Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Agreement (as defined in the applicable Order Form, Master Subscription and Services Agreement, or other applicable agreement) entered into by Validity and Customer.


  1. DEFINITIONS
  (a) Capitalized terms used but not defined below or in Attachment 1 to this DPA will have the meanings set forth in the Agreement.
  2. DATA PROCESSING AND PROTECTION
  (a) Limitations on Use. Validity will Process Personal Data only: (i) in a manner consistent with documented instructions from Customer, including with regard to transfers of Personal Data to a third country, which will include Processing as authorized or permitted under the Agreement, including as specified in Attachment 2 to this DPA; and (ii) as required by Data Protection Law, provided that Validity will inform Customer (unless prohibited by such Data Protection Law) of the applicable legal requirement before Processing pursuant to such Data Protection Law.
  (b) CCPA and CPRA. Validity will Process Personal Data subject to the CCPA as a Service Provider and will not, for any purpose (except for the specific purpose of performing the Services or as otherwise permitted under the CCPA for Service Providers), sell, share, retain, use, or disclose any Personal Data.
  (c) Confidentiality. Validity will ensure that persons authorized by Validity to Process any Personal Data are subject to appropriate confidentiality obligations.
  (d) Security. Validity will implement measures designed to protect Personal Data that meet or exceed applicable requirements under Data Protection Law, including, as applicable, requirements under Article 32 of the GDPR. These measures include technical and organizational measures, such as the use of firewalls, access control protocols, business continuity measures, penetration tests and patch management protocols. For a detailed list of Validity’s security controls, please email [email protected].
  (e) Return or Disposal. At the choice of Customer, Validity will delete or return (and delete existing copies of) all Personal Data after the end of the provision of Services unless Data Protection Law requires the storage of such Personal Data by Validity, in which case Validity will only further retain and process such Personal Data for the limited duration and purposes required by such Data Protection Law.
  (f) Customer Obligation. Customer will not Process any Personal Data via the Services that includes any special categories of Personal Data, as described in Article 9 of the GDPR, or any other Personal Data that may be subject to heightened data security obligations, such as data subject to U.S. breach notification obligations or any protected health information.
  3. ASSISTANCE
  (a) Data Subject’s Rights Assistance. Taking into account the nature of the Processing, Validity will reasonably assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising any individual’s privacy or data protection rights provided under Data Protection Law, including rights laid down in Chapter III of the
  (b) Security and Assistance. Taking into account the nature of Processing and the information available to Validity, Validity will reasonably assist Customer in ensuring compliance with its security obligations under Article 32 of the GDPR.
  (c) Personal Data Breach Notice and Assistance. Validity will notify Customer of any Personal Data Breach without undue delay after becoming aware of such Personal Data Breach. Taking into account the nature of Processing and the information available to Validity, Validity will assist Customer in ensuring compliance with Customer’s notification obligations under Data Protection Law in connection with any Personal Data Breach, including in ensuring compliance with Customer’s obligations pursuant to Articles 33 and 34 of the GDPR.
  (d) Data Protection Impact Assessment Assistance. Taking into account the nature of Processing and the information available to Validity, Validity will assist Customer in ensuring compliance with the obligations under Articles 35 and 36 of the GDPR.
  4. AUDITS
  (a) Upon Customer’s request, Validity will make available to Customer information necessary to demonstrate Validity’s compliance with this DPA in the form of an ISO 27001/27018 (where applicable) or SOC 2 certification or compliance summary report. These materials will be deemed the confidential information of Validity under the Agreement. If Customer reasonably believes Validity is in material breach of this DPA, or if required by a supervisory authority, then, subject to the terms of this Section 4, Customer may conduct an on-site audit (at its expense) of Validity’s systems and procedures as may be necessary to verify Validity’s compliance with this DPA. Customer will provide no less than 30 days’ advance notice of its request for any such on-site audit, and will cooperate in good faith with Validity to schedule any such audit on a mutually agreed upon date and time (such agreement not to be unreasonably withheld by either party). Any such on-site audit must occur during Validity’s normal business hours and be conducted by a nationally recognized independent auditor. The auditor conducting such audit will (and Customer will be responsible for ensuring that the auditor will): (a) comply with reasonable and applicable on-site policies and procedures provided by Validity, (b) sign a standard confidentiality agreement with Validity, and (c) not unreasonably interfere with Validity’s business activities. Customer will provide written communication of any audit findings to Validity, and the results of the audit will be the confidential information of Validity. Customer shall reimburse Validity for any time expended to support or facilitate any such on-site audit at Validity’s then-current professional services rates, which Validity will provide to Customer upon request.
  5. SUBPROCESSORS
