With effect as of its execution by Leadspace and Customer, this Data Processing Addendum (“DPA”) forms part of the Leadspace Software Service Agreement (“Agreement”) between Leadspace Inc., of 445 Bush Street, Suite 900, San Francisco, CA 94108, (“Leadspace”) and the customer whose details are indicated in the Agreement (“Customer”). This DPA reflects the parties’ agreement with regard to the Processing of Personal Data and supersedes any conflicting terms under the Agreement. All capitalized terms not defined herein will have the meaning as set forth in the Agreement or under applicable Privacy Laws and Regulations.
DATA PROCESSING TERMS
In the course of providing Leadspace’s service (“Service”) to Customer pursuant to the Agreement, Leadspace may Process Personal Data on behalf of Customer. The parties agree to comply with the following provisions concerning Personal Data Processed by Leadspace as part of the Service for Customer.
1.1. “Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Data Subject includes Consumer as such term is defined under the CCPA.
1.2. “Personal Data” means any information relating to a Data Subject. Personal Data includes Personal Information as such term is defined under the CCPA.
1.3. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
1.4. “Personnel” means persons authorized by Leadspace to Process Customer’s Personal Data.
1.5. “Privacy Laws and Regulations” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) and California Consumer Privacy Act of 2018 Cal. Civil Code § 1798.100 et seq. (“CCPA”).
1.6. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.7. “Leadspace Information Security Documentation” means the information security documentation applicable to the specific Service purchased by Customer, as updated from time to time, and made available by Leadspace upon request and subject to adequate confidentiality arrangements.
2. DATA PROCESSING
2.1. Scope and Roles. This DPA applies when Customer shares Personal Data with Leadspace for the purposes of processing such Personal Data as part of Leadspace’s provision of the Service. In this context, for the purposes of the GDPR, Customer is the data controller or data processor and Leadspace is the data processor or another data processor and for the purposes of the CCPA, Customer is a Business and Leadspace is the Service Provider.
2.2. Subject Matter, Duration, Nature and Purpose of Processing. Leadspace processes Customer’s Personal Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the terms of the Agreement.
2.3. Type of Personal Data and Categories of Data Subjects. Leadspace processes contact details and other business-related data which Customer shares with Leadspace. Leadspace does not process any special categories of data, as this term is referred to under the GDPR. The categories of relevant data subjects are business-related contacts of Customer’s customers and prospected customers.
2.4. Instructions for Leadspace’s Processing of Personal Data. Leadspace will only Process Personal Data received from Customer, on behalf of and in accordance with Customer’s instructions. Customer instructs Leadspace to Process Personal Data for the following purposes: (i) Processing related to the Service in accordance with the terms of the Agreement; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement. Customer undertakes to provide Leadspace with lawful instructions only. Leadspace will inform Customer immediately, if in Leadspace’s opinion an instruction violates any provision under the GDPR and will be under no obligation to follow such instruction, until the matter is resolved in good-faith between the parties. As required under Privacy Laws and Regulations, Customer will provide all necessary notices to relevant Data Subjects and secure all necessary permissions and consents from them, to support the Processing of Personal Data by Leadspace pursuant to this DPA.
2.5. Leadspace will not (1) Sell Personal Data, or (2) retain, use or disclose Personal Data: (i) for any purpose other than for the specific purpose of performing the Service, or (ii) outside of the direct business relationship between Customer and Leadspace, except as permitted under the applicable Privacy Laws and Regulations. Leadspace acknowledges and will comply with the restrictions set forth in this Section 2.5.
2.6. The parties acknowledge and agree that the Personal Data that Customer discloses to Leadspace is provided to Leadspace for a Business Purpose, and Customer does not Sell such Personal Data to Leadspace in connection with the Agreement.
3.1. Taking into account the nature of the Processing, Leadspace will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subjects’ rights, as required under applicable Privacy Laws and Regulations. Leadspace will further assist Customer in ensuring compliance with Customer’s obligations in connection with the security of Processing, notification of a Personal Data Breach to supervisory authorities and affected Data Subjects, Customer’s data protection impact assessments and Customer’s prior consultation with supervisory authorities, in relation to Leadspace’s Processing of Personal Data under this DPA. Except for negligible costs, Customer will reimburse Leadspace for costs and expenses incurred by Leadspace in connection with the provision of assistance to Customer under this DPA.
