Data Protection Addendum

Last Modified: June 1, 2023

In light of GDPR and the CCPA, this Data Protection Addendum, including its Schedule (this “Addendum”) amends and forms a part of the Master Services Agreement, by and between C[i] and Client for the purchase of Services (the “MSA”) to reflect the parties’ agreement with regard to the Processing of Client Personal Data. Capitalized terms used and not defined herein shall have the meanings ascribed to such terms in the MSA.

1.  Protection of Personal Data.

1.1. For the purposes of this Addendum and the MSA, C[i] is the Processor of Client Personal Data in the provision of C[i]’s Services under the MSA and Client is the Controller.  The details of the Processing activities governed by this Addendum are set forth on Schedule 1 below.

1.2. With respect to Client Personal Data to which GDPR and/or CCPA applies, C[i] shall (and shall ensure that a natural person acting under its authority shall):

1.2.1.  Process Client Personal Data only in accordance with Client’s documented instructions, which are to provide the Services in accordance with this Addendum and/or the MSA, unless otherwise required to comply with applicable law;

1.2.2.  Ensure that persons authorized to process Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

1.2.3. Implement reasonably appropriate technical and organizational security measures to ensure a level of security reasonably appropriate to the risk, taking into account, at C[i]’s discretion, the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;

1.2.4.  To the extent required by applicable law, assist Client (a) with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators taking into account the nature of processing and the information available to C[i] and (b) by implementing appropriate technical and organizational measures, taking into account the nature of the processing, for the fulfillment of Client’s obligation to respond to requests for exercising the data subject’s rights under the GDPR or CCPA, as applicable, and assist Client with responding to data subjects exercising their rights to notice, choice, access, and privacy-related complaint resolution regarding their Client Personal Data, provided that Client provides C[i] with prompt notice thereof;

1.2.5.  At Client’s discretion and at Client’s cost, take reasonable measures to (a) delete or return all Client Personal Data to Client following the termination of the MSA and (b) delete existing copies, unless any applicable law requires C[i] to continue to store any Personal Data and/or copies thereof; notwithstanding the foregoing and anything to the contrary contained herein, C[i] shall have no obligation to delete or return Client Personal Data to Client for so long as retention of Client Personal Data is necessary for the purposes for which Personal Data is processed by C[i], including, inter alia, the provision of Services;

1.2.6.  Where required under applicable law, provide Client with all information reasonably necessary to demonstrate compliance with this Addendum, and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client, provided that (a) such audits and inspections will not occur more than once every calendar year, (b) Client will provide C[i] with reasonable advance notice of any such audit or inspection, (c) any such audit or inspection shall be at Client’s sole cost and expense, and (d) any such audit or inspection will be subject to a written confidentiality agreement; and

1.2.7.  Immediately inform Client if, in C[i]’s opinion, an instruction infringes CCPA or the GDPR or other EU or member state data protection provision. 

1.3.  C[i] certifies that it will not “sell” or “share” (as defined in the CCPA) the Client Personal Data, or retain, use, or disclose the Client Personal Data for any purpose other than as permitted under this Addendum and in accordance with the MSA.

1.4.  Client agrees that C[i] may use the suppliers set forth in Schedule 2 of this Addendum to help satisfy its obligations under the MSA (the “Authorized Subprocessors”).  Schedule 2 may be updated periodically and Client may from time to time request an updated list of subprocessors from C[i].  Any new subprocessor engaged by C[i] after the date of this Addendum that Client has not objected to in writing (including email) shall be an Authorized Subprocessor herein.  Where an Authorized Subprocessor fails to fulfill its data protection obligations, C[i] will remain liable to Client for the performance of such Authorized Subprocessor’s obligations, provided, however, that C[i]’s total liability with respect thereto shall be limited to the caps set forth in the MSA.

1.5.  C[i] shall promptly investigate all allegations of unauthorized access to, use or disclosure of Client Personal Data.  C[i] shall promptly notify Client after becoming aware of any Client Personal Data breach or in the event C[i] determines in its sole discretion that it can no longer abide by the terms of this Addendum.

2.  Cross-Border Transfers. In the event that Client is subject to the GDPR or the Privacy and Data Protection Laws of Switzerland and the transfer of Client Personal Data to C[i] would be restricted in the absence of the SCCs:

2.1.  The parties agree that the SCCs shall be incorporated into this Addendum with Client as the “data exporter” and C[i] as the “data importer.”

2.2.  Regarding certain provisions in the EU SCCs, the parties agree as follows: (i) the parties agree to Clause 7; (ii) regarding Clause 8.5, the Client agrees that C[i] may retain the Client Personal Data at the end of the provision of Services; (iii) the parties choose OPTION 2 in Clause 9(a) with notification of intended changes to subprocessors set at 30 days prior to engagement; (iv) the parties do not agree to the optional provisions of Clause 11(a); (v) the parties choose OPTION 1 in Clause 17 and the Member State shall be Ireland; and (vi) the parties agree that the Member State in Clause 18(b) shall be Ireland.

2.3.  Regarding certain provisions in the UK SCCs, the parties agree as follows: Part 1, tables 1, 2 and 3 of the UK SCCs will be deemed to be completed like its equivalent provisions in the EU SCCs. For the purpose of Part 1, Table 4, the party that may end the UK SCCs in accordance with Section 19 is the importer.

2.4.  If an Alternative Transfer Mechanism is made available by C[i], then the SCCs shall be automatically terminated and such transfer shall be subject to the Alternative Transfer Mechanism.

3.  Client Requirements.  Client shall, in its use of the C[i] Solution, process Personal Data in accordance with the requirements of any applicable data protection laws and regulations and comply with all protection, security and other obligations prescribed by applicable privacy and data protection laws. For the avoidance of doubt, Client shall have sole responsibility for the accuracy, quality and legality of all Client Personal Data and Client’s instructions for C[i]’s processing of Client Personal Data shall comply with all applicable privacy and data protection laws.

4.  Miscellaneous.  Except as expressly set forth in this Addendum, the MSA shall remain in full force and effect in accordance with its terms.  In the event of any conflict between the terms and provisions of this Addendum and those of the MSA, the terms and provisions of this Addendum shall prevail and supersede those of the MSA to the extent of the conflict.  This Addendum shall be governed by and construed and interpreted in accordance with the laws of the State of New York without regard to principles of conflicts of law.  Any action based on or alleging a breach of this Addendum must be brought in a state or federal court in New York County, New York, and the Parties consent to the exclusive jurisdiction of such courts.

5.  Definitions.  Capitalized terms which are not defined in this Addendum shall have the meaning provided in the MSA.

“Adequate Country” means a third country that has been designated by the European Commission as ensuring an adequate level of protection.

“Alternative Transfer Mechanism” means a solution, other than the SCCs, that enables the lawful transfer of Personal Data to a third country in accordance with GDPR.

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.

“Client Personal Data” means Personal Data of End Users (i) that Client provides to C[i] in connection with Client’s use of the C[i] Solution or (ii) for which Client is otherwise a Controller.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.

“Personal Data” means information relating to an identified or identifiable natural person (a “data subject”).

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.

“SCCs” means (i) Module 2 of the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs”), and (ii) where the Privacy and Data Protection Laws of the UK apply, the EU SCCs as supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018 (the “UK SCCs”).

Schedule 1

Nature and Purpose of Processing

C[i] will process Client Personal Data as necessary to perform the services pursuant to the MSA, as further specified by Client in its use of the C[i] Solution.

Duration of Processing

Subject to the terms of this Addendum, C[i] will process Client Personal Data for the duration of the MSA, unless otherwise agreed upon in writing.

Types of Personal Data

Client may submit Personal Data to the C[i] Solution, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

· First and last name

· Title

· Position

· Contact information (company, email, phone, physical business address)

· ID data

· Professional life data

· Personal life data

· Connection data

· Localization data

Schedule 2

Subprocessors

1. Okta (identity and access management)

2. SendGrid (email delivery service)

3. AWS (infrastructure/cloud hosting services)

4. Snowflake (cloud hosting services)

SCC ANNEX I

A.    List of Parties

Controller:

Name:

Address:

Contact person’s name, position and contact details:

Processor:

Name: Cross Commerce Media, Inc. (dba Collective[i])

Address: 450 Park Avenue South, 3rd Floor, New York, NY 11217

Contact person’s name, position and contact details: Janis Foo, VP Legal & Operations, jfoo@collectivei.com and Legal@collectivei.com

B.    Description of the processing

Nature and Purpose of Processing

C[i] will process Client Personal Data as necessary to perform the services pursuant to the MSA, as further specified by Client in its use of the C[i] Solution.

This includes:

● With respect to C[i]’s data or predictive analytics service, Processing Client Personal Data to return analytics and forecasting results to Client based on the Client Personal Data; and

● With respect to C[i]’s contact unification service, Processing Client Personal Data to return updated and completed contact information concerning individuals contained within the Client Personal Data.

Duration of Processing

Subject to the terms of this Addendum, C[i] will process Client Personal Data for the duration of the MSA, unless otherwise agreed upon in writing.

Types of Personal Data

Client may submit Personal Data to the C[i] Solution, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

● First and last name

● ID data

● Professional life data (company, title, position, contact information (company, email, phone, physical business address))

● Personal life data (contact information (email, phone, address))

● Connection data

● Localization data

SCC ANNEX II

Technical and organisational measures including technical and organisational measures to ensure the security of the data

Introduction

C[i] represents and warrants that it has developed, implemented and will maintain a comprehensive, written information security program that requires the implementation of administrative, physical and technical safeguards to protect Client Personal Data against unauthorized or inappropriate use, access or transmission. C[i] shall ensure that all such safeguards, including the manner in which Client Personal Data is collected, accessed, used, stored, processed, disposed of and disclosed, are no less rigorous than industry standards that comply with applicable data protection laws, as well as the terms and conditions of this Agreement.

Security Program Requirements

C[i]’s written information security program will require that C[i] apply the same level of security to Client Personal Data as C[i] would provide for its own proprietary, sensitive and confidential information.  Such program will include, at a minimum, and C[i] agrees to: (i) implement access controls, including maintaining appropriate authentication and credential protocols and limiting access to only those authorized representatives who need access in order to carry out their obligations under the Agreement; (ii) safeguard the physical location and infrastructure of any database or record storage area; (iii) safeguard the transmission or transport of any records, including appropriate encryption standards for electronic transmission; (iv) maintain a cyber-incident mitigation strategy, including root cause analysis, internal escalations and risk assessment and the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; (v) maintain a cyber-incident response plan; (vi) maintain a records retention policy, which ensures secure storage and destruction, in accordance with the requirements of the Agreement or instructions from Client; and (vii) ensure the pseudonymization or encryption of Client Personal Data where appropriate.

Duration of access shall be restricted to the minimum time for which access is required.  C[i] shall use safeguards to protect against any compromise, unauthorized access or other damage to Client’s network and to secure its networks and IT environments associated with the services being provided to Client.

Oversight of Compliance

C[i] shall regularly, but not less than annually, evaluate, test and monitor the effectiveness of its written information security program and shall promptly adjust and/or update as reasonably warranted by the results of such evaluation, testing, and monitoring. 

C[i] shall provide a controls audit report and remediation effort, such as a SOC 2 Type 2 report or information security audit as applicable to the services being provided, which has been performed within the past year by an independent third party.  The audit shall include an assessment of C[i]’s applicable general controls and security processes and procedures to ensure compliance with applicable laws, regulations and industry standards.

Security Breach

C[i] shall promptly notify Client of any security breach. C[i] shall immediately remedy any security breach and prevent any further security breach in accordance with applicable privacy rights, laws, regulations and standards.

C[i] shall cooperate fully with Client in the investigation and response to any security breach, including by providing the name and contact information for C[i]’s primary security contact, who shall be available to assist Client during reasonable days and times as a contact in resolving obligations associated with a security breach.

Handling of Personal Data

Unless otherwise agreed in advance by Client in writing, all Client Personal Data shall be encrypted during storage, transmission, and processing, using encryption consistent with industry standards.