Traction Complete Technologies Inc.
DATA PROCESSING ADDENDUM
This Data Processing Addendum (this “DPA“) is made as of the date set forth in the Agreement.
This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data is Processed by TCT under the Agreement, whether the Personal Data is that of the Client.
1.1 For the purposes of this DPA, the following terms shall have their respective meanings set forth below and other capitalized terms used but not defined in this DPA have the same meanings as set forth in the Agreement:
(a) “Affiliate” has the meaning ascribed to it in the Agreement.
(b) “Agreement” means the legal agreement entered into between TCT and Client, to which this DPA is attached or incorporated by reference, for the provision by TCT to Client of the Services and Support Services.
(c) “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data pursuant to Data Protection Laws.
(d) “Data Protection Laws” means any and all applicable national, international, provincial, federal, state and local laws and regulations relating to data protection, data privacy, data security, or the Processing of Personal Data, including (where applicable) EU Data Protection Legislation, the California Consumer Privacy Act (“CCPA”) (California Civil Code §§ 1798.80, et seq.), and any other provincial or state privacy laws that may take effect during the term of the Agreement.
(e) “Data Subject” has the meaning given in the GDPR.
(f) “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
(g) “EU Data Protection Legislation” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR“) (as amended, replaced or superseded).
(h) “Personal Data” means any information relating to an identified or identifiable natural person.
(i) “Processing” has the meaning given in the GDPR and includes any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(j) “Processor” means an entity which Processes Personal Data on behalf of the Controller.
(k) “Security Incident” means confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data caused by TCT’s acts or omissions.
(l) “Sensitive Data” means (a) racial or ethnic origin; (b) political opinions; (c) religious or philosophical beliefs; (d) trade union membership; (e) genetic data; (f) biometric data for the purpose of uniquely identifying a natural person; (g) data concerning health; (h) data concerning a natural person’s sex life; (i) sexual orientation; and (ii) without limiting the foregoing, any additional information that falls within the definition of “special categories of data” under EU Data Protection Legislation or Data Protection Laws.
(m) “Services” has meaning ascribed to it in the Agreement.
(n) “Support Services” means the Services support as detailed in Appendix A of the Agreement.
(o) “Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as at the Effective Date or any subsequent version thereof released by the European Commission (which will automatically apply).
(p) “Client” means the party who entered into the Agreement with TCT and any successor of same. The person agreeing to this DPA represents and warrants that he or she is authorized to enter into the DPA on behalf of the party, entity, or organization using the Services or Support Services.
2. Relationship with Agreement
2.1 Except as amended by this DPA, the Agreement will remain in full force and effect.
2.2 If there is a conflict between the Agreement and this DPA, the terms of this DPA will control with respect to the subject matter of the DPA.
2.3 Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
General Data Protection Obligations
3. Roles and responsibilities
3.1 Parties’ Roles. With respect to the Processing of Personal Data provided by Client, Client as Controller or Processor, as applicable, appoints TCT, as a Processor or Sub-processor, as applicable, to Process the Personal Data described in Annex A on Client’s behalf. The Parties agree that, for the purposes of the Agreement and this DPA, if applicable, TCT is a “service provider” and Client is a “business” consistent with the definitions under the CCPA.
3.2 Purpose Limitation. TCT shall Process the Personal Data for the purposes described in Annex A and only in accordance with Client’s lawful, written instructions, except where otherwise required by applicable law. The Agreement and this DPA sets out Client’s complete instructions to TCT in relation to the Processing of the Personal Data and any Processing required outside of the scope of these instructions will require prior written agreement between the parties. Client acknowledges that TCT shall have a right to Process Personal Data in order to provide the Services and Support Services to Client, fulfill its obligations under the Agreement, and for legitimate purposes relating to the operation, support and/or use of the Services such as billing, account management, technical maintenance and support, product development, and sales and marketing. Under no circumstances will TCT rent or sell Personal Data.