4. LEADSPACE PERSONNEL
4.1. Limitation of Access. Leadspace will ensure that Leadspace’s access to Personal Data is limited to personnel who require such access to perform the Agreement.
4.2. Confidentiality. Leadspace will impose appropriate contractual obligations upon its personnel engaged in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection, and data security. Leadspace will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. Leadspace will ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.
5. OTHER PROCESSORS
5.1. Leadspace may engage third-party service providers to process Personal Data on behalf of Customer (“Other Processors”). Customer hereby provides Leadspace with a general authorization to engage the Other Processors listed in Annex III of Exhibit A to this Agreement. All Other Processors have entered into written agreements with Leadspace that bind them by substantially the same material obligations under this DPA. Where an Other Processor fails to fulfil its data protection obligations in connection with the Processing of Personal Data under this DPA, Leadspace will remain fully liable to Customer for the performance of that Other Processor’s obligations.
5.2. Leadspace may engage with a new Other Processor (“New Processor”) to Process Customer Personal Data on Customer’s behalf. Customer may object to the Processing of Customer’s Personal Data by the New Processor, for reasonable and explained grounds, within five (5) business days following Leadspace’s written notice to Customer of the intended engagement with the New Processor. If Customer timely sends Leadspace a written objection notice, the parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, Leadspace will make commercially reasonable efforts to provide Customer with the same level of Service, without using the New Processor to Process Customer’s Personal Data.
6. DATA TRANSFER
6.1. Transfer of GDPR-governed Customer’s Personal Data from the EU (“Transferred Data”) to Leadspace’s Israel-based site is made in accordance with EU Commission Decision 2011/61/EU, pursuant to Directive 95/46/EC of the European Parliament and of the Council, on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data. Transfer of Personal Data from the EU to Leadspace’s sites in the US is governed by the applicable data transfer binding instrument, the EU standard contractual clauses (“EU SCCs”), pursuant to EU Commission Decision C(2021)3972, giving effect to the module specified in Exhibit A to the EU SCCs, as provided herein or, as required, in accordance with any successor thereof or an alternative lawful data transfer mechanism.
6.2. In accordance with Article 46 of the GDPR and the EU SCCs, and without prejudice to any provisions of this DPA, Leadspace undertakes to implement the following organizational and technical safeguards, in addition to the safeguards mandated by the EU SCCs and in accordance with Clause 14(b)(iii) of the EU SCCs, to ensure the required adequate level of protection to the Transferred Data:
- 6.2.1. Leadspace will implement and maintain the technical measures, as specified in Annex II of Exhibit A, which is attached and incorporated by reference to this DPA, with a purpose to protect the Transferred Data from Processing for national security or other governmental purposes that goes beyond what is necessary and proportionate in a democratic society, considering the type of Processing activities under the Agreement and relevant circumstances;
- 6.2.2. For the purposes of safeguarding Transferred Data when any Third Country’s government or regulatory agency requests access to such data (“Request”), and unless required by a valid court order or if otherwise Leadspace may face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to Transferred Data, or where the access is requested in the event of imminent threat to lives, Leadspace will:
- 6.2.2.1. not purposefully create ‘back doors’ or similar programming that could be used to access the Transferred Data;
- 6.2.2.2. not provide the source code or encryption keys to any government agency for the purpose of accessing the Transferred Data; and
- 6.2.2.3. upon Customer’s written request, provide reasonably available information about the requests for access to Personal Data by government agencies that Leadspace has received in the six (6) months preceding Customer’s request.
- 6.2.3. If Leadspace receives a Request, Leadspace will notify Customer of such request to enable Customer to take necessary actions, to communicate directly with the relevant agency and to respond to the Request. If Leadspace is prohibited by law to notify Customer of the Request, Leadspace will make reasonable efforts to challenge such prohibition through judicial action or other means at Customer’s expense and, to the extent possible, will provide only the minimum amount of information necessary.
