Data Processing Addendum
Last updated: 7th October 2024
1. Background
- Sellframe Ltd (“CRM Inputs”, “we”, “our”, “us” or any of our integrations) entered into an Order Form and an agreement (the “Agreement”) with the entity or organization named in the Agreement (“Customer”, “you”, “your”, or “yours”) for the provision of our Services to you.
- This Data Processing Addendum (the “DPA”) between you and CRM Inputs (each a “Party” and collectively the “Parties”) is incorporated into and shall form part of the Agreement. Signatures of assent of the Parties to the Agreement will be deemed signature to, and acceptance and agreement of, this DPA and the Standard Contractual Clauses incorporated hereto.
- In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
- Sections 4 through 6 apply solely where and to the extent CRM Inputs is a Processor of Customer Personal Data. These Sections do not apply to the extent CRM Inputs is a Controller of Personal Data, as described in Section 3.2.
2. Definitions
- Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in the Agreement, and the following capitalized terms used in this DPA shall be defined as follows:
- “Controller” has the meaning given under the applicable Data Protection Laws that employ that term in designating between “processors” and “controllers” of personal data. Where applicable, “Controller” shall also have the same meaning as “Business” for the purposes of the CCPA.
- “Customer Personal Data” means Personal Data included in the Submitted Data that we Process on your behalf in connection with our provision of the Services. (For the avoidance of doubt, Customer Personal Data does not include any Personal Data as to which we act as a Controller.)
- “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.
- “Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework; as may be amended, superseded, or replaced.
- “Data Protection Laws” means, solely where and to the extent applicable to the Processing of Customer Personal Data under the Agreement, any applicable national or state implementing legislation regarding privacy, data protection, or data security (including, where applicable and without limitation: the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK Data Protection Act of 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018 (the “UK GDPR”), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CCPA”)), inclusive of any U.S. state law that draws a distinction between a data “controller” and a data “processor,” and, in each case as amended, replaced or superseded from time to time and together with implementing regulations.
- “Data Subject” has the meaning given under the applicable Data Protection Law(s), and shall also mean a “consumer” for purposes of Data Protection Laws using that term.
- “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
- “Instructions” means your instructions to us to process the Customer Personal Data as provided under the Agreement, this DPA, through your use of the features and functionality of the Services or as otherwise mutually agreed by authorized signatories of both parties in writing.
- “Personal Data” has the meaning given under the applicable Data Protection Laws, and, where applicable, shall include information that is “Personal Information” for the purposes of the CCPA.
- “Processing” has the meaning given under the applicable Data Protection Laws, and “Process” and its cognates will be interpreted accordingly.
- “Processor” has the meaning given under the applicable Data Protection Laws that employ that term in designating between “processors” and “controllers” of Personal Data. Where applicable, “Processor” shall also have the same meaning as “Service Provider” for the purposes of the CCPA.
- “Security Incident” means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Data in CRM Inputs’s possession or otherwise under CRM Inputs’s control.
- “Standard Contractual Clauses” means either or both of the following, as the context requires, along with any successor clauses thereto:
- The “EU SCCs”, meaning the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (located http://data.europa.eu/eli/dec_impl/2021/914/oj.) and completed as set forth herein.
- The “UK SCCs”, meaning the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-DPA.pdf) and completed as set forth herein.
- “Subprocessor” means any Processor engaged by us who agrees to receive from us Customer Personal Data.
- “Supervisory Authority” shall mean the data protection supervisory authority (including any cognate terms) as defined under the applicable Data Protection Laws.
- “Third Party” has the meaning given in the CCPA.
