This Data Transfer Agreement, including the Standard Contractual Clauses referenced herein (“DTA”), amends and supplements any existing and currently valid Terminus Service Agreement (the “Agreement”) either previously or concurrently made between you (together with subsidiary(ies) and affiliated entities, collectively, “Customer”) and Terminus Software, Inc. (together with subsidiary(ies) and affiliated entities, collectively “Terminus”) solely with respect to the provision of Supplementary Data, as defined in the Agreement. Defined terms used herein but not otherwise defined shall have the meanings set forth in the Agreement(s).
1.0 Purpose of the DTA. This DPA is intended to reflect the Parties’ agreement with regard to the Processing of Supplementary Data in connection with Customer’s use of the Customer Data Platform Services (the “CDP Services”) pursuant to the Agreement.
2.0 Definitions. For the purpose of this DTA, these terms shall mean the following:
2.1 “Applicable Laws” shall mean all applicable federal, state and foreign data protection, privacy and data security laws, as well as applicable regulations and formal directives intended by their nature to have the force of law, including, without limitation, the European Data Protection Laws and the CCPA but excluding, without limitation, consent decrees.
2.2 “CCPA” means the California Consumer Privacy Act.
2.3 “European Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data for the Services under the Agreement, including (where applicable) the GDPR.
2.4 “European Personal Data” means Personal Data which is, or has been, subject to the European Data Protection Laws.
2.5 “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
2.6 “Personal Data” means any data relating to an identified or identifiable person that is submitted to, or collected by, Terminus in connection with the Services or in connection with the provision of the Services to or on behalf of Customer, when such data is protected as “personal data” or “personally identifiable information” or a similar term under Applicable Laws.
2.7 “Personal Data Breach” means any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to Personal Data where such compromise of the Personal Data meets the definitions of both “personal data” (or like term) and “security breach” (or like term) under Applicable Laws governing the particular circumstances.
2.8 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
2.9 “Standard Contractual Clauses” means (i) where GDPR applies, the model clauses (Module 1) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, the approved version of which is set out in the European Commission’s Implementing Decision on June 4, 2021 set forth at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en (“EU SCCs”) and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”). (The Appendices to the UK SCCs are attached hereto as Exhibit B.)
2.10 “Supervisory Authority” has the meaning set forth under the GDPR.
2.11 “UK GDPR” means the GDPR as it forms part of the laws of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018.
3.0 Processing Personal Data. The Parties acknowledge that in connection with the Agreement, Terminus may provide or make available to Customer Supplementary Data that may contain Personal Data. Customer shall Process such data: (i) for the purposes described in the Agreement; and/or (ii) as may otherwise be permitted under Applicable Laws. Each Party will Process the copy of the Personal Data in its possession or control as an independent controller (not as a joint controller with the other Party).
4.0 International Transfers. Where European Data Protection Laws apply to the European Personal Data, neither Party shall Process any European Personal Data (nor permit any European Personal Data to be Processed) in a territory outside of the EU, United Kingdom, and/or Switzerland (as applicable) unless it has taken such measures as are necessary to ensure the transfer complies with applicable European Data Protection Laws (as applicable). To the extent Terminus transfers European Personal Data to Customer, Customer agrees to comply with the obligations of data importer as set out in the Standard Contractual Clauses and acknowledges that Terminus will be a data exporter under such clauses. The Parties agree that they will provide additional information about the transfer and will co-operate, without delay, where this is required by a Supervisory Authority in any EEA Member State, the United Kingdom, and/or Switzerland.
5.0 Compliance with Applicable Laws.
5.1. Each Party shall separately comply with its obligations under Applicable Laws and this Data Transfer Agreement when Processing Personal Data. Neither Party shall be responsible for the other Party’s compliance with Applicable Laws. In particular, each Party shall be individually responsible for ensuring that its Processing of the Personal Data is lawful, fair, and transparent, and shall make available to Data Subjects a privacy statement that fulfils the requirements of Applicable Laws.
5.2. Customer shall implement and maintain all appropriate technical and organizational measures to protect any copies of the Personal Data in its possession or control from (i) accidental or unlawful destruction, and (ii) loss, alteration, or unauthorized disclosure or access and to preserve the security and confidentiality of such Personal Data. Notwithstanding the generality of the foregoing, Customer shall: (a) employ reasonable administrative, physical, and technical safeguards (including commercially reasonable safeguards against worms, Trojan horses, and other disabling or damaging codes) to afford protection of the Personal Data in accordance with applicable Data Protection Law(s) as would be appropriate based on the nature of the Personal Data; and (b) utilize its best efforts to keep the Personal Data reasonably secure and in an encrypted form, and use industry standard security practices and systems applicable to the use of Personal Data to prevent, and take prompt and proper remedial action against, unauthorized access, copying, modification, storage, reproduction, display, or distribution of Personal Data.
