Data Processing Addendum
Last Updated September 2024.
This Data Processing Addendum (this “DPA”) is made as of the date set forth in the Agreement.
This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data is Processed by the Company under the Agreement.
1. Definitions
1.1 For the purposes of this DPA, the following terms shall have their respective meanings set forth below and other capitalized terms used but not defined in this DPA have the same meanings as set forth in the Agreement:
(a) “Agreement” means the legal agreement entered into between Company and Client, to which this DPA is attached or incorporated by reference providing for the provision by Company to Client of the Services.
(b) “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data pursuant to Data Protection Laws.
(c) “Data Protection Laws” means all applicable national, international, provincial, federal, state and local laws and regulations relating to data protection, data privacy, data security, or the Processing of Personal Data, including (where applicable) EU Data Protection Legislation, the California Consumer Privacy Act (“CCPA”) (California Civil Code §§ 1798.80, et seq.), and any other provincial or state privacy laws that may take effect during the term of the Agreement.
(d) “Data Subject” has the meaning given in the GDPR.
(e) “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
(f) “EU Data Protection Legislation” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) (as amended, replaced or superseded).
(g) “Personal Data” means any information relating to an identified or identifiable natural person.
(h) “Processing” has the meaning given in the GDPR and includes any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(i) “Processor” means an entity which Processes Personal Data on behalf of the Controller.
(j) “Security Incident” means a confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data transmitted, stored or otherwise processed by Company.
(k) “Sensitive Data” means (a) racial or ethnic origin; (b) political opinions; (c) religious or philosophical beliefs; (d) trade union membership; (e) genetic data; (f) biometric data for the purpose of uniquely identifying a natural person; (g) data concerning health; (h) data concerning a natural person’s sex life; (i) sexual orientation; and (ii) without limiting the foregoing, any additional information that falls within the definition of “special categories of data” under EU Data Protection Legislation or Data Protection Laws.
(l) “Services” has the meaning ascribed to it in the Agreement.
(m) “Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as at the Effective Date or any subsequent version thereof released by the European Commission (which will automatically apply).
(n) “Client” means the party who entered into the Agreement with Company and any successor of same. The person agreeing to this DPA represents and warrants that he or she is authorized to enter into the DPA on behalf of the party, entity, or organization using the Services.
2. Relationship with Agreement
2.1 Except as amended by this DPA, the Agreement will remain in full force and effect.
2.2 If there is a conflict between the Agreement and this DPA, the terms of this DPA will control with respect to the subject matter of the DPA.
2.3 Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
General Data Protection Obligations
3. Roles and responsibilities
3.1 Parties’ Roles. With respect to the Processing of Personal Data, Client, as Controller or Processor, as applicable, appoints Company, as a Processor or Sub-processor, as applicable, to Process the Personal Data described in Annex A on Client’s behalf. The Parties agree that, for the purposes of the Agreement and this DPA, if applicable, Company is a “service provider” and Client is a “business” consistent with the definitions under the CCPA.
3.2 Purpose Limitation. Company shall Process the Personal Data for the purposes described in Annex A and only in accordance with Client’s lawful, written instructions, except where otherwise required by applicable law. The Agreement and this DPA set out Client’s complete instructions to Company in relation to the Processing of the Personal Data, and any Processing required outside of the scope of these instructions will require prior written agreement between the parties. Client acknowledges that Company shall have a right to Process Personal Data in order to provide the Services to Client, fulfill its obligations under the Agreement, and for legitimate purposes relating to the operation, support and/or use of the Services including but not limited to billing, account management, technical maintenance and support, product development, and sales and marketing. Under no circumstances will Company rent or sell Personal Data.
3.3 Prohibited Data. Unless the Processing of Sensitive Data is otherwise permitted by Data Protection Laws or Client obtains Company’s prior written consent, Client will not provide (or cause to be provided) any Sensitive Data to Company for Processing under the Agreement, and Company will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, the obligations of Company under this DPA will not apply to Sensitive Data unless the Processing of Sensitive Data is permitted by Data Protection Laws, the Client is compliant with the requirements of Processing Sensitive Data in accordance with Data Protection Laws, and Client has obtained Company’s prior written consent.
3.4 Description of Processing. A description of the nature and purposes of the Processing, the types of Personal Data, categories of Data Subjects, and the duration of the Processing are set out further in Annex A.