3. Data Processing
- When We Act as a Processor. To the extent that we Process Customer Personal Data solely to provide you with Services, such as to Process your Customer Personal Data in order to (i) match it to and provide you with Output Data, (ii) provide emailing, prospecting, recording, meeting, calendar or other similar Services to you, or (iii) provide enhanced Services with artificial intelligence capabilities, we are acting as a Processor and you are acting as a Controller. When we act as a Processor, we will only Process Customer Personal Data in accordance with your Instructions, and we will notify you in the unlikely event that Data Protection Law requires us to process Customer Personal Data other than pursuant to the Instructions (unless prohibited from doing so by applicable law). As a Processor, to the extent required by Data Protection Laws, we:
- acknowledge that Customer Personal Data is disclosed only for the limited and specified business purposes set forth under the Agreement (“Business Purposes”) and will not retain, use, or disclose Customer Personal Data outside of the direct business relationship between you and us, or for any purpose (including any commercial purpose) other than the Business Purposes or as otherwise permitted by Data Protection Law;
- will not “sell” any Customer Personal Data “share” Customer Personal Data or Process any Customer Personal Data for purposes of targeted advertising, as such terms are defined in Data Protection Laws;
- will comply with any applicable restrictions under the CCPA on combining Customer Personal Data with other data; and
- will provide the same level of protection for the Customer Personal Data subject to the CCPA as is required of Customer under the CCPA and comply with all applicable provisions of the CCPA. We will notify you in the event we determine that we can no longer comply with our obligations under the CCPA.
- When We Each Act as Controllers. We are each independent Controllers, and (for CCPA purposes), each a Business as to Personal Data included in Output Data and Account Information when such Output Data or Account Information, as the case may be, is in our respective possession. For the avoidance of doubt, this means that CRM Inputs is an independent Controller of all Personal Data in its Contributor Database, including Personal Data that has been enriched and/or verified by Submitted Data or otherwise contributed by you as set forth in Section 6(b)(iii) of the Agreement. You are an independent Controller when you provide such Personal Data to us. For the avoidance of doubt, CRM Inputs is also the Controller of any Personal Data included in the Service Metadata.
- Required Notices and Consents. You shall have sole responsibility and liability for the means by which you acquire Customer Personal Data and provide such data to us. In particular, where required by Data Protection Laws, you will ensure that you have provided/will provide all necessary notices and have obtained/will obtain all necessary consents for the Processing of Customer Personal Data as contemplated in the Agreement.
4. Subprocessors
- Authorized Subprocessors. You agree that we may use the Subprocessors: DigitalOcean, Findymail, Apollo.io and Hostinger.
- Adding New Subprocessors. We shall notify you of any changes concerning the addition of a new Subprocessor at least thirty (30) days before the new Subprocessor commences its Processing of Customer Personal Data (the “Notice”). We will provide Notice by updating this page. If you object to a new Subprocessor on reasonable grounds related to the protection of Customer Personal Data, then without prejudice to any right to terminate the Agreement, the Parties shall attempt to negotiate a resolution in good faith. If the Parties cannot agree on a resolution within 30 days of your objection to a new Subprocessor, then you may terminate the Agreement immediately upon written notice to us and you shall be entitled to a refund of any prepaid fees for services unused as of the effective date of termination. This termination right and refund is your sole and exclusive remedy if you object to any new Subprocessor. If you do not object within thirty (30) days of receipt of the Notice, you are deemed to have accepted the new Subprocessor.
- Subprocessor Agreements. We will enter into a written agreement with each Subprocessor that imposes substantially similar data protection obligations on the Subprocessor with regard to their Processing of Customer Personal Data, as are imposed on us where we are acting as a Processor under this DPA.
- Liability of Subprocessors. We will be liable to you for the acts and omissions of any Subprocessor as if they were our acts and omissions.
5. Data Security, Audits, and Security Notifications; Deletion and Retention
- CRM Inputs Security Obligations. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures set out in Exhibit 2.
- Demonstrating Compliance. Upon your reasonable request, we will make available all information reasonably necessary to demonstrate our compliance with our obligations under Data Protection Law(s).
- Security Incident Notification. If we become aware of a Security Incident we will (a) notify you of the Security Incident without undue delay (and in any event within 72 hours), (b) investigate the Security Incident and provide you (and any law enforcement or regulatory official, as required by Data Protection Law) with reasonable assistance as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.
- CRM Inputs Employees and Personnel. We will treat the Customer Personal Data as confidential and shall ensure that any employees or other personnel who are subject to a binding duty of confidentiality with respect to the Customer Personal Data (both during the term of their employment or engagement and thereafter).
- Audits. We will, upon your reasonable request and where and to the extent so required by Data Protection Law, allow for, cooperate with, and contribute to assessments and audits (including inspections, of our compliance with the applicable Data Protection Law, conducted by you (or a third party on your behalf and mandated by you) provided (a) such audits or inspections are not conducted more than once per year (unless requested by a Supervisory Authority); (b) are conducted only during business hours; and (c) are conducted in a manner that causes minimal disruption to CRM Inputs’s operations and business.