3.3 Prohibited Data. Unless the Processing of Sensitive Data is otherwise permitted by Data Protection Laws or Client obtains TCT’s prior written consent, Client will not provide any Sensitive Data to TCT for Processing under the Agreement, and TCT will have no liability whatsoever for Sensitive Data provided by Client, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, the obligations of TCT under this DPA will not apply to Sensitive Data unless the Processing of Sensitive Data is otherwise permitted by Data Protection Laws and Client has obtained TCT’s prior written consent. The parties agree that the Client may request that TCT Process Sensitive Data if the Client is permitted to do so under Data Protection Laws.
3.4 Description of Processing. A description of the nature and purposes of the Processing, the types of Personal Data, categories of Data Subjects, and the duration of the Processing are set out further in Annex A,
3.5 Compliance. Client shall be responsible for ensuring that:
(a) Client has complied, and will continue to comply, with Data Protection Laws, in Client’s use of the Services and Support Services and Client’s own Processing of Personal Data, including by providing notice and obtaining all consents and rights necessary under Data Protection Laws for TCT to process Personal Data;
(b) Client has, and will continue to have, the right to transfer, or provide access to, the Personal Data to TCT for Processing in accordance with the terms of the Agreement and this DPA.
4. Data Security
4.1 Security. TCT shall implement and maintain appropriate technical and organizational measures designed to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. Notwithstanding the above, Client agrees that Client is responsible for Client’s secure use of the Services and Support Services, including securing Client’s account authentication credentials, protecting the security of Personal Data when in transit, and taking any appropriate steps to back up Personal Data.
4.2 Access to Client’s Salesforce Instance. Client acknowledges that Client (and not TCT) is solely responsible for the appropriate configuration of the security settings in their respective Salesforce instances and their respective Services considering the Personal Information Processed. Client will implement and maintain appropriate technical and organizational controls to ensure the security and confidentiality of the Personal Data in their respective care or control, including in the provisioning and removal of access for TCT employees their respective Salesforce instances. TCT shall ensure that access provided by the Client is only given to those TCT employees who are required to access Client’s Salesforce instances for the purpose of providing the Support Services.
4.3 Security Exhibit. The technical and organizational security measures which TCT shall have in place under the Agreement are set out at Annex B to this DPA.
5. Additional security
5.1 Confidentiality of Processing. TCT shall ensure that any person that it authorizes to Process the Personal Data shall be subject to a duty of confidentiality (whether a contractual or a statutory duty).
5.2 Security Incidents. Upon becoming aware of a Security Incident caused or contributed to by TCT, TCTshall notify Client without undue delay and shall provide such timely information as Client may reasonably require, including to enable Client to fulfil any data breach reporting obligations under Data Protection Laws TCT shall take appropriate and commercially reasonable steps to investigate and mitigate the effects of such a Security Incident on the Personal Data under this Agreement. Excluding the notification requirement above, this Section 5.2 does not apply to security incidents that are caused by Client, including Client’s employees, partners, subcontractors, or agents.
6. International Transfers
To the extent that the Processing of Personal Data by Company involves the export of such Personal Data to a third party in a country or territory outside the EEA, such export shall be:
(a) to a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects as determined by the European Commission;
(b) to a third party that is a member of a compliance scheme recognized as offering adequate protection for the rights and freedoms of Data Subjects as determined by the European Commission, such as, but not limited to the Privacy Shield; or
(c) governed by the Standard Contractual Clauses with Client as exporter and Company as importer.
Client agrees that this DPA constitutes Client’s written authorization for TCT and its sub-processors to Process Personal Data anywhere in the world where TCT or its sub-processors maintain data Processing operations.
7.1 Sub-Processors. Client agrees that this DPA constitutes Client’s written authorization for Company to engage Affiliates and third party sub-processors (collectively, “Sub-processors“) to Process the Personal Data on Company’s behalf, including Sub-processors currently engaged by Company who are listed here: https://www.tractioncomplete.com/sub-processors. Company will notify Client, via email address provided by Client and post an updated list of Sub-processors on a website identified by Company to Client, of any new Sub-processor being appointed, by electronic means or other reasonable means.