  (a) Customer authorizes Validity to use Subprocessors to Process Personal Data in connection with the provision of Services to Customer. Validity will provide Customer with a current list of Subprocessors promptly following a written request to [email protected]. Validity will notify Customer of any intended changes concerning the addition or replacement of its Subprocessors, and provide Customer with the opportunity to object to such changes. Customer will not object to any such change unless it has a reasonable belief that such change poses a materially new data protection risk to the Personal Data. Customer will notify Validity in writing of any such objection within 10 days of receipt of Validity’s written notice of the change or will waive its right to object. If Customer provides written notice of its objection within such period and Validity determines it cannot accommodate such objection, Validity may terminate the Agreement upon notice to Customer without liability. Validity will impose data protection obligations upon any Subprocessor that are no less protective than those included in this DPA. Validity will remain liable for any acts or omissions of its Subprocessors.
  6. DATA TRANSFERS
  Validity may Process the Personal Data in the United States and other jurisdictions where its Subprocessors are located. With regard to transfers of Personal Data from the European Economic Area and/or its member states, Switzerland, and/or the United Kingdom (UK) to a country which does not ensure an adequate level of data protection within the meaning of Data Protection Law, to the extent such transfers are subject to such Data Protection Law, such transfer will be made pursuant to the relevant approved transfer mechanisms in accordance with the following terms:
  (a) To the extent that any transfer of Personal Data is subject to the GDPR (“Data Transfer”), the parties will conduct such Data Transfer in accordance with this Section 6(a). Any Data Transfer will be conducted pursuant to the EU SCCs (which will be deemed executed by the parties), and the following terms will apply:
    1. Terms of Module 2 (Controller to Processor) of the EU SCCs apply to the extent Customer is a Controller and Validity is a Processor of the Personal Data;
    2. Terms of Module 3 (Processor to Processor) of the EU SCCs apply to the extent Customer is a Processor and Validity is a Subprocessor of the Personal Data;
    3. Any audits authorized under the EU SCCs will be conducted pursuant to Section 4 (Audits) of this DPA;
    4. The Docking Clause at Clause 7 of the EU SCCs shall apply;
    5. In relation to Clause 9 of the EU SCCs, Option 2: General Written Authorisation is selected; the process and time period for the addition or replacement of Subprocessors is described in Section 5 (Subprocessors) of this DPA;
    6. The optional clause at Clause 11 of the EU SCCs shall not apply;
    7. In relation to Clause 13 and Annex I.C of the EU SCCs, Customer shall maintain accurate records of the applicable Member State(s) and competent supervisory authority/ies;
    8. In relation to Clause 17 (Option 1 is selected) and Clause 18 of the EU SCCs, the Member State for purposes of governing law and jurisdiction shall be Ireland;
    9. Customer will be referred to as the “Data Exporter” and Validity will be referred to as the “Data Importer” in Annex I.A of the EU SCCs, with the relevant Customer name and address details taken from this DPA and the Agreement;
    10. Details in Attachment 2 (Scope of Processing) of this DPA will be used to complete Annex I.B of the EU SCCs;
    11. Section 2(d) (Security) of this DPA will be used to complete Annex II of the EU SCCs.
  (b) To the extent that any transfer of Personal Data is subject to applicable UK Data Protection Law, the relevant Module(s) of the EU SCCs (as set out in Section 6(a) above) as amended by the UK SCC Addendum will govern such transfers. For purposes of the UK SCC Addendum (which will be deemed executed by the parties) the following terms will apply:
    1. For the purposes of Table 1 of the UK SCC Addendum:
      1. Customer will be referred to as the “Data Exporter” and Validity will be referred to as the “Data Importer” in such clauses, with the relevant Customer name and address details taken from this DPA and the Agreement; and
      2. The key contacts for the parties are specified in the Agreement.
    2. For the purposes of Table 2 of the UK SCC Addendum, Modules 2 and 3 of the EU SCCs shall apply (where applicable), including the Appendix information and the clauses or optional clauses of the EU SCCs brought into effect for the purposes of this Addendum as outlined in the relevant subsections of Section 6(a) above.
    3. For the purposes of Table 3 of the UK SCC Addendum:
      1. The details about the parties as identified in the Agreement will be used to populate Annex I.A of the UK SCC Addendum;
      2. Details in Attachment 2 (Scope of Processing) of this DPA will be used to complete the transfer details in Annex I.B of the UK SCC Addendum;
      3. Section 2(d) (Security) of this DPA will be used to complete Annex II of the UK SCC Addendum; and
      4. The general list of Subprocessors (available from Validity as described in Section 5 (Subprocessors) of this DPA) will be used to complete Annex III of the UK SCC Addendum.
    4. For the purposes of Table 4 of the UK SCC Addendum, either party (Data Exporter or Data Importer) will be permitted to end the UK SCC Addendum as set out in Section 19 of the UK SCC Addendum.
  (c) To the extent that any transfer of Personal Data is subject to the FADP, the parties agree that the EU SCCs will extend and apply in accordance with the following adaptations:
    1. The FDPIC will be the competent supervisory authority in Annex I.C under Clause 13 of the EU SCCs, insofar as the data transfer is governed by the FADP;
    2. The applicable law for contractual claims and place of jurisdiction for actions between the parties under Clauses 17 and 18 of the EU SCCs shall be as set forth in the EU SCCs, provided that the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c);
    3. The Clauses will also protect the data of legal entities until the entry into force of the revised FADP.
  7. MISCELLANEOUS
  (a) The terms of this DPA will control to the extent there is any conflict between this DPA and the Agreement. Except as amended and modified by this DPA, the terms and provisions of the Agreement remain unchanged and in full force and effect.

