LEADSPACE DATA PROCESSING ADDENDUM
With effect as of its execution by Leadspace and Customer, this Data Processing Addendum (“DPA”) forms part of the Leadspace Master Service Agreement (“Agreement”) between Leadspace Inc., of 122 Grand Street, New York, NY 10013, USA, (“Leadspace”) and the customer whose details are indicated in the Agreement (“Customer”). This DPA reflects the parties’ agreement regarding the Processing of Customer Personal Data and supersedes any conflicting terms under the Agreement. All capitalized terms not defined herein will have the meaning set forth in the Agreement or under applicable Privacy Laws and Regulations.
DATA PROCESSING TERMS
In the course of providing Leadspace’s service (“Service”) to Customer pursuant to the Agreement, Leadspace may Process Customer Personal Data on behalf of Customer. The parties agree to comply with the following provisions concerning Customer Personal Data Processed by Leadspace as part of the Service.
1.1. “Customer Personal Data” means Personal Data Processed by Leadspace on behalf of the Customer as part of the provision of the Service.
1.2. “Data Controller”, “Business”, “Data Processor”, and “Service Provider” will have the same meaning as under applicable Privacy Laws and Regulations.
1.4. “Personal Data” means any information relating to a Data Subject. Personal Data includes Personal Information as such term is defined under the CPRA.
1.7. “Privacy Laws and Regulations” means (A) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”); (B) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); and, (C) the California Consumer Privacy Rights Act of 2020 (“CPRA”), and any successors thereof.
1.8. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.9. “Third Country” means a country outside the European Economic Area (“EEA”), the UK or Switzerland, which has not been acknowledged by the EU Commission, a UK Secretary of State or the Federal Data Protection and Information Commissioner (as applicable) as providing an adequate level of protection in accordance with Article 45(3) of the GDPR or of the UK GDPR, or the equivalent under Swiss law.
2. DATA PROCESSING
2.2. Subject Matter, Duration, Nature and Purpose of Processing. Leadspace processes Customer Personal Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the terms of the Agreement, as further specified under ANNEX 1 to this DPA.
2.5. CPRA Specific Provisions. To the extent that the CPRA applies to the Processing of Customer Personal Data by Leadspace, the following provisions will also apply to such Processing:
2.5.1. Customer and Leadspace acknowledge that (1) Customer Personal Data is disclosed to Leadspace only for the limited Business Purpose of providing Customer with the Services (the “Purpose”); and, (2) Customer is not selling Customer Personal Data to Leadspace.
2.5.2. Customer will notify Leadspace of any valid request received from a Data Subject pursuant to the CPRA that Leadspace must comply with and will provide Leadspace with all necessary information to comply with such request.
2.5.4. Leadspace will: (1) comply with all applicable provisions under the CPRA, including with respect to providing the same level of protection to privacy as required under the CPRA; and, (2) notify Customer no later than within five (5) business days after determining that Leadspace can no longer meet its obligations under the CPRA.
4. LEADSPACE PERSONNEL
4.1. Limitation of Access. Leadspace will ensure that Leadspace’s access to Customer Personal Data is limited to personnel who require such access to perform the Agreement.
4.2. Confidentiality. Leadspace will impose appropriate contractual obligations upon its personnel engaged in the Processing of Customer Personal Data, including relevant obligations regarding confidentiality, data protection, and data security. Leadspace will ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. Leadspace will ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.
5. OTHER PROCESSORS
5.2. Leadspace may engage with a new Other Processor (“New Processor”) to Process Customer Personal Data on Customer’s behalf. Customer may object to the Processing of Customer Personal Data by the New Processor, for reasonable and explained grounds, within five (5) business days following Leadspace’s written notice to Customer of the intended engagement with the New Processor. If Customer timely sends Leadspace a written objection notice, the parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, Leadspace will make commercially reasonable efforts to provide Customer with the same level of Service, without using the New Processor to Process Customer Personal Data.
6. ONWARD AND CROSS-BORDER DATA TRANSFER
7.1. Controls. Leadspace is certified with the ISO 27001 and ISO 22301 standards and maintains administrative, physical and technical safeguards to protect the security, confidentiality and integrity of Customer Personal Data, as further specified under ANNEX 2 to this DPA. Leadspace regularly monitors compliance with these safeguards and will not decrease the overall security of Customer Personal Data during the term of providing the Service to Customer under the Agreement.
8. PERSONAL DATA BREACH MANAGEMENT AND NOTIFICATION
8.2. Leadspace will work diligently, pursuant to its incident management and breach notification policies and procedures to promptly identify and remediate the cause of the Personal Data Breach and will promptly inform Customer accordingly.
9. AUDIT AND DEMONSTRATION OF COMPLIANCE
9.1. Leadspace will make available to Customer all information necessary for Customer to demonstrate compliance with the obligations laid down under Article 28 to the GDPR in relation to the Processing of Customer Personal Data under this DPA by Leadspace and its Other Processors.