- 6.2.4. All Leadspace third-party service providers to whom Leadspace transfers Personal Data to provide the Service (i) have executed or undertaken to comply with such other binding instruments, standard contractual clauses, certifications or self-certifications for the lawful transfer of Customer’s Personal Data related to Data Subjects within the EU to other territories, as required and available under the GDPR, or (ii) are established in a country that was acknowledged by the EU Commission as providing adequate protection to Personal Data.
7.1. Controls. Leadspace is certified with the ISO 27001 and ISO 22301 standards and maintains administrative, physical and technical safeguards to protect the security, confidentiality and integrity of Customer’s Personal Data, as further specified under Annex II of Exhibit A. Leadspace regularly monitors compliance with these safeguards and will not decrease the overall security of Customer’s Personal Data during the term of providing the Service to Customer under the Agreement.
8. PERSONAL DATA BREACH MANAGEMENT AND NOTIFICATION
8.1. Leadspace maintains security incident management and breach notification policies and procedures and will notify Customer without undue delay after becoming aware of a Personal Data Breach related to Customer’s Personal Data which Leadspace, or any of Leadspace’s Other Processors, Process. Leadspace’s notice will at least: (a) describe the nature of the Personal Data Breach including, where possible, the categories and an approximate number of Data Subjects concerned and the categories and an approximate number of Personal Data records concerned; (b) communicate the name and contact details of Leadspace’s data protection team, which will be available to provide any additional available information about the Personal Data Breach; (c) describe the likely consequences of the Personal Data Breach; (d) describe the measures taken or proposed to be taken by Leadspace to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
8.2. Leadspace will work diligently, pursuant to its incident management and breach notification policies and procedures to promptly identify and remediate the cause of the Personal Data Breach and will promptly inform Customer accordingly.
9. AUDIT AND DEMONSTRATION OF COMPLIANCE
9.1. Leadspace will make available to Customer all information necessary for Customer to demonstrate compliance with the obligations laid down under Article 28 to the GDPR in relation to the Processing of Personal Data under this DPA by Leadspace and its Other Processors.
9.2. Leadspace will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in relation to Leadspace’s obligations under this DPA. Leadspace may satisfy the audit obligation under this section by providing Customer with attestations, certifications and summaries of audit reports conducted by accredited third-party auditors. Other audits by Customer are subject to the following terms: (i) the audit will be pre-scheduled in writing with Leadspace, at least forty-five (45) days in advance, and will be performed not more than once a year (unless the audit is required by a Supervisory Authority); (ii) a third-party auditor will execute a non-disclosure and non-competition undertaking toward Leadspace; (iii) the auditor will not have access to non-Customer data; (iv) Customer will make sure that the audit will not interfere with or damage Leadspace’s business activities and information and network systems; (v) Customer will bear all costs and expenses related to the audit; (vi) Customer will receive only the auditor’s report, without any Leadspace ‘raw data’ materials, will keep the audit results in strict confidentiality and will use them solely for the specific purposes of the audit under this DPA; (vii) at the written request of Leadspace, Customer will provide Leadspace with a copy of the auditor’s report; and (viii) as soon as the purpose of the audit is completed, Customer will permanently and completely dispose of all copies of the audit report.
10. DELETION OF PERSONAL DATA
10.1. At the choice of Customer, Leadspace will delete or return all Customer’s Personal Data to Customer after the end of the provision of Services relating to Processing of Customer’s Personal Data and delete existing copies unless required or permitted under applicable Privacy Laws and Regulations.
11. ANONYMIZED AND AGGREGATED DATA
11.1. Leadspace may process data based on extracts of Personal Data on an aggregated and non-identifiable form, for Leadspace’s legitimate business purposes, including for testing, development, controls, and operations of the Service, and may share and retain such data at Leadspace’s discretion.
