This Data Processing Agreement (“DPA”) governs the processing of Personal Data (as defined below) in connection with the SaaS Services and supplements the SaaS Terms and Conditions or other agreement (together with any applicable Order Forms or SOWs, “Agreement”) entered into between the parties identified in the Agreement as “Company” (also referred to herein as “we,” “our,” or “us”), and “Customer”. In the event of any conflict or inconsistency between this DPA and other terms regarding the Services, the terms of this DPA shall prevail with respect to the subject matter hereof. Capitalized terms used herein and not defined shall have the meaning ascribed to such term in the Agreement.
1. Definitions
For the purposes of this DPA, the following terms will have the meaning ascribed below:
“Business” shall mean the entity which determines the purposes and means of Processing of Personal Data, including equivalent terms (e.g., “controller”) under Data Protection Laws.
“Data Protection Laws” shall mean all data protection, privacy, data security, security breach notification, and related laws, rules, regulations, and industry standards applicable to the processing of Personal Data within the U.S., each as amended or replaced from time to time, and including without limitation the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and its implementing regulations (collectively, the “CCPA”).
“Personal Data” means Customer Data relating to an identified or identifiable individual where (i) such information is processed by Company in connection with the SaaS Services; and (ii) is protected as personal data, personal information, or personally identifiable information under applicable Data Protection Laws. For the avoidance of doubt, Personal Data does not include Aggregated Data or Third Party Data and this DPA does not apply to any Aggregated Data or Third Party Data.
“Personnel” shall mean any employees, agents, contractors or affiliates, that a party uses to perform its obligations or exercise its rights under the Agreement or this DPA.
“Processor” shall mean the entity which Processes Personal Data on behalf of the Business, including equivalent terms (e.g., “processor”) under Data Protection Laws.
“Sensitive Data” shall include equivalent terms such as sensitive personal information, and shall have the meaning set forth under Data Protection Laws.
“Subprocessor” shall mean subcontractors and/or replacement subcontractors, which process Personal Data on behalf of Company from time to time.
The terms “process,” “processing,” “sell,” “share,” and “business purpose,” shall have the meanings set forth under Data Protection Laws.
2. Role Of The Parties
The Parties acknowledge that with respect to Personal Data Processed in connection with the Agreement, including this DPA, Customer is a Business and Company is a Service Provider.
3. Processing Of Personal Data
3.1 Customer Processing of Personal Data. Customer shall, in its use of the SaaS Services, Process Personal Data in accordance with the requirements of Data Protection Laws, including any applicable requirement to provide notice to individuals of the use of Company as Processor (including where the Customer is a Processor, by ensuring that the ultimate Business does so). For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer is responsible for determining whether the SaaS Services are appropriate for storage and processing of information subject to any specific law or regulation and for using the SaaS Services in a manner consistent with Customer’s legal and regulatory obligations. Customer is responsible for responding to any request from a third party regarding Customer’s use of the SaaS Services. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges and agrees that its use of the SaaS Services will not violate the rights of any individual, including those that have opted-out from the sale, share, or other disclosure of Personal Data, to the extent applicable under Data Protection Laws.
3.2 Company Processing of Personal Data. The Parties agree that Personal Data disclosed by Customer to Company under the Agreement and this DPA is disclosed for the business purposes set forth in Schedule 1 attached hereto and incorporated by reference herein (the “Permitted Purpose”). The Parties further agree that the categories of Personal Data to be Processed by Company and the processing activities to be performed under the Agreement are set out in Schedule 1.
3.3 Restrictions on Processing for Personal Data. With respect to Personal Data subject to the requirements of the CCPA, Company shall not, without Customer’s written consent:
- Sell or Share Personal Data for cross-context behavioral advertising, targeted advertising or profiling;
- Use, retain or disclose Personal Data outside of the direct business relationship between Company and Customer unless expressly permitted by Data Protection Laws, or for any commercial purposes other than the Permitted Purpose specified in this DPA, or as otherwise specified in written instructions from Customer or its Users;
- Combine Personal Data with personal data that Company received from or on behalf of another person or persons, or collects from its own interactions with a consumer unless expressly permitted by Data Protection Laws;
- To the extent data is de-identified or Aggregated Data, re-identify, or attempt to do so with, any Personal Data, or any portions thereof.
Notwithstanding the foregoing, the Parties acknowledge and agree that Company may use Personal Data to: (i) build or improve the quality of its services; (ii) comply as required by federal, state and local laws and with generally accepted accounting principles (GAAP) related to the provision of the services specified in the Agreement; (iii) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; and (iv) exercise or defend legal claims.
4. Compliance With Laws
Company will: (a) comply with Data Protection Laws applicable to its obligations in providing the SaaS Services; (b) permit Customer to take reasonable and appropriate steps to confirm that Company uses Personal Data in a manner consistent with Company’s obligations under Data Protection Laws in accordance with Section 12 of this DPA; (c) permit Customer, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, it being understood that such reasonable and appropriate steps shall not include access to Company’s internal systems and platforms; and (d) notify Customer if Company determines that it can no longer meet its obligations under Data Protection Laws. However, Company is not responsible for compliance with any laws or regulations applicable to Customer or Customer’s industry that are not generally applicable to information technology service providers. Company does not determine whether Customer’s data includes information subject to any specific law or regulation.
5. Company Personnel
Company shall ensure that all Personnel authorized to Process Personal Data are made aware of the confidential nature of Personal Data and have committed themselves to confidentiality (e.g., by confidentiality agreements) or are under an appropriate statutory obligation of confidentiality.
