LEADSPACE DATA PROCESSING ADDENDUM
With effect as of its execution by Leadspace and Customer, this Data Processing Addendum (“DPA”) forms part of the Leadspace Software Service Agreement (“Agreement”) between Leadspace Inc., of 445 Bush Street, Suite 900, San Francisco, CA 94108, (“Leadspace”) and the customer whose details are indicated in the Agreement (“Customer”). This DPA reflects the parties’ agreement with regard to the Processing of Personal Data and supersedes any conflicting terms under the Agreement. All capitalized terms not defined herein will have the meaning set forth in the Agreement or under applicable Privacy Laws and Regulations.
DATA PROCESSING TERMS
In the course of providing Leadspace’s service (“Service”) to Customer pursuant to the Agreement, Leadspace may Process Personal Data on behalf of Customer. The parties agree to comply with the following provisions concerning Personal Data Processed by Leadspace as part of the Service for Customer.
1.2. “Personal Data” means any information relating to a Data Subject. Personal Data includes Personal Information as such term is defined under the CCPA.
1.5. “Privacy Laws and Regulations” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) and California Consumer Privacy Act of 2018 Cal. Civil Code § 1798.100 et seq. (“CCPA”).
1.6. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.7. “Leadspace Information Security Documentation” means the information security documentation applicable to the specific Service purchased by Customer, as updated from time to time, and made available by Leadspace upon request and subject to adequate confidentiality arrangements.
2. DATA PROCESSING
2.2. Subject Matter, Duration, Nature and Purpose of Processing. Leadspace processes Customer’s Personal Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the terms of the Agreement.
2.5. Leadspace will not (1) Sell Personal Data, or (2) retain, use or disclose Personal Data: (i) for any purpose other than for the specific purpose of performing the Service, or (ii) outside of the direct business relationship between Customer and Leadspace, except as permitted under the applicable Privacy Laws and Regulations. Leadspace acknowledges and will comply with the restrictions set forth in this Section 2.5.
2.6. The parties acknowledge and agree that the Personal Data that Customer discloses to Leadspace is provided to Leadspace for a Business Purpose, and Customer does not Sell such Personal Data to Leadspace in connection with the Agreement.
4. LEADSPACE PERSONNEL
4.1. Limitation of Access. Leadspace will ensure that Leadspace’s access to Personal Data is limited to personnel who require such access to perform the Agreement.
4.2. Confidentiality. Leadspace will impose appropriate contractual obligations upon its personnel engaged in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection, and data security. Leadspace will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. Leadspace will ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.
5. OTHER PROCESSORS
5.2. Leadspace may engage with a new Other Processor (“New Processor”) to Process Customer Personal Data on Customer’s behalf. Customer may object to the Processing of Customer’s Personal Data by the New Processor, for reasonable and explained grounds, within five (5) business days following Leadspace’s written notice to Customer of the intended engagement with the New Processor. If Customer timely sends Leadspace a written objection notice, the parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, Leadspace will make commercially reasonable efforts to provide Customer with the same level of Service, without using the New Processor to Process Customer’s Personal Data.
6. DATA TRANSFER
6.1. Transfer of GDPR-governed Customer’s Personal Data from the EU (“Transferred Data”) to Leadspace’s Israel-based site is made in accordance with EU Commission Decision 2011/61/EU, pursuant to Directive 95/46/EC of the European Parliament and of the Council, on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data. Transfer of Personal Data from the EU to Leadspace’s sites in the US is governed by the applicable binding data transfer instrument, the EU standard contractual clauses (“EU SCCs”), pursuant to EU Commission Decision C(2021)3972, giving effect to the module specified in Exhibit B to the EU SCCs, as provided in https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en or, as required, in accordance with any successor thereof or an alternative lawful data transfer mechanism.
6.2. In accordance with Article 46 of the GDPR and the EU SCCs, and without prejudice to any provisions of this DPA, Leadspace undertakes to implement the following organizational and technical safeguards, in addition to the safeguards mandated by the EU SCCs and in accordance with Clause 14(b)(iii) of the EU SCCs, to ensure the required adequate level of protection to the Transferred Data:
6.2.1. Leadspace will implement and maintain the technical measures, as specified in Annex II of Exhibit B, which is attached and incorporated by reference to this DPA, with a purpose to protect the Transferred Data from Processing for national security or other governmental purposes that goes beyond what is necessary and proportionate in a democratic society, considering the type of Processing activities under the Agreement and relevant circumstances;
6.2.2. For the purposes of safeguarding Transferred Data when any Third Country’s government or regulatory agency requests access to such data (“Request”), and unless Leadspace is required to comply by a valid court order, would otherwise face criminal charges for failing to comply with an order or demand to disclose or provide access to Transferred Data, or the access is requested in the event of an imminent threat to lives, Leadspace will:
6.2.2.1. not purposefully create ‘back doors’ or similar programming that could be used to access the Transferred Data;
6.2.2.2. not provide the source code or encryption keys to any government agency for the purpose of accessing the Transferred Data; and
6.2.2.3. upon Customer’s written request, provide reasonable available information about the requests for access to Personal Data by government agencies that Leadspace has received in the six (6) months preceding Customer’s request.