- Remediation Right. Where and to the extent such a right is explicitly provided under the CCPA, you retain the right, upon reasonable notice to us, to take reasonable and appropriate steps to (a) ensure that we are using Customer Personal Data we collected pursuant to the Agreement in a manner consistent with your obligations under CCPA, and (b) stop and remediate unauthorized use of Customer Personal Data.
- Deletion of data. Subject to Section 5.8 below, we will, at your election within 90 (ninety) days of the date of termination of the Agreement:
- delete all Customer Personal Data Processed by us or any Subprocessors; or
- return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified to us by you.
- Retention. We and our Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws; provided that we ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
6. Access Requests and Assistance with Compliance
- Government Disclosure. We will notify you of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
- Assistance Generally. Solely to the extent and in the manner required under Data Protection Laws, we will provide reasonable assistance to you for your compliance with such laws, including, without limitation, as set forth in Sections 6.3 and 6.4.
- Data Subject Rights. To the extent required under Data Protection Laws, and taking into account the nature of the Processing, we will use reasonable endeavors to assist you by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising Data Subject rights laid down in Data Protection Laws.
- Data Protection Impact Assessments; Prior Consultations. To the extent required under Data Protection Laws: (a) we will provide you with reasonably requested information regarding our Services to enable you to carry out data protection impact assessments (including any similar assessments under Data Protection Laws) or prior consultations with any Supervisory Authority, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to us; and (b) we shall provide reasonable assistance to you in the cooperation or consultation with a Supervisory Authority as it relates to the Processing of Customer Personal Data hereunder.
7. Controller Obligations
- In the course of acting as a Controller (and/or Third Party), such Party shall:
- Limit its use of Personal Data received from the other Party to the limited and specific purposes set forth in the Agreement or any applicable Order Form, and (without limitation of the foregoing) to purposes that it reasonably believes an average consumer would reasonably expect.
- Comply with its own obligations under Data Protection Laws applicable to it as a Controller, including (without limitation) as to any Data Subject rights to deletion, access, and “opt-out” of “sale” or “sharing” of Personal Data (as such terms are defined in Data Protection Laws).
- Notify the other Party about all valid opt-out, deletion, or other data subject requests, as and to the extent required by Data Protection Laws. You shall cooperate and comply with any such notification made by CRM Inputs to you with respect to Output Data in a timely manner. Without limitation of the foregoing, CRM Inputs may make opt-out and deletion information available in the activity log of your account or via a database available in our privacy policy or another secure webpage, and (to the extent you continue to hold any Output Data) you agree to apply all such opt-out or deletion requests to any Output Data you continue to hold in a timely manner.
- As to any Personal Data received from the other Party, implement and maintain reasonable security procedures, as appropriate to the level of sensitivity and confidentiality applicable to such Personal Data.
- Upon request, provide the other Party with reasonable assurances, in writing, as may be necessary to permit the other Party to ensure that it has employed Personal Data subject to the Agreement as contemplated by the Agreement.
- For Personal Data subject to the CCPA, provide the same level of protection to the Personal Data as the Party providing the Personal Data is required to provide under the CCPA, and notify the other Party if it determines that it is no longer able to comply with its CCPA obligations.
- Solely where and to the extent the CCPA applies to such Processing, the Party providing the Personal Data retains the right, upon reasonable notice, to (a) take reasonable and appropriate steps to ensure that the other Party uses Personal Data consistent with the CCPA, and (b) stop and remediate any unauthorized Processing of Personal Data made available to the other Party.
8. Data Transfers
- Transfers Mechanism. To the extent that the Processing of Personal Data involves the transmission of such Personal Data to a country or territory outside the country from which such Personal Data was provided to the Party receiving the data (the “data importer”), the Parties will comply with any requirements under Data Protection Laws regarding such transfers. To the extent required by Data Protection Laws, the data importer shall ensure that a lawful data transfer mechanism is in place prior to engaging in any onward transfers of Personal Data from one country to another.
