LEADSPACE DATA PROCESSING ADDENDUM

With effect as of its execution by Leadspace and Customer, this Data Processing Addendum (“DPA”) forms part of the Leadspace Master Service Agreement (“Agreement”) between Leadspace Inc., of 122 Grand Street, New York, NY 10013, USA, (“Leadspace”) and the customer whose details are indicated in the Agreement (“Customer”). This DPA reflects the parties’ agreement regarding the Processing of Customer Personal Data and supersedes any conflicting terms under the Agreement. All capitalized terms not defined herein will have the meaning set forth in the Agreement or under applicable Privacy Laws and Regulations.

DATA PROCESSING TERMS

In the course of providing the Leadspace’s service (“Service”) to Customer pursuant to the Agreement, Leadspace may Process Customer Personal Data on behalf of Customer. The parties agree to comply with the following provisions concerning Customer Personal Data Processed by Leadspace as part of the Service.

1.              DEFINITIONS

1.1.         “Customer Personal Data” means Personal Data Processed by Leadspace on behalf of the Customer as part of the provision of the Service.

1.2.         “Data Controller”, “Business”, “Data Processor”, and “Service Provider” will have the same meaning as under applicable Privacy Laws and Regulations.

1.3.         “Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Data Subject includes Consumer as such term is defined under the CPRA.

1.4.         “Personal Data” means any information relating to a Data Subject. Personal Data includes Personal Information as such term is defined under the CPRA.

1.5.         “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

1.6.         “Personnel” means persons authorized by Leadspace to Process Customer’s Personal Data.

1.7.         “Privacy Laws and Regulations” means (A) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”); (B) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); and, (C) the California Consumer Privacy Rights Act of 2020 (“CPRA”), and any successors thereof.

1.8.         “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.

1.9.         “Third Country” means a country outside the European Economic Area (“EEA”), the UK or Switzerland, which has not been acknowledged by the EU Commission, a UK Secretary of State or the Federal Data Protection and Information Commissioner (as applicable) as providing an adequate level of protection in accordance with Article 45(3) of the GDPR or of the UK GDPR, or the equivalent under Swiss law.

2.              DATA PROCESSING

2.1.         Scope and Roles. This DPA applies when Customer shares Personal Data with Leadspace for the purposes of processing such Personal Data as part of Leadspace’s provision of the Service. In this context, for the purposes of the GDPR, Customer is the Data Controller or Data Processor and Leadspace is the Data Processor or another Data Processor and for the purposes of the CPRA, Customer is a Business and Leadspace is the Service Provider.

2.2.         Subject Matter, Duration, Nature and Purpose of Processing. Leadspace processes Customer Personal Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the terms of the Agreement, as further specified under ANNEX 1 to this DPA.

2.3.         Type of Personal Data and Categories of Data Subjects. Leadspace processes contact details and other business-related data which Customer shares with Leadspace. Leadspace does not process any special categories of data, as this term is referred to under the GDPR. The categories of relevant data subjects are business-related contacts of Customer’s customers and prospected customers.

2.4.         Instructions for Leadspace’s Processing of Personal Data. Leadspace will only Process Customer Personal Data, on behalf of and in accordance with Customer’s instructions. Customer instructs Leadspace to Process Customer Personal Data for the following purposes: (i) Processing related to the Service in accordance with the terms of the Agreement; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement. Customer undertakes to provide Leadspace with lawful instructions only. Leadspace will inform Customer immediately, if in Leadspace’s opinion an instruction violates any provision Privacy Laws and Regulations and will be under no obligation to follow such instruction, until the matter is resolved in good-faith between the parties. As required under Privacy Laws and Regulations, Customer will provide all necessary notices to relevant Data Subjects and secure all necessary permissions and consents from them, to support the Processing of Customer Personal Data by Leadspace pursuant to this DPA.

2.5.         CPRA Specific Provisions. To the extent that the CPRA applies to the Processing of Customer Personal Data by Leadspace, the following provisions will also apply to such Processing:

2.5.1.             Customer and Leadspace acknowledge that (1) Customer Personal Data is disclosed to Leadspace only for the limited Business Purpose of providing Customer with the Services (the “Purpose”); and, (2) Customer is not selling Customer Personal Data to Leadspace.