10. DELETION OF CUSTOMER PERSONAL DATA
At the choice of Customer, Leadspace will delete or return all Customer Personal Data to Customer after the end of the provision of Services relating to Processing of Customer Personal Data and delete existing copies unless required or permitted under applicable Privacy Laws and Regulations.
11. ANONYMIZED AND AGGREGATED DATA
12. DISPUTE RESOLUTION
This DPA will commence on the later date of its execution or the effective date of the Agreement to which it relates and will continue until the Agreement expires or is terminated.
– DETAILS OF THE PERSONAL DATA PROCESSING –
(Also serves as ANNEX I to the EU SCCs)
- LIST OF PARTIES
Customer – Data exporter
Name, address and contact details: Customer, whose name, address and contact details are as detailed in the applicable Order Form.
Activities relevant to the data transferred under these Clauses: Provision of the Services under the Agreement.
Signature and date: The data exporter’s signature on the DPA or agreement between the parties applies herein.
Role (data controller/data processor): Data Controller or Data Processor, as applicable.
Leadspace – Data Importer
Name: Leadspace, Inc.
Address: 445 Bush Street, Suite 900 San Francisco, CA 94108
Contact person’s name, position and contact details: as detailed in the applicable Order Form
Activities relevant to the data transferred under these Clauses: Personal Data processing for the performance of the Agreement.
Role (data controller/data processor): Data Processor
- DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Representatives of Customer’s customers and prospective customers.
Categories of personal data transferred
Business related contact information such as name, title, business email address.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Nature of the processing
All operations such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means), etc.
Purpose(s) of the data transfer and further processing
The provision of the Service in accordance with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal Data will be retained during the term of the Agreement and will be deleted in accordance with the terms therein.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter of the processing is Customer’s Personal Data, the nature of the Processing is the performance of the Service under the Agreement and as detailed above and the duration of the Processing is the term of the Agreement.
- COMPETENT SUPERVISORY AUTHORITY
Where the data exporter is established in an EU Member State – the supervisory authority of such EU Member State shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) – the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) – the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses, shall act as competent supervisory authority.
– TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA –
(Also serves as Annex II to the EU SCCs)
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.
The technical and organizational measures (TOMs) provided below apply to all standard service offerings provided by Leadspace, except where the Customer is responsible for implementing technical and organizational measures to secure its data. Evidence of the measures implemented and maintained by Leadspace Security may be presented in the form of up-to-date certifications from independent bodies upon receipt of a written request from the Customer.
These measures are commercially reasonable and are aligned with industry standard technical and organizational measures to protect personal data. These measures are consistent with applicable laws and meet the standard of protection appropriate to the risk of processing personal data in the course of providing Leadspace’s services. Leadspace will regularly carry out, test, review and update all such measures.
These measures will be subject to technical progress and future developments of Leadspace’s services. Accordingly, Leadspace will be permitted to implement alternative adequate measures; in such event, the security level may not be lower than the measures memorialized hereto. Material changes will be coordinated with the relevant Data Controller and will be documented.
– LIST OF OTHER PROCESSORS –
(Also serves as Annex III to the EU SCCs, to the extent required under the applicable module)
|Name of Other Processor
|Description of Processing
|Google Cloud Platform
|US – https://submit-irm.trustarc.com/services/validation/5c2b0c65-cac5-4a10-96cd-aa3821a77b2b UK – firstname.lastname@example.org EEA – email@example.com
|Data processing platform
|Data processing and analysis.
– CROSS BORDER CUSTOMER PERSONAL DATA TRANSFER –
- DEFINITIONS. Capitalized terms not defined herein will have the meaning set forth in the DPA or under Privacy Laws and Regulations.
1.1. “EU SCCs” means the Standard Contractual Clauses pursuant to EU Commission Decision C(2021)3972.
1.2. “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992 (Status as of 1 March 2019) as replaced by its amendment of September 25, 2020 (effective as of September 1, 2023).
1.3. “IDTA” means the International Data Transfer Agreement, issued by the ICO in accordance with section 119A of the Data Protection Act 2018, or any other applicable standard contractual clauses issued, approved, or otherwise recognized by the ICO.
1.4. “Swiss SCCs” means the applicable standard contractual clauses issued, approved, or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”).
1.5. “Third Country” means a country outside the European Economic Area (“EEA”), the UK or Switzerland, which was not acknowledged by the EU Commission, a UK Secretary of State or the FDPIC (as applicable) as providing an adequate level of protection in accordance with Article 45(3) of the GDPR, Article 45 of the UK GDPR or the equivalent.
1.6. A “Transfer” means a transfer by Leadspace, Leadspace’s New Processors or Leadspace’s Other Processors of: (1) GDPR-governed Customer Personal Data transferred outside the EEA (“EEA Transferred Data”); (2) UK-GDPR governed Customer Personal Data transferred outside the UK (“UK Transferred Data”); and, (3) FADP-governed Customer Personal Data transferred outside of Switzerland (“Swiss Transferred Data”, and with EEA and UK Transferred Data: “Transferred Data”).