Attachment 1: Definitions

    For purposes of this DPA, the following terms will have the meaning ascribed below:

    “Data Protection Law” means the GDPR, Member State laws implementing the GDPR, UK Data Protection Laws, the CCPA, the FADP, and any other data protection laws that apply directly to Validity in connection with its Processing of Personal Data.

    “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

    “CCPA” means the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act, and any regulations promulgated thereunder by the California Attorney General.

    “EU SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, found at ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

    “FADP” means the Swiss Federal Act on Data Protection of 1992, as amended.

    “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.

    “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

    “Personal Data” means the Customer Data Processed by Validity on behalf of Customer in connection with the Services that consists of “personal data” or “personal information” (or analogous variations of such terms) under Data Protection Law, as further described under Attachment 2.

    “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

    “Process” or “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

    “Processor” means the entity which processes personal data on behalf of the Controller.

    “Service Provider” has the meaning given to that term under the CCPA.

    “Subprocessor” means (i) Validity, when Validity is processing Personal Data on behalf of the Customer and where Customer is itself a Processor of such Personal Data, or (ii) any third-party Processor engaged by Validity to process Personal Data in order to provide the Services to Customer.

    “UK Data Protection Law” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK including the UK GDPR and the Data Protection Act 2018.

    “UK GDPR” has the meaning given in section 3 of the Data Protection Act 2018.

    “UK SCC Addendum” means the template addendum B.1.0 issued by the UK Information Commissioner and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 thereof, found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

Attachment 2: Scope of Processing

Subject-Matter of Processing

Validity Processes Personal Data in connection with the subject matter specified under the Agreement (including the Order Form).

Nature and Purpose of Processing (i.e., Processing operations)

Validity’s Processing operations depend on the Services that Customer utilizes, as further described on the Order Form. For example, some Services involve data cleansing (create, read, update, and delete operations), while others help Customer improve the effectiveness of its email campaigns (validate, test).

Types of Personal Data

Depending on the Services that the Customer has purchased, the following types of Personal Data may be relevant:

  • Contact information such as email addresses, phone numbers (US/Canada only), and postal addresses (US only), as determined by the Customer.
  • Activity information associated with email campaigns (collected via pixels or similar tracking technology), including IP address, event, mail provider, email address, as determined and configured by the Customer.
  • Application end-user’s first and last name, business email address, IP address, company name.

Categories of Data Subjects

Depending on the Services that the Customer has contracted, the following Categories of Data Subjects may be relevant:

  • Application end-users who will log in to Validity’s web-based SaaS to interact with the Service, as determined by the Customer.
  • Individuals that Customer wishes to communicate with, as determined by Customer.

Special Categories of Data

None (as outlined under Section 2(f) of this DPA).

Data exporter (if applicable)

Customer, as defined in the Agreement.

Data importer (if applicable)

Validity, as defined in the Agreement.

The Frequency of the Transfer(s)

The transfer of Personal Data takes place on a continuous and/or one-off basis in accordance with the Agreement and the Services selected by the Customer.

Last Updated: July 2022