6.2.3. If Leadspace receives a Request, Leadspace will notify Customer of such Request to enable Customer to take necessary actions, to communicate directly with the relevant agency and to respond to the Request. If Leadspace is prohibited by law from notifying Customer of the Request, Leadspace will make reasonable efforts to challenge such prohibition through judicial action or other means at Customer’s expense and, to the extent possible, will provide only the minimum amount of information necessary.
7.1. Controls. Leadspace is certified to the ISO 27001 and ISO 22301 standards and maintains administrative, physical and technical safeguards to protect the security, confidentiality and integrity of Customer’s Personal Data, as further specified under Annex II of Exhibit B. Leadspace regularly monitors compliance with these safeguards and will not decrease the overall security of Customer’s Personal Data during the term of providing the Service to Customer under the Agreement.
8. PERSONAL DATA BREACH MANAGEMENT AND NOTIFICATION
8.2. Leadspace will work diligently, pursuant to its incident management and breach notification policies and procedures to promptly identify and remediate the cause of the Personal Data Breach and will promptly inform Customer accordingly.
9. AUDIT AND DEMONSTRATION OF COMPLIANCE
9.1. Leadspace will make available to Customer all information necessary for Customer to demonstrate compliance with the obligations laid down under Article 28 to the GDPR in relation to the Processing of Personal Data under this DPA by Leadspace and its Other Processors.
10. DELETION OF PERSONAL DATA
10.1. At the choice of Customer, Leadspace will delete or return all Customer’s Personal Data to Customer after the end of the provision of Services relating to Processing of Customer’s Personal Data and delete existing copies unless required or permitted under applicable Privacy Laws and Regulations.
11. ANONYMIZED AND AGGREGATED DATA
12. DISPUTE RESOLUTION
13.1. This DPA will commence on the later date of its execution or the effective date of the Agreement to which it relates and will continue until the Agreement expires or is terminated.
|Name of Other Processor|Type of Services|
|---|---|
|Google Cloud Platform|Hosting Services|
Standard Contractual Clauses
ANNEX to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council
X MODULE TWO: Transfer controller to processor
- LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
- The Customer whose details are as specified under the applicable Order Form.
Data importer(s):
- Name: Leadspace, Inc.
Address: 445 Bush Street, Suite 900 San Francisco, CA 94108
Contact person’s name, position and contact details: as detailed in the applicable Order Form
Activities relevant to the data transferred under these Clauses: Personal Data processing for the performance of the Agreement.
Role (controller/processor): Processor
- DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Representatives of Customer’s customers and prospective customers.
Categories of personal data transferred
Business related contact information such as name, title, business email address.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Nature of the processing
All operations such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means), etc.
Purpose(s) of the data transfer and further processing
The provision of the Service in accordance with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal Data will be retained during the term of the Agreement and will be deleted in accordance with the terms therein.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter of the processing is Customer’s Personal Data, the nature of the Processing is the performance of the Service under the Agreement and as detailed above and the duration of the Processing is the term of the Agreement.
- COMPETENT SUPERVISORY AUTHORITY
Where the data exporter is established in an EU Member State – the supervisory authority of such EU Member State shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) – the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) – the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses are located shall act as competent supervisory authority.
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.
The technical and organizational measures (TOMs) provided below apply to all standard service offerings provided by Leadspace, except where the Customer is responsible for implementing technical and organizational measures to secure its data. Evidence of the measures implemented and maintained by Leadspace Security may be presented in the form of up-to-date certifications from independent bodies upon receipt of a written request from the Customer.
These measures are commercially reasonable and aligned with industry-standard technical and organizational measures for the protection of personal data. They are consistent with applicable laws and meet the standard of protection appropriate to the risk of processing personal data in the course of providing Leadspace’s services. Leadspace will regularly carry out, test, review and update all such measures.
