Last Updated: August 8th 2022
This Data Processing Agreement (“DPA”) forms part of the Master Subscription Agreement or other written or electronic agreement (“Agreement”) between LeadIQ Inc. (“Company”) and the Customer for the purchase, access to, and/or licensing of products, services and/or platforms (collectively the “Services”) to reflect the parties’ agreement with regard to the Processing of Personal Data. In the event of a conflict between the terms of the Agreement as it relates to the Processing of Personal Data and this DPA, the DPA shall prevail.
This DPA consists of the following:
This DPA shall be effective for the duration of the Agreement (or longer to the extent required by applicable law).
Signature
Signature
Name
Name
Title
Title
Date
Date
Capitalised terms that are not defined in this DPA shall have the meaning set out in the Agreement. References in this DPA to the terms "Controller", “Processor”, "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the meanings ascribed to them under Data Protection Laws.
“Customer Personal Data” means Personal Data provided by Customer to LeadIQ.
“Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area (EEA) and their member states, Switzerland, the United Kingdom, and any other applicable data protection law of any country to which the Parties are subject, including but not limited to, the GDPR, UK GDPR and the California Consumer Privacy Act (CCPA).
“Data Subject” means the identified or identifiable person or household to whom Personal Data relates.
"European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
"GDPR" means EU General Data Protection Regulation 2016/679 and the UK GDPR.
“Leads Data” has the meaning provided in the Agreement.
"Subprocessor" means any third party, including without limitation a subcontractor, engaged by LeadIQ in connection with the Processing of Personal Data.
This Part 1 of this DPA applies to the processing of Customer Personal Data by LeadIQ in the course of providing the Services.
1. PROCESSING OF CUSTOMER PERSONAL DATA
1.1 Customer’s Processing of Personal Data. For the purposes of Part 1 of this DPA, Customer is Controller, LeadIQ is Processor. Customer shall, in its use of the Services, be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Customer Personal Data and the instructions it issues to LeadIQ.
1.2 LeadIQ’s Processing of Personal Data. LeadIQ shall process Customer Personal Data only in accordance with Customer’s reasonable and lawful instructions unless otherwise required to do so by applicable law. Customer hereby authorizes and instructs LeadIQ and its Subprocessors to:
1.2.1 process Customer Personal Data;
1.2.2 transfer Customer Personal Data to any country or territory subject to Section 10 (International Transfers);
1.2.3 engage any Subprocessors subject to Section 3 (Subprocessors),
as reasonably necessary for the provision of the Services and to comply with LeadIQ’s rights and obligations under the Agreement and DPA. Customer warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give such instruction.
1.3 Description of Processing. Schedule 2 to this DPA sets out a description of the processing activities to be undertaken as part of the Agreement and this DPA.
1.4 Confidentiality. To the extent the Personal Data is confidential, LeadIQ shall maintain the confidentiality of the Personal Data in accordance with the Agreement and shall require persons authorized to process the Personal Data (including its Subprocessors) to have committed to materially similar obligations of confidentiality.
2. SECURITY
LeadIQ shall in relation to the Customer Personal Data implement reasonably appropriate technical and organizational measures, based on industry standards, to ensure a level of security appropriate to any reasonably foreseeable security risks, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, LeadIQ shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
3. SUBPROCESSING
Customer agrees to the continued use of those Subprocessors already engaged by LeadIQ as of the date of this Agreement and listed at Schedule 2, Annex III and further generally authorises LeadIQ to appoint additional Subprocessors in connection with the provision of the Services, provided that:
4. DATA SUBJECT RIGHTS
Taking into account the nature of the Processing, LeadIQ shall assist Customer by implementing appropriate technical and organisational measures, insofar as this is reasonably possible, for the fulfilment of Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws (“Data Subject Request”). To the extent that Customer is unable to independently address a Data Subject Request, then upon Customer’s written request LeadIQ shall provide reasonable assistance to Customer to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Customer Personal Data under the Agreement. Customer shall reimburse LeadIQ for the commercially reasonable costs arising from this assistance.
5. PERSONAL DATA BREACHES
5.1 LeadIQ shall notify Customer without undue delay upon LeadIQ or any Subprocessor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
5.2 LeadIQ shall make reasonable efforts to identify the cause of the Personal Data Breach and take those steps necessary and reasonable to remediate the cause of such Personal Data Breach to the extent the remediation is within LeadIQ’s reasonable control. The obligations herein shall not apply to incidents caused by Customer.
6. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
To the extent Customer does not otherwise have access to the relevant information, and to the extent the information is available to LeadIQ, LeadIQ shall provide reasonable assistance to Customer with any data protection impact assessments to fulfil Customer’s obligations under GDPR. LeadIQ shall provide reasonable assistance to Customer in the co-operation or prior consultation with Supervising Authorities or other competent data privacy authorities, as required under GDPR. In each case this is solely in relation to Customer’s use of Services and the Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to LeadIQ.
7. DELETION OR RETURN OF CUSTOMER PERSONAL DATA
Following termination of the Services, LeadIQ will delete or, upon Customer’s written request, return Customer Personal Data, except to the extent LeadIQ is required by applicable law to retain some or all of the Customer Personal Data. The terms of this DPA will continue to apply to that retained Customer Personal Data.
8. AUDIT RIGHTS
LeadIQ shall make available to Customer on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by LeadIQ. Any costs or fees incurred by LeadIQ related to any audits requested by Customer shall be the sole responsibility of Customer. Customer shall provide LeadIQ with a minimum thirty (30) days’ notice if such audit is required. Such audit shall be at the maximum conducted once per calendar year, except where an additional audit is required by the Data Protection Law, or a Supervisory Authority.
9. INTERNATIONAL TRANSFERS
9.1 LeadIQ may, in connection with the provision of the Services, or in the normal course of business, make international transfers of Personal Data from the European Union, the EEA and/or their member states (“EU Data”), Switzerland (“Swiss Data”) and the United Kingdom (“UK Data”) to its Subprocessors. When making such transfers, LeadIQ shall ensure appropriate protection is in place to safeguard the Personal Data transferred under or in connection with the Agreement and this DPA.
9.2 Where the provision of Services involves the international transfer of EU Data, the Parties agree to the Standard Contractual Clauses as approved by the European Commission under Decision 2021/914 of 4 June 2021 (“New EU SCC”), which shall be automatically incorporated by reference and form an integral part of this DPA. The EU SCCs shall apply completed as follows:
9.2.1 Module Two (Section 2.1.1.) and/or Three (Section 2.1.2.) will apply;
9.2.2 in Clause 7, the optional docking clause will apply;
9.2.3 in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes is identified in Section 3 above;
9.2.4 in Clause 11, the optional language will not apply;
9.2.5 in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
9.2.6 in Clause 18(b), disputes shall be resolved before the courts of Ireland;
9.2.7 Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 2, Annex I-A of this DPA; and
9.2.8 Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2, Annex II of this DPA.
9.3 Where the provision of Services involves the international transfer of UK Data, the Parties agree to the template Addendum B.1.0, International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (the “UK IDT Addendum”), which shall amend the SCCs in respect of such transfers and Part 1 of the UK IDT Addendum shall be completed as follows:
9.3.1 Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and LeadIQ as importer.
9.3.2 Table 2. The “Addendum EU SCCs” are the modules and clauses of the SCCs selected in relation to a particular transfer in accordance with Section 9.2 above.
9.3.3 Table 3. The “Appendix Information” is as set out in Schedule 2, Annex I-A of this DPA.
9.3.4 Table 4. The exporter may end the UK IDT Addendum in accordance with its Section 19.
9.4 Where the provision of Services involves the international transfer of Swiss Data subject to the Federal Act on Data Protection ("FADP"), the Parties agree to the EU SCC, which shall be automatically incorporated to this DPA in accordance with section 9.2 and with applicable references replaced with the Swiss equivalent.
This Part 2 of this DPA applies to the processing of Leads Data by Customer in the course of receiving the Services.
10. PROCESSING OF LEADS DATA
10.1 Customer acknowledges and agrees to its obligations as an independent Controller of Leads Data that it receives from Company.
11. INTERNATIONAL TRANSFERS
11.1 Customer that is located in a Third Country may, in connection with using the Services or in the normal course of business, be a recipient of EU Data, Swiss Data or UK Data. Where international transfer of EU Data occurs, the Parties agree to enter into the EU SCC which shall be automatically incorporated by reference and form an integral part of this DPA. The EU SCCs shall apply completed as follows:
11.1.1 Module One will apply;
11.1.2 in Clause 7, the optional docking clause will apply;
11.1.3 in Clause 11, the optional language will not apply;
11.1.4 in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
11.1.5 in Clause 18(b), disputes shall be resolved before the courts of Ireland;
11.1.6 Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 2, Annex I-B of this DPA; and
11.1.7 Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2, Annex II of this DPA.
11.2 Where the provision of Services involves the international transfer of UK Data, the Parties agree to the UK IDT Addendum which shall amend the SCCs in respect of such transfers and Part 1 of the UK IDT Addendum shall be completed as follows:
11.2.1 Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are LeadIQ as exporter and Customer as importer.
