See why Palo Alto Networks selected LeanData to orchestrate their buying groups motion.

Read the full success story
Request a demo
    HomeData Processing Addendum

Data Processing Addendum


Last Updated: June 03, 2024

This Data Processing Addendum (“Addendum”) supplements the Master Subscription and Professional Services Agreement and any Order Forms (collectively, the “Agreement”) entered into by and between __ (“Controller”) and LeanData, Inc. (“Processor”). Any terms not defined in this Addendum shall have the meaning set forth in the Agreement. In the event of a conflict between the terms and conditions of this Addendum and the Agreement, the terms and conditions of this Addendum shall supersede and control.

1. Definitions

  • 1.1. “Anonymous Data” means Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person without additional information unavailable to any third party other than Authorized Subcontractors.
  • 1.2.“Authorized Employee” means an employee of Processor who has a need to know or otherwise access Personal Data to enable Processor to perform their obligations under this Addendum or the Agreement.
  • 1.3.“Authorized Individual” means an Authorized Employee or Authorized Subcontractor.
  • 1.4. “Authorized Subcontractor” means a third-party subcontractor, agent, reseller, or auditor who has a need to know or otherwise access Personal Data to enable Processor to perform its obligations under this Addendum or the Agreement, and who is authorized to do so under this Addendum.
  • 1.5. “CCPA” means the California Consumer Privacy Act of 2018, as updated from time to time.
  • 1.6. “CPRA” means the California Privacy Rights Act of 2020, as updated from time to time.
  • 1.7. “Data Subject” means an identified or identifiable person to whom Personal Data relates.
  • 1.8. “Instruction” means a direction, either in writing, in textual form (e.g. by e-mail) or by using a software or online tool, issued by Controller to Processor and directing Processor to Process Personal Data.
  • 1.9. “European Data Protection Legislation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data of EU data subjects and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) and other data protection laws of the EU, its Member States, Switzerland, Iceland, Liechtenstein and Norway and the United Kingdom (as such laws may be enacted after the UK’s exit from the EU), applicable to the processing of Personal Data under the Agreement.
  • 1.10. “Global Data Protection Legislation” means the European Data Protection Legislation, CCPA, CPRA, and LGPD, as applicable to the processing of Personal Data.
  • 1.11. “LGPD” means the Brazilian General Data Protection Law.
  • 1.12. “Personal Data” means any information relating to Data Subject which Processor Processes on behalf of Controller other than Anonymous Data, and includes Sensitive Personal Information.
  • 1.13. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
  • 1.14. “Process” or “Processing” means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
  • 1.15. “Services” shall have the meaning set forth in the Agreement.
  • 1.16. “Sensitive Personal Information” means a Data Subject’s (i) government-issued identification number (including social security number, driver’s license number or state-issued identification number) or email address; (ii) financial account number, credit card number, debit card number, credit report information, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account; (iii) biometric or health data; or (iv) where designated by applicable European Union member state law, Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or sexual activity, or trade union membership.
  • 1.17. “Standard Contractual Clauses” means : (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) and (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (“UK SCCs”).
  • 1.18. “Supervisory Authority” means an independent public authority which is established by a member state of the European Union, Iceland, Liechtenstein, or Norway.

2. Processing of Data

  • 2.1. The rights and obligations of the Controller with respect to this Processing are described herein. Controller shall, in its use of the Services, at all times Process Personal Data, and provide instructions for the Processing of Personal Data, in compliance with EU Directive 95/46/EC (the “Directive”), and the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”). Controller is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Processor by or on behalf of Controller, (ii) the means by which Controller acquired any such Personal Data, and (iii) the instructions it provides to Processor regarding the Processing of such Personal Data.
  • 2.2. Processor shall Process Personal Data only (i) for the purposes set forth in the Agreement, (ii) in accordance with the terms and conditions set forth in this Addendum and any other documented instructions provided by Controller, and (iii) in compliance with the Directive, and the GDPR.
  • 2.3. The subject matter, nature, purpose, and duration of this Processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Appendix A to this Addendum.
  • 2.4. Processor shall comply with all Instructions provided by Controller with respect to the return or disposal of Personal Data, to the extent they are not in conflict with the terms and conditions of this Addendum or the laws of the European Union or European Union member states. At any time during the term of the Agreement at Controller’s written request, or upon the termination or expiration of the Agreement for any reason, Processor shall, and shall instruct all Authorized Individuals to, promptly and securely dispose of all copies of Personal Data located on any systems, networks, or servers on which data processing actively takes place, and certify in writing to Controller that such Personal Data has been disposed of securely. All Personal Data shall be securely disposed of within a period of one (1) year following the termination or expiration of the Agreement or such other period as instructed by Controller, in accordance with Processor’s retention policy and except as required by applicable laws.

3. Authorized Employees

  • 3.1. Processor shall take commercially reasonable steps to ensure the reliability and appropriate training of any Authorized Employee.
  • 3.2. Processor shall ensure that all Authorized Employees are made aware of the confidential nature of Personal Data and have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement with Processor, any Personal Data except in accordance with their obligations in connection with the Services. 
  • 3.3. Processor shall take commercially reasonable steps to limit access to Personal Data to only Authorized Individuals.

4. Authorized Subcontractors

  • 4.1. Controller acknowledges and agrees that Processor may from time to time engage third parties for the purpose of providing the Services, including without limitation the Processing of Personal Data.
  • 4.2. Processor shall notify Controller in writing ten (10) days before engaging any third party other than Authorized Subcontractors to access or participate in the Processing of Personal Data. Controller may object to such an engagement in writing within ten (10) days of receipt of the aforementioned notice by Controller. 
  • 4.3. If Controller objects to an engagement in accordance with Section 4.2, Processor shall promptly provide Controller with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If Processor, in its sole discretion, cannot provide any such alternative(s), or if Controller does not agree to any such alternative(s) if provided, Processor may terminate this Addendum and the Agreement between the parties without penalty.  In addition, Controller shall be entitled to a pro rata refund of any prepaid fees attributable to the post-termination period. 
  • 4.4. If Controller does not object to the engagement of a third party in accordance with Section 4.2 within ten (10) days of notice by Processor, such third party will be deemed an Authorized Subcontractor for the purposes of this Addendum. 
  • 4.5. Processor shall ensure that all Authorized Subcontractors have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement by Processor, any Personal Data both during and after their engagement with Processor.
  • 4.6. Processor shall, by way of contract or other legal act under European Union or European Union member state law (including without limitation approved codes of conduct and standard contractual clauses), ensure that every Authorized Subcontractor is subject to obligations regarding the Processing of Personal Data that are no less protective than those to which the Processor is subject under this Addendum. 
  • 4.7. Processor shall be liable to Controller for the acts and omissions of Authorized Subcontractors to the same extent that Processor would itself be liable under this Addendum had it conducted such acts or omissions.

5. Security of Personal Data

  • 5.1. Processor shall maintain appropriate technical and organizational measures to protect the security, confidentiality, and integrity of Personal Data, including protections against the accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of or access to Personal Data.

6. Transfers of Personal Data

  • 6.1. Any transfer of Personal Data made subject to this Addendum from member states of the European Union, Iceland, Liechtenstein, Norway, Switzerland or the United Kingdom to any countries which do not ensure an adequate level of data protection within the meaning of the laws and regulations of these countries shall, to the extent such transfer is subject to such laws and regulations, be undertaken by Processor through the Standard Contractual Clauses as described in Section 13.3 and 13.4 of this Addendum. 

7. Rights of Data Subjects

  • 7.1. Processor shall, to the extent permitted by law, promptly notify Controller upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, restriction of Processing, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, and/or objection to being subject to Processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). 
  • 7.2. Processor shall, at the request of the Controller, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Controller in complying with Controller’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Controller is itself unable to respond without Processor’s assistance and (ii) Processor is able to do so in accordance with all applicable laws, rules, and regulations. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor.

8. Actions and Access Requests

  • 8.1. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance where necessary for Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor. Processor shall make available to the Controller information to demonstrate compliance with its processing obligations (such as making available Article 30 GDPR Records of Processing Activity, if requested by Controller.
  • 8.2. Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor.

9. Demonstration of Compliance; Audits.

  • 9.1. Processor will maintain records sufficient to demonstrate its compliance with its obligations under this DPA and retain such records for a period of three (3) years after the termination of the Agreement (“Documentation”). Processor also uses external auditors to verify the adequacy of its security measures.  This audit (a) will be performed at least annually; (b) will be performed according to ISO 27001 standards or substantially equivalent standards; (c) will be performed by independent third party security professionals at Processor’s selection and expense; and (d) will result in the generation of a confidential audit report (“Audit Report”).  Upon Controller’s request, no more than once per year, Processor will provide (on a confidential basis) Controller with a summary of the Documentation and Audit Reports so that Controller can verify Processor’s compliance with this DPA.
  • 9.2. To the extent Controller’s audit requirements under the Standard Contractual Clauses or Data Protection Laws cannot reasonably be satisfied through Section 9.1 above, Controller may audit Processor’s systems and facilities to verify compliance with this DPA. Controller agrees to exercise any such right only through use of an independent, accredited third-party audit firm that is acceptable to Processor. The audit will occur during Processor’s regular business hours. The auditor(s) may be required to execute reasonable confidentiality obligations with Processor. Before the commencement of the audit, Controller and Processor will mutually agree upon the scope, timing, duration, control and evidence requirements, and fees for the audit, provided that this requirement to agree will not permit Processor to unreasonably delay performance of the audit.  To the extent needed to perform the audit, Processor will make the processing systems, facilities and supporting documentation relevant to the processing of Personal Data by Processor and its Sub-Processors available.  Controller will be responsible for the costs and fees of any such audits or inspections.  If the audit report generated as a result of Controller’s audit includes any finding of material non-compliance with this DPA or applicable law, Controller will share such audit report with Processor and, after Processor’s verification of the issue, Processor will promptly cure the non-compliance.    

10. Personal Data Breach.

  • 10.1. In the event of a Personal Data Breach, Processor shall, without undue delay (in case longer than forty-eight hours from detection), inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control).
  • 10.2. In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.
  • 10.3. The obligations described in this Section 10 shall only apply to a Personal Data Breach that results from the actions or omissions of Processor.

11. Limitation of Liability

  • 11.1. The limitation of liability section of the Agreement shall apply to this Addendum.

12. CCPA Compliance.

Processor and Controller shall comply, when applicable, with their respective obligations under the CCPA.

  • 12.1. As used in this section 12, “personal information,” “consumer,” “sell,” “business purpose,” “commercial purpose,” and “verifiable consumer request” will have the meaning given to those terms in the CCPA.
  • 12.2. General. The parties acknowledge and agree that: (i) Processor does not receive Personal Information, or access to it, as valuable consideration for providing services to Controller under the Agreement and (ii) Processor shall collect, receive, access, retain, use, disclose, or otherwise process Personal Information on behalf of Controller solely for the business purpose of providing the services to Controller and in accordance with the terms and conditions of this DPA (see Appendix A).
  • 12.3. Data processing obligations. Processor shall not, directly or indirectly: (i) sell Personal Information; (ii) collect, access, retain, use, disclose, or otherwise process Personal Information: (a) for any purpose other than for the specific business purpose of performing the services specified in the Agreement and Appendix A of this DPA; (b) for a commercial purpose other than providing Controller the services specified in the Agreement and Appendix A of this DPA; or (c) outside the direct business relationship between Controller and Processor; or (iii) attempt to or actually re-identify any previously aggregated, de-identified, or anonymized Personal Information and Processor shall contractually prohibit permitted downstream data recipients from attempting to or actually re-identifying such data.
  • 12.4. Certification. Processor certifies that it understands the foregoing restrictions in subsection 12.3 and will comply with them.
  • 12.5. Subcontractors. The parties agree that, to the extent permitted under the Agreement, Processor may use subcontractors to provide all or part of the services, provided that, to the extent any such engagement involves the collection, access, retention, use, disclosure, or other processing of Personal Information: (i) Processor shall provide Controller with a list that includes: (a) the name, address and contact information of each such subcontractor; (b) the type(s) of services provided by each such subcontractor; and (c) the categories of Personal Information disclosed, made available or otherwise processed by each such subcontractor; (ii) Processor does not make any disclosures to any subcontractor that would be considered a sale under the CCPA; (iii) Processor ensures that the arrangement between each subcontractor and Processor is governed by a written contract that includes terms substantially similar, but no less restrictive, as those set forth in this section about CCPA compliance; and (iv) Processor remains fully liable to Controller for each subcontractor’s performance of the obligations set forth in these sections about CCPA compliance. A Current list of subcontractors is in Appendix B attached hereto.
  • 12.6. Assistance with CCPA obligations. Processor shall: (i) upon Controller’s written request, reasonably assist Controller in fulfilling Controller’s obligation to respond to a verifiable consumer request under the CCPA; and (ii) if Processor receives a verifiable consumer request related to any Personal Information, immediately notify Controller in writing and shall not respond to any such verifiable consumer request, except as may be instructed by Controller in writing or as required by applicable law.
  • 12.7. Subpoenas and Court Orders. If Processor receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Personal Information, Processor shall not disclose any information but shall immediately notify Controller in writing of such request, and reasonably cooperate with Controller if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.
  • 12.8. Data Protection Impact Assessments (“DPIA’s”). To the extent Processor is required under Applicable Laws, Processor will assist Controller to conduct a DPIA and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activity that present a high risk to data subjects.

13. GDPR Compliance.

Controller and Processor shall comply, when applicable, with their respective obligations under the GDPR.