These measures will be subject to technical progress and future developments of Leadspace’s services. Accordingly, Leadspace will be permitted to implement alternative adequate measures; in such event, the security level may not be lower than the measures memorialized herein. Material changes will be coordinated with the relevant Data Controller and will be documented.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Leadspace will create and maintain the following security and privacy documentation as well as store them in a central repository with restricted access control:
- Technical and Organizational Measures (TOMs)
- Non-disclosure Agreement (NDA) or Agreement to Exchange Confidential Information (AECI) or similar (as required)
- Sub-processor Agreement (as required)
Leadspace employees will complete security and privacy education annually and have acknowledged the need to comply with Leadspace’s ethical business conduct, confidentiality, privacy and security policies, as set out in Leadspace’s Code of Conduct and internal policies. Additional policy and process training will be provided to persons granted administrative access to security components that are specific to their role within Leadspace’s operations and support of the service, and as required to maintain compliance and certifications.
Leadspace Security will maintain policies and procedures designed to manage risks associated with the application of changes to the Leadspace SaaS platform.
Leadspace will incorporate Privacy by Design principles for systems and enhancements at the earliest stage of development.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Leadspace will validate that necessary documentation is in place between Leadspace and the Customer, where Leadspace processes non-sensitive Personal Data covered by GDPR. In case of a change to the defined scope, any change to the processing of Personal Data will be reviewed to determine any impact on required TOMs.
Leadspace will assess risks related to the processing and international transfer of Personal Data and create an action plan to mitigate identified risks.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Leadspace will maintain an incident response plan and follow documented incident response policies including data breach notification to Customers without undue delay in accordance with Leadspace’s obligation under its DPA.
Availability of data is supported by business continuity and disaster recovery planning for Leadspace’s SaaS platform. Leadspace Services will have defined, documented, maintained and annually validated business continuity and disaster recovery plans consistent with industry-standard practices. All backup data will be encrypted.
Measures for internal IT and IT security governance and management
Leadspace will maintain and follow IT security policies and practices that are integral to Leadspace’s business and mandatory for all Leadspace employees, including supplemental personnel. IT security policies will be reviewed periodically and amended as Leadspace deems reasonable to maintain protection of services and Personal Data processed therein.
Measures for ensuring physical security of locations at which personal data are processed
Leadspace will implement the physical security of Leadspace offices and take precautions against environmental threats and power disruptions for Customers.
Measures for the protection of data during storage
Leadspace relies on well-known cloud providers (GCP, Azure and AWS) to maintain all physical security aspects of their data-centers.
Leadspace will maintain measures meant to identify, manage, mitigate and/or remediate vulnerabilities within the Leadspace computing environments. Such measures include:
• Patch management
• Anti-virus / anti-malware
• Threat notification advisories
• Vulnerability scanning (all internal systems) and periodic penetration testing (Internet-facing systems), with remediation of identified vulnerabilities.
As a general rule, Leadspace does not use portable storage. In the rare cases where such usage is needed, it will be approved on a case-by-case basis, and Leadspace will protect the portable storage media from damage, destruction, theft or unauthorized copying, protect the Personal Data stored on it through encryption, and securely remove the data when it is no longer needed. Similar measures will be implemented for mobile computing devices to protect Personal Data.
Leadspace will implement protections on end-user devices and monitor those devices for compliance with relevant security standards, including screen locking, antivirus software, firewall software, blocking of unauthenticated file sharing, hard disk encryption and appropriate patch levels. Controls are implemented to detect and remediate workstation compliance deviations.
Leadspace will securely sanitize physical media intended for reuse prior to such reuse and will destroy physical media not intended for reuse.
Measures for user identification and authorization
Leadspace will maintain proper controls for requesting, approving, granting, modifying, revoking and revalidating user access to systems and applications containing Personal Data. Only employees with clear business needs will be granted access to Personal Data located on servers, within applications, databases and/or will have the ability to download data within Leadspace’s network. All access requests will be approved based on individual role-based access and reviewed on a regular basis for continued business needs. All information systems will meet Leadspace’s IT information security policy and employ security configurations and security hygiene practices to protect against unauthorized access to operating system resources.
For Customers with Professional Services, Leadspace will maintain additional controls for user access to Customer’s Personal Data to prevent unauthorized access to Customer Personal Data. Access to customer Personal Data is verified regularly for continued employment and re-validated annually for continued business needs. Leadspace will limit privileged access to individuals for a limited period of time and usage will be monitored and logged.
Any shared access will be for a limited period of time and usage will be monitored and logged as well as revalidated regularly.
Measures for the protection of data during transmission
Leadspace will employ encrypted and authenticated remote connectivity between Leadspace computing environments and Customer’s systems.
Measures for ensuring limited data retention
Leadspace will maintain an inventory of Personal Data reflecting the instructions set out in the DPA, including destruction instructions upon termination of the agreement between Leadspace and Customer.
Measures for ensuring events logging
Computing environments with resources containing Personal Data will be logged and monitored.
Usage of privileged access will be monitored and logged. Shared access will be monitored and logged.