GrowthLoop Data Processing Addendum

This Data Processing Addendum (“DPA”), forms part of, and is subject to the GrowthLoop Segmentation Platform Terms of Services between Provider and Client that reference this DPA (the “Agreement”). The parties enter into this DPA on behalf of themselves and, to the extent required under applicable Data Protection Laws, in the name and on behalf of their affiliates, and this DPA shall be effective on the effective date of the Agreement (“Effective Date”).

All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

1. Definitions

“Business Purpose” has the meaning given in subdivision (e) of Cal. Civ. Code §1798.140 and “purpose” will be interpreted accordingly.  

“Client Data” means any information or other data (including Personal Data) provided by or on behalf of Client to Provider for purposes of the Agreement and/or any related services.

“Client Personal Data” means any Client Data that is Personal Data.

“Consumer” has the meaning given in subdivision (i) of Cal. Civ. Code §1798.140.

“Contractor” has the meaning given in subdivision (j)(1) of Cal. Civ. Code §1798.140.

“Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, in the EU, the GDPR and its implementing regulations; in the UK, the UK GDPR; and in the U.S., the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act of 2020 (“CPRA”), the Virginia Consumer Data Protection Act of 2021, the Colorado Privacy Act of 2021, the Utah Consumer Privacy Act of 2022; and the Connecticut Data Privacy Act of 202.

“Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.

“Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.

“EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data (“Directive”) and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”), and repealing Directive 95/46/EC.

“EEA” means, for the purposes of this DPA, the European Economic Area and/or its member states, United Kingdom and/or Switzerland.

“Model Clauses” means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en and as updated from time to time.

“Personal Data” means information that: (i) identifies or can be used to identify an individual (including, without limitation, names, signatures, addresses, telephone numbers, e-mail addresses and other unique identifiers); (ii) can be used to authenticate an individual (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or PINs, financial account numbers, credit report information, biometric or health data, answers to security questions and other personal identifiers); or (iii) relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an individual, including inferences about such individual.  In the case of subclauses (i) through (iii), this information includes, without limitation, all Sensitive Personal Data. Client’s business contact information is not by itself deemed to be Personal Data. Further, the term “Personal Information” as defined in the CCPA/CPRA shall have the same meaning as Personal Data used herein.

“Processing” has the meaning given to it in subdivision (y) of Cal. Civ. Code §1798.150 and “process,” “processes” and “processed” will be interpreted accordingly.

“Purposes” shall mean the data Processing purposes described and defined in Section 3.4 of this DPA.

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Client Personal Data, but does not include any unsuccessful attempt or activity that does not compromise the security of Client Personal Data, such as pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers).

“Services” means the services provided by Provider to Client pursuant to the Agreement.

“Sensitive Personal Data” is a subset of Client Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Further, the term “Sensitive Personal Information” as defined in the CPRA shall have the same meaning as Sensitive Personal Data used herein.

“Sell, Selling, Sale or Sold” has the meaning given in subdivision (ad)(1) of Cal. Civ. Code §1798.140.

“Service Provider” has the meaning given in subdivision (ag)(1) of Cal. Civ. Code §1798.140.

“Sharing” has the meaning given in subdivision (ah)(1) of Cal. Civ. Code §1798.140.

“Sub-processor” means any Data Processor engaged by or on behalf of Provider to assist in fulfilling its obligations pursuant to the Agreement or this DPA.

“Third Party” has the meaning given in subdivision (ai) of Cal. Civ. Code §1798.140.

“UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).

“Verifiable Consumer Request” has the meaning given in subdivision (y) of Cal. Civ. Code §1798.140.

2. Scope and Applicability of this DPA
   1. Scope and Applicability. This DPA applies where and only to the extent that Provider Processes Client Personal Data on behalf of Client as Data Processor in the course of providing Services pursuant to the Agreement.  Any other Processing of Personal Data with respect to Client and its users conducted by Provider as a Data Controller, including business relationship administration and system security, will be carried out in accordance with Provider’s then-current privacy policy.  Notwithstanding expiry or termination of the Agreement, this DPA and Model Clauses (if applicable) will remain in effect until, and will automatically expire upon, deletion of all Client Personal Data processed by Provider as described in this DPA.
3. Roles of the Parties; Details of Processing
   1. Role of the Parties. If and to the extent that the Services provided by Provider under the Agreement require Provider to Process Personal Data, then as between Provider and Client, Provider shall process Client Personal Data only as a Data Processor acting on behalf of Client.  Client is either the Data Controller of Client Personal Data, or in the case that Client is acting on behalf of a third-party Data Controller, then a Data Processor.  
   2. Client Processing of Personal Data. Client represents and warrants to Provider: (i) Client will comply with its obligations under Data Protection Laws in respect of its Processing of Personal Data, including any obligations specific to its role as a Data Controller; (ii) Client has provided all notices and obtained all consents, assignments, licenses, authorizations, permissions and/or rights necessary under Data Protection Laws for Provider to lawfully Process Personal Data as contemplated under this Agreement for the Purpose; and (iii) it shall ensure its Processing instructions are lawful, and that Provider’s Processing of Client Personal Data in accordance with such instructions will not violate or infringe upon applicable Data Protection Laws or intellectual property, publicity, privacy or other rights governing such Client Personal Data. If Client is itself a Data Processor acting on behalf of a third-party Data Controller, Client further represents to Provider that Client’s instructions and actions with respect to that Client Personal Data, including its appointment of Provider as another Data Processor, have been authorized by the relevant Data Controller. Without limiting anything else herein or in the Agreement, Client acknowledges and agrees that is it solely responsible and liable for all Client Personal Data that it submits to the Services and/or directs Provider to submit to the Services, including, without limitation, any Client Personal Data which is misattributed, mislabeled, and/or miscategorized.
   3. Provider Processing of Personal Data. Provider will process Client Personal Data only to the extent, and in such a manner, as is necessary for the Purposes and in accordance with Client’s documented lawful instructions. Provider will not, and will ensure its Sub-processors do not, combine Client Personal Data with any Personal Data from other sources, or which Provider or its Sub-processor collected on its own behalf, except as permitted by Data Protection Laws, and will not “sell” any Client Personal Data within the meaning of the CCPA or otherwise. Additionally, Provider will comply with applicable obligations under the CPRA, including that Provider will provide the same level of privacy protection as required under the CPRA. The parties agree that the Agreement (including this DPA) sets out Client’s complete and final instructions to Provider in relation to the Processing of Client Personal Data. Additional Processing outside the scope of such instructions will require prior written agreement between the parties.
   4. Details of Processing. The following describes the details of the Processing to be provided by Provider to Client under this DPA.

(a) Subject Matter. The subject matter of the Processing under this DPA is Client Personal Data.

(b) Duration. The duration of the Processing under this DPA is the Term of the Agreement.

(c) Purposes. The Purposes of the Processing under this DPA is the provision of the Services to Client.

(d) Nature of Processing. The nature of the Processing under this DPA is the provision of computation, storage and other Services agreed to by Provider and Client.

(e) Type of Data. The type of Client Data to be Processed under this DPA includes Client Personal Data uploaded to the Services through Client’s accounts, , the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to, the following types of Personal Data: (i) Identification and contact data (such as name, title, contact details, address, phone number, device identifiers, email address, Client’s username or other user identifiers, and social media handle); (ii) Financial information (such as purchase details, transactional details, billing details, credit or debit card meta-data, account details, eligibility details, subscription details, and payment information);(iii) Employment details (such as employer, job title, geographic location, and area of responsibility); and/or (iv) IT information (IP addresses, usage data, cookies data, and location data).

(f) Categories of Data Subjects. The data subjects of the Processing under this DPA may include, without limitation, customers, employees, agents, advisors, representatives, consultants, leads, prospects, business partners, independent contractors, vendors, and suppliers, as well as end users authorized by Client to use the Services.

5. Notice of Processing Obligations. If, at any time, Provider is cannot meet its obligations under this DPA: (i) Provider shall provide notice to Client; (ii) Client may retrieve all Client Personal Data provided under this DPA; and (iii) Provider shall properly dispose of Client Personal Data in accordance with the retention requirements of this DPA. 

4. Subprocessing
   1. Authorized Sub-processors.  Client agrees that Provider may engage Sub-processors to process Client Personal Data on Client’s behalf. Provider shall (i) provide an up-to-date list of the Sub-processors it has appointed upon written request from Client; and (ii) notify Client if it adds or removes Sub-processors at least fourteen (14) days’ prior to allowing such Sub-processor to process Client Personal Data. Client may object in writing to Provider’s appointment of a new Sub-processor within ten (10) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If Provider cannot provide an alternative Sub-processor, or the parties are not otherwise able to achieve resolution as provided in the preceding sentence, Client, as its sole and exclusive remedy, may terminate the Agreement (including this DPA) upon written notice to Provider but shall not be eligible for any refund and Client must immediately pay all fees payable under the Agreement. 
   2. Sub-processor Obligations. Provider will: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to Process the Client Personal Data in a manner that is substantially similar to the standards set forth in this DPA, and, to the extent applicable to the Services provided by Provider, to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of each Sub-processor.
5. Security
   1. Security Measures.  Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Provider shall implement and maintain appropriate technical and organizational security measures to protect Client Personal Data from Security Incidents and to preserve the security and confidentiality of the Client Personal Data Processed by Provider on behalf of Client (“Security Measures”). Client is responsible for reviewing the information made available by Provider relating to data security and making an independent determination as to whether the Services meet Client’s requirements and legal obligations under Data Protection Laws. Client acknowledges that the Security Measures are subject to technical progress and development and that Provider may update or modify the Security Measures from time to time provided that such updates and modifications do not result in a material degradation of the overall security of the Services or Client Data, including Client Personal Data.
   2. Security Measures by Client. Client is responsible for using and configuring the Services in a manner that enables Client to comply with Data Protection Laws, including implementing appropriate technical and organizational measures. 
   3. Confidentiality of Processing. Provider shall ensure that any person who is authorized by Provider to process Client Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality.
   4. No Assessment of Client Data by Provider.  Client acknowledges that Provider will not assess the contents of Client Data in order to identify information subject to any specific legal requirements.  Client is solely responsible for complying with incident notification laws applicable to Client and fulfilling any third-party notification obligations related to any Security Incidents. 
   5. Client Responsibilities.  Client agrees that, without prejudice to Provider’s obligations under Section 5.1 (Security Measures) and Section 8.3 (Security Incident Response):
      1. Client is responsible for its use of the Services, including making appropriate use of the Services to ensure a level of security and appropriate to the risk in respect of the Client Personal Data, securing its account authentication credentials, managing its data back-up strategies, and protecting the security of Client Personal Data when in transit to and from the Services and taking any appropriate steps to pseudonymize, securely encrypt, and/or backup any Client Personal Data uploaded to the Services; and
      2. Provider has no obligation to protect Client Personal Data that Client elects to store or transfer outside of Provider’s and its Sub-processors’ systems (for example, offline or on-premise storage).
6. Security Reports and Audits
   1. Reports. Provider acknowledges that Provider is regularly audited by independent third-party auditors and/or internal auditors against Provider’s Security Measures. Upon request, Provider shall supply (on a confidential basis) a summary of its then-current audit report(s) and any other published materials made available by Provider, which further describe Provider’s principles, programs, and practices regarding information security and privacy (collectively, “Report”) to Client, so that Client can verify Provider’s compliance with this DPA.  Notwithstanding the foregoing, Client may disclose a Report as allowed under the applicable confidentiality section of the Agreement, including where requested or required by data protection authorities having jurisdiction over Client even if not legally required (“Data Protection Authority Request”), provided, however, that Client, as permitted by law, shall give Provider prior written notice of the Data Protection Authority Request such that Provider can attempt to secure confidential treatment for the Report.  If Client is not legally permitted to give Provider prior notice, Client agrees to use reasonable efforts to secure confidential treatment for the Report and further agrees to not remove or obscure any “confidential,” “proprietary,” or similar markings from the Report.
   2. Information requests. Provider shall also provide written responses (on a confidential basis) to all reasonable requests for information made by Client related to its Processing of Client Personal Data, including responses to information security and audit questionnaires that are necessary to confirm Provider’s compliance with this DPA, provided that Client shall not exercise this right more than once per year, except that this right may also be exercised in the event Client is expressly requested or required to provide this information to a data protection authority, or Provider has experienced a Security Incident, or other reasonably similar basis.
7. Transfers
   1. International Processing. Provider may process Client Data anywhere in the world where Provider, its affiliates or its Sub-processors maintain data Processing operations. Provider will at all times provide appropriate safeguards for Client Personal Data wherever it is processed, in accordance with the requirements of Data Protection Laws.