  • 13.1. Roles of the Parties. The parties agree that for the purposes of this Section 13, Controller is a “Controller” and Processor is a “Processor” as those terms are defined in the GDPR.
  • 13.2. Data Controller Instructions. Notwithstanding anything in the Agreement to the contrary, Processor will only Process Personal Information on documented instructions from Controller, including with regard to transfers of Personal Information to a third country or an international organization, unless required to do so by applicable law to which Processor is subject. Processor will promptly inform Controller if following Controller’s instructions would result in a violation of Applicable Law or where Processor must disclose Personal Information in response to a legal obligation (unless the legal obligation prohibits Processor from making such disclosure). For avoidance of doubt, Controller’s documented instructions include the Agreement and this DPA. 
  • 13.3. Cross-Border Transfers Mechanisms–EU.  The parties agree that the if provision of the service under the Agreement will require transfer of European Data outside of Europe to countries which are not recognized by the European Commission as providing an adequate level of protection of Personal Information, the parties acknowledge and agree that such transfers will be made pursuant to the transfer mechanisms outlined in Module Two of the EU SCCs.
  • Specifically: (1) in Clause 7, the optional docking clause will not apply; (2) in Clause 9, Option 2 will apply, subject to Section 13.5 of this DPA; (3) in Clause 11, the optional language will not apply; (4) in Clause 17, the EU SCCs will be governed by the laws of Ireland; (5) in Clause 18(b), disputes will be resolved before the courts of Ireland.

In Annex I, Part A-List of Parties:

Data Exporter:  Controller (as listed in the Agreement) 

Contact Details:  Controller’s contact details listed in the Agreement 

Data Exporter Role:  As outlined in Section 13.1 of this DPA.

Signature & Date:  By entering into the DPA, Controller is deemed to have signed the SCCs incorporated herein, including the Annexes, as of the Effective Date.

Data Importer: LeanData, Inc. 

Address: 2901 Patrick Henry Dr, Santa Clara, CA 95054 

Contact person’s name, position and contact details: Kelvin Cheung, CISO, [email protected]

Data Importer Role: As outlined in Section 13.1 of this DPA.

Signature & Date: By entering into the DPA, LeanData is deemed to have signed the SCCs, incorporated herein, including the Annexes, as of the Effective Date.

In Annex I, Part B–Description of Transfer
Categories of Data Subjects: May include Controller’s employees, contacts and customers that appear as Leads and Contacts in Controller’s Salesforce database, and prospects that complete webforms to be scheduled via LeanData BookIt.

Categories of Personal Information: See Appendix A for a chart listing the Controller Personal Information processed by Processor hereunder. 

Frequency of Transfer:  Transfers may be continuous for the duration of the Agreement.

Nature of Processing:  The nature of processing is as set forth in the Agreement. 

Purposes of the Data Transfer and Further Processing: The purpose of transfer may include performance of Service, fraud detection, compliance with applicable laws, and any other purpose set forth in the Agreement or this DPA. 

Subcontractors. The parties agree upon a  general authorization to engage Sub-processors to process European Data on Controller’s behalf. Upon Controller’s request, Processor will provide a list of Sub-Processors processing European Data. If the Controller objects to the appointment of a Sub-Processor, it must notify the Processor within thirty (30) days of such notice and the Processor will work in good faith with the Controller to find an alternative solution.

Data Retention Period:  The data importer will retain the data as described in Section 2.4 of this DPA. 

In Annex I, Part C-Supervisory Authority 

In accordance with Clause 13(a) of the EU SCCs, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated shall act as competent supervisory authority.  Where the data exporter is not established in the an EU Member state, but falls within the territorial scope of the GDPR pursuant to Article 3(2)  and has appointed a representative pursuant to Article 27 of the GDPR, the supervisory authority of the member state where the representative is established shall act as the competent supervisory authority.  Where the data exporter is not established in the an EU Member state, but falls within the territorial scope of the GDPR pursuant to Article 3(2)  and has not appointed a representative pursuant to Article 27 of the GDPR, the Irish Data Protection Commission shall act as the competent supervisory authority. Where the data exporter is established in the UK,  the Information Commissioner’s Office shall act as the competent supervisory authority. 

Data Retention Period: The data importer will retain the data as described in Section 2.4 of this DPA.

In Annex I, Part C-Supervisory Authority
In accordance with Clause 13(a) of the EU SCCs, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated shall act as competent supervisory authority. Where the data exporter is not established in the an EU Member state, but falls within the territorial scope of the GDPR pursuant to Article 3(2) and has appointed a representative pursuant to Article 27 of the GDPR, the supervisory authority of the member state where the representative is established shall act as the competent supervisory authority. Where the data exporter is not established in the an EU Member state, but falls within the territorial scope of the GDPR pursuant to Article 3(2) and has not appointed a representative pursuant to Article 27 of the GDPR, the Irish Data Protection Commission shall act as the competent supervisory authority. Where the data exporter is established in the UK, the Information Commissioner’s Office shall act as the competent supervisory authority.

In Annex II, Technical and Organizational Measures to Ensure The Security of Data
Processor will maintain administrative, physical, and technical safeguards to protect the confidentiality, integrity, and security of Personal Information as set forth in this DPA.

  • 13.4. Cross-Border Transfers Mechanisms–UK
    • With respect to  transfers of Personal Information protected by the UK GDPR, the EU SCCs will apply as set forth herein, with the following modifications:
    • Any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the UK GDPR; references to specific articles of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK GDPR;
    • References to “EU”, “Union” and “Member State law” are all replaced with “UK”; Clause 13(a) and Part C of Annex I of the EU SCCs are not used; references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Information Commissioner and the courts of England and Wales;
    • Clause 17 of the EU SCCs is replaced to state that “The Clauses are governed by the laws of England and Wales” and Clause 18 of the EU SCCs is replaced to state “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”
  • 13.5. Sub-Processors. To the extent permitted under the Agreement, Processor may use Sub-processors to provide all or part of the services with the prior written consent of Controller upon at least 30 days prior written notice to Controller, provided that, to the extent any such engagement involves the collection, access, retention, use, disclosure, or other processing of Personal Information: (i) Processor shall provide Controller with a list that includes: (a) the name, address and contact information of each such Sub-processor; (b) the type(s) of services provided by each such Sub-processor; and (c) the categories of Personal Information disclosed, made available or otherwise processed by each such Sub-processor; (ii) the arrangement between each Sub-Processor and Processor is governed by a written contract that includes terms substantially similar, but no less restrictive, as those set forth in this section about GDPR compliance; and (iii) where a Sub-processor fails to fulfill its data protection obligations, Processor will remain fully liable to Controller for the performance of that Sub-processor’s obligations. Where Processor engages a Sub-processor for carrying out specific Processing activities on behalf of Controller, the same data protection obligations as set out in this DPA will be imposed on that Sub-processor by way of a contract or other legal act under EU, or Member State law, or the UK law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the applicable  data protection laws.
  • 13.6. Data Protection Impact Assessments (“DPIA’s”). Processor will cooperate to the extent reasonably necessary in connection with Controller’s requests related to data protection impact assessments and consultation with supervisory authorities as well as for the fulfillment of Controller’s obligation to respond to requests for exercising a data subject’s rights in Chapter III of the GDPR. In particular, (a) upon a request issued by a supervisory authority for records regarding Personal Information, Processor will cooperate to provide the supervisory authority with records related to Processing activities performed on Controller’s behalf, including information on the categories of Personal Information Processed and the purposes of the Processing, the use of Processors with respect to such Processing, any data disclosures or transfers to third parties and a general description of technical and organizational measures to protect the security of such data and (b) Processor has implemented and will maintain appropriate technical and organizational measures needed to enable Controller to respond to requests from data subjects to access, correct, transmit, limit processing of, or delete any relevant Personal Information held by Processor. 
  1. This DPA may be executed in two or more counterparts, each of which shall be deemed an original and all of which taken together shall be deemed to constitute one and the same document. The parties may sign and deliver this DPA by facsimile or email transmission.

Appendix A

Details of Processing

Nature and Purpose of Processing: Processor shall host, maintain and otherwise process data only in connection with the provision of services pursuant to the terms of the Agreement and this Data Processing Addendum.

Duration of Processing: During the term of the Agreement.

Categories of Data Subjects: Controller’s employees, contacts and customers that appear as Leads and Contacts in Controller’s Salesforce database, and prospects that complete webforms to be scheduled via LeanData BookIt.

Type of Personal Data: Contact information.

Subject Matter: The subject matter and duration of the Processing of the Company Personal Data are set out in the Agreement and this Addendum.

Appendix B

LIST OF SUB-PROCESSORS

EXPLANATORY NOTE:

The Controller has authorized the use of the following sub-processors:

  1. Name: Salesforce
    Address: Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105
    Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Cloud provider
  2. Name: Heroku (owned by Salesforce)
    Address: Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105
    Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Cloud provider
  3. Name: New Relic
    Address: 188 Spear St, San Francisco, CA
    Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Application monitoring and logging
  4. Name: Amazon AWS
    Address: 410 Terry Avenue North, Seattle, WA
    Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Cloud services