Updated October 23, 2019
This Data Processing Addendum (“DPA”) forms part of the terms and conditions of the Demandbase Master Cloud Agreement (“Agreement”) between the party identified as the “Customer” or “you” in the Agreement and Demandbase. Capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
Customer enters into this DPA and the Model Clauses (as applicable) on behalf of itself and, to the extent required under applicable EU Data Protection Law, in the name and on behalf of its Permitted Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and such Permitted Affiliates.
WHEREAS, in connection with the Service Demandbase provides to Customer, each party may process certain personal data, of which you or your Affiliates may be a controller pursuant to EU Data Protection Law; and
WHEREAS, the parties want to (i) ensure that both parties comply with EU Data Protection Law when processing such personal data; and (ii) ensure adequate safeguards are in place to protect such personal data when it is shared pursuant to the Agreement.
NOW THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:
“Controller Model Clauses” means the Standard Contractual Clauses for controllers (2004) as approved by the European Commission and available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32004D0915.
“EEA” means for the purposes of this DPA, the member states of the European Economic Area, Switzerland and/or the United Kingdom.
“Model Clauses” means the Processor Model Clauses and Controller Model Clauses.
“Permitted Affiliate” means any Affiliate of Customer that is located in the EEA that is permitted to use the Service under the Agreement but is not a Customer under the Agreement, has not signed its own Order Form with Demandbase and is not a “Customer” as defined under the Agreement.
“Privacy Shield” means collectively the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017, respectively.
“Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded or replaced).
“Processor Data” means any Customer Data that is protected as “personal data” or “personally identifiable information” under EU Data Protection Law.
“Processor Model Clauses” means the Standard Contractual Clauses for processors as approved by the European Commission and available at https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087.
“Security Documentation” means Demandbase’s security documentation currently available at https://support.demandbase.com/hc/en-us/articles/360000509903-Demandbase-Security-Practices (or such other URL as may be notified by Demandbase from time to time) or any other relevant security information, as made available by Demandbase.
“Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Processor Data transmitted, stored or otherwise processed by Demandbase and/or its Sub-processors in connection with the provision of the Service. “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Processor Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Sub-processor” means any third party processor engaged by Demandbase or its Affiliates to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA. Sub-processors may include third parties or Demandbase Affiliates but shall exclude any Demandbase employee or consultant.
The terms “controller”, “data subject”, “personal data”, “processor”, “processing” and “supervisory authority” shall have the meaning given to them in EU Data Protection Law, and “process”, “processes” and “processed” shall be interpreted accordingly.
2.1 Scope. This DPA applies where and only to the extent that either party processes personal data that is subject to EU Data Protection Law in connection with the Service provided to Customer pursuant to the Agreement.
2.2 Role of the Parties. The parties agree that in connection with the Service: (i) Customer is the controller of Processor Data (to the extent it includes personal data) and Demandbase shall process Processor Data only as a processor on behalf of Customer, as further described in Annex A of this DPA; and (ii) each party is a controller of any other personal data it processes in connection with the Service, which shall be processed by each party in accordance with and as permitted by the Agreement and EU Data Protection Law.
3.1 Processor Obligations: The terms in this Section 3 (Processor Terms) will apply to any Processor Data set out in Annex A processed by Demandbase as a processor on behalf of Customer in the provision of the Service.
3.2 Processing Instructions: As a processor, Demandbase shall process Processor Data only for the purposes described in this DPA and only in accordance with Customer’s documented lawful instructions. The parties agree that the Agreement sets out the Customer’s complete and final instructions to Demandbase in relation to the processing of Processor Data and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties. Demandbase shall notify Customer in writing, unless prohibited from doing so under EU Data Protection Law, if it becomes aware or believes that any data processing instruction from Customer violates applicable EU Data Protection Law.
3.3 Appointment of Sub-processors
(a) Authorized Sub-processors. Customer agrees that Demandbase may engage Sub-processors to process Processor Data on Customer’s behalf. The Sub-processors currently engaged by Demandbase and authorized by Customer are listed at https://support.demandbase.com/hc/en-us/articles/360000384823-Demandbase-Sub-Processor-List (or such other successor URL as may be notified by Demandbase from time to time). Demandbase shall notify Customer if it makes any changes to its Sub-processors at least 10 days prior to any such change by sending an email to the email address designated by the Customer to receive notifications.
(b) Sub-processor Obligations. Demandbase shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect Processor Data to the standard required by EU Data Protection Law; and (ii) remain responsible for Demandbase compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Demandbase to breach any of its obligations under this DPA.
(c) Objection to Sub-processors. Customer may object in writing to Demandbase’s appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying Demandbase promptly in writing within 5 calendar days of receipt of any notice provided by Demandbase in accordance with Section 3.3(a). Such notice shall explain the reasonable grounds for the objection. In the event Customer objects to a Sub-processor, the parties shall discuss Customer concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Demandbase will, at its sole discretion, either (i) not appoint Sub-processor; or (ii) permit Customer to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
3.4 Deletion on Termination. Upon termination or expiry of the Agreement, Demandbase shall, as soon as reasonably practicable, delete all Processor Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Demandbase is required by applicable law to retain some or all of the Processor Data, or to Processor Data it has archived on back-up systems, which Processor Data Demandbase shall securely isolate and protect from any further processing and delete in accordance with its deletion practices, except to the extent required by applicable law.
3.5 Security Audits. Customer acknowledges that Demandbase is audited against System and Organization Controls (SOC) 2 or similar recognized information security audit standards. Upon written request, Demandbase shall supply to Customer (on a confidential basis) a summary of its current audit report(s) (“Report”), so that Customer can verify Demandbase’s compliance with the audit standards against which it has been assessed and with this DPA. In addition, Demandbase shall provide written responses (on a confidential basis) to all reasonable written requests for information made by Customer related to its processing of Processor Data (including responses to information security and audit questionnaires that are strictly necessary to confirm Demandbase’s compliance with this DPA), provided that Customer shall not exercise this right more than once in any 12-month rolling period.
3.6 Security Incident Response. Upon becoming aware of a Security Incident, Demandbase shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.
3.7 Data Protection Impact Assessment. To the extent Demandbase is required under EU Data Protection Law and/or Customer does not already have access to the relevant information, Demandbase shall provide reasonably requested information regarding Demandbase’s processing of Processor Data under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with supervisory authorities as required by EU Data Protection Law.
3.8 Security and Audits. Demandbase shall implement appropriate technical and organizational security measures as required by EU Data Protection Law to protect the Processor Data (i) from accidental or unlawful destruction, and (ii) from loss, alteration, unauthorized disclosure of, or access to the personal data, and to preserve the security and confidentiality of the Processor Data in accordance with the Security Documentation (“Security Measures”). Demandbase shall ensure that any person who is authorized by Demandbase to process Processor Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
3.9 Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Demandbase may update or modify its Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service purchased by the Customer.
4.1 For clarity and without prejudice to Section 5 (Customer Obligations) in the Agreement, Customer shall ensure that its privacy policies included on the Customer Properties: (i) clearly identify the controller(s) of the Website Data, including details of Demandbase; (ii) provide a conspicuous link to or description of how to access a relevant choice mechanism, including how to opt-out of Demandbase Tags; and (iii) include any other information required to comply with the transparency requirements of EU Data Protection Law.
4.2 For further clarity, where Customer is required to obtain consent on behalf of Demandbase to the collection and processing of Website Data and/or the use of Demandbase Tags, Customer represents and warrants that it shall at all times maintain and make operational on Customer Properties a mechanism for (i) obtaining and recording such consent; and (ii) that enables such consent to be withdrawn, in accordance with EU Data Protection Law. Customer agrees to provide such consent records to Demandbase promptly upon request.
5.1 Processing Locations. Demandbase may transfer and process personal data to and in the United States (as applicable) and anywhere else in the world where its Affiliates or its Sub-processors maintain data processing operations. Demandbase shall at all times ensure such transfers are made in compliance with the requirements of EU Data Protection Law and this DPA.
5.2 Transfer Mechanism. The parties agree that where Customer transfers personal data protected by EU Data Protection Law to Demandbase located in a country that does not provide an adequate level of protection for personal data (as described in EU Data Protection Law), Demandbase shall make available the following mechanisms:
(a) Privacy Shield: Where Demandbase is certified under the Privacy Shield: (i) the parties acknowledge and agree that Demandbase will be deemed to provide adequate protection (within the meaning of EU Data Protection Law) for such data by virtue of having self-certified its compliance with Privacy Shield; (ii) Demandbase agrees to process such data in compliance with the Privacy Shield Principles; (iii) if Demandbase is unable to comply with this requirement, Demandbase shall inform Customer and it shall, upon notice from Customer, cease processing or take other reasonable and appropriate steps to remediate (if remediable) any processing until such time as the processing meets the level of protection as is required by the Privacy Shield Principles.
