This Exhibit A will apply if Ignitium receives, processes, or otherwise has access to any Customer Data. Unless defined below, capitalized terms not defined in these Data Protection Requirements will have the meaning ascribed to them in the Agreement to which this Exhibit is attached.
1. Privacy and Security of Customer Data.
Ignitium will, at all times, comply with its obligations under Applicable Law related to its processing of Customer Data, and will not process Customer Data in a manner that will, or is likely to, result in Customer breaching its obligations under Applicable Law. Ignitium will also implement and maintain all appropriate technical, administrative, physical, and organizational measures (including, at a minimum, the Minimum Security Measures in Annex II below) required to (i) ensure a level of confidentiality and security appropriate to the risks represented by the processing and the nature of Customer Data; and (ii) prevent unauthorized or unlawful processing of, accidental loss of, disclosure or destruction of, or damage to, Customer Data.
2. Processing of Customer Data.
Ignitium will only process Customer Data in accordance with the terms of this Agreement.
3. Hashed Customer Data.
If Ignitium receives, processes, or otherwise has access to Customer Data in hashed or otherwise obfuscated format, Ignitium will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Customer Data unless Customer instructs Ignitium to do so; and (ii) only share the Customer Data in the format Ignitium received it from Customer.
Ignitium acknowledges that Customer may disclose this Exhibit A and any other relevant data protection and privacy provisions to the U.S. Department of Commerce, the Federal Trade Commission, European data protection authority(ies), or any other judicial or regulatory body upon their request.
5. No Information Selling.
Ignitium acknowledges and confirms its understanding that Ignitium: (i) does not and will not receive any Customer Data as consideration for any Services or other items that Ignitium provides to Customer under this Agreement; (ii) is prohibited from selling and will not sell any Customer Data as the term “sell” is defined in the California Consumer Privacy Act of 2018, as may be amended from time to time (“CCPA”); and (iii) will only collect, retain, disclose, or use Customer Data solely as necessary to perform the Services for the benefit of Customer. Ignitium represents and warrants that Ignitium understands the rules, requirements, and definitions of the CCPA and agrees to refrain from taking any action that would cause any transfers of Customer Data to or from Ignitium to qualify as “selling personal information” under the CCPA.
6. Complaint Handling.
Ignitium will, unless prohibited by Applicable Law, inform Customer promptly, and in any event within two business days, of any enquiry, legal process, or complaint received from a data subject or supervisory, judicial, legal, or government authority relating to Customer Data (“Data Inquiry”) and will not respond to the Data Inquiry unless required by law or expressly authorized by Customer. If Customer is unable to or does not receive a protective order or other remedy for the Data Inquiry, Ignitium may disclose only that portion of Customer Data that it is legally required to disclose and will use reasonable efforts to ensure the disclosed Customer Data is handled in accordance with the Agreement and accorded confidential treatment.
Ignitium will provide reasonable cooperation and assistance to Customer as Customer may reasonably require to allow Customer to respond to, object to, or challenge any Data Inquiry and to comply with its obligations under Applicable Law, including in relation to data security, data breach notification, data protection impact assessments, prior consultation with supervisory authorities, the fulfillment of data subjects’ rights, and any enquiry, notice, or investigation by a supervisory authority.
8. Data Breach.
8.1. Notification. In accordance with Applicable Law, Ignitium will notify Customer without undue delay and, where feasible, no more than 48 hours after becoming aware of an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed or controlled by Ignitium or its Subcontractors (including Subprocessors) (a “Data Breach”). Ignitium will also provide Customer with a description of the Data Breach, the type of data that was the subject of the Data Breach, and (to the extent known to Ignitium) the categories of data subjects affected, as soon as that information can be collected or otherwise becomes available. Ignitium will cooperate with any reasonable request made by Customer relating to the Data Breach.
8.2. Communication. Ignitium may not issue, publish, or make available to any third party any press release or other communication concerning a Data Breach without Customer’s prior approval.
EU AND UK DATA PROTECTION REQUIREMENTS
Version: November 1, 2022
1. Scope, Order of Precedence and Parties
This Data Processing Addendum (“DPA”) applies to the Processing of Personal Data by Ignitium on Your behalf when providing Ignitium’s cloud and any related professional services (“Services”) and is entered into between Ignitium, LLC (“Ignitium”) and the customer-user entity identified below (“You”). The Services are described in the relevant Order Form entered between the Parties and are subject to the Master Services Agreement to which this DPA is an addendum signed between the Parties for the Services (collectively, the “Agreement”). In the event of a conflict between the terms of the Master Services Agreement and this DPA, the terms of this DPA shall control. In the event of a conflict between the terms of this DPA and the EU and UK Standard Contractual Clauses, the terms of the EU and UK Standard Contractual Clauses shall control.
3. Roles as Data Controller and Data Processor
For purposes of this DPA, You are the Data Controller of the Personal Data Processed by Ignitium in its performance of the Services under the terms of the Agreement. You are responsible for complying with your obligations as a Controller under Applicable Data Protection Laws governing your provision of Personal Data to Ignitium for the performance of the Services, including without limitation obtaining any consents, providing any notices, or otherwise establishing the required legal basis. Unless specified in the Agreement, You will not provide Ignitium with access to any Personal Data that imposes specific data protection requirements greater than those agreed to in the Agreement and this DPA, and you will limit Ignitium’s access to Personal Data as necessary to perform the Services.
Ignitium is the Data Processor and service provider with respect to such Personal Data, except when You act as a Processor of Personal Data, in which case Ignitium is a sub-Processor. Ignitium is responsible for complying with its obligations under Applicable Data Protection Laws that apply to its Processing of Personal Data under the Agreement and this DPA.
4. Ignitium’s Purpose of Processing
Ignitium and any persons acting under its authority under this DPA, including sub-Processors and Affiliates as described in Section 6, will Process Personal Data only for the purposes of performing the Services in accordance with your written instructions as specified in the Agreement, this DPA (including Annex I of the EU Standard Contractual Clauses attached hereto) and in accordance with Applicable Data Protection laws. Ignitium will not disclose Personal Data in response to a subpoena, judicial or administrative order, or other binding instrument (a “Demand”) unless required by law. Ignitium will promptly notify You of any Demand unless prohibited by law and provide You reasonable assistance to facilitate Your timely response to the Demand. Ignitium may also Aggregate Personal Data as part of the Services in order to provide, secure and enhance Ignitium products and Services. Additional details related to Ignitium’s Processing activities may be specified in the Agreement.
Ignitium may provide Personal Data to Affiliates in connection with any anticipated or actual merger, acquisition, sale, bankruptcy, or other reorganization of some or all of its business, subject to the obligation to protect Personal Data consistent with the terms of this DPA.
5. Data Subjects and Categories of Personal Data
You determine the Personal Data to which You provide Ignitium access in order to perform the Services. This may involve the Processing of Personal Data of the following categories of Your Data Subjects:
The Processing of Your Personal Data may also include the following categories of Personal Data:
Subject to the terms of this DPA, You authorize Ignitium to engage sub-Processors and Affiliates for the Processing of Personal Data. These sub-Processors and Affiliates are bound by written agreements that require them to provide at least the level of data protection required of Ignitium by the Agreement and this DPA. You may request Ignitium to perform an audit on a sub-Processor or to obtain an existing third-party audit report related to the sub-Processor’s operations to verify compliance with these requirements. You may also request copies of the data protection terms Ignitium has in place with any sub-Processor or Affiliate involved in providing the Services. Ignitium is responsible at all times for such sub-Processors’ and Affiliates’ compliance with the requirements of the Agreement, this DPA, and Applicable Data Protection Laws.
A list of sub-Processors and Affiliates, as well as a mechanism to obtain notice of any updates to the list, are available upon request by emailing email@example.com or visiting https://www.ignitium.com/dpa. At least fourteen (14) calendar days before authorizing any new sub-Processor to access Personal Data, Ignitium will update the list of sub-Processors and Affiliates.
The current list of sub-Processors is below:
Cloud Service Provider: analysis of people and accounts within Google Platform
Collaboration: lead tracking and enrichment
Cloud Service Provider: Email
SaaS: lead routing and process automation
BI: account and people analytics & presentation
SFDC Integration: CRM data export & loading
ABM Platform: account-based marketing, advertising, sales intelligence.
SaaS: Web personalization platform for hosting ungated experiences
SaaS: process automation
Where Ignitium is a Processor (and not a sub-Processor), the following terms apply:
7. International Transfer of Personal Data
Ignitium may transfer Personal Data to the United States and/or to other third countries as necessary to perform the Services, and you appoint Ignitium to perform any such transfer to process Personal Data as necessary to provide the Services. Ignitium will follow the requirements of this DPA regardless of where such Personal Data is stored or Processed.
Where the Processing involves the international transfer of Personal Data under Applicable Data Protection Laws in the European Economic Zone or UK to Ignitium, Affiliates, or sub-Processors in a jurisdiction (i) that has not been deemed by the European Commission or UK Information Commissioner’s Office (“ICO”) to provide an adequate level of data protection, and (ii) there is not another legitimate basis for the international transfer of such Personal Data, such transfers are subject to either the EU Standard Contractual Clauses, the UK Standard Contractual Clauses, or other valid transfer mechanisms available under Applicable Data Protection Laws. For international transfers subject to:
For such purposes, You will act as the Data Exporter on Your behalf and on behalf of any of Your entities, Ignitium will act as the Data Importer on its own behalf and/or on behalf of its Affiliates. For purposes of Clause 7 of the New EU SCCs, any acceding entity shall enforce its rights through You. For purposes of Clause 9 of the Original EU SCCs, Swiss law shall apply to transfers subject to the Swiss Federal Data Protection Act and United Kingdom law shall apply to transfers subject to the UK GDPR.
Where the Processing involves the international transfer of Personal Data under other Applicable Data Protection Laws to Ignitium, Affiliates, or sub-Processors, such transfers are subject to the data protection terms specified in this DPA and Applicable Data Protection Laws.
8. Requests from Data Subjects
Ignitium will make available to You the Personal Data of Your Data Subjects and the ability to fulfill requests by Data Subjects to exercise one or more of their rights under Applicable Data Protection Laws in a manner consistent with Ignitium’s role as a Data Processor. Ignitium will provide reasonable assistance to assist with Your response.
If Ignitium receives a request directly from Your Data Subject to exercise one or more of their rights under Applicable Data Protection Laws, Ignitium will direct the Data Subject to You unless prohibited by law.
Ignitium shall implement and maintain appropriate technical and organizational practices designed to protect Personal Data against any misuse or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such security practices are set forth in Addendum II attached hereto. Ignitium seeks to continually strengthen and improve its security practices, and so reserves the right to modify the controls described herein. Any modifications will not diminish the level of security during the relevant term of Services.
Ignitium employees are bound by appropriate confidentiality agreements and required to take regular data protection training as well as comply with Ignitium corporate privacy and security policies and procedures.
10. Personal Data Breach
Ignitium shall notify You without undue delay after becoming aware of a Personal Data Breach involving Personal Data in Ignitium’s possession, custody, or control. Such notification shall at least: (i) describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Your Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) provide the name and contact details of the data protection officer or other contact where more information can be obtained; and (iii) describe the measures taken or proposed to be taken to address the Personal Data Breach including, where appropriate, measures to mitigate its possible adverse effects. You will coordinate with Ignitium on the content of any public statements or required notices to individuals and/or supervisory authorities.
11. Your Instructions and Providing Information & Assistance
You may provide additional instructions to Ignitium related to the Processing of Personal Data that are necessary for You and Ignitium to comply with our respective obligations under Applicable Data Protection Laws as a Data Controller and Data Processor (or Processor and sub-Processor, as applicable). Ignitium will comply with Your instructions at no additional charge, provided that in the event that Your instructions impose costs on Ignitium beyond those included in the scope of Services under the Agreement, the parties agree to negotiate in good faith to determine the additional costs.
Ignitium will promptly inform You if it believes that Your instructions are not consistent with Applicable Data Protection Laws, provided that Ignitium shall not be obligated to independently inspect or verify Your Processing of Personal Data.
Ignitium will provide You with information reasonably necessary to assist You in enabling Your compliance with Your obligations under Applicable Data Protection Laws, including without limitation Ignitium’s obligations under the EU General Data Protection Regulation to implement appropriate data security measures, carry out a data protection impact assessment and consult the competent supervisory authority (taking into account the nature of Processing and the information available to Ignitium), and as further specified in this DPA.
12. Return and Deletion of Personal Data
Ignitium will, at Your choice, upon termination or expiration of the Agreement, either return all Personal Data to You, or securely dispose of it in accordance with Ignitium’s data retention policies, except for Personal Data Ignitium is required by law to retain. Ignitium will confirm in writing to You when it has securely disposed of or returned Your Personal Data.
The aggregate liability of either party towards the other party under or in connection with this DPA, the Agreement, or their subject matter, shall be limited to the greater of (i) USD $10,000 or (ii) the amount paid or payable by You to Ignitium under the Agreement in the twelve months immediately preceding the event giving rise to the claim.
14. Notification of Changes
Ignitium may make changes to this DPA from time to time. Ignitium will provide notice to You of any material changes to this DPA by posting a notice on Ignitium’s website, by sending an email notification to You, or by other reasonable means. You can review the most current version of this DPA at any time by visiting https://www.ignitium.com/dpa.
To monitor compliance with the terms and conditions of this DPA, Ignitium reserves the right to cooperate fully with you or the data protection authorities, including the right to conduct a data protection audit in line with the respective Applicable Data Protection Laws. You agree to reasonably cooperate with Ignitium in such audit and provide any information necessary for Ignitium to meet its audit obligations under Applicable Data Protection Laws.
The terms of this DPA shall continue in effect until the Agreement is terminated in accordance with the terms of the Agreement.
17. Governing Law
The terms and conditions of this DPA and any non-contractual obligations arising out of or in connection with them are governed by and interpreted in accordance with the laws of the State of California, excluding its conflict of law provisions. Each Party consents to the jurisdiction of the courts of Santa Clara County, California for the purpose of any suit, action, or other proceeding arising out of this DPA or the subject matter hereof.
This DPA may be executed in two or more counterparts, each of which will be considered an original, but all of which together will constitute one and the same instrument.
Annexes to this DPA are included to provide additional information and will be part of this DPA. Ignitium and You shall comply with the terms of any Annexes included in this DPA.