With effect as of its execution by Leadspace and Customer, this Data Processing Addendum (“DPA”) forms part of the Leadspace Master Service Agreement (“Agreement”) between Leadspace Inc., of 530 Lytton Avenue, 2nd Floor, #2124, Palo Alto, CA 94301, (“Leadspace”) and the customer whose details are indicated in the Agreement (“Customer”). This DPA reflects the parties’ agreement regarding the Processing of Customer Personal Data and supersedes any conflicting terms under the Agreement. All capitalized terms not defined herein will have the meaning set forth in the Agreement or under applicable Privacy Laws and Regulations.


In the course of providing Leadspace’s service (“Service”) to Customer pursuant to the Agreement, Leadspace may Process Customer Personal Data on behalf of Customer. The parties agree to comply with the following provisions concerning Customer Personal Data Processed by Leadspace as part of the Service.

    1. “Adequacy Recognition“ means a decision by a competent authority of a country, or statutory provisions, that recognize another country as providing an adequate level of protection to Personal Data, as determined pursuant to the Privacy Laws applicable to the country that issued the decision or enacted such statutory provisions, and in accordance with such decision or statutory provisions, the transfer of Personal Data to such other recognized country is permitted without additional measures related to the transfer of the Personal Data.
    2. “Customer Personal Data” means Personal Data Processed by Leadspace on behalf of the Customer as part of the provision of the Service.
    3. “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Sensitive Data” will have the same meaning as under applicable Privacy Laws and Regulations and will include any equivalent and similar terms under applicable Privacy Laws and Regulations. Specifically, Sensitive Data will include SPI, within the meaning of US Consumer Privacy Laws, and special categories of data and data relating to criminal convictions and offences, within the meaning of the GDPR and UK GDPR.
    4. “Personnel” means persons authorized by Leadspace to Process Customer’s Personal Data.
    5. “Privacy Laws and Regulations” means (A) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”); (B) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); and, (C) all state laws pertaining to the protection of Personal Data and privacy and to Personal Data Breach notification of the United States, including without limitation the California Consumer Privacy Act of 2018 Cal. Civil Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (“CPRA”), and any successors thereof (“US Privacy Laws”).
    6. “Third Country” means a country to which Personal Data is Transferred that does not hold an Adequacy Recognition.
    1. Scope and Roles. This DPA applies when Customer shares Personal Data with Leadspace for the purposes of processing such Personal Data as part of Leadspace’s provision of the Service. In this context, for the purposes of the Privacy Laws and Regulations, Customer is the Data Controller or Data Processor and Leadspace is the Data Processor or another Data Processor.
    1. Subject Matter, Duration, Nature and Purpose of Processing. Leadspace processes Customer Personal Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the terms of the Agreement, as further specified under ANNEX 1 to this DPA.
    2. Type of Personal Data and Categories of Data Subjects. Leadspace processes contact details and other business-related data which Customer shares with Leadspace. Leadspace does not process any special categories of data, as this term is referred to under Privacy Laws and Regulations. The categories of relevant data subjects are business-related contacts of Customer’s customers and prospected customers.
    3. Instructions for Leadspace’s Processing of Personal Data. Leadspace will only Process Customer Personal Data, on behalf of and in accordance with Customer’s instructions. Customer instructs Leadspace to Process Customer Personal Data for the following purposes: (i) Processing related to the Service in accordance with the terms of the Agreement; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement. Customer undertakes to provide Leadspace with lawful instructions only. Leadspace will inform Customer immediately, if in Leadspace’s opinion an instruction violates any provision Privacy Laws and Regulations and will be under no obligation to follow such instruction, until the matter is resolved in good-faith between the parties. As required under Privacy Laws and Regulations, Customer will provide all necessary notices to relevant Data Subjects and secure all necessary permissions and consents from them, to support the Processing of Customer Personal Data by Leadspace pursuant to this DPA.
    4. US Privacy Laws Specific Provisions. To the extent that US Privacy Laws apply to the Processing of Customer Personal Data by Leadspace, the following provisions will also apply to such Processing:
      1. Customer and Leadspace acknowledge that (i) Customer Personal Data is disclosed to Leadspace only for the limited business purpose of providing Customer with the Services (the “Purpose”); and, (ii) Customer is not selling Customer Personal Data to Leadspace.
