Data Processing Agreement
Last updated May 1, 2022

This Data Processing Agreement (including any terms set forth in a schedule, appendix or addendum hereto, “DPA”), dated as of May 1st, 2022  (“Effective Date”), is by and between (“Client”), and Traact, Inc. (“Vendor”).  Client and Vendor may be referred to herein together as the “Parties”, and each may be referred to herein as a “Party”. To the extent that the Parties have entered into a prior agreement governing the processing of personal data (the “Prior Agreement”), the Parties understand and agree that this DPA shall supersede and replace such Prior Agreement. For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, Client and Vendor hereby agree as follows:

 

  1. Definitions.  

    1. “Applicable Laws” means, collectively, all now existing or hereinafter enacted or amended laws, rules, regulations (including, without limitation, self-regulatory obligations), and/or sanctions programs applicable to a Party’s performance hereunder and/or obligations with respect to data protection. 

    2. “CCPA” means the California Consumer Privacy Act of 2018 (Title 1.81.5 of the Civil Code of the State of California), together with all effective regulations adopted thereunder (in each case, as amended from time to time).

    3. “Client Data” means all information, data, content and other materials, in any form or medium, that is submitted, posted, collected, transmitted or otherwise provided by or on behalf of Client through the Services. 

    4. “Client Personal Data” means Client Data that is Personal Data processed by Vendor on behalf of Client in the provision of the Services under the Service Agreement(s).

    5. “Controller” means (i) under and in the context of European Data Protection Law, the data “controller” (as defined by GDPR), (ii) under and in the context of CCPA, the “business” (or third party) (each, as defined by CCPA), and (iii) under and in the context of any other privacy or data protection law, rule, or regulation applicable to a Party’s performance hereunder, a “controller”, “business”, or corresponding term denoting a substantially similar definition, role, and obligations under such law, rule or regulation.

    6. “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (and each successor regulation, directive or other text of the foregoing, in each case as amended from time to time).

    7. “European Data Protection Law” means each of EU GDPR, UK GDPR, and the Federal Data Protection Act of 19 June 1992 (Switzerland) (as the same may be superseded by the Swiss Data Protection Act 2020 and as amended from time to time).

    8. “GDPR” means, as applicable, (i) the EU GDPR and/or (ii) the UK GDPR.

    9. “Personal Data” means any information that constitutes (a) “personal information” (as defined by, and in the context of, CCPA), (b) “personal data” (as defined by, and in the context of, European Data Protection Law), and/or (c) “personal data,” “personal information,” or other term denoting a substantially similar definition and obligations under, and in the context of, any other Applicable Laws, in each case that is (i) made available or otherwise provided by Client to Vendor in connection with the Services and/or (ii) collected or accessed by Vendor under a Service Agreement(s) via a pixel, cookie, tag, or similar technology on any of Client’s digital properties.

    10. “Process” means any operation or set of computer operations performed on Personal Data, including, but not limited to, collection, recording, organization, structuring, storage, access, adaptation, alteration, retrieval, consultation, use, transfer, transmit, sale, rental, disclosure, dissemination, making available, alignment, combination, deletion, erasure, or destruction.

    11. “Processor” means (i) under and in the context of European Data Protection Law, the data “processor” (as defined by GDPR), (ii) under and in the context of CCPA, a “service provider” (as defined by CCPA), and (iii) under and in the context of any other privacy or data protection law, rule, or regulation applicable to a Party’s performance hereunder, a “processor”, “service provider”, or corresponding term denoting a substantially similar definition, role, and obligations under such law, rule or regulation.

    12. “Security Incident” means (i) any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Personal Data or (ii) any other event that constitutes a “security breach”, “personal data breach”, or substantially similar term with respect to Personal Data under an Applicable Law(s).

    13. “Service Agreements” means, collectively, the agreements and/or terms of service (including, as applicable, each of the Statements of Work/SOWs/Orders/Order Forms and exhibits thereunder) between Client and Vendor.

    14. “Services” means, collectively, the products and/or services provided by Vendor to Client under the Service Agreements.

    15. “Sub-Processor” means a contractor, subcontractor, consultant, third-party service provider, or agent engaged by Vendor for further Processing of Personal Data.

    16. “UK GDPR” has the meaning ascribed thereto in section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act 2018 (as amended from time to time).

  2. Data Processing Obligations.  

    1. General.  

  1. Each Party shall comply with its obligations relating to Personal Data under this DPA and under Applicable Laws at its own cost. With respect to Personal Data, (i) Client is a Controller and (ii) Vendor is a Processor that acts upon the instructions of Client, including, without limitation, in accordance with the applicable Service Agreement, this DPA, and any other documented instructions provided by Client.

  2. With regard to Vendor employees engaged in Processing Personal Data, Vendor shall ensure that such employees are informed of the confidential nature of the Personal Data and are subject to appropriate confidentiality obligations sufficient to comply with the terms of the applicable Service Agreement(s) and this DPA, which confidentiality obligations shall survive following termination of this DPA for at least as long as the period(s) required by the applicable Service Agreement(s) and this DPA.

  3. Client will have sole responsibility for the accuracy, quality, and legality of Client Personal Data and the means by which Client obtained the Client Personal Data, including, without limitation, obtaining appropriate consent to collect the Client Personal Data and share such data Vendor in accordance with Applicable Laws.

  1. GDPR.  

    1. European Economic Area and Switzerland.  

      1. The Processing by Vendor of Personal Data relating to an EEA or Switzerland data subject (including, without limitation, the transfer of such Personal Data from the EEA to a third country not providing an adequate level of protection) will be further governed by the EU Standard Contractual Clauses (Transfers Controller-to-Processor) (Module Two thereunder), with Client as data exporter and Vendor as data importer, attached hereto (without provisions with respect to Module One, Module Three, or Module Four thereunder) as Schedule I-A (together with all Appendixes and Annexes thereto, and as the same may be amended, supplemented, or otherwise modified from time to time, “EU SCCs”), which is incorporated by reference into this DPA solely with respect to Personal Data relating to EEA and/or Switzerland data subjects.  If there is any conflict between (x) the terms and conditions of either this DPA or the applicable Service Agreement(s), on the one hand, and (y) the terms and conditions of the EU SCCs, on the other hand, then, with respect to Personal Data relating to an EEA and/or Switzerland data subject(s), the terms and conditions of the EU SCCs will prevail and control.  

      2. Vendor may only transfer Personal Data relating to an EEA or Switzerland data subject outside the EEA in compliance with Applicable Laws and pursuant to a data transfer mechanism then-recognized by the European Commission as a legitimate basis for the transfer of such Personal Data outside the EEA.

    2. United Kingdom.  

      1. The Processing by Vendor of Personal Data relating to UK data subjects (including, without limitation, the transfer of such Personal Data from the UK to a third country not providing an adequate level of protection) will be further governed by those certain “Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to processor transfers)”, with Client as data exporter and Vendor as data importer, attached hereto as Schedule I-B (together with all Appendixes and Annexes thereto, and as the same may be amended, supplemented, or otherwise modified from time to time, “UK SCCs”), which is incorporated by reference into this DPA solely with respect to Personal Data relating to UK data subjects; provided that Client and Vendor hereby agree to replace the UK SCCs attached hereto as Schedule I-B with the version (and module, if applicable) of the UK Standard Contractual Clauses as may be issued and/or required by the UK Information Commissioner’s Office after the Effective Date, with Client as data exporter (controller) and Vendor as data importer (processor), prior to the date required by Applicable Laws (if the term of a Service Agreement(s) is scheduled to continue such date).  If there is any conflict between (x) the terms and conditions of either this DPA or the applicable Service Agreement(s), on the one hand, and (y) the terms and conditions of the UK SCCs, on the other hand, then, with respect to Personal Data relating to a UK data subject(s), the terms and conditions of the UK SCCs will prevail and control.  

      2. Vendor may only transfer Personal Data relating to a UK data subject outside the UK in compliance with Applicable Laws and pursuant to a data transfer mechanism then-recognized by the government of the United Kingdom as a legitimate basis for the transfer of such Personal Data outside the UK.

  2. CCPA.  Without limiting any of the restrictions on or obligations of Vendor under this DPA, under any of the Service Agreements, or under Applicable Laws, with respect to Personal Data relating to a California “consumer” (as defined by CCPA) or household (“CCPA Personal Data”):

  3.  

    1. Client shall be disclosing such CCPA Personal Data under the applicable Service Agreement(s) to Vendor for a “business purpose” (as defined by CCPA), and Vendor shall Process such CCPA Personal Data solely on behalf of Client and only as necessary to perform such business purpose for Client; and

    2. Vendor shall not: (i) “sell” (as defined by CCPA) CCPA Personal Data; or (ii) retain, use, or disclose CCPA Personal Data (x) for any purpose (including a “commercial purpose” (as defined by CCPA)) other than for the specific purpose of performing for Client the services specified in the particular Service Agreement(s) or (y) outside of the direct business relationship between Vendor and Client; Vendor certifies that it understands the restrictions set forth in this Section 2.3(b) and shall comply with them; and

    3. Notwithstanding anything to the contrary in this DPA (including, for purposes of clarification and without limitation, clauses (a) and (b) of this Section 2.3), in no event shall Vendor process any CCPA Personal Data in such a manner as would constitute (i) a sale (as defined by CCPA) of CCPA Personal Data by Client to Vendor or (ii) on or after January 1, 2023, the sharing (as defined under CCPA (as amended by the California Privacy Rights Act of 2020)) of CCPA Personal Data by Client with Vendor; and

    4. If directed by Client with regard to a particular California consumer or household, Vendor shall delete the CCPA Personal Data of such consumer or household. 

  4. Changes in Applicable Laws.  If, due to any change in Applicable Laws, a Party reasonably believes that (a) Vendor ceases to be able to provide a Service(s) in whole or in part (e.g., with respect to a particular jurisdiction) and/or Client ceases to be able to use a Service(s) in whole or in part under the then-current terms and conditions of the applicable Service Agreement(s) and this DPA, each Party may terminate the applicable Service Agreement(s) (in whole or, if reasonably practicable, in part).

  5. Security.  

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risks. Such measures will include reasonable administrative, physical, and technical security controls (including those required by Applicable Laws) that prevent the collection, use, disclosure, or access to Personal Data and Client confidential information that the Service Agreements do not expressly authorize, including maintaining a comprehensive information security program that safeguards Personal Data and Client confidential information. These security measures include, but are not limited to: (i) the pseudonymization and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. 

    2. When assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

  6. Supplementary Measures and Safeguards.

    1. Assistance; Risk Assessment.  

      1. Vendor shall assist Client to ensure compliance with Applicable Laws in connection with the Processing of Personal Data.  

    2. Representation and Warranty. Vendor represents and warrants that it has no reason to believe that any Applicable Law(s), including any requirements to disclose Personal Data or measures authorizing access by governmental agency or regulatory authority, prevents Vendor from fulfilling any of its obligations under the Service Agreements or this DPA. 

    3. Orders. Vendor shall notify Client immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data. Client shall have the right to defend such action in lieu of and/or on behalf of Vendor. Client may, if it so chooses, seek a protective order. Vendor shall reasonably cooperate with Client in such defense.

  7. Notifications. 

    1. Security Incidents.  Vendor has and will maintain a security incident response plan that includes procedures to be followed in the event of a Security Incident. Vendor will provide Client with written notice promptly after discovering a Security Incident (including those affecting Vendor or its Sub-Processors), including any information that Client is required by law to provide to an applicable regulatory agency or to the individuals whose personal data was involved in the Security Incident. Such notice will, at a minimum, include the following information: (i) a description of the nature of the Security Incident, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (ii) description of the likely consequences of the Security Incident; and (iii) a description of the measures taken or proposed to be taken by the Client to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.

    2. Data Subject Requests.  Vendor shall (i) promptly notify Client about any request under Applicable Law(s) with respect to Personal Data received from or on behalf of the applicable data subject and (ii) reasonably cooperate with Client’s reasonable requests in connection with data subject requests with respect to Personal Data.  Vendor shall assist Client, through appropriate technical and organizational measures, to fulfill its obligations with respect to requests of data subjects seeking to exercise rights under Applicable Law with respect to Personal Data.

  8. Sub-Processors.

    1. Vendor shall not have Personal Data Processed by a Sub-Processor unless such Sub-Processor is bound by a written agreement with Vendor that includes data protection obligations at least as protective as those contained in this DPA and the applicable Service Agreement(s) and that meet the requirements of Applicable Laws. Vendor is and shall remain fully liable to Client for any failure by any Sub-Processor to fulfill Vendor’s data protection obligations under Applicable Laws, this DPA, and/or any and all of the Service Agreements.

    2. Vendor provides a website that lists all Sub-Processors who access Personal Data (the “Website”). Client specifically authorizes and instructs Vendor to engage the Sub-Processors listed on the Website as of the Effective Date. At least 14 days before authorizing any new Sub-Processors, Vendor will update the Website, notify Client and grant the opportunity to object to such change. Upon Client’s request, Vendor will provide all information necessary to demonstrate that the Sub-Processors will meet all requirements pursuant to Section 6.1. In the case Client objects to any Sub-Processor, Vendor can choose to either not engage the Sub-Processor or to terminate this DPA with thirty (30) days’ prior written notice.

    3. Third-party providers that maintain IT systems whereby access to Personal Data is not needed but can technically also not be excluded do not qualify as Sub-Processors within the meaning of this Section 6. They can be engaged based on regular confidentiality undertakings and subject to Vendor’s reasonable monitoring.

  9. Deletion, Return, and Retention.  Subject to all Applicable Laws: (a) Vendor shall, for forty-five (45) days following the termination of a Service Agreement (unless Client otherwise instructs Vendor in writing (including email) that such forty-five (45) day period can be changed to a shorter period set forth in such writing) and at Client’s request, permit Client to (at the election of Client) either (i) export its Personal Data under such Service Agreement or (ii) delete all Personal Data under such Service Agreement in accordance with the capabilities of the service thereunder; and (b) promptly (but in any event not more than forty-five (45) days) following such forty-five (45) day period, Vendor shall securely delete all Personal Data stored by Vendor on behalf of Client under such Service Agreement.

  10. Documentation; Audits.  

    1. Vendor shall, upon Client’s request, provide Client (a) comprehensive documentation of Vendor’s technical and organizational security measures, (b) any and all third-party audits and certifications available with respect to such security measures, and (c) and all other information reasonably necessary to demonstrate compliance with the Vendor’s obligations under this DPA and/or under Applicable Laws.

    2. In the case Client has justifiable reason to believe that Vendor is not complying with the terms and conditions under this agreement, in particular with the obligation to implement and maintain the agreed technical and organizational data security measures, and only once per year, Client is entitled to audit Vendor. This audit right can be exercised by (i) requesting additional information, (ii) accessing the databases which process Personal Data or (iii) by inspecting Vendor’s working premises whereby in each case no access to personal data of other customers or Vendor’s confidential information will be granted. Alternatively, Client may also engage third party auditors to perform such tasks on its behalf. The costs associated with such audits and/or for providing additional information shall be borne by Client unless such audit reveals Vendor’s material breach of this DPA. If Client intends to conduct an audit at Vendor’s working premises, Client shall give reasonable notice to Vendor and agree with Vendor on the time and duration of the audit. In the case of a special legitimate interest, such audit can also be conducted without prior notice. Both Parties shall memorialize the results of the audit in writing

  11. Term; Termination.  This DPA shall remain in effect until (a) all Service Agreements have terminated and (b) all obligations that Vendor has under the Service Agreements and under Applicable Laws with respect to Personal Data, and all rights that Client has under the Service Agreements and under Applicable Laws with respect to Personal Data, have terminated.  Notwithstanding termination of this DPA, any provisions hereof that by their nature are intended to survive, shall survive termination.

  12. Miscellaneous.

    1. Any notice made pursuant to this DPA will be in writing and will be deemed delivered on (a) the date of delivery if delivered personally, (b) five (5) calendar days (or upon written confirmed receipt) after mailing if duly deposited in registered or certified mail or express commercial carrier, or (c) one (1) calendar day (or upon written confirmed receipt) after being sent by email, addressed to Client at the address or email address on record with Vendor in Client’s account information, or addressed to Vendor at the address or email address set forth below, or to such other address or email address as may be hereafter designated by either Party:

Traact, Inc.

545 Bryant St.

Palo Alto, CA 94086

support@traact.com

 

  1. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the applicable Service Agreements, unless required otherwise by Applicable Laws.

  2. Neither Party may assign or transfer any part of this DPA without the written consent of the other Party; provided, however, that this DPA, collectively with all Service Agreements, may be assigned without the other Party’s written consent by either Party to a person or entity who acquires, by sale, merger or otherwise, all or substantially all of such assigning Party’s assets, stock or business.  Subject to the foregoing, this DPA shall bind and inure to the benefit of the Parties, their respective successors and permitted assigns.  Any attempted assignment in violation of this Section 12.3 shall be void and of no effect.

  3. This DPA is the Parties’ entire agreement relating to its subject and supersedes any prior or contemporaneous agreements on that subject; provided, however, that, notwithstanding the foregoing but subject to the last sentence of this Section 10.4, nothing in this DPA shall be deemed to supersede any of the Service Agreements.  Failure to enforce any provision of this DPA shall not constitute a waiver.  If any provision of this DPA is found unenforceable, it and any related provisions shall be interpreted to best accomplish the unenforceable provision’s essential purpose.  The headings contained in this DPA are for reference purposes only and shall not affect in any way the meaning or interpretation of this DPA.  In the event of a conflict between the terms and conditions of this DPA and the terms and conditions of any Service Agreement, the terms and conditions of this DPA shall govern.

SCHEDULE I-A

EU SCCs

 

[TO BE ATTACHED]

 

SCHEDULE I-B

UK SCCs