further generally authorises LeadIQ to appoint additional Subprocessors in connection with the provision of the Services, provided that:
‍

• LeadIQ shall have in place a contract in writing with each Subprocessor that imposes obligations that are (i) relevant to the services to be provided by the Subprocessors and (ii) materially similar to the rights and/or obligations granted or imposed on LeadIQ under this DPA; 
  ‍
• where a Subprocessor fails to fulfil its data protection obligations, LeadIQ shall be liable to the Customer for the performance of the Subprocessor’s obligations; and
  ‍
• provide Customer with written notice of the prospective appointment; except if LeadIQ reasonably believes appointing a new Subprocessor on an expedited basis is necessary for maintaining the availability and security of the Services, LeadIQ will give such notice as soon as reasonably practicable. If Customer does not object to the appointment of the new Subprocessor within fourteen (14) days of receiving the notice (“Objection Period”), LeadIQ may use the new Subprocessor. If Customer objects to the appointment of the new Subprocessor, Customer must notify LeadIQ within the Objection Period and work with LeadIQ to find a commercially reasonable solution for the Customer. If the parties are unable to reach a resolution, Customer may terminate the Agreement as its sole and exclusive remedy.

‍

4. DATA SUBJECT RIGHTS

Taking into account the nature of the Processing, LeadIQ shall assist Customer by implementing appropriate technical and organisational measures, insofar as this is reasonably possible, for the fulfilment of Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws (“Data Subject Request”). To the extent that Customer is unable to independently address a Data Subject Request, then upon Customer’s written request LeadIQ shall provide reasonable assistance to Customer to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Customer Personal Data under the Agreement. Customer shall reimburse LeadIQ for the commercially reasonable costs arising from this assistance.

‍

5. PERSONAL DATA BREACHES

5.1 LeadIQ shall notify Customer without undue delay upon LeadIQ or any Subprocessor becoming aware of a Personal Data Breach affecting Customer Personal Data,  providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

‍

5.2 LeadIQ shall make reasonable efforts to identify the cause of the Personal Data Breach and take those steps necessary and reasonable to remediate the cause of such Personal Data Breach to the extent the remediation is within LeadIQ’s reasonable control. The obligations herein shall not apply to incidents caused by Customer. 

‍

6. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

To the extent Customer does not otherwise have access to the relevant information, and to the extent the information is available to LeadIQ, LeadIQ shall provide reasonable assistance to Customer with any data protection impact assessments to fulfil Customer’s obligations under GDPR. LeadIQ shall provide reasonable assistance to Customer in the co-operation or prior consultation with Supervising Authorities or other competent data privacy authorities, as required under GDPR. In each case this is solely in relation to Customer’s use of Services and the Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to LeadIQ. 

‍

7. DELETION OR RETURN OF CUSTOMER PERSONAL DATA

Following termination of the Services, LeadIQ will delete or, upon Customer’s written request, return Customer Personal Data, except to the extent LeadIQ is required by applicable law to retain some or all of the Customer Personal Data. The terms of this DPA will continue to apply to that retained Customer Personal Data.

‍

8. AUDIT RIGHTS

LeadIQ shall make available to Customer on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by LeadIQ. Any costs or fees incurred by LeadIQ related to any audits requested by Customer shall be the sole responsibility of Customer.  Customer shall provide LeadIQ with a minimum thirty (30) days notice if such audit is required. Such audit shall be at the maximum conducted once per calendar year, except where an additional audit is required by the Data Protection Law, or a Supervisory Authority.

‍

9. INTERNATIONAL TRANSFERS

9.1 LeadIQ may, in connection with the provision of the Services, or in the normal course of business, make international transfers of Personal Data from the European Union, the EEA and/or their member states (“EU Data”), Switzerland (“Swiss Data”) and the United Kingdom (“UK Data”) to its Subprocessors. When making such transfers, LeadIQ shall ensure appropriate protection is in place to safeguard the Personal Data transferred under or in connection with the Agreement and this DPA.

