Data Processing Addendum
Master Services Agreement
This Data Processing Addendum (“DPA”) forms part of the Master Subscription Agreement (the “MSA”) by and between Impartner, Inc. (“Impartner”) and the customer indicated on an order form (“Order Form”) between Impartner and its customer (“Customer,” or “Data Controller”) which references the MSA. This DPA, the Order Form, the MSA, as well as any exhibits attached hereto or thereto, shall be referred to collectively herein as the “Agreement.”
This DPA reflects the parties’ agreement with regard to the Processing of Personal Data. All capitalized terms in this DPA have the meaning assigned to them in the Order Form, MSA, and any other exhibits or addenda attached thereto, unless expressly defined otherwise in this DPA. In the event of any conflict/s between the Order Form, MSA, and DPA, unless expressly indicated otherwise, the order of precedence shall be: (i) DPA, (ii) Order Form, (iii) MSA. Any exhibits will be incorporated by reference and shall take the precedence of the document to which it has been addended.
In the course of providing the Service to Customer pursuant to the Agreement, Impartner may Process Personal Data on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
- Customer is a Controller or Processor of certain Personal Data and wishes to appoint Impartner as a Processor or sub-processor to Process this Personal Data on Customer’s behalf.
- The parties have entered into this DPA to ensure that Impartner conducts such data Processing in accordance with Customer’s instructions and Applicable Data Protection Law requirements, and with full respect for the fundamental data protection rights of the Data Subjects whose Personal Data will be
In this DPA, the following terms shall have the following meanings. Other capitalized terms used in this DPA are defined in the context in which they are used or shall have the meanings given such terms in the Order Form or MSA.
“Applicable Data Protection Law” shall mean: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”) and any data protection laws in any European Union Member State including laws implementing such Regulation, (ii) the California Consumer Privacy Act of 2018 (“CCPA”), including any regulations promulgated thereunder, as amended from time to time; (iii) the UK GDPR, and (iv) any other applicable data protection law.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“EU Standard Contractual Clauses” / “EU SCCs” means Module Two of the standard contractual clauses for the transfer of Personal Data, in accordance with Applicable Data Protection Law, to Controllers and Processors established in Third Countries, the approved version of which is in force at the date of signature of this Agreement that are in the European Commission’s Decision 2021/914 of 4 June 2021, as such standard contractual clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, and as may be amended or replaced by the European Commission from time to time, and as further defined in clause 4 of this DPA.
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
“Processing” (and “Process”) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Supervisory Authority(ies)” shall carry the meaning of that term in the GDPR.
“UK Standard Contractual Clauses” / “UK SCCs” means the standard contractual clauses for controllers to processors approved by the European Commission by way of Commission Decision C(2010)593, as amended by the UK Information Commissioner’s Office for use in a UK context, available on the date of this Agreement at https://ico.org.uk/media/for-organisations/documents/2618973/uk-sccs-c-p-202012.docx, and as may be amended or replaced by the Information Commissioner’s Office or/and Secretary of State from time to time.
- Relationship of the parties. Customer appoints Impartner as a Processor, or service provider, to Process the Personal Data that is the subject matter of the Agreement (the “Data”). Accordingly, the parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and Impartner is the Processor. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. Customer hereby represents and warrants that Customer complies with the requirements in the Applicable Data Protection Law in collecting and transferring the data to Impartner and permitting Impartner to act as a processor of the Data. Customer agrees that it will not disclose any special categories of personal information to Impartner.
- Purpose limitation. Customer hereby instructs Impartner to Process Personal Data and to transfer Personal Data to any country or territory as necessary for the provision of the Service and consistent with the Agreement. Customer’s instructions for the Processing of Personal Data shall comply with Applicable Data Protection Law. Customer shall have sole responsibility for the accuracy, quality, and legality of the Data and the means by which Customer acquires the Impartner shall Process the Data as a Processor only as necessary to perform its obligations under the Agreement, and in accordance with the documented instructions of Customer (the “Permitted Purpose”), except where otherwise required by any EU (or any EU Member State) law applicable to Impartner, in which case Impartner shall to the extent permitted by Applicable Data Protection Law inform Customer of that legal requirement before the relevant Processing of that Data. In no event shall Impartner Process the Data for its own purposes or those of any third party except as set forth in the Agreement. Impartner shall also inform Customer if in its opinion an instruction of Customer infringes or violates Applicable Data Protection Law. Impartner shall not sell the Data, nor process, retain, use, or disclose the Data (i) for any purposes other than the Permitted Purpose, or (ii) outside of the direct business relationship between Impartner and Customer.