2.5.2.             Customer will notify Leadspace of any valid request received from a Data Subject pursuant to the CPRA that Leadspace must comply with and will provide Leadspace with all necessary information to comply with such request.

2.5.3.             Leadspace will not (1) Sell Customer Personal Data; (2) Share (within the meaning thereof under the CPRA) Customer Personal Data; and, unless permitted under the CPRA, retain, use or disclose Customer Personal Data: (i) for any purpose other than for the specific purpose of performing the Service; (ii) for any commercial purpose other than the Purpose, including in providing services to other Leadspace Customers; or, (iii) outside of the direct business relationship between Customer and Leadspace.

2.5.4.             Leadspace will: (1) comply with all applicable provisions under the CPRA, including with respect to providing the same level of protection to privacy as required under the CPRA; and, (2) notify Customer no later than within five (5) business days after determining that Leadspace can no longer meet its obligations under the CPRA.

2.5.5.             Customer may: (1) take reasonable and appropriate steps to ensure that Leadspace uses Customer Personal Data in a manner consistent with Customer’s obligations under the CPRA; (2) upon notice, take reasonable and appropriate steps to stop and remediate Leadspace’s unauthorized use of Customer Personal Data.

3.              ASSISTANCE

Taking into account the nature of the Processing, Leadspace will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subjects’ rights, as required under applicable Privacy Laws and Regulations. Leadspace will further assist Customer in ensuring compliance with Customer’s obligations in connection with the security of Processing, notification of a Personal Data Breach to supervisory authorities and affected Data Subjects, Customer’s data protection impact assessments and Customer’s prior consultation with supervisory authorities, in relation to Leadspace’s Processing of Customer Personal Data under this DPA. Except for negligible costs, Customer will reimburse Leadspace with costs and expenses incurred by Leadspace in connection with the provision of assistance Customer under this DPA.

4.              LEADSPACE PERSONNEL

4.1.         Limitation of Access. Leadspace will ensure that Leadspace’s access to Customer Personal Data is limited to personnel who require such access to perform the Agreement.

4.2.         Confidentiality. Leadspace will impose appropriate contractual obligations upon its personnel engaged in the Processing of Customer Personal Data, including relevant obligations regarding confidentiality, data protection, and data security. Leadspace will ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. Leadspace will ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.

5.              OTHER PROCESSORS

5.1.         Leadspace may engage third-party service providers to Process Customer Personal Data on behalf of Customer (“Other Processors”). Customer hereby provides Leadspace with a general authorization to engage the Other Processors listed in ANNEX 3 to this DPA. All Other Processors have entered into written agreements with Leadspace that bind them by substantially the same material obligations under this DPA. Where an Other Processor fails to fulfil its data protection obligations in connection with the Processing of Customer Personal Data under this DPA, Leadspace will remain fully liable to Customer for the performance of that Other Processor’s obligations.

5.2.         Leadspace may engage with a new Other Processor (“New Processor”) to Process Customer Personal Data on Customer’s behalf. Customer may object to the Processing of Customer Personal Data by the New Processor, for reasonable and explained grounds, within five (5) business days following Leadspace’s written notice to Customer of the intended engagement with the New Processor. If Customer timely sends Leadspace a written objection notice, the parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, Leadspace will make commercially reasonable efforts to provide Customer with the same level of Service, without using the New Processor to Process Customer Personal Data.

6.              ONWARD AND CROSS-BORDER DATA TRANSFER

Transfers of Customer Personal Data to a Third Country by Leadspace, or by Leadspace’s Other Processors or Leadspace’s New Processors are subject to the data transfer requirements under ANNEX C.

7.              SECURITY

7.1.         Controls. Leadspace is certified with the ISO 27001 and ISO 22301 standards and maintains administrative, physical and technical safeguards to protect the security, confidentiality and integrity of Customer Personal Data, as further specified under ANNEX 2 to this DPA. Leadspace regularly monitors compliance with these safeguards and will not decrease the overall security of Customer Personal Data during the term of providing the Service to Customer under the Agreement.