‍

9.2 Where the provision of Services involves the international transfer of EU Data, the Parties agree to the Standard Contractual Clauses as approved by the European Commission under Decision 2021/914 of 4 June 2021 (“New EU SCC”), which shall be automatically incorporated by reference and form an integral part of this DPA.  The EU SCCs shall apply completed as follows: 

9.2.1 Module Two (Section 2.1.1.) and/or Three (Section 2.1.2.) will apply;

9.2.2 in Clause 7, the optional docking clause will apply;

9.2.3 in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes is identified in Section 3 above;

9.2.4 in Clause 11, the optional language will not apply;

9.2.5 in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish Law

9.2.6 in Clause 18(b), disputes shall be resolved before the courts of Ireland;

9.2.7 Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 2, Annex I-A of this DPA; and

9.2.8 Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2, Annex II of this DPA.

‍

9.3 Where the provision of Services involves the international transfer of UK Data, the Parties agree to the template Addendum B.1.0, International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (the “UK IDT Addendum”), shall amend the SCCs in respect of such transfers and Part 1 of the UK IDT Addendum shall be completed as follows:

‍

9.3.1 Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and LeadIQ  as importer.

9.3.2 Table 2. The “Addendum EU SCCs” are the modules and clauses of the SCCs selected in relation to a particular transfer in accordance with Section 9.2 above.

9.3.3 Table 3. The “Appendix Information” is as set out in Schedule 2,  Annex I-A of this DPA.

9.3.4 Table 4. The exporter may end the UK IDT Addendum in accordance with its Section 19.

‍

9.4 Where the provision of Services involves the international transfer of Swiss Data subject to the Federal Act on Data Protection ("FADP"), the Parties agree to the EU SCC, which shall be automatically incorporated to this DPA in accordance with section 9.2 and with applicable references replaced with the Swiss equivalent.

‍

PART 2

This Part 2 of this DPA applies to the processing of Leads Data by Customer in the course of receiving the Services.

10. PROCESSING OF LEADS DATA

10.1 Customer acknowledges and agrees to its obligations as an independent Controller of Leads Data that it receives from Company

‍

11. INTERNATIONAL TRANSFERS

11.1 Customer that is located in a Third Country may, in connection with using the Services or in the normal course of business, be a recipient of EU Data, Swiss Data or UK Data. Where international transfer of EU Data occurs, the Parties agree to enter into the EU SCC which shall be automatically incorporated by reference and form an integral part of this DPA. The EU SCCs shall apply completed as follows:

‍

11.1.1 Module One will apply;

11.1.2 in Clause 7, the optional docking clause will apply;

11.1.3 in Clause 11, the optional language will not apply; 

11.1.4 in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

11.1.5 in Clause 18(b), disputes shall be resolved before the courts of Ireland;

11.1.6 Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 2, Annex I-B  of this DPA; and

11.1.7 Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2, Annex II of this DPA.

‍

11.2 Where the provision of Services involves the international transfer of UK Data, the Parties agree to the UK IDT Addendum which shall amend the SCCs in respect of such transfers and Part 1 of the UK IDT Addendum shall be completed as follows:

‍

11.2.1 Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are LeadIQ as exporter and Customer as importer.

11.2.2 Table 2. The “Addendum EU SCCs” are the modules and clauses of the SCCs selected in relation to a particular transfer in accordance with Section 11.1 above.

11.2.3 Table 3. The “Appendix Information” is as set out in Schedule 2,  Annex I-B of this DPA.

11.2.4 Table 4. The exporter may end the UK IDT Addendum in accordance with its Section 19.

‍

11.3 Where the provision of Services involves the international transfer of Swiss Data subject to the FADP, the Parties agree to the EU SCC, which shall be automatically incorporated to this DPA in accordance with section 11.1 and with applicable references replaced with the Swiss equivalent.

‍

12. GENERAL TERMS

‍

12.1 Changes in Data Protection Laws. If any variation is required to this DPA as a result of a change in Data Protection Law, then either Party may provide written notice to the other Party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this DPA to address such changes with a view to agreeing and implementing those variations as soon as is reasonably practicable.

‍

12.2 Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

‍‍

12.3 Liability. For the avoidance of doubt and to the extent permitted by Data Protection Laws, each party’s liability and remedies under this DPA are subject to the aggregate liability limitations and damages exclusions set forth in the MSA.

