With effect as of its execution by Leadspace and Customer, this Data Processing Addendum (“DPA”) forms part of the Leadspace Software Service Agreement (“Agreement”) between Leadspace Inc., of 445 Bush Street, Suite 900, San Francisco, California 94108 (“Leadspace”) and the Customer whose details are indicated in the Agreement (“Customer”). This DPA reflects the parties’ agreement with regard to the Processing of Personal Data and supersedes any conflicting terms under the Agreement. All capitalized terms not defined herein will have the meaning set forth in the Agreement or under applicable Privacy Laws and Regulations.
DATA PROCESSING TERMS
In the course of providing Leadspace’s service (“Service”) to Customer pursuant to the Agreement, Leadspace may Process Personal Data on behalf of Customer. The parties agree to comply with the following provisions with respect to Personal Data Processed by Leadspace as part of the Service for Customer.
1.1. “Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Data Subject includes Consumer as such term is defined under the CCPA.
1.2. “Personal Data” means any information relating to a Data Subject. Personal Data includes Personal Information as such term is defined under the CCPA.
1.3. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
1.4. “Personnel” means persons authorized by Leadspace to Process Customer’s Personal Data.
1.5. “Privacy Laws and Regulations” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) and California Consumer Privacy Act of 2018 Cal. Civil Code § 1798.100 et seq. (“CCPA”).
1.6. “Privacy Shield” means the EU-US Privacy Shield Framework, as administered by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of July 12, 2016.
1.7. “Privacy Shield Principles” mean the Privacy Shield Principles, as supplemented by the Supplemental Principles and contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016, as may be amended, superseded or replaced.
1.8. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.9. “Leadspace Information Security Documentation” means the information security documentation applicable to the specific Service purchased by Customer, as updated from time to time, and made available by Leadspace upon request and subject to adequate confidentiality arrangements.
2. DATA PROCESSING
2.1. Scope and Roles. This DPA applies when Personal Data is Processed by Leadspace as part of Leadspace’s provision of the Service. In this context, for the purposes of the GDPR, Customer is the data controller or data processor and Leadspace is the data processor or another data processor and for the purposes of the CCPA, Customer is a Business and Leadspace is the Service Provider.
2.2. Subject Matter, Duration, Nature and Purpose of Processing. Leadspace processes Customer’s Personal Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the terms of the Agreement.
2.3. Type of Personal Data and Categories of Data Subjects. Leadspace processes business related contact details and insights. Leadspace does not process any special categories of data, as this term is referred to under the GDPR. The categories of relevant data subjects are business-related contacts of Customer’s customers and prospected customers.
2.4. Instructions for Leadspace’s Processing of Personal Data. Leadspace will only Process Personal Data received from the Customer, on behalf of and in accordance with Customer’s instructions. Customer instructs Leadspace to Process Personal Data for the following purposes: (i) Processing related to the Service in accordance with the terms of the Agreement; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement. Customer undertakes to provide Leadspace with lawful instructions only. Leadspace will inform Customer immediately, if in Leadspace’s opinion an instruction violates any provision under the GDPR and will be under no obligation to follow such instruction, until the matter is resolved in good-faith between the parties. As required under Privacy Laws and Regulations, Customer will provide all necessary notices to relevant Data Subjects and secure all necessary permissions and consents from them, to support the Processing of Personal Data by Leadspace pursuant to this DPA.
2.5. Leadspace will not (1) Sell Personal Data, or (2) retain, use or disclose Personal Data: (i) for any purpose other than for the specific purpose of performing the Service, or (ii) outside of the direct business relationship between Customer and Leadspace, except as permitted under the applicable Privacy Laws and Regulations. Leadspace acknowledges and will comply with the restrictions set forth in this Section 2.5.
2.6. The parties acknowledge and agree that the Personal Data that Customer discloses to Leadspace is provided to Leadspace for a Business Purpose, and Customer does not Sell such Personal Data to Leadspace in connection with the Agreement.
3.1. Taking into account the nature of the Processing, Leadspace will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subjects’ rights, as required under applicable Privacy Laws and Regulations. Leadspace will further assist Customer in ensuring compliance with Customer’s obligations in connection with the security of Processing, notification of a Personal Data Breach to supervisory authorities and affected Data Subjects, Customer’s data protection impact assessments and Customer’s prior consultation with supervisory authorities, in relation to Leadspace’s Processing of Personal Data under this DPA. Except for negligible costs, Customer will reimburse Leadspace with costs and expenses incurred by Leadspace in connection with the provision of assistance to Customer under this DPA.
4. LEADSPACE PERSONNEL
4.1. Limitation of Access. Leadspace will ensure that Leadspace’s access to Personal Data is limited to those personnel who require such access to perform the Agreement.
4.2. Confidentiality. Leadspace will impose appropriate contractual obligations upon its personnel engaged in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection, and data security. Leadspace will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. Leadspace will ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.
5. OTHER PROCESSORS
5.1. Leadspace may engage third-party service providers to process Personal Data on behalf of Customer (“Other Processors”). Customer hereby provides Leadspace with a general authorization to engage the Other Processors listed in Exhibit A to this Agreement. All Other Processors have entered into written agreements with Leadspace that bind them by substantially the same material obligations under this DPA. Where an Other Processor fails to fulfil its data protection obligations in connection with the Processing of Personal Data under this DPA, Leadspace will remain fully liable to Customer for the performance of that Other Processor’s obligations.
5.2. Leadspace may engage with a new Other Processor (“New Processor”) to Process Customer Personal Data on Customer’s behalf. Customer may object to the Processing of Customer’s Personal Data by the New Processor, for reasonable and explained grounds, within five (5) business days following Leadspace’s written notice to Customer of the intended engagement with the New Processor. If Customer timely sends Leadspace a written objection notice, the parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, Leadspace will make commercially reasonable efforts to provide Customer with the same level of Service, without using the New Processor to Process Customer’s Personal Data.
6. DATA TRANSFER
6.1. Leadspace is self-certified to and complies with the Privacy Shield and will maintain its self-certification to and compliance with the Privacy Shield throughout the period of providing the Service to the Customer under the Agreement. Transfer of Personal Data related to EU Data Subjects to Leadspace’s US-based sites is made pursuant to the terms of the Privacy Shield.
6.2. All Leadspace third-party service providers to whom Leadspace transfers Personal Data to provide the Service – (i) are certified to the Privacy Shield, or (ii) undertook to provide at least the same level of protection for the Personal Data as is required by the Privacy Shield Principles, or (iii) have executed or undertook to comply with such other binding instruments, certifications or self-certifications for the lawful transfer of Customer’s Personal Data related to Data Subjects within the EU to other territories, as required and available under the GDPR, or (iv) are established in a country that was acknowledged by the EU Commission as providing adequate protection to Personal Data.
6.3. If the Privacy Shield is invalidated, or if Leadspace or any of its third-party service providers are no longer able to continue complying with the Privacy Shield, or provide the same level of protection as under the Privacy Shield Principles, then Leadspace will take such measures in coordination with Customer and as required under the GDPR, to continue facilitating the lawful Processing in the US of Customer’s Personal Data related to Data Subjects within the EU by Leadspace and its Other Processors.
7.1. Controls. Leadspace is certified with the ISO 27001 and ISO 22301 standards and maintains administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of Customer’s Personal Data, pursuant to such standards. Leadspace regularly monitors compliance with these safeguards and will not decrease the overall security of Customer’s Personal Data during the term of providing the Service to Customer under the Agreement.
8. PERSONAL DATA BREACH MANAGEMENT AND NOTIFICATION
8.1. Leadspace maintains security incident management and breach notification policies and procedures and will notify Customer without undue delay after becoming aware of a Personal Data Breach related to Customer’s Personal Data which Leadspace, or any of Leadspace’s Other Processors, Process. Leadspace’s notice will at least: (a) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) communicate the name and contact details of Leadspace’s data protection team, which will be available to provide any additional available information about the Personal Data Breach; (c) describe the likely consequences of the Personal Data Breach; (d) describe the measures taken or proposed to be taken by Leadspace to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
8.2. Leadspace will work diligently, pursuant to its incident management and breach notification policies and procedures to promptly identify and remediate the cause of the Personal Data Breach and will promptly inform Customer accordingly.
9. AUDIT AND DEMONSTRATION OF COMPLIANCE
9.1. Leadspace will make available to Customer all information necessary for Customer to demonstrate compliance with the obligations laid down under Article 28 to the GDPR in relation to the Processing of Personal Data under this DPA by Leadspace and its Other Processors.
9.2. Leadspace will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in relation to Leadspace’s obligations under this DPA. Leadspace may satisfy the audit obligation under this section by providing Customer with attestations, certifications and summaries of audit reports conducted by accredited third party auditors. Other audits by Customer are subject to the following terms: (i) the audit will be pre-scheduled in writing with Leadspace, at least forty-five (45) days in advance and will be performed not more than once a year (unless the audit is required by a Supervisory Authority); (ii) a third-party auditor will execute a non-disclosure and non-competition undertaking toward Leadspace; (iii) the auditor will not have access to non-Customer data; (iv) Customer will make sure that the audit will not interfere with or damage Leadspace’s business activities and information and network systems; (v) Customer will bear all costs and expenses related to the audit; (vi) Customer will receive only the auditor’s report, without any Leadspace ‘raw data’ materials, will keep the audit results in strict confidentiality and will use them solely for the specific purposes of the audit under this DPA; (vii) at the written request of Leadspace, Customer will provide Leadspace with a copy of the auditor’s report; and (viii) as soon as the purpose of the audit is completed, Customer will permanently and completely dispose of all copies of the audit report.
10. DELETION OF PERSONAL DATA
10.1. At the choice of Customer, Leadspace will delete or return all Customer’s Personal Data to Customer after the end of the provision of Services relating to Processing of Customer’s Personal Data and delete existing copies unless required or permitted under applicable Privacy Laws and Regulations.
11. ANONYMIZED AND AGGREGATED DATA
11.1. Leadspace may process data based on extracts of Personal Data in aggregated and non-identifiable form, for Leadspace’s legitimate business purposes, including for testing, development, controls, and operations of the Service, and may share and retain such data at Leadspace’s discretion.
12. DISPUTE RESOLUTION
12.1. As the GDPR is subject to considerable evolvements and interpretation, the parties agree to communicate regularly about any open issues or process problems that require resolution. The parties will attempt in good faith to resolve any dispute related to this DPA as a precondition to commence legal proceedings, first by direct communications between the persons responsible for administering this DPA and next by negotiation between executives with authority to settle the controversy. Either party may give the other party a written notice of any dispute not resolved in the normal course of business. Within five (5) business days after delivery of the notice, the receiving party will submit to the other party a written response. The notice and the response will include a statement of each party’s position and a summary of arguments supporting that position and the name and title of the executive who will represent that party. Within five (5) business days after delivery of the disputing party’s notice, the executives of both parties will meet at a mutually acceptable time and place, including by phone, and thereafter as often as they reasonably deem necessary, to resolve the dispute. All reasonable requests for information made by one party to the other will be honored. All negotiations pursuant to this clause are confidential and will be treated as compromise and settlement negotiations for purposes of applicable rules of evidence.
13.1. This DPA will commence on the later of the date of its execution or the effective date of the Agreement to which it relates and will continue until the Agreement expires or is terminated.
| Name of Other Processor | Type of Services |
|---|---|
| Google Cloud Platform | Hosting Services |