- Details of the Processing. Annex 1 to this DPA sets out certain information regarding Impartner’s Processing of the Data as required by Article 28(3) of the GDPR. Either party may make reasonable amendments to Annex 1 by written notice to the other party from time to time as such party reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this Section 3) confers any right or imposes any obligation on any party to this
- International transfers. Impartner shall not transfer any Personal Data of European Economic Area (“EEA”) / UK Data Subjects (nor permit such Personal Data to be transferred) outside of the EEA / UK unless (i) it has first obtained Customer’s prior written consent; and (ii) it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission / UK authorities have decided provides adequate protection for Personal Data, or to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, or to a recipient that has executed the Standard Contractual Clauses adopted or approved by the European Commission / UK Secretary of State or the UK Information Commissioner (and approved by the UK Parliament). Customer hereby consents to the transfer of Personal Data to Impartner in the United States and the parties agree that the EU / UK Standard Contractual Clauses will apply to any such transfer, as appropriate.
a. The EU SCCs shall be deemed incorporated in this Agreement as follows:
- Clause 7 of the EU SCCs, the “Docking Clause (Optional)”, shall be deemed incorporated;
- in Clause 9 of the EU SCCs, the Parties choose Option 2, ‘General Written Authorisation’, with a time period of 10 days;
- the optional wording in Clause 11 of the EU SCCs shall be deemed not incorporated;
- in Clause 17 of the EU SCCs, the Data Exporter and Data Importer agree that the EU SCCs shall be governed by the laws of the Netherlands and choose Option 1 to this effect;
- in Clause 18 of the EU SCCs, the Data Exporter and Data Importer agree that any disputes shall be resolved by the courts of the Netherlands;
- Annexes I.A, I.B, I.C, II and III of the EU SCCs shall be deemed completed with the information set out in Annex 1, Annex 2 and Annex 3 to this DPA.
b. Where the UK SCCs apply (i.e., for transfers from UK to countries, which were not recognized as providing adequate protections by UK authorities), they will be deemed incorporated in this Agreement as follows:
- in Clause 9 of the UK SCCs, the Parties agree that UK SCCs shall be governed by the laws of the United Kingdom.
- in Clause 12 of the UK SCCs, the Optional “Indemnification” and “Priority of standard contractual clauses” Clauses are deemed not incorporated;
- Annex 1 and 2 of the UK SCCs shall be deemed completed with the information set out in Annex 1 and Annex 2 of this DPA; and
- in light of the obligations of the parties under UK SCCs, read in light of the Schrems II judgment issued by the Court of Justice of the European Union on July 16, 2020 (“Schrems II”), in regard to the transfer of personal data by Data Exporter from the UK to Data Importer located outside the UK in countries, which were not granted an adequacy decision by the UK Secretary of State (“Third Country”), parties hereby warrant to honour the supplementary safe-guards, as outlined in Annex 4 to UK SCCs, which forms its integral part. For the avoidance of doubt, this clause shall be referred to as the Supplementary Safeguards clause. In case of conflict between this Supplementary Safeguards Clause, and the UK SCCs, the UK SCCs shall prevail.
- Confidentiality of Processing. Impartner shall ensure that any person that it authorizes to Process the Data (including Impartner’s staff, agents and subcontractors) (an “Authorized Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to Process the Data who is not under such a duty of confidentiality. Impartner shall ensure that all Authorized Persons Process the Data only as necessary for the Permitted
- Security. Impartner shall implement appropriate technical and organizational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data (a “Security Incident”). Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purpose of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures may include those listed in Appendix
a. Impartner may subcontract any processing of the Data to a third-party subcontractor (“Sub-Processor”) in accordance with Applicable Data Protection Law. A list of Impartner’s current Sub-processors for the Licensed Services is available here (the “List”). Impartner may provide a mechanism to subscribe to notifications of new authorized Sub-Processors and Customer agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing authorized Sub-Processors to access or participate in the processing of Personal Data, Impartner will add such third party to the List and notify Customer via email. Customer may object to such an engagement by informing Impartner within ten (10) days of receipt of the aforementioned notice by Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent Impartner from offering the Services to Customer.
b. If Customer reasonably objects to an engagement in accordance with Section 7(a), and Impartner cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Impartner. Discontinuation shall not relieve Customer of any fees owed to Impartner under the Agreement.
- Cooperation and Data Subjects’ rights. Impartner shall provide all reasonable and timely assistance (including by appropriate technical and organizational measures) to Customer to enable Customer to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Data. In the event that any such request, correspondence, inquiry or complaint is made directly to Impartner, Impartner shall promptly inform To the extent legally permitted, Customer shall be responsible for any costs arising from Impartner’s provision of the assistance described in this paragraph. Communications pertaining to the foregoing shall be sent to [email protected]
- Data Protection Impact Assessment. If Impartner believes or becomes aware that its Processing of the Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall promptly inform Customer and provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
- Security incidents. Upon becoming aware of a Security Incident, Impartner shall inform Customer without undue delay after becoming aware of the Security Incident, and shall provide all such timely information and cooperation as Customer may require in order for Customer to fulfill its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Impartner shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer apprised of all developments in connection with the Security Incident.