‍

SCHEDULE 1 - CALIFORNIA SPECIFIC PROVISIONS

1. When processing California Personal Information (as defined in the CCPA) in accordance with Customer’s instructions, the parties acknowledge and agree that Customer is a Business and LeadIQ is a Service Provider for the purposes of the CCPA. LeadIQ shall process California Personal Information solely for a valid business purpose to perform the Services.
   ‍
2. LeadIQ understands and agrees to the prohibition from: (i) selling California Personal Information that it processes on behalf of the Customer; (ii) retaining, using, or disclosing California Personal Information for a commercial purpose other than providing the Services or otherwise permitted by CCPA; and (iii) retaining, using, or disclosing California Personal Information outside of the Agreement between LeadIQ and Customer.

‍

‍

SCHEDULE 2 - ANNEX I

Transfer controller to controller

‍

 A. LIST OF PARTIES

Data exporter(s):

Name: _________________________________________________________________

Address: _______________________________________________________________

Contact Name: ___________________________________________________________

Title: ___________________________________________________________________

Email: __________________________________________________________________

Activities relevant to the data transferred under these Clauses: 

Signature: _____________________________, Date: ____________________________

Role (controller/processor): Controller

‍

Data importer(s): 

Name: LeadIQ, Inc.

Address: 548 Market Street, PMB 20371, San Francisco, CA 94104, USA

Contact person’s name, position and contact details: Mei Siauw, CEO, privacy@leadiq.com

Activities relevant to the data transferred under these Clauses: Provision of Services

Signature: _____________________________, Date: ___________________________

Role (controller/processor): Processor

‍

 B. DESCRIPTION OF TRANSFER

‍

Data Subjects

• Employees, agents, advisors or any other users authorized by data exporter to use the data importer’s Services.
• Employees or contact persons of potential customers (prospects), current customers and business partners of data exporter. 

Categories of personal data 

• First name, Last name, Job title, Employer/Company name, Contact information (email, phone, physical business address), Localization and connection data.

Sensitive data

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Personal data of each data subject is transferred once. Personal data as a whole will be transferred on a continuous basis. 

Nature of the processing

The nature of the processing includes storing, transferring, review, deletion of the personal data, and as otherwise required under the MSA.

Purpose of the processing

To provide Data exporter with the Services as described in the MSA or as otherwise agreed by the parties. 

Duration

As necessary for data importer to provide and for the data exporter to receive the Services pursuant to the MSA.

‍

C.   COMPETENT SUPERVISORY AUTHORITY

The supervisory authority of the Data exporter.

Transfer controller to processor

‍

A. LIST OF PARTIES

Name: LeadIQ, Inc.

Address: 548 Market Street, PMB 20371, San Francisco, CA 94104, USA

Contact person’s name, position and contact details: Mei Siauw, CEO, privacy@leadiq.com

Activities relevant to the data transferred under these Clauses: Provision of Services

Signature and date: _____________________________________________________

Role (controller/processor): Controller

‍

Data importer(s): 

Name: _________________________________________________________________

Address: _______________________________________________________________

Contact Name: ___________________________________________________________

Title: ___________________________________________________________________

Email: __________________________________________________________________

Activities relevant to the data transferred under these Clauses: 

Signature: _____________________________, Date: ____________________________

Role (controller/processor): Controller

 B. DESCRIPTION OF TRANSFER

‍

Data Subjects

Employees or contact persons of potential customers (prospects), current customers and business partners of data importer. 

Categories of personal data 

First name, Last name, Job title, Employer/Company name, Contact information (email, phone, physical business address).

Sensitive data

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Personal data of each data subject is transferred once. Personal data as a whole will be transferred on a continuous basis. 

Nature of the processing

The nature of the processing includes storing, transferring, review, deletion of the personal data, and as otherwise required under the MSA.

Purpose of the processing

To provide Data importer with the Services as described in the MSA or as otherwise agreed by the parties. 

Duration

As necessary for data exporter to provide and for the data importer to receive the Services pursuant to the MSA.

‍

 C. COMPETENT SUPERVISORY AUTHORITY

The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred are located.

‍

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

See documentation in LeadIQ’s Security Policies and Processes. 

‍

‍

ANNEX III

LIST OF SUB-PROCESSORS

The controller has authorized the use of the following sub-processors: