Terminus Data Processing Addendum

This Data Processing Addendum, including the Standard Contractual Clauses referenced herein (“DPA”), amends and supplements any existing and currently valid Terminus Service Agreement (the “Agreement”) either previously or concurrently made between you (together with subsidiary(ies) and affiliated entities, collectively, “Customer”) and Terminus Software, Inc. (together with subsidiary(ies) and affiliated entities, collectively “Terminus”). Defined terms used herein but not otherwise defined shall have the meanings set forth in the Agreement(s).

1.0 Purpose of the DPA. This DPA is intended to reflect the Parties’ agreement with regard to the Processing of data, including Personal Data in connection with the provision of Ad, Email and Chat Experience services to Customer pursuant to the Agreement, but excluding Terminus’ Prospect Engine (the “Services”).

2.0 Definitions. For the purpose of this DPA, these terms shall mean the following:

2.1 “Applicable Laws” shall mean all applicable federal, state and foreign data protection, privacy and data security laws, as amended from time to time, as well as applicable regulations and formal directives intended by their nature to have the force of law, including, without limitation, the European Data Protection Laws and Applicable State Privacy Laws but excluding, without limitation, consent decrees.

2.2 “Applicable State Privacy Laws” shall mean individually and collectively, as applicable, those laws and regulations of the states within the United States that govern the transfer, sharing or sale to a third party of the personal information or personal data of consumers or individuals (as such transfers and data are defined in the applicable law), that are currently in effect or that become effective in the future, including, but not limited to, the California Consumer Privacy Act of 2018, as updated by the California Privacy Rights Act of 2020 (“CCPA”), the Colorado Privacy Act, the Utah Consumer Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, the Iowa Data Privacy Law, and the Indiana Data Privacy Law, and in each case, any amendments, final regulations, and successor legislation.

2.3 “Authorized Personnel” means (a) Terminus’ employees who have a need to know or otherwise access Personal Data for the purposes of performing applicable Services; and (b) Terminus’ contractors, agents, and auditors who have a need to know or otherwise access Personal Data to enable Terminus to perform its obligations under this DPA, and who are bound in writing by confidentiality and other obligations sufficient to protect Personal Data in accordance with the terms and conditions of this DPA.

2.4 “European Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data for the Services under the Agreement, including (where applicable) the GDPR and UK GDPR.

2.5 “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).

2.6 “Personal Data” means any data relating to an identified or identifiable person that is submitted to, or collected by, Terminus in connection with the Services or in connection with the provision of the Services to or on behalf of Customer, when such data is protected as “personal data” or “personally identifiable information” or a similar term under Applicable Laws.

2.7 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

2.8 “Security Breach” means any negligent act or omission by Terminus that materially compromises the security, confidentiality, or integrity of Personal Data where such compromise of the Personal Data meets the definitions of both “personal data” (or like term) and “security breach” (or like term) under Applicable Law(s) governing the particular circumstances.

2.9 “Standard Contractual Clauses” means (i) where GDPR applies, the model clauses (Module 2, where Customer is controller and Terminus is processor, or Module 3 where Customer is a transfer processor and Terminus is a sub-processor) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, the approved version of which is set out in the European Commission’s Implementing Decision on June 4, 2021 set forth at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).  (The Annexes to the EU SCCs are set out in Exhibit A, and the Appendices to the UK SCCs are attached hereto as Exhibit B.)

2.10 “Sensitive Data” for purposes of Annex I means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs; trade-union membership; genetic data, biometric data processed solely to identify a human being; health-related data; or data concerning a person’s sex life or sexual orientation.

2.11 “UK GDPR” means the GDPR as it forms part of the laws of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018, as amended (if applicable) by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, and the Data Protection Act 2018.

3.0 Processing and Transfer of Personal Data.

3.1 Terminus shall process Personal Data in accordance with Customer’s written instructions provided during the term of this DPA. In the event Terminus reasonably believes there is a conflict with any Applicable Laws and Customer’s instructions, Terminus will inform Customer promptly and the Parties shall cooperate in good faith to resolve the conflict and achieve the goals of such instruction.

3.2 For purposes of this Section 3.2, the terms “aggregate consumer information,” “deidentified,” “process,” “processor,” “sell,” “service provider,” and “share” shall have the meanings ascribed to them in the Applicable State Privacy Laws.

(a) Terminus is acting as a service provider or processor to Customer and will not (i) “sell” or “share” Personal Data, (ii) combine the Personal Data with any other Personal Data, unless expressly instructed by Customer for a specific purpose, and sole benefit of Customer, in the Services, or (iii) retain, use, or disclose Personal Data for any purpose (including any commercial purpose) other than for the specific purpose of Terminus’ performance of the Services under the Agreement.

(b) To the extent that Terminus reserves rights under the Agreement to “aggregate” or “aggregated” Personal Data, Terminus agrees that the CCPA definition of aggregate consumer information” applies to such Personal Data and Terminus will process such Personal Data accordingly.

(c) To the extent that Terminus reserves rights under the Agreement to “de-identified,” “anonymized,” or “anonymous” Personal Data, Terminus agrees that the CCPA definition of deidentified” applies to such Personal Data and Terminus will process such Personal Data accordingly.

3.3 The Parties acknowledge and agree that processing of the Personal Data will occur in the United States and perhaps other jurisdictions outside the residence of the data subjects (as disclosed in Annex III with respect to the location of Terminus’ sub-processors), and Customer shall comply with all notice and consent requirements for such transfer and processing to the extent required by Applicable Laws. Customer consents to the use by Terminus of the sub-processors listed on Annex III to the EU SCCs.

4.0 European Data Protection Laws.

4.1 Transfers of European Personal Data.  Customer acknowledges and agrees that Terminus is headquartered in the United States and that Customer’s provision of Personal Data from the European Economic Area, Switzerland and the United Kingdom to Terminus for processing is a transfer of such Personal Data to the United States (among other locations outside the European Union).

4.1.1     All transfers of Customer Personal Data out of the European Union (“EU Personal Data”) to the United States and any other country not having received an adequacy decision by the European Commission under Article 45 of the GDPR, shall be governed by the EU SCCs. The terms of the EU SCCs, as modified by this Section 4.1.1, together with Annexes I, II and III which are set out in Exhibit A to this DPA, are incorporated in this DPA by this reference solely as required with respect to EU Personal Data for the Services.  The Parties agree to delete the optional provision in Clause 11 and choose Option 1 in Clause 17. The Parties agree that the blank lines in Clauses 17 and 18 shall state Republic of Ireland.

4.1.2     All transfers of Customer Personal Data out of the United Kingdom (“UK Personal Data”) to the United States and any other country not having received an adequacy decision by the UK regulatory authorities, shall be governed by the UK SCCs. The terms of the UK SCCs, as modified by this Section 4.1.2, are incorporated in this DPA by this reference solely as required with respect to UK Personal Data for the Services.

4.1.3     Switzerland Transfers. Where the application of the EU SCCs is required under Swiss data protection law for the transfer of Personal Data, the terms below will have the following substituted meanings: (a) “GDPR” means the Federal Act on Data Protection of 19 June 1992 (SR 235.1; “FADP”) and its  revised version of 25 September 2020; (b) “European Union”, “Union” or “Member States” means Switzerland, provided that the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 c; and (c) “supervisory authority” means the Federal Data Protection and Information Commissioner (“FDPIC”).

4.2 GDPR Contractual Requirements. Terminus shall: (a) assist, to a reasonable extent, the fulfillment of Customer’s obligations to respond to requests for exercising a data subject’s rights with respect to Personal Data under European Data Protection Laws, including Chapter III of GDPR; (b) assist, to a reasonable extent, Customer in complying with its obligations with respect to Personal Data pursuant to European Data Protection Laws, including Articles 32 to 36 of GDPR; (c) make available to Customer information reasonably necessary to demonstrate compliance with its obligations as a processor specified in European Data Protection Laws, including Article 28 of GDPR; (d) maintain a record of all categories of processing activities carried out on behalf of Customer in accordance with European Data Protection Laws, including Article 30(2) of the GDPR; and (e) cooperate, on request, with any EU, UK or Swiss supervisory authority in the performance of the Services under the Agreement.

4.3 Sub-processors. Customer grants a general authorization to Terminus to appoint its affiliates as sub-processors, and a specific authorization to Terminus and its affiliates to appoint as sub-processors the entities set out in Annex III of the Standard Contractual Clauses, and for the sub-processing activities described thereon. Where a sub-processor fails to fulfil its data protection obligations, Terminus shall remain liable for the performance of the sub-processor’s obligations. Should Terminus add or remove any sub-processors from the entities set out in Annex III, Terminus shall provide Customer with at least thirty (30) days advance notice of such change.  If Customer objects to Terminus’ appointment of a third party sub-processor on reasonable grounds relating to the protection of personal data then the Customer and Terminus will work together in good faith to mutually agree on an alternative. Where no such alternative can be agreed, the Parties may mutually elect to suspend or terminate this Agreement, and any such termination shall not be considered a breach of the Agreement by either Party.