5.3. Each Party will promptly, without undue delay, after becoming aware of a Personal Data Breach (a) notify the other Party of the Personal Data Breach; (b) investigate the Personal Data Breach; (c) provide the other Party with details about the Personal Data Breach; and (d) take reasonable actions to prevent a recurrence of the Personal Data Breach. The Parties agree to cooperate together in the handling of the matter by: (i) providing reasonable assistance in the investigation of the Personal Data Breach; and (ii) making available relevant records, logs, files, data reporting, and other materials related to the Personal Data Breach’s effects, as may be required to comply with Applicable Laws.
5.5 Data Subject Requests. Each Party will cooperate with the other to address data subject rights and requests afforded by Applicable Laws.
6.1 In the event of any conflict or inconsistency between this DTA and Applicable Laws, Applicable Laws shall prevail. In the event of any conflict or inconsistency between the terms of this DTA and the terms of the Agreement, the terms of this DTA shall prevail solely to the extent that the subject matter concerns the Processing of Personal Data.
6.2 To the extent that it is determined by any data protection authority that the Agreement or this DTA is insufficient to comply with Applicable Laws or changes to Applicable Laws, Customer and Terminus agree to cooperate in good faith to amend the Agreement or this DTA or enter into further mutually agreeable data processing agreements in an effort to comply with all Applicable Laws.
6.3 Each Party’s liability arising out of or related to this DTA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the Agreement. For the avoidance of doubt, each reference herein to the “DTA” means this DTA including its exhibits and appendices.
6.4 This DTA is without prejudice to the rights and obligations of the Parties under the Agreement which shall continue to have full force and effect. This DTA only applies to the extent Terminus provides Supplementary Data to Customer. This DTA together with the Agreement is the final, complete and exclusive agreement of the Parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the Parties with respect to such subject matter.
Exhibit A: Data Transfer Agreement
Annexes to Standard Contractual Clauses
A. LIST OF PARTIES
Data exporter(s): The data exporter is Terminus, with contact details for Terminus and its representative and the activities relevant to the data being transferred as set forth in the Agreement and the applicable Order Form for Services.
Data importer(s): The data importer is Customer, with contact details regarding the Customer and its representative and the activities relevant to the data being transferred as set forth in the Agreement and the applicable Order Form for Services.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data exporter may submit Personal Data to Customer, the extent of which is determined by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: Prospective customers and current or former customers of products and services provided by data importer.
Categories of personal data transferred
Data exporter may submit Personal Data to Customer, the extent of which is determined by Customer in its sole discretion, and which may include, but is not limited to the following categories of personal data: (a) First and last name; (b) Title; (c) Position; (d) Employer; (e) Contact information (company, email, phone, physical business address).
Sensitive data transferred (if applicable)
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
For the term of the Agreement.
Nature of the processing
As described in the Agreement and the applicable Order Form.
Purpose(s) of the data transfer and further processing
To utilize Terminus’ Services as set forth in the Agreement and the applicable Order Form.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the term of the Agreement plus a period of approximately 30 to 60 days unless the Customer requests a longer period of time during which to elect to have Personal Data returned to Customer.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As necessary to enable Terminus to perform the Services described in the Agreement and the applicable Order Form and for the term of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE ONE: Transfer controller to controller
The competent supervisory authority/ies in accordance with Clause 13 shall be the Irish Data Protection Commission.
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The data importer will maintain reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data as described in this DTA.
EXHIBIT B: APPENDICES TO UK SCC – CONTROLLER TO CONTROLLER
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
| Start date | The Effective Date of the Agreement |
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| Parties’ details | See Exhibit A EU SCC, Annex I.A. | See Exhibit A EU SCC, Annex I.A. |
| Key Contact | Contact details regarding the Exporter and its representative are set forth in the Agreement and the applicable Order Form for Services. | Contact details regarding the Importer and its representative are set forth in the Agreement and the applicable Order Form for Services. |
Table 2: Selected SCCs, Modules and Selected Clauses
| Addendum EU SCCs | The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information is set forth herein in this DPA |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
|Annex 1A: List of Parties: See Exhibit A EU SCC, Annex I.A.|
|Annex 1B: Description of Transfer: See Exhibit A EU SCC, Annex I.B.|
|Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Exhibit A EU SCC, Annex II.|
|Annex III: List of Sub processors (Modules 2 and 3 only): See Exhibit A EU SCC, Annex III.|
Table 4: Ending this Addendum when the Approved Addendum Changes
| Ending this Addendum when the Approved Addendum changes | Amendments shall follow the amendment procedures as set forth in the Agreement. |
Part 2: Mandatory Clauses
| Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |