DATA PROCESSING ADDENDUM (NORTH AMERICA)
This Data Processing Addendum (“DPA”) forms part of the Terms and any applicable Order Form between Customer and Provider (collectively, the “Agreement”) where Provider Processes Customer Personal Information as a Processor on behalf of Customer.
This DPA supplements, and does not limit, the Agreement. In the event of a direct conflict between this DPA and the Agreement regarding the Processing of Customer Personal Information, this DPA will control. Nothing in this DPA increases either party’s monetary liability beyond the limitations set out in the Agreement.
Capitalized terms used but not defined in this DPA have the meanings given in the Agreement.
1. Definitions
- “Applicable Privacy Laws” means all privacy and data-protection laws applicable to the Processing of Customer Personal Information under this DPA, including, as applicable, (a) U.S. federal and state privacy and data-protection laws (including, without limitation, the California Consumer Privacy Act as amended by the CPRA and other comprehensive U.S. state consumer privacy laws in effect from time to time); (b) Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws (including Alberta PIPA, BC PIPA, and Quebec’s Law 25); and (c) any substantially similar or successor laws.
- “Controller” means the entity that determines the purposes and means of Processing Personal Information. For this DPA, Customer is the Controller of Customer Personal Information.
- “Customer Personal Information” has the meaning given in the Agreement; for clarity, Customer Personal Information is the Personal Information within Customer Data that Provider Processes on behalf of Customer under the Agreement.
- “Data Subject” means an identified or identifiable natural person to whom Personal Information relates.
- “Personal Information” means any information relating to an identified or identifiable individual, including information defined or described as “personal information,” “personal data,” “personally identifiable information,” or similar terms under Applicable Privacy Laws.
- “Processor” means an entity that Processes Personal Information on behalf of a Controller. For the purposes of this DPA, Provider acts as Customer’s Processor (or “service provider” or “processor” as those terms are defined under Applicable Privacy Laws) when Processing Customer Personal Information on Customer’s behalf.
- “Security Incident” means a confirmed or reasonably suspected unauthorized access to or disclosure of Customer Personal Information, or other compromise of the security, confidentiality, or integrity of Customer Personal Information Processed by Provider in connection with the Services, excluding unsuccessful attempts or activities that do not compromise the security of Customer Personal Information (such as unsuccessful login attempts, pings, port scans, or denial-of-service attacks that do not result in access).
- “Sensitive Data” means categories of Personal Information that are subject to enhanced or special protection under Applicable Privacy Laws, including health data, biometric identifiers, financial account numbers, precise geolocation, information about children, and any other data categorized as “sensitive” by Applicable Privacy Laws.
- “Subprocessor” means any third party engaged by Provider to Process Customer Personal Information on behalf of Customer.
2. Roles and Scope
- Roles. Customer is the Controller of Customer Personal Information. Provider acts as Customer’s Processor when Processing Customer Personal Information. Provider will Process Customer Personal Information solely on behalf of Customer and only as described in the Agreement and this DPA.
- Instructions. Customer is responsible for ensuring that its instructions to Provider regarding the Processing of Customer Personal Information comply with Applicable Privacy Laws. The parties agree that the Agreement (including this DPA), together with Customer’s use of the Services in accordance with the Agreement, constitute Customer’s complete and final instructions to Provider for the Processing of Customer Personal Information. Customer may issue additional written instructions during the applicable Service Term, provided that such instructions are: (a) consistent with the Agreement; (b) technically feasible; and (c) lawful. Provider will promptly notify Customer if Provider determines that Customer’s instructions violate Applicable Privacy Laws.
- Compliance with Instructions and Purpose Limitation. Provider will Process Customer Personal Information only for the purposes described in the Agreement and this DPA, or as otherwise documented within Customer’s lawful instructions, except where Processing is required by Applicable Privacy Laws. Provider is not responsible for compliance with any data protection or privacy laws that apply solely to Customer or Customer’s industry and that are not generally applicable to processors performing substantially similar services. Where legally permitted, Provider will notify Customer if Provider is required by applicable law to Process Customer Personal Information in a manner that conflicts with Customer’s instructions.