11.2.2 Table 2. The “Addendum EU SCCs” are the modules and clauses of the SCCs selected in relation to a particular transfer in accordance with Section 11.1 above.
11.2.3 Table 3. The “Appendix Information” is as set out in Schedule 2, Annex I-B of this DPA.
11.2.4 Table 4. The exporter may end the UK IDT Addendum in accordance with its Section 19.
11.3 Where the provision of Services involves the international transfer of Swiss Data subject to the FADP, the Parties agree to the EU SCC, which shall be automatically incorporated to this DPA in accordance with section 11.1 and with applicable references replaced with the Swiss equivalent.
12. GENERAL TERMS
12.1 Changes in Data Protection Laws. If any variation is required to this DPA as a result of a change in Data Protection Law, then either Party may provide written notice to the other Party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this DPA to address such changes with a view to agreeing and implementing those variations as soon as is reasonably practicable.
12.2 Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
12.3 Liability. For the avoidance of doubt and to the extent permitted by Data Protection Laws, each party’s liability and remedies under this DPA are subject to the aggregate liability limitations and damages exclusions set forth in the MSA.
A. LIST OF PARTIES
Data exporter(s):
Name: _________________________________________________________________
Address: _______________________________________________________________
Contact Name: ___________________________________________________________
Title: ___________________________________________________________________
Email: __________________________________________________________________
Activities relevant to the data transferred under these Clauses:
Signature: _____________________________, Date: ____________________________
Role (controller/processor): Controller
Data importer(s):
Name: LeadIQ, Inc.
Address: 548 Market Street, PMB 20371, San Francisco, CA 94104, USA
Contact person’s name, position and contact details: Mei Siauw, CEO, privacy@leadiq.com
Activities relevant to the data transferred under these Clauses: Provision of Services
Signature: _____________________________, Date: ___________________________
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Data Subjects
Categories of personal data
Sensitive data
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal data of each data subject is transferred once. Personal data as a whole will be transferred on a continuous basis.
Nature of the processing
The nature of the processing includes storing, transferring, review, deletion of the personal data, and as otherwise required under the MSA.
Purpose of the processing
To provide Data exporter with the Services as described in the MSA or as otherwise agreed by the parties.
Duration
As necessary for data importer to provide and for the data exporter to receive the Services pursuant to the MSA.
C. COMPETENT SUPERVISORY AUTHORITY
The supervisory authority of the Data exporter.
A. LIST OF PARTIES
Data exporter(s):
Name: LeadIQ, Inc.
Address: 548 Market Street, PMB 20371, San Francisco, CA 94104, USA
Contact person’s name, position and contact details: Mei Siauw, CEO, privacy@leadiq.com
Activities relevant to the data transferred under these Clauses: Provision of Services
Signature and date: _____________________________________________________
Role (controller/processor): Controller
Data importer(s):
Name: _________________________________________________________________
Address: _______________________________________________________________
Contact Name: ___________________________________________________________
Title: ___________________________________________________________________
Email: __________________________________________________________________
Activities relevant to the data transferred under these Clauses:
Signature: _____________________________, Date: ____________________________
Role (controller/processor): Controller
B. DESCRIPTION OF TRANSFER
Data Subjects
Employees or contact persons of potential customers (prospects), current customers and business partners of data importer.
Categories of personal data
First name, Last name, Job title, Employer/Company name, Contact information (email, phone, physical business address).
Sensitive data
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal data of each data subject is transferred once. Personal data as a whole will be transferred on a continuous basis.
Nature of the processing
The nature of the processing includes storing, transferring, review, deletion of the personal data, and as otherwise required under the MSA.
Purpose of the processing
To provide Data importer with the Services as described in the MSA or as otherwise agreed by the parties.
Duration
As necessary for data exporter to provide and for the data importer to receive the Services pursuant to the MSA.
C. COMPETENT SUPERVISORY AUTHORITY
The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred are located.
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
See documentation in LeadIQ’s Security Policies and Processes.
LIST OF SUB-PROCESSORS
The controller has authorized the use of the following sub-processors:
Amazon Web Services; 410 Terry Avenue North, Seattle, WA 98109-5210, United States; Cloud Hosting
MongoDB; 229 W. 43rd Street, 5th Floor, New York, NY 10036, United States; Database Program
Zendesk; 1019 Market St, San Francisco, CA 94103, United States; Customer Service
LeadIQ Pte. Ltd; 163 Tras St, #05-03 Singapore 079024; Subsidiary