(b) Model Clauses: To the extent the transfer mechanism identified in Section 5.2(a) above does not apply to the transfer and/or is invalidated, Demandbase agrees to abide by and process: (i) Processor Data in compliance with the Processor Model Clauses; and (ii) any personal data for which Demandbase is a controller, in compliance with the Controller Model Clauses. The parties further agree that the Model Clauses (where applicable) are incorporated in full into this DPA and, for the purposes of the descriptions in the Model Clauses: (i) Demandbase agrees that it is the “data importer” and Customer is the “data exporter”; (ii) for the purposes of the Processor Model Clauses: (a) Annex A of this DPA and the Security Measures shall replace Appendices 1 and 2 of the Processor Model Clauses respectively; and (b) Annex B shall form Appendix 3 of the Processor Model Clauses.
5.3 It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflict with any provision of this DPA regarding the transfer of personal data outside of the EEA, the Model Clauses shall prevail to the extent of such conflict. The parties further agree that this DPA (with any commercially sensitive information redacted) may be shared with the US Department of Commerce on request.
6.1 The parties shall, on request, provide each other with all reasonable and timely assistance and co-operation (at their own expense) to enable the other party to comply with its obligations under EU Data Protection Law, including in order to enable the other party to respond to: (i) any request from a data subject to exercise any of its rights under EU Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) in relation to personal data processed hereunder; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of personal data hereunder (collectively “Correspondence”).
6.2 Each party shall promptly inform the other if it receives any Correspondence directly from a data subject in connection with the processing of personal data, where the Correspondence relates to the processing conducted by the other party; provided however, that where Demandbase is acting as a processor under this DPA, it shall not respond directly to any Correspondence unless good faith efforts to contact and involve Customer have failed and/or failure to respond may result in liability for Demandbase under applicable EU Data Protection Law.
6.3 Customer further acknowledges that the Service provides Customer with a number of controls that Customer may use to retrieve, correct, delete or restrict personal data processed by Customer within the Service, which Customer may use to assist it in connection with its obligations under EU Data Protection Law. Demandbase shall provide the assistance and co-operation described in Section 6.1 to the extent that Customer is unable to independently access the relevant personal data within the Service. To the extent legally permitted, Customer shall be responsible for any costs related to Demandbase’s provision of such services.
7.1 Demandbase and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA and all data processing agreements between Customer, Permitted Affiliates and Demandbase, whether in contract, tort, or under any other theory of liability, is subject to Section 15 (Limitations of Liability) in the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all data processing agreements together.
7.2 Demandbase and its Affiliates’ total liability for all claims from Customer and all Permitted Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all data processing agreements established under this DPA or the Agreement, including by Customer and all Permitted Affiliates, and shall not be understood to apply individually and severally to Customer and/or to any Permitted Affiliate that is a contractual party to any such DPA. Each reference to the DPA herein means this DPA including its appendices, attachments, or terms incorporated by reference.
8. Permitted Affiliates
8.1 When a Permitted Affiliate becomes a party to the DPA, such Permitted Affiliate shall be entitled to exercise its rights and remedies available under this DPA to the extent required under applicable EU Data Protection Law. However, if applicable EU Data Protection Law requires the Permitted Affiliate to exercise a right or remedy against Demandbase directly by itself, the parties agree that, to the extent permitted under law: (i) only the Customer that is the contracting entity to the Agreement shall exercise any such right or seek any such remedy on behalf of the Permitted Affiliate; and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA in a combined manner for all of its Permitted Affiliates together, instead of doing so separately for each Permitted Affiliate. The Customer that is the contracting entity is responsible for coordinating all communication with Demandbase under the DPA and shall be entitled to make and receive any communication related to this DPA on behalf of its Permitted Affiliates.
9.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict, as it relates to the subject matter of this DPA.
9.2 This DPA shall be deemed a part of and incorporated into the Agreement so that references in the Agreement to “Agreement” shall be interpreted to include this DPA.
9.3 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by EU Data Protection Law.
1. Duration: The duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms, plus the period from the expiry of the Agreement until deletion of Processor Data by Demandbase in accordance with the terms of the Agreement.
2. Categories of data: Customer may submit Processor Data to Demandbase, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to personal data relating to: (i) clients and prospects of Customer (each a “Client”); and (ii) employees and/or contractors of Customer that Customer allows to use the Service on its behalf (each a “User”).
3. Special categories of data (prohibited): Customer is prohibited under the Agreement from submitting Prohibited Data (which includes special category data) to the Service.
4. Categories of data subjects: Customer may submit Processor Data to Demandbase, the extent of which is determined and controlled by Customer in its sole discretion and may vary depending on the Service, and which may include, but is not limited to:
identification and contact data (name, address, title, contact details); employment details (employer, job title, geographic location, area of responsibility, employer financial information); or any other personal data elements contained within Customer Data that Customer chooses to input into the Service.
5. Nature and Purposes of processing: (i) processing to provide the Service in accordance with the Agreement; (ii) processing to perform any steps necessary for the performance of the Agreement; (iii) processing initiated by Customer in its use of the Service; and (iv) processing to comply with other reasonable instructions provided by Customer (e.g. via email or support tickets) that are consistent with the terms of the Agreement (individually and collectively, the “Purpose”).
6. Processing operations: Personal data transferred will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities:
1. Storage and other processing necessary to provide, maintain and improve the Service (as applicable) provided to Customer; and/or
2. Disclosures in accordance with the Agreement and/or as compelled by applicable laws.
This Annex B forms part of and is added to the Processor Model Clauses that are incorporated into this DPA. All defined terms used in this Annex B shall have the meaning given to them in the Processor Model Clauses unless otherwise defined in this Annex.
This Appendix 3 sets out the parties’ interpretation of their respective obligations under specific Clauses identified below. Where a party complies with the interpretations set out in this Appendix, that party shall be deemed by the other party to have complied with its commitments under the Clauses.
For the purposes of this Appendix, “DPA” means the Data Processing Addendum in place between data importer and data exporter and to which these Clauses are incorporated and “Agreement” shall have the meaning given to it in the DPA.
Clauses 4(h) and 8: Disclosure of these Clauses:
1. Data exporter agrees that these Clauses constitute data importer’s Confidential Information as that term is defined in the Agreement and may not be disclosed by data exporter to any third party without data importer’s prior written consent unless permitted pursuant to the Agreement. This shall not prevent disclosure of these Clauses to a data subject pursuant to Clause 4(h) or to a supervisory authority pursuant to Clause 8.
Clause 5(a): Suspension of data transfers and termination:
1. The parties acknowledge that data importer may process the personal data only on behalf of the data exporter and in compliance with its instructions as provided by the data exporter and the Clauses.
2. The parties acknowledge that if data importer cannot provide such compliance for whatever reason, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract.
3. If the data exporter intends to suspend the transfer of personal data and/or terminate these Clauses, it shall endeavour to provide notice to the data importer and provide data importer with a reasonable period of time to cure the non-compliance (“Cure Period”).
4. If after the Cure Period the data importer has not or cannot cure the non-compliance, then the data exporter may suspend or terminate the transfer of personal data immediately. The data exporter shall not be required to provide such notice in instances where it considers there is a material risk of harm to data subjects or their personal data.
Clause 5(f): Audit:
1. Data exporter acknowledges and agrees that it exercises its audit right under Clause 5(f) by instructing data importer to comply with the audit measures described in the DPA.
Clause 5(j): Disclosure of subprocessor agreements:
1. The parties acknowledge the obligation of the data importer to send promptly a copy of any onward subprocessor agreement it concludes under the Clauses to the data exporter.
2. The parties further acknowledge that, pursuant to subprocessor confidentiality restrictions, data importer may be restricted from disclosing onward subprocessor agreements to data exporter. Notwithstanding this, data importer shall use reasonable efforts to require any subprocessor it appoints to permit it to disclose the subprocessor agreement to data exporter.
3. Even where data importer cannot disclose a subprocessor agreement to data exporter, the parties agree that, upon the request of data exporter, data importer shall (on a confidential basis) provide to data exporter all information it reasonably requires in connection with such subprocessing agreement.
Clause 6: Liability:
1. Any claims brought under the Clauses shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. In no event shall any party limit its liability with respect to any data subject rights under these Clauses.
Clause 11: Onward subprocessing:
1. The parties acknowledge that, pursuant to FAQ II.1 in Article 29 Working Party Paper WP 176, entitled “FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC”, the data exporter may provide a general consent to onward subprocessing by the data importer.
2. Accordingly, data exporter provides a general consent to data importer, pursuant to Clause 11 of these Clauses, to engage onward subprocessors. Such consent is conditional on data importer’s compliance with the requirements set out in Section 3.3 (Appointment of Sub-processors) of the DPA.