- Description of Processing. The subject matter, nature, and purpose of the Processing, the types of Customer Personal Information, the categories of Data Subjects, and the duration of the Processing are described in the Agreement and applicable Order Forms and further detailed in Exhibit A (Description of Processing) to this DPA. The parties may update Exhibit A as reasonably necessary to reflect changes to Customer’s use of the Services, provided such updates remain consistent with the Agreement.
- Sensitive Data. Customer determines, through its configuration and use of the Services, the types of Customer Data that Customer transmits or Processes within the Services. Customer is responsible for ensuring that appropriate safeguards, notices, consents, and security controls are in place prior to transmitting or Processing any Sensitive Data (as defined under Applicable Privacy Laws) via the Services. Unless expressly agreed in writing, the Services are not designed to Process Sensitive Data subject to heightened protections under Applicable Privacy Laws (including, where applicable, health information, financial account numbers, biometric identifiers, precise geolocation, children’s data, or other categories designated as sensitive), and Provider is not a “business associate” under HIPAA and will not enter into a business associate agreement absent a separate written agreement. To the extent Customer chooses to submit Sensitive Data, such Processing will be subject to the scope limitations, restrictions, and safeguards described in this DPA and any additional mutually agreed terms between the parties.
- Restrictions on Processing. Provider will not:
- sell or share Customer Personal Information, or otherwise Process Customer Personal Information for Provider’s own purposes or for any purpose other than providing the Services;
- retain, use, or disclose Customer Personal Information for any purpose other than to perform the Services or as permitted under the Agreement, this DPA, or Applicable Privacy Laws;
- retain, use, or disclose Customer Personal Information outside the direct business relationship between Customer and Provider;
- combine Customer Personal Information with Personal Information that Provider receives from or on behalf of another person or entity or collects from Provider’s own interactions with a Data Subject, except (i) as permitted by Applicable Privacy Laws to perform a business purpose, or (ii) to provide, maintain, secure, or improve the Services;
- Process, transfer, modify, amend, or alter Customer Personal Information except in accordance with Customer’s lawful instructions or as required by Applicable Privacy Laws;
- disclose Customer Personal Information to any third party except to authorized Sub-processors or as otherwise permitted under this DPA or required by Applicable Privacy Laws; or
- engage in any Processing that would cause Provider to qualify as a “business” or “controller” with respect to Customer Personal Information under Applicable Privacy Laws.
- Provider certifies that it understands and will comply with the restrictions set out in this Section.
3. Provider Personnel
- Limited Access. Provider will ensure that access to Customer Personal Information is limited to its and its Affiliates’ personnel who have a legitimate need to access such information in order to perform Provider’s obligations under the Agreement and this DPA.
- Confidentiality Obligations. Provider will ensure that all personnel who have access to Customer Personal Information are bound by written confidentiality obligations that are no less protective than those in the Agreement. Such obligations will survive termination of the personnel’s engagement with Provider.
- Training. Provider will ensure that personnel who Process Customer Personal Information receive appropriate training regarding their responsibilities under Applicable Privacy Laws and this DPA, including training relating to information security, confidentiality, and the proper handling of Customer Personal Information.
- Reliability and Integrity. Provider will take commercially reasonable steps to ensure the reliability and integrity of personnel who have access to Customer Personal Information.
- Least-Privilege Access Controls. Provider will ensure that personnel access Customer Personal Information only on a need-to-know basis and solely to the extent required to perform their job responsibilities and Provider’s obligations under the Agreement and this DPA.
4. Security
- Security Program. Provider will maintain an information security program with administrative, technical, and physical safeguards appropriate to the nature of the Services and the types of Customer Personal Information Processed. Provider’s security program is designed to protect Customer Personal Information against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration, disclosure, or access. Provider may update its security program from time to time, provided such updates do not materially reduce the overall level of protection for Customer Personal Information.
- Security Measures. Without limiting Section 4.1, Provider will implement and maintain measures as may be described further in Exhibit B (Security Measures) that include, as appropriate:
- access controls and authentication measures;
- encryption of Customer Personal Information in transit and at rest where technically feasible;
- network and perimeter security measures;
- protections against malicious code;
- regular testing and evaluation of security procedures; and
- personnel training consistent with Section 3.
- Security Incidents. Provider will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a confirmed Security Incident involving Customer Personal Information Processed by Provider under the Agreement. Such notice will include information reasonably sufficient to allow Customer to meet its obligations under Applicable Privacy Laws, to the extent known to Provider at the time of notification.
- Following a Security Incident, Provider will:
- promptly investigate the Security Incident;
- take reasonable steps to contain, mitigate, and remediate its effects; and
- provide Customer with updates as necessary to keep Customer informed of material developments.
- Provider’s obligations in this Section apply only to Security Incidents involving Customer Personal Information Processed within the Services and do not apply to incidents caused by Customer, Customer’s users, or third parties outside Provider’s systems.
- Cooperation. Customer is responsible for determining whether to notify regulators, Data Subjects, or other third parties regarding a Security Incident, and for making any such notifications, unless otherwise required by Applicable Privacy Laws. Provider will provide reasonable cooperation and assistance to Customer in relation to any Security Incident to the extent required for Customer to comply with its obligations under Applicable Privacy Laws, taking into account the nature of the Processing and the information available to Provider.
- Customer Responsibilities. Customer is responsible for maintaining the security and confidentiality of Customer’s access credentials, for configuring the Services in accordance with Provider’s instructions and documentation, and for ensuring appropriate safeguards when transmitting Customer Personal Information to the Services. Provider is not responsible for security incidents or unauthorized access caused by Customer’s failure to secure its systems, credentials, or networks.
5. Subprocessors
- Authorization. Customer authorizes Provider to engage Subprocessors to Process Customer Personal Information as reasonably necessary to provide, maintain, secure, and support the Services. Provider will remain responsible for the acts and omissions of its Subprocessors to the same extent Provider is responsible for its own acts and omissions under the Agreement.
- Provider will ensure that each Subprocessor is bound by a written contract that:
- requires the Subprocessor to Process Customer Personal Information only on Provider’s behalf and only for the purposes permitted under this DPA and the Agreement;
- imposes data-protection obligations that are no less protective of Customer Personal Information than those in this DPA; and
- requires the Subprocessor to implement appropriate technical and organizational security measures consistent with this DPA.
- Due Diligence. Provider will conduct appropriate due diligence to ensure that Subprocessors have the capability to meet their contractual obligations and maintain appropriate security and privacy protections.
- Subprocessor List and Notifications. Provider will maintain a list of current Subprocessors and make it available to Customer upon request or by publishing it online. Provider will provide Customer with at least thirty (30) days’ prior notice of any new Subprocessor, by email to Customer’s designated privacy contact or by updating the published list and notifying subscribers through Provider’s standard notification mechanism. Customer may object to a new Subprocessor on reasonable data-protection grounds within the notice period.
- Objections. If Customer objects to a new Subprocessor on reasonable grounds relating to data protection, the parties will discuss in good faith to find a mutually acceptable resolution. If no resolution is reached, Customer may terminate the affected portion of the Services with written notice, and Provider will refund any prepaid Fees for the terminated portion.
6. Data Subject Rights Assistance
- Customer Responsibilities. Customer is responsible for responding to requests from individuals (Data Subjects) to exercise their rights under Applicable Privacy Laws, including rights of access, deletion, correction, and opt-out. Provider will not respond directly to any Data Subject request relating to Customer Personal Information unless expressly instructed to do so by Customer or required by Applicable Privacy Laws.
- Notice of Requests Received by Provider. If Provider receives a Data Subject request relating to Customer Personal Information, Provider will promptly (and in no event later than is reasonably required by Applicable Privacy Laws) notify Customer, unless legally prohibited from doing so. Provider may respond to the Data Subject only to confirm receipt and indicate that the request has been forwarded to Customer.