      2. Each of Customer or Leadspace, as applicable, will notify the other party of any valid request received from a Data Subject pursuant to US Privacy Laws that the party receiving the notice must comply with, and will provide all necessary information to comply with such request. Each party will comply with such requests, in accordance with applicable US Privacy Laws.
      3. Leadspace will not (i) Sell Customer Personal Data; (ii) Share (within the meaning thereof under US Privacy Laws) Customer Personal Data; and, unless permitted under US Privacy Laws, retain, use or disclose Customer Personal Data: (a) for any purpose other than for the specific purpose of performing the Service; (b) for any commercial purpose other than the Purpose, including in providing services to other Leadspace Customers; or, (c) outside of the direct business relationship between Customer and Leadspace.
      4. Leadspace will: (i) comply with all applicable provisions under US Privacy Laws, including with respect to providing the same level of protection to privacy as required under US Privacy Laws; and, (ii) notify Customer no later than within five (5) business days after determining that Leadspace can no longer meet its obligations under US Privacy Laws.
      5. Customer may: (i) take reasonable and appropriate steps to ensure that Leadspace uses Customer Personal Data in a manner consistent with Customer’s obligations under US Privacy Laws; (ii) upon notice, take reasonable and appropriate steps to stop and remediate Leadspace’s unauthorized use of Customer Personal Data.
    1. Taking into account the nature of the Processing, Leadspace will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subjects’ rights, as required under applicable Privacy Laws and Regulations. Leadspace will further assist Customer in ensuring compliance with Customer’s obligations in connection with the security of Processing, notification of a Personal Data Breach to supervisory authorities and affected Data Subjects, Customer’s data protection impact assessments and Customer’s prior consultation with supervisory authorities, in relation to Leadspace’s Processing of Customer Personal Data under this DPA. Except for negligible costs, Customer will reimburse Leadspace with costs and expenses incurred by Leadspace in connection with the provision of assistance Customer under this DPA.
    1. Limitation of Access. Leadspace will ensure that Leadspace’s access to Customer Personal Data is limited to personnel who require such access to perform the Agreement.
    2. Confidentiality. Leadspace will impose appropriate contractual obligations upon its personnel engaged in the Processing of Customer Personal Data, including relevant obligations regarding confidentiality, data protection, and data security. Leadspace will ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. Leadspace will ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.
    1. Leadspace may engage third-party service providers to Process Customer Personal Data on behalf of Customer (“Other Processors”). Customer hereby provides Leadspace with a general authorization to engage the Other Processors listed in ANNEX 3 to this DPA. All Other Processors have entered into written agreements with Leadspace that bind them by substantially the same material obligations under this DPA. Where an Other Processor fails to fulfil its data protection obligations in connection with the Processing of Customer Personal Data under this DPA, Leadspace will remain fully liable to Customer for the performance of that Other Processor’s obligations.
    2. Leadspace may engage with a new Other Processor (“New Processor”) to Process Customer Personal Data on Customer’s behalf. Customer may object to the Processing of Customer Personal Data by the New Processor, for reasonable and explained grounds, within five (5) business days following Leadspace’s written notice to Customer of the intended engagement with the New Processor. If Customer timely sends Leadspace a written objection notice, the parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, Leadspace will make commercially reasonable efforts to provide Customer with the same level of Service, without using the New Processor to Process Customer Personal Data.
    1. Transfers of Customer Personal Data to a Third Country by Leadspace, or by Leadspace’s Other Processors or Leadspace’s New Processors are subject to the data transfer requirements under ANNEX C.
    1. Controls. Leadspace is certified with the ISO 27001 and ISO 22301 standards and maintains administrative, physical and technical safeguards to protect the security, confidentiality and integrity of Customer Personal Data, as further specified under ANNEX 2 to this DPA. Leadspace regularly monitors compliance with these safeguards and will not decrease the overall security of Customer Personal Data during the term of providing the Service to Customer under the Agreement.