8.              PERSONAL DATA BREACH MANAGEMENT AND NOTIFICATION

8.1.         Leadspace maintains security incident management and breach notification policies and procedures and will notify Customer without undue delay after becoming aware of a Personal Data Breach related to Customer Personal Data, which Leadspace, or any of Leadspace’s Other Processors, Process. Leadspace’s notice will at least: (a) describe the nature of the Personal Data Breach including where possible, the categories and an approximate number of Data Subjects concerned and the categories and an approximate number of Customer Personal Data records concerned; (b) communicate the name and contact details of the Leadspace’s data protection team, which will be reasonably available to provide any additional available information about the Personal Data Breach; (c) describe the likely consequences of the Personal Data Breach; (d) describe the measures taken or proposed to be taken by Leadspace to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

8.2.         Leadspace will work diligently, pursuant to its incident management and breach notification policies and procedures to promptly identify and remediate the cause of the Personal Data Breach and will promptly inform Customer accordingly.

9.              AUDIT AND DEMONSTRATION OF COMPLIANCE

9.1.         Leadspace will make available to Customer all information necessary for Customer to demonstrate compliance with the obligations laid down under Article 28 to the GDPR in relation to the Processing of Customer Personal Data under this DPA by Leadspace and its Other Processors.

9.2.         Leadspace will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in relation to Leadspace’s obligations under this DPA. Leadspace may satisfy the audit obligation under this section by providing Customer with attestations, certifications and summaries of audit reports conducted by accredited third party auditors. Other audits by Customer are subject to the following terms: (i) the audit will be pre-scheduled in writing with Leadspace, at least forty-five (45) days in advance and will be performed not more than once a year (unless the audit is required by a Supervisory Authority); (ii) a third-party auditor will execute a non-disclosure and non-competition undertaking toward Leadspace; (iii) the auditor will not have access to non-Customer data (iv) Customer will make sure that the audit will not interfere with or damage Leadspace’s business activities and information and network systems; (v) Customer will bear all costs and expenses related to the audit; (vi) Customer will receive only the auditor’s report, without any Leadspace ‘raw data’ materials, will keep the audit results in strict confidentiality and will use them solely for the specific purposes of the audit under this DPA; (vii) at the written request of Leadspace, Customer will provide Leadspace with a copy of the auditor’s report; and (viii) as soon as the purpose of the audit is completed, Customer will permanently and completely dispose of all copies of the audit report.

10.           DELETION OF CUSTOMER PERSONAL DATA

At the choice of Customer, Leadspace will delete or return all Customer Personal Data to Customer after the end of the provision of Services relating to Processing of Customer Personal Data and delete existing copies unless required or permitted under applicable Privacy Laws and Regulations.

11.           ANONYMIZED AND AGGREGATED DATA

Leadspace may process data based on extracts of Customer Personal Data on an aggregated and non-identifiable form, for Leadspace’s legitimate business purposes, including for testing, development, controls, and operations of the Service, and may share and retain such data at Leadspace’s discretion.

12.           DISPUTE RESOLUTION

As Privacy Laws and Regulations are subject to considerable evolvements and interpretation, the parties agree to communicate regularly about any open issues or process problems that require resolution. The parties will attempt in good faith to resolve any dispute related to this DPA as a precondition to commencing legal proceedings, first by direct communications between the persons responsible for administering this DPA and next by negotiation between executives with authority to settle the controversy. Either party may give the other party a written notice of any dispute not resolved in the normal course of business. Within five (5) business days after delivery of the notice, the receiving party will submit a written response to the other party. The notice and the response will include a statement of each party’s position and a summary of arguments supporting that position and the name and title of the executive who will represent that party. Within five (5) business days after delivery of the disputing party’s notice, the executives of both parties will meet at a mutually acceptable time and place, including by phone, and thereafter as often as they reasonably deem necessary, to resolve the dispute. All reasonable requests for information made by one party to the other will be honored. All negotiations pursuant to this clause are confidential and will be treated as compromise and settlement negotiations for purposes of applicable rules of evidence.

13.           TERM

This DPA will commence on the later date of its execution or the effective date of the Agreement to which it relates and will continue until the Agreement expires or is terminated.

ANNEX 1
– DETAILS OF THE PERSONAL DATA PROCESSING –
(Also serves as ANNEX I to the EU SCCs)

1. LIST OF PARTIES

Customer – Data exporter

Name, address and contact details: Customer, whose name, address and contact details are as detailed in the applicable Order Form.

Activities relevant to the data transferred under these Clauses: Provision of the Services under the Agreement.

Signature and date: The data exporter’s signature on the DPA or agreement between the parties applies herein.

Role (data controller/data processor): Data Controller or Data Processor, as applicable.

Leadspace – Data Importer

Name: Leadspace, Inc.

Address: 445 Bush Street, Suite 900 San Francisco, CA 94108

Contact person’s name, position and contact details: as detailed in the applicable Order Form

Activities relevant to the data transferred under these Clauses: Personal Data processing for the performance of the Agreement.

Role (data controller/data processor): Data Processor

• DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Representatives of Customer’s customers and prospective customers.

Categories of personal data transferred

Business related contact information such as name, title, business email address.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

continuous basis.

Nature of the processing

All operations such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means), etc.

Purpose(s) of the data transfer and further processing

The provision of the Service in accordance with the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data will be retained during the term of the Agreement and will be deleted in accordance with the terms therein.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter of the processing is Customer’s Personal Data, the nature of the Processing is the performance of the Service under the Agreement and as detailed above and the duration of the Processing is the term of the Agreement.

• COMPETENT SUPERVISORY AUTHORITY

Where the data exporter is established in an EU Member State – the supervisory authority of such EU Member State shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) – the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) – the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses, shall act as competent supervisory authority.

ANNEX 2
– TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA –
(Also serves as Annex II to the EU SCCs)

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

The technical and organizational measures (TOMs) provided below apply to all standard service offerings provided by Leadspace, except where the Customer is responsible for implementing technical and organizational measures to secure its data. Evidence of the measures implemented and maintained by Leadspace Security may be presented in the form of up-to-date certifications from independent bodies upon receipt of a written request from the Customer.

These measures are commercially reasonable, are aligned with industry standard technical and organizational measures, to protect personal data. These measures are consistent with applicable laws and meet the standard of protection appropriate to the risk of processing personal data in the course of providing Leadspace’s services. Leadspace will regularly carry out, test, review and update all such measures.

These measures will be subject to technical progress and future developments of Leadspace’s services. Accordingly, Leadspace will be permitted to implement alternative adequate measures, in such event, the security level may not be lower that the measures memorialized hereto. Material changes will be coordinated with the relevant Data Controller and will be documented.