- Provider Assistance. To the extent Customer is unable to fulfill a Data Subject request through the self-service features of the Services, Provider will, upon Customer’s request and to the extent reasonably possible, assist Customer in responding to such request. Provider will provide such assistance taking into account the nature of the Processing and the information available to Provider. If such assistance requires effort beyond standard functionality or support, Customer will reimburse Provider’s reasonable costs.
- Limitations. Provider has no obligation to fulfill or respond to any Data Subject request where:
- Customer has not provided necessary details;
- the request pertains to data that Provider does not Process on behalf of Customer;
- fulfilling the request would violate Applicable Privacy Laws; or
- the data is not Customer Personal Information within the meaning of this DPA.
7. Return or Deletion of Customer Personal Information
- During the Term. At any time during the Term, Customer may instruct Provider to return or delete Customer Personal Information. Provider will comply with Customer’s instruction within a reasonable period, subject to:
(a) technical limitations;
(b) Provider’s continued need to Process Customer Personal Information to perform the Services for the remainder of the applicable Service Term where Customer has not also terminated the Services; and
(c) Provider’s need to maintain data necessary to operate the Services or comply with law (e.g., audit logs, billing records).
- End of Term. Upon termination or expiration of the Agreement, or upon Customer’s written request, Provider will, at Customer’s option:
- return Customer Personal Information in a commonly used, machine-readable format;
- delete Customer Personal Information; or
- both return and delete it,
unless Provider is required by Applicable Privacy Laws to retain some or all Customer Personal Information.
- Backup and Archival Copies. Notwithstanding Customer’s deletion instruction, Provider may retain Customer Personal Information in standard backup or archival systems maintained for disaster recovery or business continuity purposes, provided that such copies:
- are not actively Processed;
- remain subject to this DPA; and
- are securely overwritten or deleted in accordance with Provider’s standard data retention schedule.
- Retention Required by Law. If Provider is legally required to retain Customer Personal Information beyond termination of the Agreement, Provider will continue to ensure the confidentiality, security, and limited Processing of such retained data, and will Process it only as necessary to comply with the legal requirement.
8. Regulatory Cooperation
- Assistance with Data Protection Impact Assessments. To the extent required by Applicable Privacy Laws, Provider will, upon Customer’s request and taking into account the nature of the Processing and the information available to Provider, provide reasonable assistance to Customer in connection with: (a) data protection impact assessments (“DPIAs”) or similar risk assessments; and (b) consultations with supervisory authorities or regulators relating to Customer’s use of the Services.
- Limitations. Provider’s obligations under this Section apply only to Processing of Customer Personal Information performed by Provider on Customer’s behalf under the Agreement and are subject to Provider’s confidentiality and security obligations, including protections for Provider’s own confidential information, trade secrets, systems, and data.
9. Cross-Border Transfers
- Customer Personal Information may be transferred, stored, or accessed in the United States or Canada as necessary to provide the Services. Each party will ensure that any such cross-border transfers comply with Applicable Privacy Laws, including any requirements relating to notice, consent, or contractual safeguards.
- To the extent Customer requires the transfer of Customer Personal Information to or from jurisdictions outside the United States or Canada, the parties will implement appropriate transfer mechanisms as required under Applicable Privacy Laws. If Customer requires the use of Standard Contractual Clauses, the parties will execute the separate SCC DPA (Data Processing Addendum with Standard Contractual Clauses) provided by Provider.
- Nothing in this Section requires Provider to operate or store Customer Personal Information in a specific geographic location unless expressly agreed in writing in the Agreement or an applicable Order Form. To the extent Provider engages a Subprocessor located outside the United States or Canada to Process Customer Personal Information, Provider will implement the transfer mechanisms required by Applicable Privacy Laws and ensure that the Subprocessor is bound by data-protection obligations consistent with Section 5.
10. Changes in Law
- Required Modifications. If either party believes that changes to this DPA are necessary to comply with Applicable Privacy Laws, that party may notify the other in writing. The parties will work together in good faith to negotiate and implement any modifications reasonably required to address such legal changes.