12. DISPUTE RESOLUTION
12.1. As Privacy Laws and Regulations are subject to considerable evolution and interpretation, the parties agree to communicate regularly about any open issues or process problems that require resolution. The parties will attempt in good faith to resolve any dispute related to this DPA as a precondition to commencing legal proceedings, first by direct communications between the persons responsible for administering this DPA and next by negotiation between executives with authority to settle the controversy. Either party may give the other party a written notice of any dispute not resolved in the normal course of business. Within five (5) business days after delivery of the notice, the receiving party will submit a written response to the other party. The notice and the response will include a statement of each party’s position and a summary of arguments supporting that position and the name and title of the executive who will represent that party. Within five (5) business days after delivery of the disputing party’s notice, the executives of both parties will meet at a mutually acceptable time and place, including by phone, and thereafter as often as they reasonably deem necessary, to resolve the dispute. All reasonable requests for information made by one party to the other will be honored. All negotiations pursuant to this clause are confidential and will be treated as compromise and settlement negotiations for purposes of applicable rules of evidence.
13.1. This DPA will commence on the later date of its execution or the effective date of the Agreement to which it relates and will continue until the Agreement expires or is terminated.
Standard Contractual Clauses
ANNEX to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council
☐ MODULE TWO: Transfer controller to processor
☐ MODULE THREE: Transfer processor to processor
[Tick the box next to the relevant transfer module]
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
1. The Customer whose details are as specified under the applicable Order Form.
1. Name: Leadspace, Inc.
Address: 445 Bush Street, Suite 900 San Francisco, CA 94108
Contact person’s name, position and contact details: as detailed in the applicable Order Form
Activities relevant to the data transferred under these Clauses: Personal Data processing for the performance of the Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Representatives of Customer’s customers and prospective customers.
Categories of personal data transferred
Business related contact information such as name, title, business email address.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Nature of the processing
All operations such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means), etc.
Purpose(s) of the data transfer and further processing
The provision of the Service in accordance with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal Data will be retained during the term of the Agreement and will be deleted in accordance with the terms therein.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter of the processing is Customer’s Personal Data, the nature of the Processing is the performance of the Service under the Agreement and as detailed above and the duration of the Processing is the term of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
Where the data exporter is established in an EU Member State – the supervisory authority of such EU Member State shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) – the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) – the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses, shall act as competent supervisory authority.
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.
The technical and organizational measures (TOMs) provided below apply to all standard service offerings provided by Leadspace, except where the Customer is responsible for implementing technical and organizational measures to secure its data. Evidence of the measures implemented and maintained by Leadspace Security may be presented in the form of up-to-date certifications from independent bodies upon receipt of a written request from the Customer.
These measures are commercially reasonable and aligned with industry-standard technical and organizational measures to protect personal data. These measures are consistent with applicable laws and meet the standard of protection appropriate to the risk of processing personal data in the course of providing Leadspace’s services. Leadspace will regularly carry out, test, review and update all such measures.
These measures will be subject to technical progress and future developments of Leadspace’s services. Accordingly, Leadspace will be permitted to implement alternative adequate measures; in such event, the security level may not be lower than the measures memorialized hereto. Material changes will be coordinated with the relevant Data controller and will be documented.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Leadspace will create and maintain the following security and privacy documentation as well as store them in a central repository with restricted access control:
- Technical and Organizational Measures (TOMs)
- Non-disclosure Agreement (NDA) or Agreement to Exchange Confidential Information (AECI) or similar (as required)
- Sub-processor Agreement (as required)
Leadspace employees will complete security and privacy education annually and have acknowledged the need to comply with Leadspace’s ethical business conduct, confidentiality, privacy and security policies, as set out in Leadspace’s Code of Conduct and internal policies. Additional policy and process training will be provided to persons granted administrative access to security components that are specific to their role within Leadspace’s operations and support of the service, and as required to maintain compliance and certifications.
Leadspace Security will maintain policies and procedures designed to manage risks associated with the application of changes to the Leadspace SaaS platform.