5.0 Compliance with Data Protection Laws.

5.1 Representation and Warranty. Customer represents and warrants on behalf of itself and any advertising agency acting on Customer’s behalf, that the Personal Data provided to Terminus for processing under the Agreement and this DPA is collected and/or validly obtained and utilized by Customer (and any advertising agency acting on Customer’s behalf) in compliance with all Applicable Laws, including without limitation the disclosure, informed affirmative consent and targeted advertising provisions of the CCPA and European Data Protection Laws, including without limitation Chapter II of the GDPR.

5.2 Data Security. Terminus will utilize commercially reasonable efforts to protect the security, confidentiality and integrity of the Personal Data transferred to it using reasonable administrative, physical, and technical safeguards, including the security standards set forth on Schedule 1 of the Agreement.  Notwithstanding the generality of the foregoing, Terminus shall: (a) not use or disclose Personal Data for any purpose other than those purposes instructed or permitted by Customer; (b) only use and disclose Personal Data in a manner and to the extent permitted in this DPA or as otherwise agreed between the Parties and observe all limitations as to such use or disclosure as Customer may notify to Terminus; (c) employ reasonable administrative, physical and technical safeguards (including commercially reasonable safeguards against worms, Trojan horses, and other disabling or damaging codes) to afford protection of the Personal Data in accordance with Applicable Laws as would be appropriate based on the nature of the Personal Data; (d) utilize commercially reasonable efforts to keep the Personal Data reasonably secure and in an encrypted form, and use industry standard security practices and systems applicable to the use of Personal Data to prevent, and take prompt and proper remedial action against unauthorized access, copying, modification, storage, reproduction, display or distribution of Personal Data; (e) cease to retain documents containing Personal Data, or remove the means by which Personal Data can be associated with particular individuals reasonably promptly after it is reasonable to assume that (i) the specified purposes are no longer being served by Terminus’ retention of Personal Data, and (ii) retention is no longer necessary for legal or business purposes; and (f) upon receiving a request from Customer to correct an error or omission in the Personal Data about the individual that is in the possession or under the control of Terminus, correct the Personal Data as soon as reasonably practicable.

5.3 Authorized Personnel; Sub-processors. Terminus shall ensure that Authorized Personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with obligations consistent with those contained in this DPA. In addition, Terminus is authorized to use the sub-processors set out in Annex III of the Standard Contractual Clauses provided that Terminus shall enter into an agreement with the sub-processor containing data protection obligations that are consistent with the obligations under this DPA.

5.4 Security Breaches. Terminus will promptly, without undue delay, after becoming aware of a Security Breach (a) notify Customer of the Security Breach; (b) investigate the Security Breach; (c) provide Customer with details about the Security Breach; and (d) take reasonable actions to prevent a recurrence of the Security Breach.  Terminus agrees to cooperate in Customer’s handling of the matter by: (i) providing reasonable assistance with Customer’s investigation; and (ii) making available relevant records, logs, files, data reporting, and other materials related to the Security Breach’s effects on Customer, as required to comply with Applicable Laws.

5.5 Data Subject Requests. Terminus will cooperate with Customer to address data subject rights and requests afforded by Applicable Laws.

6.0 Audits and Certifications. Within thirty (30) days of Customer’s written request, and no more than once annually and subject to the confidentiality obligations set forth in the Agreement (unless such information is reasonably required to be disclosed as a response to a data subject’s inquiries under Applicable Laws), Terminus shall make available to Customer (or a mutually agreed upon third-party auditor) information regarding Terminus’ compliance with the obligations set forth in this DPA, including reasonable documentation (such as a SOC 2 report).

7.0 Miscellaneous.

7.1 In the event of any conflict or inconsistency between this DPA and Applicable Laws, Applicable Laws shall prevail. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail solely to the extent that the subject matter concerns the processing of Personal Data.