Measure	Description
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services	Leadspace creates and maintains the following security and privacy documentation and store them in a central repository with restricted access control: DPA.Technical and Organizational Measures (TOMs).Non-disclosure Agreement (NDA) or Agreement to Exchange Confidential Information (AECI) or similar (as required).Sub-processor Agreement (as required). Leadspace employees complete security and privacy education annually and have acknowledged the need to comply with Leadspace’s ethical business conduct, confidentiality, privacy and security policies, as set out in Leadspace’s Code of Conduct and internal policies. Additional policy and process training will be provided to persons granted administrative access to security components that are specific to their role within Leadspace’s operations and support of the service, and as required to maintain compliance and certifications. Leadspace Security maintains policies and procedures designed to manage risks associated with the application of changes to the Leadspace SaaS platform. Leadspace incorporates Privacy by Design principles for systems and enhancements at the earliest stage of development.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident	Leadspace maintains an incident response plan and follow documented incident response policies including data breach notification to Customers without undue delay in accordance with Leadspace’s obligation under its DPA. Availability of data through business continuity and disaster recovery planning support Leadspace’s SaaS platform. Leadspace Services are defined, documented, maintained and annually validated business continuity and disaster recovery plans consistent with industry standard practices. All backup data is encrypted.
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing	Leadspace validates that necessary documentation is in place between Leadspace and the Customer, where Leadspace processes non-sensitive Personal Data covered by GDPR. In case of a change to the defined scope, any change to the processing of Personal Data is reviewed to determine any impact on required TOMs. Leadspace assesses risks related to the processing and international transfer of Personal Data and create an action plan to mitigate identified risks.
Measures for user identification and authorization	Leadspace maintains proper controls for requesting, approving, granting, modifying, revoking and revalidating user access to systems and applications containing Personal Data. Only employees with clear business needs are granted access to Personal Data located on servers, within applications, databases and/or have the ability to download data within Leadspace’s network. All access requests are approved based on individual role-based access and reviewed on a regular basis for continued business needs. All information systems meet Leadspace’s IT information security policy and employ security configurations and security hygiene practices to protect against unauthorized access to operating system resources. For Customers with Professional Services, Leadspace maintains additional controls for user access to Customer’s Personal Data to prevent unauthorized access to Customer Personal Data. Access to customer Personal Data is verified regularly for continued employment and re-validated annually for continued business needs. Leadspace limits privileged access to individuals for a limited period of time and usage is monitored and logged. Access is shared for a limited period of time and usage is monitored and logged as well as revalidated regularly.
Measures for the protection of data during transmission	Leadspace employs encrypted and authenticated remote connectivity between Leadspace computing environments and Customer’s systems.
Measures for the protection of data during storage	Leadspace relies on well-known cloud providers (GCP, Azure and AWS) to maintain all physical security aspects of their data-centers. Leadspace maintains measures meant to identify, manage, mitigate and/or remediate vulnerabilities within the Leadspace computing environments. Such measures include: Patch managementAnti-virus / anti-malwareThreat notification advisoriesVulnerability scanning (all internal systems) and periodic penetration testing (Internet facing systems) within remediation of identified vulnerabilities. As a general rule Leadspace does not use portable storage, in the rare cases that such usage may be needed and is approved on a case by case basis, Leadspace implements protections to secure portable storage media from damage, destruction, theft or unauthorized copying and the personal data stored on portable media through encryption and secure removal of data when it is no longer needed. Additional similar measures are implemented for mobile computing devices to protect Personal Data. Leadspace implements protections on end-user devices and monitor those devices to be in compliance with relevant security standards, screen saver, antivirus software, firewall software, unauthenticated file sharing, hard disk encryption and appropriate patch levels. Controls are implemented to detect and remediate workstation compliance deviations. Leadspace securely sanitizes physical media intended for reuse prior to such reuse and destroys physical media not intended for reuse.
Measures for ensuring physical security of locations at which personal data are processed	Leadspace implements the physical security of Leadspace offices and takes precautions against environmental threats and power disruptions for Customers.
Measures for ensuring events logging	Computing environments with resources containing Personal Data are logged and monitored. Usage of privileged access is monitored and logged. Shared access is monitored and logged.
Measures for ensuring system configuration, including default configuration	Leadspace ensures a secure configuration of the environments by using IaC (infrastructure as code) for all standard operations such as deploy or update environments, Leadspace hardens deployments by removing unnecessary services, ports and hardening default configuration.
Measures for internal IT and IT security governance and management	Leadspace maintains and follows IT security policies and practices that are integral to Leadspace’s business and mandatory for all Leadspace employees, including supplemental personnel. IT security policies are reviewed periodically and amended as Leadspace deems reasonable to maintain protection of services and Personal Data processed therein.
Measures for certification/assurance of processes and products	Leadspace is ISO 27001 and 22301 certified and is SOC2 audited as of Q3 2023.
Measures for ensuring data minimization (using only necessary data)	Leadspace ensures data minimization by processing only that data which is relevant and necessary for the provision of the service. Sensitive data is outside the scope of Leadspace’s services.
Measures for ensuring limited data retention	Leadspace maintains an inventory of Personal Data reflecting the instructions set out in the DPA, including destruction instructions upon termination of the agreement between Leadspace and Customer.
Measures for ensuring accountability	Leadspace ensures accountability through the logging of access activity that is stored in a Centralized logging system. Logs are retained for defined periods and can be reviewed to ensure that any access is proportionate and appropriate. All Leadspace employees are required to abide by a data handling and classification program, any violation of these requirements will result in disciplinary actions.
Measures for ensuring data erasure	Leadspace ensures data portability by allowing customers to retrieve any data placed within our SaaS using Leadspace API or UI into a JSON or CSV format file, in some cases a support ticket may be required for special exports.  Data erasure is done as part of customer off-boarding, customers can also request certificate of destruction from Leadspace support.