- Data Privacy Framework. At the time of the execution of the Agreement, CRM Inputs participates in and certifies compliance with the Data Privacy Framework. As required by the Data Privacy Framework, CRM Inputs will: (a) provide at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (b) notify Customer if CRM Inputs makes a determination it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles (in which event CRM Inputs will cease such processing or take other reasonable and appropriate steps to remediate). Where and to the extent that the Data Privacy Framework applies, CRM Inputs will use the Data Privacy Framework to lawfully receive Customer Personal Data and/or Personal Data in the United States.
- EU SCCs. To the extent legally required (for example, if the Data Privacy Framework does not cover the transfer to CRM Inputs and/or the Data Privacy Framework is invalidated), the Parties are deemed to have entered into and signed the EU SCCs and its Annexes, which form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict. Except as described in Sections 8.4 and 8.5 below, the EU SCCs are deemed completed as follows: In the course of acting as a Controller (and/or Third Party), such Party shall:
- Module 1 applies to transfers of Personal Data where both Parties are independent Controllers (as described in Section 3.2 of this DPA). Module 2 of the EU SCCs applies to transfers of Customer Personal Data from Customer (the Controller) to us (the Processor).
- Clause 7 (the optional docking clause) is included.
- Clause 9 of Module 2 (Use of sub-processors): The Parties select Option 2 (General written authorization). The initial list of Subprocessors and the procedures for updating such list are set forth in Sections 4.1 and 4.2 of this DPA.
- Clause 11 (Redress): The optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body is not included.
- Clause 17 (Governing law): The Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights) and select the law of Ireland.
- Clause 18 (Choice of forum and jurisdiction): The Parties select the courts of Ireland.
- Annex I is completed as set forth in Exhibits 1A, 1B and 1C of this DPA. For Annex I(C), the Parties select the Irish Data Protection Commission. Annex II is completed as set forth in Exhibit 2 of this DPA. Annex III is not applicable because the Parties have chosen General Authorization under Clause 9.
- UK SCCs. To the extent legally required, by entering into this DPA, the Parties are deemed to have entered into and signed the UK SCCs, which form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. The Tables within the UK SCCs are deemed completed as follows:
- Table 1: The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, and the Key Contact shall be the contacts set forth in Exhibits 1A, 1B and IC of this DPA, as applicable.
- Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties and completed above, except that: (a) Clause 17 (Governing law): The Parties choose the law of England and Wales; (b) Clause 18 (Choice of forum and jurisdiction): The Parties select the courts of England and Wales and (c) Annex 1C and Clause 13 the Parties select the UK Information Commissioner.
- Table 3: Annex I is set forth in Exhibits 1A, 1B and 1C of this DPA. Annex II is set forth in Exhibit 2 of this DPA. Annex III is inapplicable.
- Table 4: We may end this DPA as set out in Section 19 of the UK SCCs.
- Swiss Data. For transfers of Personal Data that are subject to the Swiss Federal Act on Data Protection (“FADP”), the EU SCCs form part of this DPA as set forth above, but with the following differences to the extent required by the FADP:
- References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR, and references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of FADP revisions that eliminate this broader scope.
- The term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
- The relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
- The EU SCCs shall be modified as follows: (a) Clause 17 (Governing law): The Parties choose the law of Switzerland; (b) Clause 18 (Choice of forum and jurisdiction): The Parties select the courts of Switzerland and (c) Annex 1C and Clause 13 the Parties select the Swiss Federal Data Protection and Information Commissioner.
9. Limitation of Liability
Notwithstanding anything to the contrary in the Agreement or this DPA, each party’s entire liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, and any other data protection agreements or security addendum signed by the parties (“Ancillary Agreement”) in connection with the Agreement (if any), whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations on liability section in the Agreement, and any reference in such section to the liability of a party means the total aggregate liability of that party under the Agreement, this DPA and any Ancillary Agreement (if any) together.
Exhibit 1A
Controller/Exporter (Customer) to Processor/Importer (CRM Inputs)
- List Of Parties
Data exporter(s):
Name: The Customer identified in the Agreement or Order Form.Address: As set forth in the Agreement or Order Form.
Contact person’s name, position and contact details: As set forth in the Agreement and Order Form, or as otherwise agreed to by the parties.
Activities relevant to the data transferred under these Clauses: Processing in connection with the receipt of the Services provided by the data importer in accordance with the Agreement and the DPA.
Signature and date: See signature and/or electronic acceptance date to the Agreement.