6. Subprocessors
Upon request, Company shall provide Customer with a list of its current Subprocessors used in connection with the SaaS Services. Company shall have a written contract with each Subprocessor that imposes data protection and security obligations that are no less protective than those included in this DPA.
7. Consumer Requests
If reasonably requested by Customer, Company shall provide reasonable assistance necessary for Customer to fulfill its obligations in response to consumer requests to exercise their rights under Data Protection Laws with respect to Personal Data, unless this proves impossible or involves disproportionate effort. If Company receives a request directly from an individual regarding Personal Data, Company will, to the extent not prohibited by applicable law: (a) promptly forward the request to Customer for handling; (b) if requested, provide Customer with copies of documents relating to the request; and (c) not disclose any Proprietary Information of Customer without Customer’s prior written consent. Customer shall reimburse Company for Company’s costs incurred in providing assistance with such consumer requests.
8. Data Security
Company shall maintain appropriate technical and organizational measures for the protection of the security, confidentiality, and integrity of the Personal Data. All data security practices shall be appropriate to the volume and nature of the Personal Data used, collected, and stored. Company shall maintain a process to address any unauthorized access, use, or disclosure of Personal Data by Company or its respective officers, directors, employees and agents.
9. Security Incident
In the event that Company becomes aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by Company (a “Security Incident”), Company shall (i) notify Customer without undue delay; (ii) promptly communicate the nature of the Security Incident to Customer, including a description of the Security Incident; and (iii) use commercially reasonable efforts to assist Customer with mitigating or remediating the damages resulting from the Security Incident, to the extent feasible and within Company’s control. The obligations set forth in this Section 9 shall not apply to any Security Incident caused by Customer or its users.
10. Security Audit
Company shall internally or through a qualified and independent assessor conduct an assessment of its policies and technical and organizational measures in support of its obligations under Data Protection Laws. Such assessment shall use an appropriate and accepted control standard or framework and assessment procedure (e.g., SOC 2 Type II audit). Solely in connection with Customer assessing whether Company’s use of Personal Data is in compliance with Data Protection Laws and this DPA, Company shall, upon Customer’s request (not to exceed once annually), make available to Customer a copy of such report created in connection with such assessment, which report shall be considered Company’s Proprietary Information.
11. Miscellaneous
Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be: (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or (ii) construed in a manner as if the invalid or unenforceable part had never been contained in this DPA. The terms of this DPA, that by their nature or pursuant to Data Protection Laws are intended to survive termination or expiration of this DPA or the Agreement, shall so survive. Any notice, request, instruction or other document to be given under the DPA shall be sent in accordance with the terms of the Agreement. Failure or delay in exercising any right or remedy under this DPA shall not constitute a waiver of such (or any other) right or remedy. Except as expressly stated otherwise, nothing in this DPA shall create or confer any rights or other benefits in favor of any person other than a party to this DPA. Company’s obligations under this DPA shall be subject to the limitations of liability set forth in Section 8 of the Agreement. Company may modify, amend, or update the terms of this DPA to address any modifications, amendments, or updates to the Services and/or Data Protection Law.
Schedule 1: Description of Personal Data Processing
1. Subject matter of Processing
The subject matter of the Processing of the Personal Data is to provide the SaaS Services set forth in the Agreement (including any applicable Order Form or SOW) and this DPA.
2. Duration of Processing
The duration of the Processing activities shall be for the term set forth in the Agreement (or the applicable Order Form or SOW).
3. Nature and Purpose of Processing
The purpose of the Processing of Personal Data by Company is the performance of the SaaS Services pursuant to the Agreement, and specifically to provide its secured storage service, assist with investor outreach, manage investment portfolios and provide certain reporting and metrics information regarding Customer’s portfolio companies. Company shall also be permitted to Process Personal Data for the following business purposes:
- Helping to ensure security and integrity to the extent the use of the Personal Data is reasonably necessary and proportionate for these purposes;
- Debugging to identify and repair errors that impair existing intended functionality of the SaaS Services;
- Performing services on behalf of Customer, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of Customer;
- Providing professional and consulting services and technical support;
- Creating Aggregated Data; and
- Calculating statistics related to Customer Data.
4. Frequency of Transfer
The Personal Data is transferred on a continuous basis.
5. Categories of Personal Data
Customer determines the categories of Personal Data that are Processed in connection with the SaaS Services based on the Personal Data Customer submits to the SaaS Services. Depending on use of the SaaS Services, Customer may elect to include Personal Data from any of the following categories of Personal Data:
- Basic Personal Data (e.g. names, email address (business), physical address (business))
- Authentication Data (e.g. user name and password)
- Contact Information (e.g. email address (business), phone numbers (business), physical address (business))
- Employment Information (e.g. employment history, education details, jobs and position data, locations and organizations)
- Any other category of Personal Data set forth under Data Protection Laws uploaded by Customer to the SaaS Services.
Company and/or its Subprocessors do not intentionally collect or process any Sensitive Data in connection with the provision of the SaaS Services under the Agreement. However, Customer may choose to include this type of data within content that the Customer instructs Company to Process on its behalf.
6. Categories of Individuals
Individuals whose personal information is subject to Processing in connection with the SaaS Services may include (1) Customer’s business clients; (2) potential target company employee information; and (3) employees and other personnel working for or on behalf of Customer.