    1. Leadspace maintains security incident management and breach notification policies and procedures and will notify Customer without undue delay after becoming aware of a Personal Data Breach related to Customer Personal Data, which Leadspace, or any of Leadspace’s Other Processors, Process. Leadspace’s notice will at least: (a) describe the nature of the Personal Data Breach including where possible, the categories and an approximate number of Data Subjects concerned and the categories and an approximate number of Customer Personal Data records concerned; (b) communicate the name and contact details of the Leadspace’s data protection team, which will be reasonably available to provide any additional available information about the Personal Data Breach; (c) describe the likely consequences of the Personal Data Breach; (d) describe the measures taken or proposed to be taken by Leadspace to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
    2. Leadspace will work diligently, pursuant to its incident management and breach notification policies and procedures to promptly identify and remediate the cause of the Personal Data Breach and will promptly inform Customer accordingly.
    1. Leadspace will make available to Customer all information necessary for Customer or Leadspace (respective of their roles hereunder) to demonstrate compliance with the obligations laid down under Privacy Laws and Regulations in relation to the Processing of Customer Personal Data under this DPA by Leadspace and its Other Processors.
    2. Leadspace will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in relation to Leadspace’s obligations under this DPA. Leadspace may satisfy the audit obligation under this section by providing Customer with attestations, certifications and summaries of audit reports conducted by accredited third party auditors. Other audits by Customer are subject to the following terms: (i) the audit will be pre-scheduled in writing with Leadspace, at least forty-five (45) days in advance and will be performed not more than once a year (unless the audit is required by a Supervisory Authority); (ii) a third-party auditor will execute a non-disclosure and non-competition undertaking toward Leadspace; (iii) the auditor will not have access to non-Customer data (iv) Customer will make sure that the audit will not interfere with or damage Leadspace’s business activities and information and network systems; (v) Customer will bear all costs and expenses related to the audit; (vi) Customer will receive only the auditor’s report, without any Leadspace ‘raw data’ materials, will keep the audit results in strict confidentiality and will use them solely for the specific purposes of the audit under this DPA; (vii) at the written request of Leadspace, Customer will provide Leadspace with a copy of the auditor’s report; and (viii) as soon as the purpose of the audit is completed, Customer will permanently and completely dispose of all copies of the audit report.
    3. Notwithstanding the provisions of section 9.2 above and to the extent permitted by applicable Privacy Laws and Regulations, Leadspace may in the alternative arrange for a qualified and independent assessor to conduct an assessment of its policies and technical and organizational measures in support of the obligations under this DPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Leadspace will provide a report of such assessment to Customer upon request.
    1. At the choice of Customer, Leadspace will delete or return all Customer Personal Data to Customer after the end of the provision of Services relating to Processing of Customer Personal Data and delete existing copies unless required or permitted under applicable Privacy Laws and Regulations.
    1. Leadspace may process data based on extracts of Customer Personal Data on an aggregated and non-identifiable form, for Leadspace’s legitimate business purposes, including for testing, development, controls, and operations of the Service, and may share and retain such data at Leadspace’s discretion.
    1. As Privacy Laws and Regulations are subject to considerable evolvements and interpretation, the parties agree to communicate regularly about any open issues or process problems that require resolution. The parties will attempt in good faith to resolve any dispute related to this DPA as a precondition to commencing legal proceedings, first by direct communications between the persons responsible for administering this DPA and next by negotiation between executives with authority to settle the controversy. Either party may give the other party a written notice of any dispute not resolved in the normal course of business. Within five (5) business days after delivery of the notice, the receiving party will submit a written response to the other party. The notice and the response will include a statement of each party’s position and a summary of arguments supporting that position and the name and title of the executive who will represent that party. Within five (5) business days after delivery of the disputing party’s notice, the executives of both parties will meet at a mutually acceptable time and place, including by phone, and thereafter as often as they reasonably deem necessary, to resolve the dispute. All reasonable requests for information made by one party to the other will be honored. All negotiations pursuant to this clause are confidential and will be treated as compromise and settlement negotiations for purposes of applicable rules of evidence.
  13. TERM
    1. This DPA will commence on the later date of its execution or the effective date of the Agreement to which it relates and will continue until the Agreement expires or is terminated.