Role (controller/processor): Controller
Data importer:
Name: Sellframe LtdAddress: 14 Avonside Grove, Hamilton, UK, ML3 7DL
Contact person’s name, position, and contact details: Legal Department; [[email protected]](mailto:[email protected]) or such other person designated by CRM Inputs.
Activities relevant to the data transferred under these Clauses: Processing in connection with providing, maintaining and improving the Services in accordance with the Agreement and the DPA.
Signature and date: See signature and/or electronic acceptance date to the Agreement.
Role (controller/processor): Processor
- Description of Transfer
Categories of data subjects whose personal data is transferred: Data subjects may include data exporter’s employees (or other end-users of the Services), prospects, customers, business partners and vendors.
Categories of personal data transferred: Customer Personal Data which may include, but is not limited to the following categories:
- First and last name
- Title
- Employer
- Contact information (company, email, phone, physical business address)
- IP address
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuously for the duration of the Agreement.
Nature of the processing: Data importer Processes Customer Personal Data to provide the Services pursuant to the Agreement, which includes, without limitation, receiving, storing, analyzing, and deleting Customer Personal Data.
Purpose(s) of the data transfer and further processing: Data importer’s provision of Services to the data exporter pursuant to the Agreement between data exporter and data importer.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As further set forth under the Agreement and the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above.
Exhibit 1B
Controller/Exporter (Customer) to Controller/Importer (CRM Inputs)
- List Of Parties
Data exporter(s):
Name: The Customer identified in the Agreement or Order Form.Address: As set forth in the Agreement or Order Form.
Contact person’s name, position and contact details: As set forth in the Agreement and Order Form, or as otherwise agreed to by the parties.
Activities relevant to the data transferred under these Clauses: Processing in connection with the receipt of the Services provided by the data importer in accordance with the Agreement and the DPA.
Signature and date: See signature and/or electronic acceptance date to the Agreement.
Role (controller/processor): Controller
Data importer:
Name: Sellframe LtdAddress: 14 Avonside Grove, Hamilton, UK, ML3 7DL
Contact person’s name, position, and contact details: Legal Department; [[email protected]](mailto:[email protected]) or such other person designated by CRM Inputs.
Activities relevant to the data transferred under these Clauses: Processing in connection with providing, maintaining and improving the Services in accordance with the Agreement and the DPA.
Signature and date: See signature and/or electronic acceptance date to the Agreement.
Role (controller/processor): Controller
- Description of Transfer
Categories of data subjects whose personal data is transferred: Data subjects may include data exporter’s employees (or other end-users of the Services), prospects, customers, business partners and vendors.
Categories of personal data transferred: Customer Personal Data which may include, but is not limited to the following categories:
- First and last name
- Title
- Employer
- Contact information (company, email, phone, physical business address)
- IP address
- Any other categories of Personal Data provided by Customer.
In each case where and to the extent such Personal Data is included in the Account Information, Service Metadata or Submitted Data Processed by data importer in its role as a data controller.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuously for the duration of the Agreement.
Nature of the processing: Data importer Processes Personal Data as further set forth under the Agreement and in data importer’s privacy policy, including Processing to verify, enrich and grow Output Data and the Contributor Database, which includes, without limitation, receiving, storing, analyzing, and deleting Personal Data.
Purpose(s) of the data transfer and further processing: Such purposes as further set forth under the Agreement and in data importer’s privacy policy, including Processing by data importer’s to verify, enrich and grow Output Data and the Contributor Database.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Where data importer is a Controller: As further set forth under the data importer’s privacy policy.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above.
Exhibit 1C
Controller/Exporter (CRM Inputs) to Controller/Importer (Customer)
- List Of Parties
Data exporter(s):
Name: Sellframe LtdAddress: 14 Avonside Grove, Hamilton, UK, ML3 7DL
Contact person’s name, position and contact details: Legal Department; [[email protected]](mailto:[email protected]) or such other person designated by CRM Inputs.
Activities relevant to the data transferred under these Clauses: Providing the Services (including Output Data) to the data importer in accordance with the Agreement and the DPA.
Signature and date: See signature and/or electronic acceptance date to the Agreement.
Role (controller/processor): Controller
Data importer:
Name: The Customer identified in the Agreement.
Address: As set forth in the Agreement.