1.7. “UK Addendum” means the UK addendum published by the Information Commissioner’s Office (“ICO”) in accordance with section 119A(1) of the Data Protection Act of 2018, incorporating the EU SCCs.
- EEA TRANSFERS. Transfers of EEA Transferred Data to a Third Country, will be made under the EU SCCs, giving effect to module 2 or 3, as applicable, which is incorporated by reference to this DPA, as follows:
2.1. In Clause 7, the optional docking clause will apply.
2.2. If applicable – in clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set out in Section 5 of this DPA.
2.3. In clause 11, the optional language will not apply.
2.4. In clause 17, Option 1 will apply, and the EU SCC will be governed by Irish law.
2.5. In clause 18(b), disputes will be resolved before the courts of Ireland.
2.6. Annexes (I)-(II) to the EU SCCs will be completed with the relevant details in ANNEXES A-B to this DPA.
- UK TRANSFERS. Transfers of UK Transferred Data to a Third Country, will be made –
3.1. In accordance with the EU SCCs as detailed in section 2 above, as amended by the UK Addendum, which is incorporated by reference to this DPA, with the necessary changes made as detailed in sections 12-15 to the UK Addendum; or,
3.2. if the EU SCCs as implemented above cannot be used to lawfully Transfer UK Transferred Data, the IDTA will instead be incorporated by reference, will form an integral part of this DPA, and will apply to Swiss Transferred Data. In such case, the relevant Annexes of the Swiss SCCs will be populated using the information contained in ANNEXES A-B.
- SWISS TRANSFERS. Transfers of Swiss Transferred Data to a Third Country, will be made –
4.1. In accordance with the EU SCCs as detailed in section 2 above, as recognized by the FDPIC on August 27, 2021, with the following modifications: (1) references to ‘EU’, ‘Union’, ‘Member State’ and ‘Member State law’ will be interpreted as references to ‘Switzerland’, and ‘Swiss law’, as applicable; and, (2) references to ‘Competent supervisory authority’ and ‘Competent courts’ will be interpreted as references to the FDPIC and Competent courts in Switzerland; or,
4.2. if the EU SCCs as implemented above cannot be used to lawfully Transfer Swiss Transferred Data in compliance with the FADP, the Swiss SCCs will instead be incorporated by reference, will form an integral part of this DPA, and will apply to Swiss Transferred Data. In such case, the relevant Annexes of the Swiss SCCs will be populated using the information contained in ANNEXES A-B.
- SUPPLEMENTAL MEASURES. In accordance with Article 46 of the GDPR, the EU SCCs and guidelines published by the European Data Protection Board (EDPB), and without prejudice to any provisions of the DPA or this Annex, Leadspace undertakes to implement the following organizational and technical safeguards, in addition to the safeguards mandated by the EU SCCs, to ensure the required adequate level of protection to Transferred Data:
5.1. Technical and Organizational Measures. Leadspace will implement and maintain the technical and organizational measures, as specified in ANNEX 2, which is attached and incorporated by reference to this DPA, with a purpose to protect Customer Personal Data against any processing for national security or other government purposes that go beyond what is necessary and proportionate in a democratic society, considering the type of processing activities under the Agreement and relevant circumstances.
5.2. Contractual Measures. For the purposes of safeguarding Transferred Data when any Third Country’s government or regulatory authority requests access to such data (“Request”), and unless required by a valid court order or if otherwise Leadspace may face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to EEA Transferred Data, or where the access is requested in the event of imminent threat to lives, Leadspace will:
5.2.1. not purposefully create back doors or similar programming that could be used to access EEA Transferred Data;
5.2.2. not provide the source code or encryption keys to any government agency for the purpose of accessing EEA Transferred Data;
5.2.3. upon Customer’s written request, provide reasonable available information about the requests of access to Customer Personal Data by government agencies Leadspace has received in the 6 months preceding Customer’s request; and,
5.2.4. notify Customer upon receiving a request by a government agency to access Customer Personal Data to enable Customer to take necessary actions, communicate directly with the relevant authority and to respond to the request. If Leadspace is prohibited by law to notify the Customer of such request, Leadspace will make reasonable efforts to challenge such prohibition through judicial action or other means at Customer’s expense and, to the extent possible, will provide only the minimum amount of information necessary.
- FUTURE ADEQUACY. As applicable, if: (A) the Adequacy Recognition is invalidated or otherwise terminated by the EU Commission or a UK Secretary of State; (B) the EU SCC are invalidated or are no longer in effect; or (C) any other Transfer safeguard used for the Transfer of Transferred Data is no longer in effect for any reason, then Leadspace will take such alternative lawful measures, as may be available and applicable, to continue facilitating the lawful Transfer of Transferred Data by Leadspace, Leadspace’s Other Processors, Leadspace’s New Processors, or equivalents thereof.