Data Processing Terms and Conditions

This Data Processing Agreement (“Agreement“) forms part of the Platform Subscription Agreement or the General Terms and Conditions (each a “Subscription Agreement”), as applicable, and is entered into between the customer (the “Customer”) and the relevant Datassential entity (“Provider“) , each as named in the Product Order Form (together as the “Parties”)

This Agreement shall only apply to the Processing of Personal Data for the provision of Services described in the Product Order Form related to the use of the Platform. Capitalized terms used but not defined in this Agreement shall have the meanings given to them in the GDPR or, if not defined in the GDPR, the Subscription Agreement.

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1.1.1 “Customer Personal Data” means any Personal Data Processed by Provider on behalf of Customer pursuant to or in connection with the Subscription Agreement;

1.1.2 “Data Protection Laws” means, to the extent applicable to the Processing of Customer Personal Data by Provider, all applicable data protection and privacy legislation in force from time to time in the EU and UK, including Regulation (EU) 2016/679 (“GDPR”); the GDPR as defined in section 3(10) (as supplemented by section 205(4)) of the DPA 2018 (“UK GDPR”); the UK Data Protection Act 2018 (“DPA 2018”); the US Data Protection Laws, the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC), and the relevant national implementing legislation; the UK Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and any other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data;

1.1.3 “Product Order Form” means the order form appended to the Subscription Agreement.

1.1.4 “Services” means Customer’s use of the Provider’s Platform and any related services Provider provides to Customer under the Subscription Agreement and in accordance with the Product Order Form.

1.1.5 “Sub-processor” means any person appointed by or on behalf of a Processor to process Customer Personal Data on behalf of Customer in connection with the Services, Subscription Agreement or this Agreement.

1.1.6 “Standard Contractual Clauses” means where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs“); or where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (“UK SCCs“).

1.1.7 “US Data Protection Laws” means the California Consumer Privacy Act as amended (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, and the Connecticut Data Privacy Act, and any other similar data or privacy law in effect in the United States as applicable to the Processing of Personal Data under this Agreement.

2. Processing of Customer Personal Data

2.1 The subject matter, nature, purpose, type of Personal Data and categories of Data Subjects are described in Schedule 1.

2.2 The Parties acknowledge that any Processing of Customer Personal Data by Provider pursuant to this Agreement shall be in the capacity of a Processor.

2.3 To the extent the CCPA applies to the Processing of Customer Personal Data, such Customer Personal Data will be disclosed by Customer to Provider to perform the Services, and Provider will act as Customer’s “Service Provider” as such terms are defined under CCPA, with respect to such data.

2.4 The Parties agree that the specific “business purpose(s)”, as “business purpose” is defined under CCPA, of Provider’s Processing of Customer Personal Data are identified in Schedule 1.

2.5 Provider:

2.5.1 shall comply with all Data Protection Laws in the Processing of Customer Personal Data;

2.5.2 shall not Process Customer Personal Data other than on Customer’s documented instructions, unless otherwise required by law, including, without limitation, as necessary for Provider to provide the Services or comply with its obligations in the Subscription Agreement and as described in Schedule 1;

2.5.3 shall immediately inform Customer if, in Provider’s opinion, an instruction from Customer related to Processing Customer Personal Data infringes any Data Protection Laws;

2.5.4 shall provide reasonable assistance to Customer as necessary for Customer to comply with its obligations under Data Protection Laws, including as may be applicable under UK GDPR and taking into account the nature of the Processing and the information available, assisting Customer to meet its obligations to keep Personal Data secure; notifying the Information Commissioner’s Office (“ICO”) of Personal Data Breaches; notifying the Data Subjects of Personal Data Breaches; responding to Data Subjects’ rights requests; carrying out data protection impact assessments (“DPIA”) when required; and consulting the ICO where a DPIA indicates there is a high risk that cannot be mitigated;

2.5.5 shall upon the termination of the Services, at Customer’s choice, Provider shall either delete or return to Customer all Customer Personal Data, to the extent possible, and shall delete any existing copies of Customer Personal Data unless storage of the same is required by any applicable law. Notwithstanding the foregoing, Provider is not required to delete Customer Personal Data in its archival storage systems; and

2.5.6 shall notify Customer without undue delay upon Provider becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects or Supervisory Authorities of the Personal Data Breach under the Data Protection Laws.

2.6 To the extent the CCPA applies to the Processing of Customer Personal Data, Provider:

2.6.1 shall not: (a) “sell” or “share” Customer Personal Data, as “sell” and “share” are defined under CCPA; (b) retain, use, or disclose Customer Personal Data: (i) for any purpose other than those listed in Schedule 1, unless permitted by CCPA, (ii) for a commercial or any other purpose other than for the specific purpose of providing, managing, or supporting the Services, or as otherwise permitted by the CCPA, or (iii) outside of the direct business relationship between Provider and Customer, unless expressly permitted by CCPA; or (c) combine Customer Personal Data with Personal Data subject to the CCPA from another Provider customer, unless permitted by CCPA;

2.6.2 shall notify Customer no later than ten business days after its determination that it can no longer meet its obligations under CCPA; and

2.6.3 hereby grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate any of Provider’s use of Customer Personal Data.

2.7 Provider Personnel

Provider shall take reasonable steps to ensure the reliability of any of its personnel who has access to Customer Personal Data and ensure all such individuals are subject to confidentiality undertakings or obligations of confidentiality.

2.8 Sub-processing

2.8.1 Provider may, and Customer provides its general written authorization for Provider to, engage any Sub-processor as necessary to provide the Services under the Subscription Agreement or this Agreement.

2.8.2 Provider shall make available an up-to-date list of the Sub-processors it has appointed upon written request from Customer. To the extent legally permitted by Data Protection Laws, Customer may reasonably object in writing to Provider’s appointment of a new Sub-processor, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution.

2.8.3 To the extent Provider engages a Sub-processor for carrying out specific processing activities on behalf of Customer, equivalent obligations in this Agreement shall be imposed on Sub-processor. Where that Sub-processor fails to fulfil its data protection obligations, Provider shall remain fully liable to Customer for the performance of the Sub-processor’s obligations.

3. Customer’s Obligations

3.1 Customer shall at all times comply with Data Protection Laws when processing Personal Data in connection with the Subscription Agreement, including any Personal Data it has received or that has otherwise been made available to it in connection with the Platform. Customer represents it has the lawful right and authority to provide Customer Personal Data to Provider in connection with the performance of the Subscription Agreement and this Agreement.

3.2 Customer shall notify Provider of any consumer requests made pursuant to CCPA that Provider must comply with and shall provide any information necessary for Provider to so comply.

3.3 Any material breach of the Data Protection Laws by the Customer shall, if not remedied within 30 days of written notice from Provider, entitle Provider to terminate this Agreement with immediate effect.

4. Mutual Obligations

Each party shall assist the other in complying with all applicable requirements of the Data Protection Law.

5. Audit rights

Provider shall make available to Customer on reasonable request information necessary to demonstrate compliance with Article 28 of GDPR, Article 28 of UK GDPR, and any applicable US Data Protection Law. To the extent legally required, Provider shall allow for and contribute to audits, including inspections, by Supervising Authorities in relation to the Processing of Customer Personal Data at Customer’s expense. Customer shall provide Provider with advanced notice of such audits.

6. Data Transfer

6.1 Customer authorizes Provider to transfer and process any Customer Personal Data subject to the GDPR or UK GDPR outside of the European Economic Area and the United Kingdom in order to provide the Services pursuant to the Subscription Agreement, provided that Provider has taken appropriate measures designed to ensure the transfer and resulting processing is in compliance with Data Protection Laws.

6.2 In relation to transfers of Customer Personal Data which require such additional protection, the EU SCCs shall apply, completed as follows:

6.2.1 Module Two will apply (as applicable);

6.2.2 In Clause 7, the optional docking clause will not apply;

6.2.3 In Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be set out in this Agreement;

6.2.4 In Clause 11, the optional language will not apply;

6.2.5 In Clause 17, Option 1 will apply, and the EU SCCs will be governed by French law;

6.2.6 In Clause 18(b), disputes shall be resolved before the courts of Ireland;

6.2.7 Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this Agreement, as applicable; and

6.2.8 Subject to Section 4 of this Agreement, Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 of this Agreement.

6.3 In relation to transfers of Customer Personal Data which require such additional protection, the UK SCCs shall apply, completed as follows:

6.3.1 In Table 1 of the UK SCCs, the parties’ details and key contact information are located in Annex 1(A) of Schedule 1 of this Agreement;

6.3.2 In Table 2 of the UK SCCs, information about the version of the EU SCCs which the UK SCCs are appended to and the modules and selected clauses is located in Section 6.2 of this Agreement; and

6.3.3 In Table 3 of the UK SCCs: The required information is set out in the Schedules to this Agreement.

Schedule 1 – Description of the Processing / Transfer

Annex 1(A): List of Parties

Data Importer: Datassential, Inc., as identified in the Product Order Form

Contact person’s name, position and contact details: Molly Josh, CFO, molly@datassential.com

Role: Processor

Data Exporter: Customer, address and contact point each as identified in the Product Order Form

Role: Controller

Annex 1(B): Description of Processing / Transfer

1. SCOPE AND SUBJECT MATTER OF THE PROCESSING: The subject matter of the processing is set out in the applicable Platform Subscription Agreement and Product Order Form.
2. NATURE AND PURPOSE OF PROCESSING: The provision of access to and use of the SNAP! platform developed by Provider, as further documented in the Platform Subscription Agreement and Product Order Form.
3. FREQUENCY AND DURATION OF THE PROCESSING: continuous, and for the purposes stipulated in the Platform Subscription Agreement.
4. TYPES OF DATA: Contact details of Customer employees, contacts, customers, and leads including name, email address, postal address, phone number, job title, and employer name.
5. CATEGORIES OF DATA SUBJECT: Customer contacts, customers, and leads.

Annex 1(C): Competent Supervisory Authority

When subject to GDPR, the Data Protection Commission Authority is the French Data Protection Authority (CNIL)in France. When subject to UK GDPR, the Information Commissioner’s Office.

Schedule 2 – Security Measures

• Access controls, physical restrictions, training, data recovery procedures, malicious software prevention, security incident management, and including, as appropriate, the measures referred to in Article 32(1) of the GDPR and UK GDPR;
• A detailed, current account of relevant security measures implemented by the relevant Provider entity is available on written request by the Customer.