ANNEX 3
– LIST OF OTHER PROCESSORS –
(Also serves as Annex III to the EU SCCs, to the extent required under the applicable module)

Name of Other Processor	Description of Processing	Territory	Contact Details
Google Cloud Platform	Hosting Services	US	https://support.google.com/cloud/contact/dpo
Informatica	Email verification	US	privacy@informatica.com
SalesIntel	Data enrichment	US	support@salesIntel.io
AwesomeOS	Support	Philippines	eric@awesomeos.com
LiveRamp	Marketing platform	US	US – https://submit-irm.trustarc.com/services/validation/5c2b0c65-cac5-4a10-96cd-aa3821a77b2b UK – ukprivacy@liveramp.com EEA – cil@liveramp.com
Databricks	Data processing platform	US	Privacy@databricks.com
Leadspace Ltd.	Data processing and analysis.	Israel	compliance_privacy@leadspace.com
Tray.io	Integration Platform	US	privacy@tray.io

ANNEX 4
– CROSS BORDER CUSTOMER PERSONAL DATA TRANSFER –

1. DEFINITIONS. Capitalized terms not defined herein will have the meaning set forth in the DPA or under Privacy Laws and Regulations.
   1.1. “EU SCCs” means the Standard Contractual Clauses pursuant to EU Commission Decision C(2021)3972.
   1.2. “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992 (Status as of 1 March 2019) as replaced by its amendment of September 25, 2020 (effective as of September 1, 2023).
   1.3. “IDTA” means the International Data Transfer Agreement, issued by the ICO in accordance with section 119A of the Data Protection Act 2018, or any other applicable standard contractual clauses issued, approved, or otherwise recognized by the ICO.
   1.4. “Swiss SCCs” means the applicable standard contractual clauses issued, approved, or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”).
   1.5. “Third Country” means a country outside the European Economic Area (“EEA”), the UK or Swit-zerland, which was not acknowledged by the EU Commission, a UK Secretary of State or the FDPIC (as applicable) as providing an adequate level of protection in accordance with Article 45(3) of the GDPR, Article 45 of the UK GDPR or the equivalent.
   1.6. A “Transfer” means a transfer by Leadspace, Leadspace’s New Processors or Leadspace’s Other Processors of: (1) GDPR-governed Customer Personal Data transferred outside the EEA (“EEA Transferred Data”); (2) UK-GDPR governed Customer Personal Data transferred outside the UK (“UK Transferred Data”); and, (3) FADP-governed Customer Personal Data transferred outside of Switzerland (“Swiss Transferred Data”, and with EEA and UK Transferred Data: “Transferred Data”).
   1.7. “UK Addendum” means the UK addendum published by the Information Commissioner’s Of-fice’s (“ICO”) in accordance with section 119A(1) of the Data Protection Act of 2018, incorporat-ing the EU SCCs.
2. EEA TRANSFERS. Transfers of EEA Transferred Data to a Third Country, will be made under the EU SCCs, giving effect to module 2 or 3, as applicable, which is incorporated by reference to this DPA, as follows:
   2.1. In Clause 7, the optional docking clause will apply.
   2.2. If applicable – in clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set out in Section 5 of this DPA.
   2.3. In clause 11, the optional language will not apply.
   2.4. In clause 17, Option 1 will apply, and the EU SCC will be governed by the Irish law.
   2.5. In clause 18(b), disputes will be resolved before the courts of Ireland.
   2.6. Annexes (I)-(II) to the EU SCCs will be completed with the relevant details in ANNEXES A-B to this DPA.
3. UK TRANSFERS. Transfers of UK Transferred Data to a Third Country, will be made –
   3.1. In accordance with the EU SCCs as detailed in section 2 above, as amended by the UK Adden-dum, which is incorporated by reference to this DPA, with the necessary changes made as de-tailed in sections 12-15 to the UK Addendum; or,
   3.2. if the EU SCCs as implemented above cannot be used to lawfully Transfer UK Transferred Data, the IDTA will instead be incorporated by reference, will form an integral part of this DPA, and will apply to Swiss Transferred Data. In such case, the relevant Annexes of the Swiss SCCs will be populated using the information contained in ANNEXES A-B.