- Cooperation. Provider will make reasonable adjustments to its Processing and its obligations under this DPA to enable Customer to comply with its own obligations under Applicable Privacy Laws, provided that such adjustments:
- relate solely to Provider’s role as Processor;
- are technically feasible; and
- do not impose obligations on Provider that are not generally applicable to processors providing substantially similar services.
- Additional Agreements. If Customer requires additional agreements or lawful transfer mechanisms (such as Standard Contractual Clauses, UK Addendum, or similar instruments) for international transfers or to address changes in Applicable Privacy Laws, Provider will enter into such agreements where reasonably required and mutually agreed by the parties and to the extent applicable to Provider’s Processing of Customer Personal Information.
11. Audit Rights
- Demonstrating Compliance. Upon Customer’s reasonable request, Provider will make available information necessary to demonstrate Provider’s compliance with this DPA, which may include:
- responses to reasonable security or privacy questionnaires;
- summaries of Provider’s internal or external audits; or
- copies of independent third-party audit reports or certifications (e.g., SOC 2, ISO 27001), to the extent Provider makes such reports available to its customers.
- Audit Process. If the information provided under Section 11.1 is insufficient for Customer to meet its obligations under Applicable Privacy Laws, Customer may conduct an audit of Provider’s compliance with this DPA. Any such audit must:
- be requested with at least thirty (30) days’ prior written notice;
- occur no more than once in any twelve (12) month period (unless required more frequently by a regulator or following a confirmed Security Incident);
- be conducted during normal business hours;
- not unreasonably disrupt Provider’s operations; and
- be limited to records, systems, and facilities relevant to Provider’s Processing of Customer Personal Information.
- On-Site Audits. Customer must first exhaust the information available under this Section before requesting an on-site audit. On-site audits may only be performed:
- by Customer or a mutually agreed independent third party that is not a competitor of Provider; and
- under reasonable confidentiality obligations no less protective than the Agreement.
- Customer will bear its own costs associated with any audit. If an audit requires Provider to incur costs that are not included in Provider’s standard compliance program (such as extensive engineering time, supervision costs, or costs associated with third-party resources), Customer will reimburse Provider’s reasonable out-of-pocket costs.
- Limitation. No audit may:
- access data belonging to Provider’s other customers;
- access Provider’s proprietary information, trade secrets, or internal HR records; or
- compromise Provider’s or its Subprocessors’ security, confidentiality, or availability controls.
- Provider may object to any auditor it reasonably believes is not independent, is a competitor, or poses a security or confidentiality risk. In such cases, Customer must appoint a different auditor.
12. Liability
- Limitation of Liability. The limitations, exclusions, and caps on liability set out in the Agreement apply to this DPA and to all claims, losses, and liabilities arising out of or relating to the Processing of Customer Personal Information, and nothing in this DPA — including any assistance, deletion, return, security, audit, or transfer obligation — increases either party’s liability or creates indemnification obligations or remedies beyond those expressly set out in the Agreement.
- Any claims brought under or in connection with this DPA must be brought by the parties to the Agreement and not by any third party, including Data Subjects. No third party has rights or standing to enforce this DPA.
- Conflict. If there is a conflict between this DPA and the Agreement, this DPA will control solely with respect to the Processing of Customer Personal Information. If a conflict arises between this DPA and Applicable Privacy Laws, Applicable Privacy Laws will control. All other terms of the Agreement remain unchanged and in full force.
- Duration. This DPA will remain in effect for as long as Provider Processes Customer Personal Information on behalf of Customer under the Agreement. Termination or expiration of the Agreement will not relieve either party of its obligations under this DPA with respect to Customer Personal Information Processed prior to such termination or expiration, including obligations relating to confidentiality, deletion, return, and security.
- Acceptance and Incorporation. This DPA forms part of the Agreement only where required under Applicable Privacy Laws or where expressly agreed by the parties, including by executing an Order Form that incorporates this DPA. Customer may also accept this DPA by signing or electronically accepting it separately when requested or made available by Provider. If Customer purchases the Services through an authorized partner or reseller, this DPA applies only where required and agreed for Customer’s use of the Services.
Exhibit A: Description of Processing
This Exhibit describes the subject matter and details of Provider’s Processing of Customer Personal Information under the DPA.
1. Subject Matter of the Processing
Processing of Customer Personal Information as necessary to provide, maintain, support, secure, and improve the Services under the Agreement and any applicable Order Forms.
2. Duration of the Processing
For the Term of the Agreement and as long as Provider Processes Customer Personal Information on behalf of Customer, including any retention permitted under the Agreement or required by Applicable Privacy Laws.
3. Nature and Purpose of the Processing
The Processing includes the following activities, as applicable to the Services purchased by Customer:
- Hosting and storage of Customer Personal Information
- Transmission of Customer Personal Information
- Access, retrieval, and display
- Organization, structure, and use
- Analysis, reporting, and service-related analytics
- Authentication and authorization
- Logging, monitoring, and security operations
- Backup and archival for business continuity
- Customer support and troubleshooting
- Configuration, maintenance, and administration of the Services
- Any other Processing strictly necessary to perform the Services in accordance with the Agreement
4. Types of Customer Personal Information
Depending on Customer’s configuration and use of the Services, Customer Personal Information may include:
- Business contact information (names, titles, roles, business email addresses, phone numbers)
- Account and authentication information
- Device and usage information
- Communication content submitted through the Services
- Transactional or support interaction details
- Any other Customer Personal Information submitted, transmitted, or stored by Customer within the Services
Sensitive Data:
Customer may choose to submit Sensitive Data, but the Services are not designed to Process Sensitive Data unless expressly agreed in writing. Any Sensitive Data submitted is subject to the restrictions and safeguards described in this DPA.
5. Categories of Data Subjects
May include:
- Customer’s employees, contractors, and personnel
- Customer’s end users or clients
- Customer’s prospective leads or contacts
- Individuals whose information is Processed by Customer through its use of the Services
- Any other individuals whose Personal Information Customer submits to the Services
6. Processing Instructions
Provider will Process Customer Personal Information only:
(a) as necessary to provide the Services;
(b) in accordance with the Agreement and DPA;
(c) as documented by Customer’s written instructions; and
(d) as required by Applicable Privacy Laws.
Exhibit B: Security Measures
Provider maintains an information security program designed to protect Customer Personal Information against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration, or disclosure. The following categories of safeguards will be implemented, as appropriate:
1. Organizational Controls
- Information security program appropriate to the nature of the Services
- Regular risk assessments and security reviews
- Policies governing acceptable use, access control, encryption, and incident response
- Independent audits or certifications (e.g., SOC 2, as applicable)
- Vendor and Subprocessor security evaluations
- Personnel training on security and privacy responsibilities
2. Access Controls
- Role-based and least-privilege access
- Authentication and authorization controls
- Multi-factor authentication where applicable
- Logging of access to systems containing Customer Personal Information
- Regular access reviews
- Immediate removal of access upon personnel termination or job change
3. Physical and Environmental Security
- Secure data center facilities with physical access controls
- Environmental safeguards (HVAC, power redundancy, fire suppression)
- Surveillance, monitoring, and visitor management
- Asset disposal and media sanitization policies
4. Network and System Security
- Firewalls, intrusion detection/prevention, and network segmentation
- Patch management and vulnerability remediation
- Anti-malware and endpoint protection
- Secure configuration management
- Encryption of Customer Personal Information in transit using TLS or equivalent security
- Encryption of Customer Personal Information at rest where technically feasible
5. Operational Controls
- Secure software development lifecycle (SDLC) practices
- Code review and testing
- Backup and recovery procedures
- Business continuity and disaster recovery plans
- Monitoring and logging of system activity
- Regular penetration testing or vulnerability assessments
6. Incident Response
- Documented incident response plan
- Processes for detection, investigation, containment, and remediation
- Notification to Customer without undue delay following confirmation of a Security Incident