Leadspace will incorporate Privacy by Design principles for systems and enhancements at the earliest stage of development.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Leadspace will validate that necessary documentation is in place between Leadspace and the Customer, where Leadspace processes non-sensitive Personal Data covered by GDPR. In case of a change to the defined scope, any change to the processing of Personal Data will be reviewed to determine any impact on required TOMs.
Leadspace will assess risks related to the processing and international transfer of Personal Data and create an action plan to mitigate identified risks.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Leadspace will maintain an incident response plan and follow documented incident response policies including data breach notification to Customers without undue delay in accordance with Leadspace’s obligation under its DPA.
Availability of data through business continuity and disaster recovery planning supports Leadspace’s SaaS platform. Leadspace Services will have defined, documented, maintained and annually validated business continuity and disaster recovery plans consistent with industry standard practices. All backup data will be encrypted.
Measures for internal IT and IT security governance and management
Leadspace will maintain and follow IT security policies and practices that are integral to Leadspace’s business and mandatory for all Leadspace employees, including supplemental personnel. IT security policies will be reviewed periodically and amended as Leadspace deems reasonable to maintain protection of services and Personal Data processed therein.
Measures for ensuring physical security of locations at which personal data are processed
Leadspace will implement physical security at Leadspace offices and take precautions against environmental threats and power disruptions for Customers.
Measures for the protection of data during storage
Leadspace relies on well-known cloud providers (GCP, Azure and AWS) to maintain all physical security aspects of their data-centers.
Leadspace will maintain measures meant to identify, manage, mitigate and/or remediate vulnerabilities within the Leadspace computing environments. Such measures include:
- Patch management
- Anti-virus / anti-malware
- Threat notification advisories
- Vulnerability scanning (all internal systems) and periodic penetration testing (Internet-facing systems), with remediation of identified vulnerabilities.
As a general rule, Leadspace does not use portable storage. In the rare cases where such usage is needed, it will be approved on a case-by-case basis, and Leadspace will implement protections to secure portable storage media from damage, destruction, theft or unauthorized copying, and to protect the personal data stored on portable media through encryption and secure removal of data when it is no longer needed. Additional similar measures will be implemented for mobile computing devices to protect Personal Data.
Leadspace will implement protections on end-user devices and monitor those devices for compliance with relevant security standards (including screen saver, antivirus software, firewall software, unauthenticated file sharing, hard disk encryption and appropriate patch levels). Controls are implemented to detect and remediate workstation compliance deviations.
Leadspace will securely sanitize physical media intended for reuse prior to such reuse and will destroy physical media not intended for reuse.
Measures for user identification and authorization
Leadspace will maintain proper controls for requesting, approving, granting, modifying, revoking and revalidating user access to systems and applications containing Personal Data. Only employees with clear business needs will be granted access to Personal Data located on servers, within applications, databases and/or will have the ability to download data within Leadspace’s network. All access requests will be approved based on individual role-based access and reviewed on a regular basis for continued business needs. All information systems will meet Leadspace’s IT information security policy and employ security configurations and security hygiene practices to protect against unauthorized access to operating system resources.
For Customers with Professional Services, Leadspace will maintain additional controls for user access to Customer’s Personal Data to prevent unauthorized access to Customer Personal Data. Access to Customer Personal Data is verified regularly for continued employment and re-validated annually for continued business needs. Leadspace will limit privileged access to individuals for a limited period of time, and usage will be monitored and logged.
Any shared access will be for a limited period of time and usage will be monitored and logged as well as revalidated regularly.
Measures for the protection of data during transmission
Leadspace will employ encrypted and authenticated remote connectivity between Leadspace computing environments and Customer’s systems.
Measures for ensuring limited data retention
Leadspace will maintain an inventory of Personal Data reflecting the instructions set out in the DPA, including destruction instructions upon termination of the agreement between Leadspace and Customer.
Measures for ensuring events logging
Computing environments with resources containing Personal Data will be logged and monitored.
Usage of privileged access will be monitored and logged.
Shared access will be monitored and logged.
LIST OF SUB-PROCESSORS
| Name of Other Processor | Type of Services |
| --- | --- |
| Google Cloud Platform | Hosting Services |