4. SWISS TRANSFERS. Transfers of Swiss Transferred Data to a Third Country, will be made –
   4.1. In accordance with the EU SCCs as detailed in section 2 above, as recognized by the FDPIC on August 27, 2021, with the following modifications: (1) references to ‘EU’, ‘Union’, ‘Member State’ and ‘Member State law’ will be interpreted as references to ‘Switzerland’, and ‘Swiss law’, as applicable; and, (2) references to ‘Competent supervisory authority’ and ‘Competent courts’ will be interpreted as references to the FDIPC and Competent courts in Switzerland; or,
   4.2. if the EU SCCs as implemented above cannot be used to lawfully Transfer Swiss Transferred Da-ta in compliance with the FADP, the Swiss SCCs will instead be incorporated by reference, will form an integral part of this DPA, and will apply to Swiss Transferred Data. In such case, the rele-vant Annexes of the Swiss SCCs will be populated using the information contained in ANNEXES A-B.
5. SUPPLEMENTAL MEASURES. In accordance with Article 46 of the GDPR, the EU SCCs and guidelines published by the European Data Protection Board (EDPB), and without prejudice to any provisions of the DPA or this Annex, Leadspace undertakes to implement the following organizational and technical safeguards, in addition to the safeguards mandated by the EU SCCs, to ensure the required adequate level of protection to Transferred Data:
   5.1. Technical and Organizational Measures. Leadspace will implement and maintain the tech-nical and organizational measures, as specified in ANNEX 2, which is attached and incorporated by reference to this DPA, with a purpose to protect Customer Personal Data against any pro-cessing for national security or other government purposes that go beyond what is necessary and proportionate in a democratic society, considering the type of processing activities under the Agreement and relevant circumstances.
   5.2. Contractual Measures. For the purposes of safeguarding Transferred Data when any Third Country’s government or regulatory authority requests access to such data (“Request”), and un-less required by a valid court order or if otherwise Leadspace may face criminal charges for fail-ing to comply with orders or demands to disclose or otherwise provide access to EEA Trans-ferred Data, or where the access is requested in the event of imminent threat to lives, Leadspace will:
   5.2.1. not purposefully create back doors or similar programming that could be used to ac-cess EEA Transferred Data;
   5.2.2. not provide the source code or encryption keys to any government agency for the purpose of accessing EEA Transferred Data;
   5.2.3. upon Customer’s written request, provide reasonable available information about the requests of access to Customer Personal Data by government agencies Leadspace has received in the 6 months preceding to Customer’s request; and,
   5.2.4. notify Customer upon receiving a request by a government agency to access Cus-tomer Personal Data to enable Customer to take necessary actions, communicate di-rectly with the relevant authority and to respond to the request. If Leadspace is pro-hibited by law to notify the Customer of such request, Leadspace will make reasona-ble efforts to challenge such prohibition through judicial action or other means at Cus-tomer’s expense and, to the extent possible, will provide only the minimum amount of information necessary.
6. FUTURE ADEQUACY. As applicable, if: (A) the Adequacy Recognition is invalidated or otherwise ter-minated by the EU Commission or a UK Secretary of State; (B) the EU SCC are invalidated or are no longer in effect; or (C) any other Transfer safeguard used for the Transfer of Transferred Data is no longer in effect for any reason, then Leadspace will take such alternative lawful measures, as may be available and applicable, to continue facilitating the lawful Transfer of Transferred Data by Leadspace, Leadspace’s Other Processors, Leadspace’s New Processors, or equivalents thereof.