This Data Transfer Agreement, including the Standard Contractual Clauses referenced herein (“DTA”), amends and supplements any existing and currently valid Terminus Service Agreement (the “Agreement”) either previously or concurrently made between you (together with subsidiary(ies) and affiliated entities, collectively, “Customer”) and Terminus Software, Inc. (together with subsidiary(ies) and affiliated entities, collectively “Terminus”) solely with respect to the provision of Supplementary Data, as defined in the Agreement. Defined terms used herein but not otherwise defined shall have the meanings set forth in the Agreement(s).
1.0 Purpose of the DTA. This DTA is intended to reflect the Parties’ agreement with regard to the Processing of Supplementary Data in connection with Customer’s use of Terminus’ Prospect Engine (the “Prospect Engine”) pursuant to the Agreement.
2.0 Definitions. For the purpose of this DTA, these terms shall mean the following:
2.1 “Applicable Laws” shall mean all applicable federal, state and foreign data protection, privacy and data security laws, as amended from time to time, as well as applicable regulations and formal directives intended by their nature to have the force of law, including, without limitation, the European Data Protection Laws and Applicable State Privacy Laws but excluding, without limitation, consent decrees.
2.2 “Applicable State Privacy Laws” shall mean individually and collectively, as applicable, those laws and regulations of the states within the United States that govern the transfer, sharing or sale to a third party of the personal information or personal data of consumers or individuals (as such transfers and data are defined in the applicable law), that are currently in effect or that become effective in the future, including, but not limited to, the California Consumer Privacy Act of 2018 as updated by the California Privacy Rights Act of 2020 (“CCPA”), the Colorado Privacy Act, the Utah Consumer Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, the Iowa Data Privacy Law, and the Indiana Data Privacy Law, and in each case, any amendments, final regulations, and successor legislation.
2.3 “European Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data in connection with the Prospect Engine under the Agreement, including (where applicable) the GDPR and the UK GDPR.
2.4 “European Personal Data” means Personal Data which is, or has been, subject to the European Data Protection Laws.
2.5 “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
2.6 “Personal Data” means any data relating to an identified or identifiable person that is submitted to, or collected by, Terminus in connection with the provision of the Prospect Engine to or on behalf of Customer, when such data is protected as “personal data” or “personally identifiable information” or a similar term under Applicable Laws.
2.7 “Personal Data Breach” means any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to Personal Data where such compromise of the Personal Data meets the definitions of both “personal data” (or like term) and “security breach” (or like term) under Applicable Laws governing the particular circumstances.
2.8 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
2.9 “Standard Contractual Clauses” means (i) where GDPR applies, the model clauses (Module 1) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, the approved version of which is set out in the European Commission’s Implementing Decision on June 4, 2021 set forth at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri =CELEX:32021D0914&locale=en (“EU SCCs”) and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”). (The Annexes to the EU SCCs are set out on Exhibit A, and the Appendices to the UK SCCs are attached hereto as Exhibit B.)
2.10 “Supervisory Authority” has the meaning set forth under the GDPR.
2.11 “UK GDPR” means the GDPR as it forms part of the laws of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018, as amended (if applicable) by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and the Data Protection Act 2018.
3.0 Processing Personal Data. The Parties acknowledge that in connection with the Agreement, Terminus may provide or make available to Customer Supplementary Data that may contain Personal Data. Customer shall Process such data for the limited and specified purposes described in the Agreement or as otherwise agreed by the Parties. Customer shall not “sell” or “share” (as defined in the Applicable State Privacy Law), rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, any Supplementary Data unless it has received Terminus’ prior written consent. Customer shall comply with applicable obligations under Applicable State Privacy Laws and provide the same level of privacy protection as is required by Applicable State Privacy Laws. Each Party will Process the copy of the Personal Data in its possession or control as an independent controller (not as a joint controller with the other Party). Terminus may take reasonable and appropriate steps to help ensure that Customer uses the Supplementary Data in a manner consistent with Terminus’ obligations under Applicable Laws. Customer shall promptly notify Terminus if Customer determines it can no longer meet its obligations under Applicable Laws. Terminus may, upon reasonable notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Supplementary Data
4.0 International Transfers. Where European Data Protection Laws apply to European Personal Data, neither Party shall Process any European Personal Data (nor permit any European Personal Data to be Processed) in a territory outside of the EU, United Kingdom, and/or Switzerland (as applicable) unless it has taken such measures as are necessary to ensure the transfer complies with applicable European Data Protection Laws (as applicable). To the extent Terminus transfers European Personal Data to Customer, Customer agrees to comply with the obligations of data importer as set out in the Standard Contractual Clauses and acknowledges that Terminus will be a data exporter under such clauses. The Parties agree that they will provide additional information about the transfer and will co-operate, without delay, where this is required by a Supervisory Authority in any EEA Member State, the United Kingdom, and/or Switzerland.
4.1 All transfers of Customer Personal Data out of the European Union (“EU Personal Data”) to the United States and any other country not having received an adequacy decision by the European Commission under Article 45 of the GDPR, shall be governed by the EU SCCs. The terms of the EU SCCs, as modified by this Section 4.1, together with Annexes I and II which are set out in Exhibit A to this DTA, are incorporated in this DTA by this reference solely as required with respect to EU Personal Data for the Prospect Engine. The Parties agree that the blank lines in Clauses 17 and 18 shall state Republic of Ireland.
4.2 All transfers of Customer Personal Data out of the United Kingdom (“UK Personal Data”) to the United States and any other country not having received an adequacy decision by the UK regulatory authorities, shall be governed by the UK SCCs. The terms of the UK SCCs, as modified by this Section 4.2, are incorporated in this DTA by this reference solely as required with respect to UK Personal Data for the Prospect Engine.
4.3 Where the application of the EU SCCs is required under Swiss data protection law for the transfer of Personal Data, the terms below will have the following substituted meanings: (a) “GDPR” means the Federal Act on Data Protection of 19 June 1992 (SR 235.1; “FADP”) and its revised version of 25 September 2020; (b) “European Union”, “Union” or “Member States” means Switzerland, provided that the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 c; and (c) “supervisory authority” means the Federal Data Protection and Information Commissioner (“FDPIC”).
5.0 Compliance with Applicable Laws.
5.1 Each Party shall separately comply with its obligations under Applicable Laws and this DTA when Processing Personal Data. Neither Party shall be responsible for the other Party’s compliance with Applicable Laws. In particular, each Party shall be individually responsible for ensuring that its Processing of the Personal Data is lawful, fair, and transparent, and shall make available to Data Subjects a privacy statement that fulfills the requirements of Applicable Laws.
5.2 Customer shall implement and maintain all appropriate technical and organizational measures to protect any copies of the Personal Data in its possession or control from (i) accidental or unlawful destruction, and (ii) loss, alteration, or unauthorized disclosure or access and to preserve the security and confidentiality of such Personal Data.
5.3 Each Party will promptly, without undue delay, after becoming aware of a Personal Data Breach (a) notify the other Party of the Personal Data Breach; (b) investigate the Personal Data Breach; (c) provide the other Party with details about the Personal Data Breach; and (d) take reasonable actions to prevent a recurrence of the Personal Data Breach. The Parties agree to cooperate together in the handling of the matter by: (i) providing reasonable assistance in the investigation of the Personal Data Breach; and (ii) making available relevant records, logs, files, data reporting, and other materials related to the Personal Data Breach’s effects, as may be required to comply with Applicable Laws.
5.4 Data Subject Requests. Each Party will cooperate with the other to address data subject rights and requests afforded by Applicable Laws.
6.0 Miscellaneous.
6.1 In the event of any conflict or inconsistency between this DTA and Applicable Laws, Applicable Laws shall prevail. In the event of any conflict or inconsistency between the terms of this DTA and the terms of the Agreement, the terms of this DTA shall prevail solely to the extent that the subject matter concerns the transfer of Personal Data in connection with the Prospect Engine.
6.2 To the extent that it is determined by any data protection authority that the Agreement or this DTA is insufficient to comply with Applicable Laws or changes to Applicable Laws, Customer and Terminus agree to cooperate in good faith to amend the Agreement or this DTA or enter into further mutually agreeable data processing agreements in an effort to comply with all Applicable Laws.
6.3 Each Party’s liability arising out of or related to this DTA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the Agreement. For the avoidance of doubt, each reference herein to the “DTA” means this DTA including its exhibits and appendices.
6.4 This DTA is without prejudice to the rights and obligations of the Parties under the Agreement which shall continue to have full force and effect. This DTA only applies to the extent Terminus provides Supplementary Data to Customer in connection with the Prospect Engine. This DTA together with the Agreement is the final, complete and exclusive agreement of the Parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the Parties with respect to such subject matter.
Exhibit A: Data Transfer Agreement
Annexes to Standard Contractual Clauses
ANNEX I
A. LIST OF PARTIES
Data exporter(s): The data exporter is Terminus, with contact details for Terminus and its representative and the activities relevant to the data being transferred as set forth in the Agreement and the applicable Order Form for the Prospect Engine.
Data importer(s): The data importer is Customer, with contact details regarding the Customer and its representative and the activities relevant to the data being transferred as set forth in the Agreement and the applicable Order Form for the Prospect Engine.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data exporter may submit Personal Data to Customer, the extent of which is determined by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: Prospective, current or former customers of products and services provided by data importer.
Categories of personal data transferred
Data exporter may submit Personal Data to Customer, the extent of which is determined by Customer in its sole discretion, and which may include, but is not limited to the following categories of personal data: (a) First and last name; (b) Title; (c) Position; (d) Employer; and (e) Contact information (company, email, phone, physical business address).
Sensitive data transferred (if applicable)
None
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
For the term of Customer’s license to the Prospect Engine under the Agreement.
Nature of the processing
As described in the Agreement and the applicable Order Form for the Prospect Engine.
Purpose(s) of the data transfer and further processing
To utilize Terminus’ Prospect Engine as set forth in the Agreement and the applicable Order Form.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the term of Customer’s license to the Prospect Engine under the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As necessary to enable Customer to utilize the Prospect Engine described in the Agreement and the applicable Order Form for the term of Customer’s license to the Prospect Engine.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE ONE: Transfer controller to controller
The competent supervisory authority/ies in accordance with Clause 13 shall be the Irish Data Protection Commission.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The data importer will maintain reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data as described in this DTA.
EXHIBIT B: APPENDICES TO UK SCC – CONTROLLER TO CONTROLLER
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | The Effective Date of Customer’s license to the Prospect Engine under the Agreement. | |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | See Exhibit A EU SCCs, Annex I.A. | See Exhibit A EU SCCs, Annex LA. |
Key Contact | Contact details regarding Terminus and its representative is set forth in the Agreement and the applicable Order Form for the Prospect Engine. | Contact details regarding Customer and its representative is set forth in the Agreement and the applicable Order Form for the Prospect Engine. |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information is set forth herein in this DTA. |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: See Exhibit A EU SCCs, Annex I.A. |
Annex 1B: Description of Transfer: See Exhibit A EU SCCs, Annex I.B. |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Exhibit A EU SCCs, Annex II. |
Annex III: List of Sub processors (Modules 2 and 3 only): Not applicable for Module 1. |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Amendments shall follow the amendment procedures as set forth in the Agreement. |
Part 2: Mandatory Clauses
Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |
updated as of 2023.10.23