Contact person’s name, position, and contact details: As set forth in the Agreement and Order Form or otherwise agreed to by the parties.
Activities relevant to the data transferred under these Clauses: Receiving the Services (including Output Data) provided by the data exporter in accordance with the Agreement and the DPA.
Signature and date: See signature and/or electronic acceptance date to the Agreement.
Role (controller/processor): Controller
- Description of Transfer
Categories of data subjects whose personal data is transferred: Data subjects include individuals whose data has been contributed to the Contributor Database.
Categories of personal data transferred: Output Data which includes (without limitation) the following categories of Personal Data:
- First and last name
- Title
- Employer
- Contact information (company, email, phone, physical business address)
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuously for the duration of the Agreement.
Nature of the processing: For the data importer’s use subject to the terms and license restrictions of the Agreement.
Purpose(s) of the data transfer and further processing: Data importer’s receipt of Services (including Output Data) provided by data exporter under the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain the Output Data in accordance with the Agreement.
For transfers to (sub-) processors, also specify the subject matter, nature,and duration of the processing: Same as above.
Exhibit 2
Technical And Organizational Measures Including Technical And Organizational Measures To Ensure The Security Of The Data
Data importer will implement and maintain the Technical and Organisational Measures described in Annex II. Notwithstanding any provision to the contrary otherwise agreed to by Data exporter, Data importer may modify or update these Technical and Organisational Measures at its discretion provided that such modifications and updates do not result in the degradation of the overall security of the Services. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
- Access Control
- Preventing Unauthorized Product Access
Outsourced processing: CRM Inputs hosts its Service with outsourced, US-based data center providers. Additionally, CRM Inputs maintains contractual relationships with vendors in order to provide the Service. CRM Inputs relies on contractual agreements, privacy policies, and vendor compliance programs in order to assure the protection of data processed or stored by these vendors.
Physical and environmental security: CRM Inputs hosts its product infrastructure with multi-tenant, outsourced data center providers. The physical and environmental security controls are audited for SOC 2 Type II compliance.
Authentication: CRM Inputs implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of CRM Inputs’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through Oauth authorization.
- Preventing Unauthorized Product Use
CRM Inputs implements industry-standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure.
Static code analysis: Security reviews of code stored in CRM Inputs’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
- Limitations of Privilege & Authorization Requirements
Product access: A subset of CRM Inputs’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, troubleshoot potential problems, and detect and respond to security incidents. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high-risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
- Preventing Unauthorized Product Access
- Transmission Control
In-transit: CRM Inputs makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the CRM Inputs products. CRM Inputs’s HTTPS implementation uses industry-standard algorithms and certificates.
At-rest: CRM Inputs stores user passwords following policies that follow at least industry standard practices for security.
- Input Control
Detection: CRM Inputs designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. CRM Inputs personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: CRM Inputs maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, CRM Inputs will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
Communication: If CRM Inputs becomes aware of unlawful access to Customer data stored within its products, CRM Inputs will: 1) notify the affected Customers of the incident; 2) provide a description of the steps CRM Inputs is taking to resolve the incident; and 3) provide status updates to the Customer contact, as CRM Inputs deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form CRM Inputs selects, which may include via email or telephone.
- Job Control
The CRM Inputs Product provides a solution for Customers to conduct their marketing and sales activities. Customers control the data types collected by and stored within their portals. CRM Inputs never sells personal data to any third party.
Terminating Customers: Customer Data in active (i.e., primary) databases are purged upon a customer’s written request, or for our web-based application available at https://crminputs.com, 90 days after a customer terminates all agreements for such products with CRM Inputs. Marketing information stored in backups, replicas, and snapshots is not automatically purged but instead ages out of the system as part of the data lifecycle. CRM Inputs reserves the right to alter the data purging period in order to address technical, compliance, or statutory requirements.
- Availability Control
Infrastructure availability: The data center providers use commercially reasonable efforts to ensure a minimum of 99.9% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple data centers and availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry-standard methods.
CRM Inputs’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal of preventing single points of failure. This design assists CRM Inputs operations in maintaining and updating the product applications and backend while limiting downtime.
- Separation in Processing
CRM Inputs’s collection of personal data from its Customers is to provide and improve our products. CRM Inputs does not use that data for other purposes that would require separate processing.