7.2 Objection to Sub-Processors. Client may object in writing, stating Client’s reasonable grounds for the objection, to the appointment of an additional Sub-processor within five (5) calendar days after receipt of Company’s notice in accordance with the mechanism set out at Section 7.1 above. In the event that Client objects on reasonable grounds relating to the protection of the Personal Data, then the parties shall discuss commercially reasonable alternative solutions in good faith. If no resolution can be reached, Company will, at its sole discretion, either not appoint such Sub-Processor, or permit Client to suspend or terminate the Services in accordance with the termination provisions of the Agreement. In the event that Client suspends or terminates the Services in accordance with the preceding sentence, Client shall immediately pay all fees and costs then owing and all fees and costs incurred by Company as a result of the termination.
7.3 Sub-processor obligations. Where a Sub-processor is engaged by TCT as described in this Section 7, TCT shall:
(a) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Data to the standard required by Data Protection Laws; and
(b) remain responsible for any breach of the DPA caused by a Sub-processor.
8.1 Cooperation and Data Subjects’ rights. TCT shall, taking into account the nature of the Processing, provide commercially reasonable assistance to Client, insofar as this is possible, to enable Client to respond to requests from a Data Subject seeking to exercise their rights under Data Protection Laws in the event Client does not have the ability to implement such requests without TCT’s assistance. In the event that such request is made directly to TCT, TCT shall, unless prohibited by law, promptly inform Client, as applicable of the same. To the extent legally permitted, Client shall be responsible for any costs arising from TCT’s provision of such assistance.
DESCRIPTION OF PROCESSING
Nature and purposes of Processing
TCT is a Canadian provider of an application on the Salesforce.com platform distributed through the Salesforce AppExchange. Along with the Services, TCT will provide the Support Services to both the Client. The Personal Data Processing will involve any such Processing as necessary to provide the Services and Support Services or otherwise as consented to by the Client (“Permitted Purposes”).
Categories of Data Subjects
Any categories of individuals whose data Client gives TCT access to pursuant the Permitted Purposes above.
Categories of data
The Personal Data concerns the following categories of data for the Data Subjects: any Personal Data that Client chooses to include in Client’s Salesforce instance.
The Personal Data transferred to Company for Processing is determined and controlled by Client in Client’s sole discretion.
Special categories of data (if appropriate)
TCT does not intentionally collect or Process any special categories of data in the provision of the Services or Support Services.
The parties agree that the Client may request that TCT Process Sensitive Data if the Client is permitted to do so under Data Protection Laws.
Duration of Processing
The Personal Data will be Processed for the term of the Agreement, or as otherwise required by law or agreed between the parties.
TCT SECURITY MEASURES
1. Network-Level Controls. Intentionally deleted as they are not applicable.
2. Server-Level Controls. Intentionally deleted as they are not applicable.
3. TCT Services Development Controls
(a) TCT will maintain documentation on overall application architecture and Services security audits. This documentation is maintained as part of our Salesforce security review standard procedures.
(b) TCT will employ secure programming guidelines and protocols in the development of the Services. Developers are knowledgeable in both OWASP standard security guidelines (OWASP top ten) and Salesforce platform security standards.
(c) TCT will perform code reviews and maintain records of reviewers performed for changes to the Services.
(d) The Services has been approved by and continues to be subject to Salesforce’s security review.
4. Data-Level Controls. Intentionally Deleted as they are not applicable.
5. End User Computing Level Controls
a. TCT will employ an end point security or antivirus solution for end user computing devices that handle Personal Data.
b. TCT will ensure that end user computing devices that handle Personal Data are encrypted.
c. TCT will ensure that access to systems that host or handle personal data is controlled by, including but not limited to, the following configurations: strong password authentication/multi factor authentication.
d. TCT will implement critical patches on systems that host or handle Personal Data within a reasonable period of time after the patch is identified.
6. Compliance Controls
a. TCT will make a good faith effort to operate within the parameters of TCT’s then-current information security policy.
b. Notwithstanding any of the foregoing, TCT will adopt appropriate physical, technical and organizational security measures in accordance with industry standards, including but not limited to, building access control, employee education and personnel security measures when Processing Personal Data of Client.
LAST UPDATED: 4 December 2023