(Also serves as ANNEX I to the EU SCCs)

    • Customer – Data exporter
    • Name, address and contact details: Customer, whose name, address and contact details are as detailed in the applicable Order Form.
    • Activities relevant to the data transferred under these Clauses: Provision of the Services under the Agreement.
    • Signature and date: The data exporter’s signature on the DPA or agreement between the parties applies herein.
    • Role (data controller/data processor): Data Controller or Data Processor, as applicable.
    • Leadspace – Data Importer
    • Name: Leadspace, Inc.
    • Address: 530 Lytton Avenue, 2nd Floor, #2124 Palo Alto, CA 94301
    • Contact person’s name, position and contact details: as detailed in the applicable Order Form
    • Activities relevant to the data transferred under these Clauses: Personal Data processing for the performance of the Agreement.
    • Role (data controller/data processor): Data Processor
    • Categories of data subjects whose personal data is processed / transferred
    • Representatives of Customer’s customers and prospective customers.
    • Categories of personal data processed / transferred
    • Business related contact information such as name, title, business email address.
    • Sensitive data processed / transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
    • N/A
    • The duration of the processing / frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
    • Continuous basis.
    • Nature of the processing
    • All operations such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means), etc.
    • Purpose(s) of the data processing, transfer and further processing
    • The provision of the Service in accordance with the Agreement.
    • The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
    • Personal Data will be retained during the term of the Agreement and will be deleted in accordance with the terms therein.
    • For processing by, and transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
    • The subject matter of the processing is Customer’s Personal Data, the nature of the Processing is the performance of the Service under the Agreement and as detailed above and the duration of the Processing is the term of the Agreement.
    Where this annex serves as ANNEX 2 to the EU SCCs, the following provisions apply:
    • Where the data exporter is established in an EU Member State – the supervisory authority of such EU Member State shall act as competent supervisory authority.
    • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) – the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.
    • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) – the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses, shall act as competent supervisory authority.

(Also serves as Annex II to the EU SCCs)

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

The technical and organizational measures (TOMs) provided below apply to all standard service offerings provided by Leadspace, except where the Customer is responsible for implementing technical and organizational measures to secure its data. Evidence of the measures implemented and maintained by Leadspace Security may be presented in the form of up-to-date certifications from independent bodies upon receipt of a written request from the Customer.

These measures are commercially reasonable, are aligned with industry standard technical and organizational measures, to protect personal data. These measures are consistent with applicable laws and meet the standard of protection appropriate to the risk of processing personal data in the course of providing Leadspace’s services. Leadspace will regularly carry out, test, review and update all such measures.

These measures will be subject to technical progress and future developments of Leadspace’s services. Accordingly, Leadspace will be permitted to implement alternative adequate measures, in such event, the security level may not be lower that the measures memorialized hereto. Material changes will be coordinated with the relevant Data Controller and will be documented.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and servicesLeadspace creates and maintains the following security and privacy documentation and store them in a central repository with restricted access control:

Technical and Organizational Measures (TOMs).
Non-disclosure Agreement (NDA) or Agreement to Exchange
Confidential Information (AECI) or similar (as required).