3.5 Compliance. Client shall be responsible for ensuring that:
(a) Client has complied, and will continue to comply, with Data Protection Laws, in Client’s use of the Services and Client’s own Processing of Personal Data, including by providing notice and obtaining all consents and rights necessary under Data Protection Laws for Company to process Personal Data; and
(b) Client has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Company for Processing in accordance with the terms of the Agreement and this DPA.
4. Data Security
4.1 Security. Company shall implement and maintain appropriate technical and organizational measures designed to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. Notwithstanding the above, Client agrees that Client is responsible for Client’s secure use of the Services, including securing Client’s account authentication credentials, protecting the security of Personal Data when in transit, and taking any appropriate steps to backup Personal Data.
4.2 Access to Client’s Salesforce Instance. Client acknowledges that Client (and not Company) is solely responsible for the appropriate configuration of the security settings, and backup of Personal Data in Client’s Salesforce instances. Client will implement and maintain appropriate technical and organizational controls to ensure the security and confidentiality of the Personal Data in its care or control. Company shall ensure that access provided by the Client is only given to those Company employees who are required to access Client’s Salesforce instances for the purpose of providing the Support Services.
4.3 Security Exhibit. The technical and organizational security measures which Company shall have in place under the Agreement are set out at Annex B to this DPA.
5. Additional security
5.1 Confidentiality of Processing. Company shall ensure that any person that it authorizes to Process the Personal Data shall be subject to a duty of confidentiality materially similar to the confidentiality obligations in the Agreement (whether a contractual or a statutory duty).
5.2 Security Incidents. Upon becoming aware of a Security Incident caused or contributed to by Company, Company shall notify Client without undue delay, but in any event less than 72 hours after having become aware of the Security Incident, and shall provide such timely information as Client may reasonably require, including to enable Client to fulfil any data breach reporting obligations under Data Protection Laws. Company shall take appropriate and commercially reasonable steps to investigate and mitigate the effects of such a Security Incident on the Personal Data under this Agreement. Excluding the notification requirement above, this Section 5.2 does not apply to Security Incidents that are caused or contributed to by Client, including Client’s employees, partners, subcontractors, or agents.
6. International Transfers
To the extent that the Processing of Personal Data by Company involves the export of such Personal Data to a third party in a country or territory outside the EEA, such export shall be:
(a) to a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects as determined by the European Commission;
(b) to a third party that is a member of a compliance scheme recognized as offering adequate protection for the rights and freedoms of Data Subjects as determined by the European Commission; or
(c) governed by the Standard Contractual Clauses with Client as exporter and Company as importer.
Client agrees that this DPA constitutes Client’s written authorization for Company and its sub-processors to Process Personal Data anywhere in the world where Company or its sub-processors maintain data Processing operations, in accordance with applicable Data Protection Laws.
7. Sub-Processing
7.1 Sub-Processors. Client agrees that this DPA constitutes Client’s written authorization for Company to engage sub-processors (collectively, “Sub-processors”) to Process the Personal Data on Company’s behalf, including Sub-processors currently engaged by Company who are listed here: https://tractioncomplete.com/sub-processors/. Company will notify Client, via email address provided by Client and post an updated list of Sub-processors on a website identified by Company to Client, of any new Sub-processor being appointed, by electronic means or other commercially reasonable means.
7.2 Objection to Sub-Processors. Client may object in writing to the appointment of an additional Sub-processor within five (5) calendar days after receipt of Company’s notice in accordance with the mechanism set out at Section 7.1 above, if the Client believes, acting reasonably, that the additional Sub-processor may cause harm to the Client business. In the event that Client objects on reasonable grounds relating to the protection of the Personal Data, then the parties shall discuss commercially reasonable alternative solutions in good faith. If no resolution can be reached, Company will, at its sole discretion, either not appoint such Sub-Processor, or permit Client to suspend or terminate the Services in accordance with the termination provisions of the Agreement. In the event that Client suspends or terminates the Services in accordance with the preceding sentence, Client shall immediately pay all Fees owing up to and including the termination date. Company shall return the proportional amount of any prepaid Fees for the remainder of the term following the date of termination.
7.3 Sub-processor obligations. Where a Sub-processor is engaged by Company as described in this Section 7, Company shall:
(a) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Data to substantially similar or better levels of data protection obligations with respect to protection of Personal Data as those specified herein and in such a manner that the processing will meet the requirements of applicable Data Protection Laws; and
(b) remain responsible for any breach of the DPA caused by a Sub-processor.
8. Cooperation
8.1 Cooperation and Data Subjects’ rights. Company shall, taking into account the nature of the Processing, provide commercially reasonable assistance to Client, insofar as this is possible, to enable Client to respond to requests from a Data Subject seeking to exercise their rights under Data Protection Laws in the event Client does not have the ability to implement such requests without Company’s assistance. In the event that such request is made directly to Company, Company shall, unless prohibited by law, promptly inform Client of the same, or otherwise direct such Data Subject to Client. To the extent legally permitted, Client shall be responsible for any costs arising from Company’s provision of such assistance.
8.2 Data Protection Impact Assessments. Company shall, to the extent required by EU Data Protection Legislation and at Client’s sole expense, taking into account the nature of the Processing and the information available to Company, provide Client with commercially reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Client is required to carry out under Data Protection Laws.
9. Security reports and audits
9.1 The parties acknowledge that Company will comprehensively assess the adequacy of its data Processing, including the security of the systems and premises used by Company to provide data Processing services.
9.2 The parties further acknowledge that these audits:
(a) are performed at least once each year;
(b) are conducted with all due and necessary independence and professionalism; and
(c) are fully documented in an audit (“Report”).
9.3 At Client’s written request and at Client’s sole expense, Company will (on a confidential basis) provide Client with a summary of the Report so that Client can verify Company’s compliance with the audit standards against which it has been assessed, and this DPA.
9.4 Company will further provide written responses (on a confidential basis) to reasonable requests for information made by Client, no more than once per year, including responses to information security and audit questionnaires that are necessary to confirm Company’s compliance with this DPA.
9.5 While it is the parties’ intention to rely on the provision of the Report and written responses provided under Sections 9.3 and 9.4 above to verify Company’s compliance with this DPA, Company shall permit Client (or Client’s appointed third party auditors, which must be reasonably acceptable to Company), at Client’s sole expense, to carry out an audit of Company’s Processing of Personal Data under the Agreement following a Security Incident suffered by Company, or upon the instruction of a data protection authority, to determine Company’s compliance with this DPA. Client must give Company no less than thirty (30) days prior written notice of such intention to audit, conduct the audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to Company’s operations. Any such audit shall be subject to Company’s security and confidentiality terms and guidelines. Following completion of the audit, upon request, Client will promptly provide Company with a complete copy of the results of that audit. Notwithstanding the foregoing, Company will not be required to disclose any proprietary or privileged information, including to Client or any of Client’s auditors, agents, or vendors.
10. Deletion / return of data
Following the termination or expiration of the Agreement, or upon Client’s written request, Company shall delete and make irretrievable Client Data in Company’s possession or control, including any Personal Data therein, unless European Union law or Member State law requires or permits further storage of such Client Data and/or other Personal Data. Notwithstanding the preceding, Company shall cease Processing and delete all Client Data after the conclusion of any then-final term of the Agreement or when otherwise no longer required to provide Client the applicable Services, whichever is sooner. Company shall, upon request from Client, certify the deletion of Client Data. Additionally, upon Client’s written request, Company shall return any Client Data or other Personal Data retained by Company to Client.
11. European-Specific Provisions
The following provisions shall apply to the extent Client is: (i) located in the European Union/European Economic Area; or (ii) located outside the European Union/European Economic Area and subject to the GDPR:
11.1 GDPR. To the extent Company Processes Personal Data on behalf of Client, it shall do so in accordance with the requirements of GDPR directly applicable to Company in the provision of its Services.
11.2 Standard Contractual Clauses. The Standard Contractual Clauses shall apply in addition to the DPA for any transfers of Personal Data from the European Union, the European Economic Area and/or their member states and/or Switzerland to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the foregoing territories. The Standard Contractual Clauses shall be structured as follows: (i) Module Two (Controller to Processor) terms shall apply and Modules One, Three, and Four shall be deleted in their entirety; (ii) Clause 7 shall be deleted in its entirety and the Parties may add additional entities to this DPA by executing an additional copy of this DPA; (iii) in Clause 9, Option 2 shall apply (as detailed in Section 5 of this DPA); (iv) the optional language in Clause 11 shall be deleted in its entirety; (v) in Clause 17, Option 1 shall apply and the Standard Contractual Clauses shall be governed by Irish law; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; and (vii) the Annexes of the EU Standard Contractual Clauses shall be populated with the information set out in the Schedules to this DPA.
11.3 Alternative Data Transfer Mechanism. For the avoidance of doubt, should the transfer mechanism identified in Section 11.2 above be deemed invalid by a Supervisory Authority or court with applicable authority, the Parties shall endeavor in good faith to negotiate an alternative mechanism (if available and required) to permit the continued transfer of Personal Data.
12. Brazil-Specific Provisions
Where Company’s Services involve Processing of Personal Data of Data Subjects who are residents of the Federal Republic of Brazil, Company shall: (a) provide its Services under the express obligations imposed by the LGPD on a Data Processor for the benefit of a Data Controller; and (b) as required under Articles 33 through 36 of the LGPD, transfer Personal Data on the basis of the Standard Contractual Clauses, as modified in accordance with the LGPD.
13. California-Specific Provisions
Within this Section 13, any capitalized term not defined in the DPA shall have the meaning given in the CCPA. The following provisions shall apply to the extent that the Company: (i) has a presence in California; or (ii) is located outside of California but remains subject to the CCPA:
13.1 California Privacy Rights. To the extent Company Processes Personal Data on behalf of Client, it shall do so in accordance with the requirements of CCPA directly applicable to Company in the provision of its Services.
13.2 Affirmations. Company shall: (a) provide an appropriate level of privacy protection as required by CCPA; (c) notify Client if it can no longer meet its obligations under CCPA; (d) grant Client the right, subject to the Section 9 of the DPA (Security reports and audits), to take reasonable and appropriate steps to ensure that Company’s use of Personal Data is consistent with Company’s privacy and security obligations under the Agreement and CCPA; and (e) cooperate with Client, upon Client’s request with advanced notice, to determine reasonable and appropriate steps to stop and remediate unauthorized use of Client Data.
13.3 Restrictions. Company shall not sell Client Data or otherwise retain, share, use, combine (with another source), or disclose Client Data for any purpose (including a commercial purpose) except where permitted under the Agreement or Data Protection Laws and Regulations, pursuant to a direct business relationship with Client, and/or as a Service Provider pursuant to a Business Purpose (i.e., to provide, operate, support, develop, and secure the Services (each a “Business Purpose”)).
14. Transfers from the United Kingdom
To the extent Company processes Personal Data on behalf of Client and/or Data Subjects who are residents of the United Kingdom, it shall, where applicable: (a) provide its Services in accordance with its obligations under the UK Addendum, which is incorporated into this DPA by reference; and (b) as required by applicable law, transfer and process Personal Data on the basis of the Standard Contractual Clauses, as modified in accordance with the UK Addendum. The UK Addendum shall be structured as follows: (1) Table 1 shall be populated by the information in Annex A of the DPA; (2) Table 2 shall be populated by the information in Section 7.3 of the DPA; (3) Table 3 shall be populated by Section 7 and Annex A of the DPA; and (4) in Table 4, either the Importer or the Exporter may terminate this Addendum.
15. Transfers from Switzerland
To the extent Company processes Personal Data on behalf of Client and/or Data Subjects who are residents of Switzerland, Client shall, as required by applicable law, protect, transfer, and process Personal Data on the basis of the Standard Contractual Clauses, which are incorporated into this DPA by reference. Where this section applies, the Standard Contractual Clauses shall be modified as follows: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss FADP; (ii) references to “EU,” “Union,” and “Member State” shall be amended to include Switzerland; (iii) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the “Swiss Federal Data Protection and Information Commissioner” and the “competent Swiss courts”; (iv) the term “member state” as used in Standard Contractual Clauses shall not be interpreted to exclude Data Subjects in Switzerland from exercising applicable rights (e.g., in their habitual place of residence); and (v) the Standard Contractual Clauses shall be governed by the laws of Switzerland and disputes shall be resolved before the Swiss courts having appropriate jurisdiction.
ANNEX A
DESCRIPTION OF PROCESSING
LIST OF PARTIES Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union
Name: Customer and its Authorized Affiliates.
Address:
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these clauses: Performance of the Services pursuant to the Agreement and as further described in the Documentation.
Signature and date:
Role: For the purposes of SCC Module 2 Customer and/or its Authorized Affiliate is a Controller. For the purposes of SCC Module 3 Customer and/or its Authorized Affiliate is a Processor.
Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection
Name: Traction Complete Technologies Inc. Attention: Privacy Team, PO Box 44156 RPO Kensington Sq, Burnaby, B.C., V5B 4Y2, Canada
Contact person’s name, position and contact details: Ernesto Valdes, CTO, contact@tractioncomplete.com
Activities relevant to the data transferred under these clauses: Performance of the Services pursuant to the Agreement and as further described in the Documentation.
Signature and date:
Role: Processor
Nature and purposes of Processing
Company is a Canadian provider of an application on the Salesforce.com platform distributed through the Salesforce AppExchange. The Processing will involve any such Processing that is necessary to provide the Services for the purposes set out in the Agreement, or as otherwise agreed between the parties (the “Permitted Purposes”).
Categories of Data Subjects
Any categories of individuals whose data Client gives Company access to for the Permitted Purposes.
Categories of data
The Personal Data concerns the following categories of data for the Data Subjects:
- Any Personal Data that Client chooses to include in Client’s instance of the Services.
The Personal Data transferred to Company for Processing is determined and controlled by Client in Client’s sole discretion.
Special categories of data (if appropriate)
Company does not intentionally collect or Process any special categories of data in the provision of the Services.
Client may request that Company Process Sensitive Data if the Client is permitted to do so, and is compliant with Data Protection Laws.
Duration of Processing
The Personal Data will be Processed for the term of the Agreement, or as otherwise required by Data Protection Laws.
COMPANY SECURITY MEASURES
1. Network-Level Controls
(a) Company will use host-based firewall(s) to protect hosts/infrastructure handling Personal Data.
2. Server-Level Controls
(a) Intentionally deleted as they are not applicable.
3. Services Development Controls
(a) Company will implement operating system hardening for hosts/infrastructure handling Personal Data. Operating system hardening includes, but is not limited to, the following configurations: strong password authentication/use of keys, inactivity time-out, disabling or removal of unused or expired accounts and services, turning off unused ports, and log management. In addition, Company will implement access control
(b) Company will perform patch management on systems that host or handle Personal Data. Company will implement critical patches within vendor recommended time frames on systems that host or handle Personal Data within a reasonable period of time.
(c) Company will, at a minimum, assess system-level vulnerabilities on a monthly basis and address critical vulnerabilities within a reasonable period of time.
(d) Company will employ a comprehensive antivirus or endpoint security solution for endpoints which handle Personal Data.
(e) Company will maintain documentation on overall application architecture and Services security audits. This documentation is maintained as part of Company’s Salesforce, Process flows, and security review standard procedures.
(f) Company will employ secure programming guidelines and protocols in the development of the Services.
(g) Company will regularly perform patch management on applications that host or handle Personal Data. Company will implement critical patches within vendor recommended timeframes on all applications that host or handle Personal Data, within a reasonable period of time.
(h) Company will perform code reviews and maintain records of reviews performed for changes to the Services.
(i) The Services have been approved by and continue to be subject to Salesforce’s security review.
(j) Company will employ change management standards for applications hosting or handling Personal Data.
4. Data-Level Controls
(a) Company will use strong encryption (e.g. TLS) for transmission of Personal Data that is considered Confidential Information unless otherwise directed in writing by the Client.
(b) Data backups of Personal Data will be encrypted at rest and while in transit. All of Company’s databases are also encrypted at rest.
5. End User Computing Level Controls
(a) Company will employ an end point security or antivirus solution for end user computing devices that handle Personal Data.
(b) Company will ensure that end user computing devices that handle Personal Data are encrypted.
(c) Company will ensure that access to systems that host or handle Personal Data is controlled by, including but not limited to, the following configurations: strong password authentication/multi-factor authentication.
(d) Company will implement critical patches on systems that host or handle Personal Data within a reasonable period of time after the patch is identified.
6. Compliance Controls
(a) Company will make a good faith effort to operate within the parameters of Company’s then-current information security policy.
(b) Notwithstanding any of the foregoing, Company will adopt appropriate physical, technical and organizational security measures in accordance with industry standards, including but not limited to, building access control, employee education and personnel security measures.