   2. EEA Transfers. To the extent Provider processes any Client Personal Data protected by applicable Data Protection Laws of the EEA (“EEA Data”), the parties agree that Provider makes available the transfer mechanisms listed below, for any transfers of EEA Data from the EEA to Provider located in a country which does not ensure an adequate level of protection (within the meaning of applicable Data Protection Law) and to the extent such transfers are subject to such Data Protection Laws of the EEA, Provider agrees to abide by and process EEA Data in compliance with the Model Clauses and for these purposes Provider agrees that it is a “data importer” and Client is the “data exporter” under the Model Clauses (notwithstanding that Client may be an entity located outside of the EEA).
8. Return or Deletion of Data
   1. Deletion by Client. Provider will enable Client to delete Client Data during the Term in a manner consistent with the functionality of the Service.  
   2. Deletion on Termination.  For thirty (30) days following termination or expiration of the Agreement, Client shall have the option to retrieve any remaining Client Personal Data in accordance with the Agreement. Thereafter, Client instructs Provider to automatically delete all remaining (if any) Client Personal Data (including copies).  Provider shall not be required to delete Client Personal Data to the extent (i) Provider is required by applicable law or order of a governmental or regulatory body to retain some or all of the Client Personal Data; and/or (ii), Client Personal Data has been archived on back-up systems, which Client Personal Data Provider shall securely isolate and protect from any further Processing, except to the extent required by applicable law.
   3. Security Incident Response. Upon confirming a Security Incident, Provider shall: (i) notify Client without undue delay, and in any event such notification shall occur no later than seventy two (72) hours from Provider becoming aware of the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Client; and (iii) Provider shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. Provider’s notification of or response to a Security Incident under this Section 8.3 (Security Incident Response) will not be construed as an acknowledgment by Provider of any fault or liability with respect to the Security Incident.
9. Compliance
   1. Cooperation. In no event shall this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority. If a law enforcement agency sends Provider a demand for Client Personal Data (e.g., a subpoena or court order), Provider will attempt to redirect the law enforcement agency to request that data directly from Client.  As part of this effort, Provider may provide Client’s contact information to the law enforcement agency.  If compelled to disclose Client Personal Data to a law enforcement agency, then Provider will give Client reasonable notice of the demand to allow Client to seek a protective order or other appropriate remedy to the extent Provider is legally permitted to do so.
   2. Consumer Access Requests. Taking into account the nature of the Processing, Provider shall (at Client’s request and expense) provide reasonable cooperation to enable Client to respond to any requests from applicable data protection authorities or a Verifiable Consumer Request to exercise rights (to the extent available to them under Data Protection Laws) of: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to Processing, not to be subject to automated individual decision making, opt-out of the sale of Personal Data, or the right not to be discriminated against, in each case solely to the extent relating to the Processing of Client Personal Data through the Services under the Agreement. In the event that any Verifiable Consumer Request is made directly to Provider where such request identifies Client, Provider shall not respond to such communication directly without Client’s prior authorization, unless legally compelled to do so, and instead, after being notified by Provider, Client shall respond to the Verifiable Consumer Request. If Provider is required to respond to such a Verifiable Consumer Request, Provider will promptly notify Client and provide Client with a copy of the Verifiable Consumer Request unless legally prohibited from doing so.
   3. Records. Client acknowledges that Provider may be required under the GDPR or the UK GDPR, as applicable to: (a) collect and maintain records of certain information, including the name and contact details of each Data Processor and/or Data Controller on behalf of which Provider is acting and, where applicable, of such Data Processor’s or Data Controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities.  Accordingly, if the GDPR or UK GDPR applies to the Processing of Client Personal Data, Client will, where requested, provide such information to Provider via the Services or other means provided by Provider, and will ensure that all information provided is kept accurate and up-to-date.
   4. DIPA. To the extent Provider is required under applicable Data Protection Law, Provider shall (at Client’s request and expense) provide reasonably requested information regarding the Services to enable the Client to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
10. Relationship with the Agreement
    1.  Entire Agreement. The parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment or exhibit the parties may have previously entered into in connection with the Services. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Client Personal Data. Notwithstanding the foregoing, and solely to the extent applicable to any patient, medical or other protected health information regulated by HIPAA or any similar U.S. federal or state laws, rules or regulations (“PHI”), if there is any conflict between this DPA and a Business Associates Agreement between Client and Provider (“BAA”), then the BAA shall prevail to extent the conflict relates to such PHI.
    2.  Liability. Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party and each party’s affiliates under this DPA shall be subject to the limitations on liability set out in the Agreement.  Without limiting either of the parties’ obligations under the Agreement, Client agrees that any regulatory penalties incurred by Provider in relation to the Client Personal Data that arise as a result of, or in connection with, Client’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce Provider’s liability under the Agreement as if it were liability to the Client under the Agreement.
    3. Governing Law and Jurisdiction. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
    4.  Certification. Provider certifies that it understands its obligations under this DPA and shall comply with them.

‍