Sub-processor Agreement (as required).
Leadspace employees complete security and privacy education annually and have  acknowledged the need to comply with Leadspace’s ethical business conduct, confidentiality, privacy and security policies, as set out in Leadspace’s Code of Conduct and internal policies. Additional policy and process training will be provided to persons granted administrative access to security components that are specific to their role within Leadspace’s operations and support of the service, and as required to maintain compliance and certifications. Leadspace Security maintains policies and procedures designed to manage risks associated with the application of changes to the Leadspace SaaS platform. Leadspace incorporates Privacy by Design principles for systems and enhancements at the earliest stage of development.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incidentLeadspace maintains an incident response plan and follow documented incident response policies including data breach notification to Customers without undue delay in accordance with Leadspace’s obligation under its DPA. Availability of data through business continuity and disaster recovery planning support Leadspace’s SaaS platform. Leadspace Services are defined, documented, maintained and annually validated business continuity and disaster recovery plans consistent with industry standard practices. All backup data is encrypted.  
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the ProcessingLeadspace validates that necessary documentation is in place between Leadspace and the Customer, where Leadspace processes non-sensitive Personal Data covered by Privacy Laws and Regulations. In case of a change to the defined scope, any change to the processing of Personal Data is reviewed to determine any impact on required TOMs. Leadspace assesses risks related to the processing and international transfer of Personal Data and create an action plan to mitigate identified risks.
Measures for user identification and authorizationLeadspace maintains proper controls for requesting, approving, granting, modifying, revoking and revalidating user access to systems and applications containing Personal Data. Only employees with clear business needs are  granted access to Personal Data located on servers, within applications, databases and/or have the ability to download data within Leadspace’s network. All access requests are approved based on individual role-based access and reviewed on a regular basis for continued business needs. All information systems meet Leadspace’s IT information security policy and employ security configurations and security hygiene practices to protect against unauthorized access to operating system resources. For Customers with Professional Services, Leadspace maintains additional controls for user access to Customer’s Personal Data to prevent unauthorized access to Customer Personal Data. Access to customer Personal Data is verified regularly for continued employment and re-validated annually for continued business needs. Leadspace limits privileged access to individuals for a limited period of time and usage is monitored and logged. Access is shared for a limited period of time and usage is monitored and logged as well as revalidated regularly.
Measures for the protection of data during transmissionLeadspace employs encrypted and authenticated remote connectivity between Leadspace computing environments and Customer’s systems.
Measures for the protection of data during storageLeadspace relies on well-known cloud providers (GCP, Azure and AWS) to maintain all physical security aspects of their data-centers. Leadspace maintains measures meant to identify, manage, mitigate and/or remediate vulnerabilities within the Leadspace computing environments. Such measures include:

Patch management
Anti-virus / anti-malware
Threat notification advisories
Vulnerability scanning (all internal systems) and periodic penetration testing (Internet facing systems) within remediation of identified vulnerabilities.

As a general rule Leadspace does not use portable storage, in the rare cases that such usage may be needed and is approved on a case by case basis, Leadspace implements protections to secure portable storage media from damage, destruction, theft or unauthorized copying and the personal data stored on portable media through encryption and secure removal of data when it is no longer needed. Additional similar measures are implemented for mobile computing devices to protect Personal Data. Leadspace implements protections on end-user devices and monitor those devices to be in compliance with relevant security standards, screen saver, antivirus software, firewall software, unauthenticated file sharing, hard disk encryption and appropriate patch levels. Controls are implemented to detect and remediate workstation compliance deviations. Leadspace securely sanitizes physical media intended for reuse prior to such reuse and destroys physical media not intended for reuse.
Measures for ensuring physical security of locations at which personal data are processedLeadspace implements the physical security of Leadspace offices and takes precautions against environmental threats and power disruptions for Customers.
Measures for ensuring events loggingComputing environments with resources containing Personal Data are logged and monitored. Usage of privileged access is monitored and logged. Shared access is monitored and logged.
Measures for ensuring system configuration, including default configurationLeadspace ensures a secure configuration of the environments by using IaC (infrastructure as code) for all standard operations such as deploy or update environments, Leadspace hardens deployments by removing unnecessary services, ports and hardening default configuration.
Measures for internal IT and IT security governance and managementLeadspace maintains and follows IT security policies and practices that are integral to Leadspace’s business and mandatory for all Leadspace employees, including supplemental personnel. IT security policies are reviewed periodically and amended as Leadspace deems reasonable to maintain protection of services and Personal Data processed therein.
Measures for certification/assurance of processes and productsLeadspace is ISO 27001 and 22301 certified and is SOC2 audited as of Q3 2023.
Measures for ensuring data minimization (using only necessary data)Leadspace ensures data minimization by processing only that data which is relevant and necessary for the provision of the service.  
Measures for ensuring limited data retentionLeadspace maintains an inventory of Personal Data reflecting the instructions set out in the DPA, including destruction instructions upon termination of the agreement between Leadspace and Customer.
Measures for ensuring accountabilityLeadspace ensures accountability through the logging of access activity that is stored in a Centralized logging system.  Logs are retained for defined periods and can be reviewed to ensure that any access is proportionate and appropriate. All Leadspace employees are required to abide by a data handling and classification program, any violation of these requirements will result in disciplinary actions.
Measures for ensuring data erasureLeadspace ensures data portability by allowing customers to retrieve any data placed within our SaaS using Leadspace API or UI into a JSON or CSV format file, in some cases a support ticket may be required for special exports.  Data erasure is done as part of customer off-boarding, customers can also request certificate of destruction from Leadspace support.  

(Also serves as Annex III to the EU SCCs, to the extent required under the applicable module)

Name of Other ProcessorDescription of ProcessingTerritoryContact Details
Google Cloud PlatformHosting ServicesUShttps://support.google.com/cloud/contact/dpo
InformaticaEmail verificationUSprivay@informatica.com
SalesIntelData enrichmentUSsupport@salesIntel.io
LiveRampMarketing platformUSUS – https://submit-irm.trustarc.com/services/validation/5c2b0c65-cac5-4a10-96cd-aa3821a77b2b UK – ukprivacy@liveramp.com EEA – cil@liveramp.com
DatabricksData processing platformUSPrivacy@databricks.com
Leadspace Ltd.Data processing and analysis.Israelcompliance_privacy@leadspace.com 
WorkatoIntegration between the Services and Customer CRM/MAP systemsUSPrivacy@workato.com


  1. DEFINITIONS. Capitalized terms not defined herein will have the meaning set forth in the DPA or under Privacy Laws and Regulations.
    1. EU SCCs” means the Standard Contractual Clauses pursuant to EU Commission Decision C(2021)3972.
    2. FADP” means the Swiss Federal Act on Data Protection of 19 June 1992 (Status as of 1 March 2019) as replaced by its amendment of September 25, 2020 (effective as of September 1, 2023).
    3. IDTA” means the International Data Transfer Agreement, issued by the ICO in accordance with section 119A of the Data Protection Act 2018, or any other applicable standard contractual clauses issued, approved, or otherwise recognized by the ICO.
    4. Swiss SCCs” means the applicable standard contractual clauses issued, approved, or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”).
    5. Third Country” means a country to which Personal Data is transferred that does not hold an Adequacy Recognition.
    6. A “Transfer” means a transfer by Leadspace, Leadspace’s New Processors or Leadspace’s Other Processors of: (1) GDPR-governed Customer Personal Data transferred outside the EEA (“EEA Transferred Data”); (2) UK-GDPR governed Customer Personal Data transferred outside the UK (“UK Transferred Data”); and, (3) FADP-governed Customer Personal Data transferred outside of Switzerland (“Swiss Transferred Data”, and all the EEA Transferred Data, UK Transferred Data and Swiss Transferred Data: “Transferred Data”).
    7. UK Addendum” means the UK addendum published by the Information Commissioner’s Office (“ICO”) in accordance with section 119A(1) of the Data Protection Act of 2018, incorporating the EU SCCs.
  2. EEA TRANSFERS. Transfers of EEA Transferred Data to a Third Country, will be made under the EU SCCs, giving effect to module 2 or 3, as applicable, which is incorporated by reference to this DPA, as follows:
    1. In Clause 7, the optional docking clause will apply.
    2. If applicable – in clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set out in Section 5 of this DPA.
    3. In clause 11, the optional language will not apply.
    4. In clause 17, Option 1 will apply, and the EU SCC will be governed by the Irish law.
    5. In clause 18(b), disputes will be resolved before the courts of Ireland.
    6. Annexes (I)-(II) to the EU SCC will be completed with the relevant details in ANNEXES A-B to this DPA.
  3. UK TRANSFERS. Transfers of UK Transferred Data to a Third Country, will be made –
    1. In accordance with the EU SCCs as detailed in section 2 above, as incorporated by the UK Addendum, which is incorporated by reference to this DPA, with the necessary changes made as detailed in sections 12-15 to the UK Addendum; or,
    2. If the EU SCCs as implemented above cannot be used to lawfully Transfer UK Transferred Data, the IDTA will instead be incorporated by reference, will form an integral part of this DPA, and will apply to UK Transferred Data. In such case, the relevant Annexes of the Swiss SCCs will be populated using the information contained in ANNEXES A-B.
  4. SWISS TRANSFERS. Transfers of Swiss Transferred Data to a Third Country, will be made –
    1. In accordance with the EU SCCs as detailed in section 2 above, as recognized by the FDPIC on August 27, 2021, with the following modifications: (1) references to ‘EU’, ‘Union’, ‘Member State’ and ‘Member State law’ will be interpreted as references to ‘Switzerland’, and ‘Swiss law’, as applicable; and, (2) references to ‘Competent supervisory authority’ and ‘Competent courts’ will be interpreted as references to the FDPIC and Competent courts in Switzerland; or,
    2. If the EU SCCs as implemented above cannot be used to lawfully Transfer Swiss Transferred Data in compliance with the FADP, the Swiss SCCs will instead be incorporated by reference, will form an integral part of this DPA, and will apply to Swiss Transferred Data. In such case, the relevant Annexes of the Swiss SCCs will be populated using the information contained in ANNEXES A-B.
  5. SUPPLEMENTAL MEASURES. In accordance with Article 46 of the GDPR, the EU SCCs and guidelines published by the European Data Protection Board (EDPB), and without prejudice to any provisions of the DPA or this Annex, Leadspace undertakes to implement the following organizational and technical safeguards, in addition to the safeguards mandated by the EU SCCs, to ensure the required adequate level of protection to Transferred Data:
    1. Technical and Organizational Measures. Leadspace will implement and maintain the technical and organizational measures, as specified in ANNEX 2, which is attached and incorporated by reference to this DPA, with a purpose to protect Customer Personal Data against any processing for national security or other government purposes that go beyond what is necessary and proportionate in a democratic society, considering the nature of processing activities under the Agreement and relevant circumstances.
    2. Contractual Measures. For the purposes of safeguarding Transferred Data when any Third Country’s government or regulatory authority requests access to such data (“Request”), and unless required by a valid court order or if otherwise Leadspace may face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to EEA Transferred Data, or where the access is requested in the event of imminent threat to lives, Leadspace will:
      1. Not purposefully create back doors or similar programming that could be used to access EEA Transferred Data;
      2. Not provide the source code or encryption keys to any third party for the purpose of accessing EEA Transferred Data;
      3. Upon Customer’s written request, provide reasonable information about the requests of access to Customer Personal Data by government agencies Leadspace has received in the 6 months preceding to Customer’s request; and,
      4. Notify Customer upon receiving a request by a government agency to access Customer Personal Data to enable Customer to take necessary actions, communicate directly with the relevant authority and to respond to the request. If Leadspace is prohibited by law to notify the Customer of such request, Leadspace will take reasonable efforts to challenge such prohibition through judicial action or other reasonable measures, and to the extent possible, will provide only the minimum amount of information necessary.
  6. FUTURE ADEQUACY. As applicable, if: (A) the Adequacy Recognition is amended or otherwise terminated by the EU Commission or a UK Secretary of State; (B) the EU SCC are invalidated or are no longer in effect; or (C) any other Transfer safeguard used for the Transfer of Transferred Data is no longer in effect for any reason, then Leadspace will take all reasonable efforts to ensure that a lawful mechanism is available and applied to enable the lawful Transfer of Transferred Data by Leadspace, Leadspace’s Other Processors, or equivalents thereof.