- Deletion or return of Data. Upon termination or expiry of the Agreement, Impartner shall (at Customer’s election) destroy or return to Customer all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for Processing). This requirement shall not apply to the extent that Impartner is required by any EU (or any EU Member State) law to retain some or all of the
- Audit. Impartner will submit to audits and inspections in relation to the Processing of Data, at Customer’s sole cost and expense, and will provide Customer with whatever information it needs to ensure that they are both meeting their obligations under Article 28 of GDPR. Customer agrees that its requests to audit Impartner may be satisfied by Impartner presenting up-to-date attestations, reports or extracts from independent bodies, including without limitation external or internal auditors, Impartner’s data protection officer, data protection or quality auditors or other mutually agreed to third parties) or certification by a regulatory body by way of an IT security or data protection audit. Customer shall not exercise its audit rights under this DPA more than once per year, and no such audit may be exercised in a manner that (i) disrupts Impartner’s normal business operations, or (ii) causes Impartner to breach any obligation of confidentiality to another customer or to any other third party, whether imposed by regulation or
- Sub-processor Audits. Customer may not audit Impartner’s sub-processors without Impartner’s and Impartner’s sub-processor’s prior agreement. Customer agrees that its requests to audit sub-processors may be satisfied by Impartner or Impartner’s sub-processors presenting up-to-date attestations, reports or extracts from independent bodies, including without limitation external or internal auditors, Impartner’s data protection officer, the IT security department, data protection or quality auditors or other mutually agreed to third parties) or certification by way of an IT security or data protection audit. Onsite audits at sub-processors premises may be performed by Impartner or a mutually agreed to auditor under a confidentiality agreement acting on behalf of
- Limitation of Liability. Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the
- Processing for Statistical Purposes. Impartner may Process Data for statistical purposes following the termination or expiration of the Any such Processing shall be subject to appropriate safeguards, as provided in Article 89 of the GDPR, for the rights and freedoms of the Data Subject. Those safeguards will ensure that technical and organizational measures are in place in particular in order to ensure respect for the principle of data minimization. Those measures may include pseudonymization or that the Processing does not permit the identification of Data Subjects.
a. Headings. Headings in this DPA are for convenience of reference only and will not constitute a part of or otherwise affect the meaning or interpretation of this
b. Entire Agreement. This DPA (including all schedules and appendices thereto) and the Agreement constitute the entire agreement between the parties relating to the subject matter of this DPA and supersede all prior agreements, understandings, negotiations and discussions of the parties in relation to the subject matter of this
c. Severability. The provisions of this DPA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability will affect only such phrase, clause or provision, and the rest of this DPA will remain in full force and effect.
d. Notices. Any notice or other communication under this DPA given by either party to the other will be deemed to be properly given if given in writing and delivered (i) in person, (ii) by electronic mail to the email addresses agreed to between the parties, or (iii) in accordance with the Notice provision of the Agreement. Either party may from time to time change its address for notices under this Section by giving the other party notice of the change in accordance with this Section.
e. Third-party Rights. The provisions of this DPA will endure to the benefit of and will be binding upon the parties and their respective successors and
f. Counterparts. This DPA may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument. Execution of an Agreement incorporating the terms of this DPA shall be deemed to be execution of this DPA including all attachments.
g. Governing Law. This Addendum will be governed by and construed in accordance with the governing law of the Agreement, without regard to its conflict of laws principles, except to the extent that Applicable Data Protection Law(s) require otherwise, in which event this DPA will be governed in accordance with Applicable Data Protection.
h. Signatures. The Parties’ signatures on an Order Form referencing an MSA which incorporates this DPA shall constitute their signatures to this DPA.
ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA
A. LIST OF PARTIES
- Data exporter(s):
Name: Party identified as Customer in the DPA
Address: The address listed on page 1 of the Order Form
Contact Person’s name, position and contact details: Listed on page 1 of the Order Form
Activities relevant to the data transferred under EU/UK SCCs: Primary business point of contact for relationship with Data Importer.
Signature and date: Reflected in DPA
Role (controller/processor): Controller
- Data importer:
Name: Impartner, Inc.
Address: 10619 South Jordan Gateway Suite 200, South Jordan, UT 84095
Contact Person’s name, position and contact details: Shane Walters, Impartner Privacy Officer, [email protected]
Activities relevant to the data transferred under EU/UK SCCs: Responsible for Data Importer’s data privacy program
Signature and date: Reflected in DPA
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose Personal Data is transferred:
Customer may provide Impartner, or allow Impartner access to, Personal Data associated with the following categories of Data Subjects:
- Employees, agents, advisors, subcontractors or contact persons of Customer;
- Customer’s clients, channel partners, prospects, business partners, and vendors (who are natural persons);
- Other authorized users of the Services.
Categories of Personal Data transferred:
The personal data transferred concern the following categories of data:
- Personal details, names, user names, passwords, email addresses of users
- Personal data within emails which identifies or may be reasonably linked or linkable to an individual
- Data Subjects’ metadata including sent, to, from, date, time, subject which may be considered Personal Data
- File attachments sent by Data Exporter or Data Exporter’s partners which may contain Personal Data
- Personal Data sent by users of their own accord in free text fields or in files uploaded
- Personal Data Information offered by users as part of support enquiries
- Technical operational data including without limitation IP addresses, logins, search queries; which may include Personal Data
- Other data added by Controller from time to time
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Data Exporter agrees that it will not disclose any special categories of Personal Data or Personal Data classified as “sensitive” (or similar classification) to Data Importer.
The frequency of the transfer
Data Exporter transfers Personal Data as often as necessary to adequately provide Services outlined in the Order Form and MSA. This may involve transfers in multiple instances, e.g., to update recipient lists at which Services are aimed.
Nature and purpose of the processing
Data Importer is engaged to provide the Services to Data Exporter which involve the Processing of Personal Data. The scope of the Services is set out in the Order Form and MSA, and the Personal Data will be Processed by Data Importer to deliver those Services and to comply with the terms of the Agreement and this DPA.
The period for which the personal data will be retained
The Personal Data will be retained per the requirements of the Agreement, and shall be as long as necessary to perform the Services.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Subject matter and nature of transfers to sub-processors are outlined in Annex 3 of the DPA, for each relevant sub-processor. Duration of transfers is same as the duration of transfers to the Data Importer.
C. COMPETENT SUPERVISORY AUTHORITY
For purposes of the EU SCCs, the competent supervisory authority is the Dutch Data Protection Authority, unless expressly agreed otherwise in the DPA.
Impartner’s Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data are available here.
ANNEX 3: LIST OF SUB-PROCESSORS
The controller has authorised the use of sub-processors listed here.
ANNEX 4: SUPPLEMENTARY SAFEGUARDS
This Annex is integrated into the UK SCCs (hereinafter “Clauses”) by reference.
Pursuant to the Supplementary Safeguards Clause, parties to UK SCCs hereby warrant the following:
- In the event that Data Importer receives a request from any law enforcement authority of a Third Country for disclosure of personal data processed under these Clauses in such Third Country, it will use every reasonable effort to redirect such authority to request data directly from the relevant Data Exporter.
- In the event that Data Importer is served with legally binding requests by any law enforcement authority in Third Country for disclosure of personal data in such Third Country, it will notify the relevant Data Exporter without undue delay. Such notification shall include information available to Data Importer.
- In the event that the Data Importer in Third Country becomes aware of any direct access by local public authorities regarding such personal data, it will notify the relevant Data Exporter without undue delay. Such notification shall include relevant information available to Data Importer.
- If Data Importer is prohibited from notifying the relevant Data Exporter, it agrees to seek a waiver of the prohibition. Data importer agrees to document its efforts to seek such waiver in order to be able to demonstrate them upon reasonable request of Data Exporter.
- In case of any legally binding request as referred to in point 2 above, Data Importer will review the legality of the request for disclosure under laws of the relevant Third Country, notably whether such request remains within the powers granted to the requesting public authority, and to exhaust available remedies to challenge the request if it concludes that there are grounds under such laws to do so. When challenging a request, Data Importer shall seek interim measures with a view to suspend the effects of the request until the court has decided on the merits. Data importer shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are notwithstanding the obligations of Data Importer under the Clauses.
- In any case, Data Importer will provide the minimum amount of personal data permissible if responding to a request for disclosure, based on a reasonable interpretation of the request.
- Data importer will immediately notify relevant Data Exporter if, after having committed to these supplementary safeguards, and for the duration of the Clauses, Data Importer has a reason to believe that it has become subject to new/amended Third Country laws or a change in national enforcement practices that do not allow Data Importer to meet its obligations under the Clauses.
- Data importer has implemented appropriate technical and organisational measures to ensure compliance with the level of protection required under UK data protection laws in the context of a transfer of Personal Data to Third Countries under the Clauses to ensure a level of security appropriate to the risk, as outlined in Annex 2 to these Clauses.
- Data importer further certifies that:
a. it has not and for the duration of the Clauses will not purposefully create back doors or similar programming that could be used to access its system holding Personal Data processed under the Clauses, or purposefully create or change its business processes in a manner that facilitates undue access to such Personal Data or systems, and
b. local laws of the relevant Third Country of the Data Importer do not require it to create or maintain such back doors or business processes as outlined in the provision immediately above.