Data Processing Addendum
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Agreement (as defined in the applicable Order Form, Master Subscription and Services Agreement, or other applicable agreement) entered into by Validity and Customer.
- Capitalized terms used but not defined below or in Attachment 1 to this DPA will have the meanings set forth in the Agreement.
- ROLES OF THE PARTIES
- The parties acknowledge and agree that with regard to the Processing of Personal Data under this DPA, Customer is the “Controller” or “Business” and Validity is the “Processor” or “Service Provider” (in each instance, to the extent applicable in and as defined by Data Protection Law(s)).
- DATA PROCESSING AND PROTECTION
- Limitations on Use. Validity will Process Personal Data only: (i) in a manner consistent with documented instructions from Customer (including with regard to transfers of Personal Data to a third country), which will include Processing as authorized or permitted under the Agreement (including as specified in Attachment 2 to this DPA); and (ii) as required by Data Protection Law, provided that Validity will inform Customer (unless prohibited by such Data Protection Law) of the applicable legal requirement before Processing pursuant to such Data Protection Law.
- No Sale or Share of Personal Data. Customer and Validity hereby acknowledge and agree that in no event shall the transfer of Personal Data from Customer to Validity pursuant to the Agreement constitute a sale of Personal Data or transfer of Personal Data for valuable consideration to Validity, and that nothing in the Agreement shall be construed as providing for the sale or transfer of Personal Data for valuable consideration to Validity. Validity will not (and shall ensure its Subprocessors do not) retain, sell, share, use, combine with personal data from another person, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services for which Customer has engaged Validity or as otherwise permitted under applicable Data Protection Law. “Sell”, “sale”, and “share” shall have the meanings given to them in applicable Data Protection Law(s).
- Confidentiality. Validity will ensure that persons authorized by Validity to Process any Personal Data are subject to appropriate confidentiality obligations.
- Security. Validity will implement measures designed to protect Personal Data that meet or exceed applicable requirements under Data Protection Law, including, as applicable, requirements under Article 32 of the GDPR. These measures include technical and organizational measures, such as the use of firewalls, access control protocols, business continuity measures, penetration tests, and patch management protocols. Additional information regarding our security controls can be provided upon email request to [email protected].
- Return or Disposal. Upon written request to [email protected], Validity will delete or return (and delete existing copies of) all Personal Data after the end of the provision of Services (to the extent Personal Data is still in Validity’s possession) unless Data Protection Law requires the storage of such Personal Data by Validity, in which case Validity will only further retain and process such Personal Data for the limited duration and purposes required by such Data Protection Law.
- Customer Obligations. Customer is responsible for ensuring its compliance with all necessary transparency and lawfulness requirements under Data Protection Law for the Processing of the Personal Data, including obtaining any necessary consents and authorizations prior to the earlier of (i) Processing Personal Data via Validity’s Services or (ii) transfer of any Personal Data to Validity. Customer will not Process any Personal Data via the Services that includes any special categories of Personal Data, as described in Article 9 of the GDPR, or any other Personal Data that may be subject to heightened data security obligations, such as data subject to U.S. breach notification obligations or any protected health information.
- Notices. As required by Data Protection Laws, (i) Validity will promptly notify Customer if (in Validity’s opinion) an instruction given by Customer to Validity violates applicable Data Protection Law; and (ii) Validity will notify Customer if Validity can no longer comply with its obligations under this DPA and, upon said notification and to the extent unauthorized use of Personal Data has occurred, Customer may take reasonable and appropriate steps to stop and remediate said unauthorized use of Customer’s Personal Data.
- Data Subject’s Rights Assistance. Taking into account the nature of the Processing, Validity will reasonably assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising any individual’s privacy or data protection rights provided under Data Protection Law, including rights laid down in Chapter III of the GDPR.
- Security and Assistance. Taking into account the nature of Processing and the information available to Validity, Validity will reasonably assist Customer in ensuring compliance with its security obligations under Article 32 of the GDPR.
- Personal Data Breach Notice and Assistance. Validity will notify Customer of any Personal Data Breach without undue delay after becoming aware of such Personal Data Breach. Taking into account the nature of Processing and the information available to Validity, Validity will assist Customer in ensuring compliance with Customer’s notification obligations under Data Protection Law in connection with any Personal Data Breach, including in ensuring compliance with Customer’s obligations pursuant to Articles 33 and 34 of the GDPR.
- Data Protection Impact Assessment Assistance. Taking into account the nature of Processing and the information available to Validity, Validity will assist Customer in ensuring compliance with the obligations under Articles 35 and 36 of the GDPR.
- Upon Customer’s request, Validity will make available to Customer information necessary to demonstrate Validity’s compliance with this DPA, in the form of an ISO 27001/27018 certificate, SOC 2 attestation report, or compliance summary report. These materials will be deemed the confidential information of Validity under the Agreement. If Customer reasonably believes Validity is in material breach of this DPA or if required by a supervisory authority, then, as a reasonable and appropriate step to ensure that Personal Data use is consistent with the DPA and subject to the terms of this Section 5, Customer may conduct an on-site audit (at its expense) of Validity’s systems and procedures as may be necessary to verify Validity’s compliance with this DPA. Customer will provide no less than 30 days’ advance notice of its request for any such on-site audit and will cooperate in good faith with Validity to schedule any such audit on a mutually agreed upon date and time (such agreement not to be unreasonably withheld by either party). Any such on-site audit must occur during Validity’s normal business hours and be conducted by a nationally recognized independent auditor. The auditor conducting such audit will (and Customer will be responsible for ensuring that the auditor will): (a) comply with reasonable and applicable on-site policies and procedures provided by Validity, (b) sign a standard confidentiality agreement with Validity, and (c) not unreasonably interfere with Validity’s business activities. Customer will provide written communication of any audit findings to Validity, and the results of the audit will be the confidential information of Validity. Customer shall reimburse Validity for any time expended to support or facilitate any such on-site audit at Validity’s then-current professional services rates, which Validity will provide to Customer upon request.
- Customer authorizes Validity to use Subprocessors to Process Personal Data in connection with the provision of Services to Customer. Validity will provide Customer with a current list of Subprocessors promptly upon written request to [email protected]. Validity will notify Customer of any intended changes concerning the addition or replacement of its Subprocessors, and provide Customer with the opportunity to object to such changes. Customer will not object to any such change unless it has a reasonable belief that such change poses a materially new data protection risk to the Personal Data. Customer will notify Validity in writing of any such objection within 10 days of receipt of Validity’s written notice of the change or will waive its right to object. If Customer provides written notice of its objection within such period and Validity determines it cannot accommodate such objection, Validity may terminate the Agreement upon notice to Customer without liability. Validity will impose data protection obligations upon any Subprocessor that are no less protective than those included in this DPA. Validity will remain liable for any acts or omissions of its Subprocessors.
- DATA TRANSFERS
- Validity may Process the Personal Data in the United States and other jurisdictions where its Subprocessors are located. With regard to transfers of Personal Data from the European Economic Area and/or their member states, Switzerland, and/or the United Kingdom (UK) to a country which does not ensure an adequate level of data protection within the meaning of Data Protection Laws, to the extent such transfers are subject to such Data Protection Laws, such transfer will be made pursuant to the relevant approved transfer mechanisms in accordance with the below terms:
- To the extent that any transfer of Personal Data is subject to the GDPR (“Data Transfer”), the parties will conduct such Data Transfer in accordance with this Section 7(a). Any Data Transfer will be conducted pursuant to the EU SCCs (which will be deemed executed by the parties as of the Effective Date of this DPA), and the following terms will apply:
- Terms of Module 2 (Controller to Processor) of the EU SCCs apply to the extent Customer is a Controller and Validity is a Processor of the Personal Data;
- Terms of Module 3 (Processor to Processor) of the EU SCCs apply to the extent Customer is a Processor and Validity is a Subprocessor of the Personal Data;
- Any audits authorized under the EU SCCs will be conducted pursuant to Section 5 (Audits) of this DPA;
- The Docking Clause at Clause 7 of the EU SCCs shall apply;
- In relation to Clause 9 of the EU SCCs, Option 2: General Written Authorisation is selected; the process and time period for the addition or replacement of Subprocessors is described in Section 6 (Subprocessors) of this DPA;
- The optional clause at Clause 11 of the EU SCCs shall not apply;
- In relation to Clause 13 and Annex I. C of the EU SCCs, Customer shall maintain accurate records of the applicable Member State(s) and competent supervisory authority/ies;
- In relation to Clause 17 (Option 1 is selected) and Clause 18 of the EU SCCs, the Member State for purposes of governing law and jurisdiction shall be Ireland;
- Customer will be referred to as the “Data Exporter” and Validity will be referred to as the “Data Importer” in Annex I. A of the EU SCCs with relevant Customer name and address details from this DPA and Customer’s Agreement;
- Details in Attachment 2 (Scope of Processing) of this DPA will be used to complete Annex I. B of the EU SCCs;
- Section 3(d) (Security) of this DPA will be used to complete Annex II of the EU SCCs.
- To the extent that any transfer of Personal Data is subject to applicable UK Data Protection Laws, the relevant Module(s) of the EU SCCs (as set out in Section 7(a) above) as amended by the UK SCC Addendum will govern such transfers. For purposes of the UK SCC Addendum (which will be deemed executed by the parties as of the Effective Date of this DPA), the following terms will apply:
- For the purposes of Table 1 of the UK SCC Addendum:
- Customer will be referred to as the “Data Exporter” and Validity will be referred to as the “Data Importer” in such clauses with relevant Customer name and address details from this DPA and the Agreement; and
- The key contacts for the parties are specified in the Agreement.
- For the purposes of Table 2 of the UK SCC Addendum, Modules 2 and 3 of the EU SCCs shall apply, including the Appendix information and the clauses or optional clauses of the EU SCCs brought into effect for the purposes of this Addendum as outlined in the relevant sections under 7(a) above.
- For the purposes of Table 3 of the UK SCC Addendum:
- The details about the parties as identified in the Agreement will be used to populate Annex 1.A of the UK SCC Addendum;
- Details in Attachment 2 (Scope of Processing) of this DPA will be used to complete the transfer details in Annex I.B of the UK SCC Addendum;
- Section 3(d) (Security) of this DPA will be used to complete Annex II of the UK SCC Addendum; and
- The general list of Subprocessors is available here and will be used to complete Annex III of the UK SCC Addendum.
- For the purposes of Table 4 of the UK SCC Addendum either party (Data Exporter, Data Importer) will be permitted to end the UK SCC Addendum as set out in the section 19 of the UK SCC Addendum.
- To the extent that any transfer of Personal Data is subject to the FADP, the parties agree that the EU SCCs will extend and apply in accordance with the following adaptations:
- The FDPIC will be the competent supervisory authority in Annex I.C under Clause 13 of the EU SCCs, insofar as the data transfer is governed by the FADP;
- The applicable law for contractual claims and place of jurisdiction for actions between the parties under Clauses 17 and 18 of the EU SCCs shall be as set forth in the EU SCCs, provided that the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 c.;
- The Clauses will also protect the data of legal entities until the entry into force of the revised FADP.
- The terms of this DPA will control to the extent there is any conflict between this DPA and the Agreement. Except as amended and modified by this DPA, the terms and provisions of the Agreement remain unchanged and in full force and effect.
- BY CLICKING I ACCEPT AND THEREBY ACCEPTING THESE TERMS (ONLY IF APPLICABLE), YOU WARRANT THAT YOU HAVE AUTHORITY TO SIGN AND EXECUTE THIS AGREEMENT ON BEHALF OF THE CUSTOMER WITH RESPECT TO THE MATTERS CONTAINED HEREIN.
Attachment 1: Definitions
For purposes of this DPA, the following terms will have the meaning ascribed below:
“Data Protection Law” means the GDPR, Member State laws implementing the GDPR, UK Data Protection Laws, the FADP, US Data Protection Laws, and any other data protection laws that apply directly to Validity in connection with its Processing of Personal Data.
“Business” and “Service Provider” shall have the meaning as defined under applicable Data Protection Law, including CPRA.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“EU SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, found at ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
“FADP” means the Swiss Federal Act on Data Protection of 1992, as amended.
“FDPIC” means the Swiss Federal Data Protection and Information Commissioner.
“GDPR” means (a) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means the Customer Data Processed by Validity on behalf of Customer in connection with the Services that consists of “personal data” or “personal information” (or analogous variations of such terms) under Data Protection Law, as further described under Attachment 2.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
“Process” or “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which processes personal data on behalf of the Controller.
“Subprocessor” means (i) Validity, when Validity is processing Personal Data on behalf of the Customer and where Customer is itself a Processor of such Personal Data, or (ii) any third-party Processor engaged by Validity to process Personal Data in order to provide the Services to Customer.
“UK Data Protection Laws” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK including the UK GDPR and the Data Protection Act 2018.
“UK GDPR” means as defined in section 3 of the Data Protection Act 2018.
“UK SCC Addendum” means the template addendum B.1.0 issued by the UK Information Commissioner and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 thereof, found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
“US Data Protection Laws” means all applicable and as enacted data protection laws in the United States including the California Consumer Privacy Act as amended (“CCPA”), the California Privacy Rights Act (“CPRA”), the Connecticut Data Privacy Act (“CDPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), and the Utah Consumer Privacy Act (“UCPA”).
Attachment 2: Scope of Processing
Subject-Matter of Processing
Validity Processes Personal Data in connection with the subject matter specified under the Agreement (including the Order Form).
Nature and Purpose of Processing (i.e., Processing operations)
Validity’s Processing operations depend on the Services that Customer utilizes, as further described on the Order Form. For example, some Services involve data cleansing (create, read, update, and delete operations), while others help Customer improve the effectiveness of email campaigns (validate, test).
Types of Personal Data
Depending on the Services that the Customer has purchased, the following types of Personal Data may be relevant:
- Contact information such as email addresses, phone numbers (US/Canada only), and postal addresses (US only), as determined by the Customer.
- Activity information associated with email campaigns (collected via pixels or similar tracking technology), including IP address, event, mail provider, and email address, as determined and configured by the Customer.
- Application end-user’s first and last name, business email address, IP address, company name.
Categories of Data Subjects
Depending on the Services that the Customer has contracted, the following types of Categories of Data Subjects may be relevant:
- Application end-users who will log in to Validity’s web-based SaaS to interact with the service, as determined by the Customer.
- Individuals that Customer wishes to communicate with, as determined by Customer.
Special Categories of Data
None (as outlined under Section 3(f) of this Agreement).
Data exporter (if applicable)
Customer, as defined in the Agreement.
Data importer (if applicable)
Validity, as defined in the Agreement.
The Frequency of the Transfer(s)
The transfer of Personal Data takes place on a continuous and/or one-off basis in accordance with the Agreement and the Services selected by the Customer.
Last Updated: January 2023