7.2 To the extent that it is determined by any data protection authority that the Agreement or this DPA is insufficient to comply with Applicable Laws or changes to Applicable Laws, Customer and Terminus agree to cooperate in good faith to amend the Agreement or this DPA or enter into further mutually agreeable data processing agreements in an effort to comply with all Applicable Laws.

7.3 Each Party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the Agreement. For the avoidance of doubt, each reference herein to the “DPA” means this DPA including its exhibits and appendices.

7.4 This DPA is without prejudice to the rights and obligations of the Parties under the Agreement which shall continue to have full force and effect. This DPA only applies to the extent Terminus processes Personal Data on behalf of Customer. This DPA together with the Agreement is the final, complete and exclusive agreement of the Parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the Parties with respect to such subject matter.

Exhibit A: Data Processing Addendum
Annexes to EU Standard Contractual Clauses
ANNEX I

A. LIST OF PARTIES

Data exporter(s): The data exporter is Customer, with contact details regarding the Customer and its representative and the activities relevant to the data being transferred as set forth in the Agreement and the applicable Order Form for Services.

Data importer(s): The data importer is Terminus, with contact details for Terminus and its representative and the activities relevant to the data being transferred as set forth in the Agreement and the applicable Order Form for Services.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Data exporter may submit Personal Data to Terminus, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: the data exporter’s representatives and end-users including employees, contractors, business partners, collaborators, customers and prospective customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer Personal Data to users of the Services.

Categories of personal data transferred

Data exporter may submit Personal Data to Terminus, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of personal data: (a) First and last name; (b) Title; (c) Position; (d) Employer; (e) Contact information (company, email, phone, physical business address); (f) ID data; (g) Professional life data; (h) Connection data; (i) Localisation data; (j) Chat Data from chat windows, chat rooms or other conversations and interactions through the Services; and (k) other data in an electronic form used by Customer in the context of the Services.

Sensitive data transferred (if applicable)

None

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

For the term of the Agreement.

Nature of the processing

As described in the Agreement and the applicable Order Form

Purpose(s) of the data transfer and further processing

To utilize Terminus’ Services as set forth in the Agreement and the applicable Order Form.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the term of the Agreement plus a period of approximately 30 to 60 days unless the Customer requests a longer period of time during which to elect to have Personal Data returned to Customer.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As necessary to enable Terminus to perform the Services described in the Agreement and the applicable Order Form and for the term of the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located shall act as competent supervisory authority.


ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Terminus will maintain reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of personal data transferred to Processor as described in Section 5.2 of this DPA and at https://terminus.com/security/.


ANNEX III

LIST OF SUB-PROCESSORS

The data exporter has authorised the use of the following sub-processors:

Sub-processor name Permitted sub-processing activities​ Services Location
Amazon Web Services Cloud Hosting Services All services Virginia, USA
The Trade Desk Digital Advertising Ad Experiences California, USA
Salesforce CRM and Cloud Provider Email Experiences California, USA
Sendgrid Transactional and Reporting Emails Email Experiences Colorado, USA
Rocketseed Email Signature Management Email Experiences United Kingdom
Google Cloud Platform Cloud Hosting Services Customer Data Platform Services California, USA and Iowa, USA
Snowflake Cloud Hosting Services Customer Data Platform Services Ohio, USA
Bound Systems Usage Analytics Ad/Web Experiences Texas, USA

 

EXHIBIT B: APPENDICES TO UK SCCs – CONTROLLER TO PROCESSOR

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Start date The Effective Date of the Agreement
The Parties Exporter (who sends the Restricted Transfer) Importer (who receives the Restricted Transfer)
Parties’ details See Exhibit A EU SCCs, Annex I.A. See Exhibit A EU SCCs, Annex I.A.
Key Contact Contact details regarding the Customer and its representative is set forth in the Agreement and the applicable Order Form for Services. Contact details regarding Terminus and its representative is set forth in the Agreement and the applicable Order Form for Services.

 

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information is set forth herein in this DPA.

 

Table 3: Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: See Exhibit A EU SCCs, Annex I.A.
Annex 1B: Description of Transfer: See Exhibit A EU SCCs, Annex I.B.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Exhibit A EU SCCs, Annex II.
Annex III: List of Sub processors (Modules 2 and 3 only): See Exhibit A EU SCCs, Annex III.

 

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes Amendments shall follow the amendment procedures as set forth in the Agreement.

 

Part 2: Mandatory Clauses

Mandatory Clauses Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

 

updated as of 2023.10.23