Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Agreement (as defined in the applicable Order Form, Master Subscription and Services Agreement, or other applicable agreement) entered into by Validity and Customer.

 

  1. DEFINITIONS
  1. Capitalized terms used but not defined below or in Attachment 1 to this DPA will have the meanings set forth in the Agreement.
  2. DATA PROCESSING AND PROTECTION
  1. Limitations on Use. Validity will Process Personal Data only: (a) in a manner consistent with documented instructions from Customer, including with regard to transfers of Personal Data to a third country, which will include Processing as authorized or permitted under the Agreement, including as specified in Attachment 2 to this DPA; and (b) as required by Data Protection Law, provided that Validity will inform Customer (unless prohibited by such Data Protection Law) of the applicable legal requirement before Processing pursuant to such Data Protection Law.
  2. CCPA. Validity will Process Personal Data subject to the CCPA as a Service Provider and will not retain, use, or disclose any Personal Data for any purpose other than for the specific purpose of performing the Services, or as otherwise permitted by the CCPA for service providers, including by not retaining, using, or disclosing the Personal Data for a commercial purpose other than to provide the Services.
  3. Confidentiality. Validity will ensure that persons authorized by Validity to Process any Personal Data are subject to appropriate confidentiality obligations.
  4. Security. Validity will implement measures designed to protect Personal Data that meet or exceed applicable requirements under Data Protection Law, including, as applicable, requirements under Article 32 of the GDPR. These measures include technical and organizational measures, such as the use of firewalls, access control protocols, business continuity measures, penetration tests and patch management protocols.
  5. Return or Disposal. At the choice of Customer, Validity will delete or return (and delete existing copies of) all Personal Data after the end of the provision of Services unless Data Protection Law requires the storage of such Personal Data by Validity, in which case Validity will only further retain and process such Personal Data for the limited duration and purposes required by such Data Protection Law.
  6. Customer Obligation. Customer will not Process any Personal Data via the Services that includes any special categories of Personal Data, as described in Article 9 of the GDPR, or any other Personal Data that may be subject to heightened data security obligations, such as data subject to U.S. breach notification obligations or any protected health information.
  3. ASSISTANCE
  1. Data Subject’s Rights Assistance. Taking into account the nature of the Processing, Validity will reasonably assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising any individual’s privacy or data protection rights provided under Data Protection Law, including rights laid down in Chapter III of the GDPR.
  2. Security and Assistance. Taking into account the nature of Processing and the information available to Validity, Validity will reasonably assist Customer in ensuring compliance with its security obligations under Article 32 of the GDPR.
  3. Personal Data Breach Notice and Assistance. Validity will notify Customer of any Personal Data Breach without undue delay after becoming aware of such Personal Data Breach. Taking into account the nature of Processing and the information available to Validity, Validity will assist Customer in ensuring compliance with Customer’s notification obligations under Data Protection Law in connection with any Personal Data Breach, including in ensuring compliance with Customer’s obligations pursuant to Articles 33 and 34 of the GDPR.
  4. Data Protection Impact Assessment Assistance. Taking into account the nature of Processing and the information available to Validity, Validity will assist Customer in ensuring compliance with the obligations under Articles 35 and 36 of the GDPR.
  4. AUDITS
  1. Upon Customer’s request, Validity will make available to Customer information necessary to demonstrate Validity’s compliance with this DPA in the form of an ISO 27001/27018 (where applicable) or SOC 2 certification or compliance summary report. These materials will be deemed the confidential information of Validity under the Agreement. If Customer reasonably believes Validity is in material breach of this DPA, or if required by a supervisory authority, then, subject to the terms of this Section 4, Customer may conduct an on-site audit (at its expense) of Validity’s systems and procedures as may be necessary to verify Validity’s compliance with this DPA. Customer will provide no less than 30 days’ advance notice of its request for any such on-site audit, and will cooperate in good faith with Validity to schedule any such audit on a mutually agreed upon date and time (such agreement not to be unreasonably withheld by either party). Any such on-site audit must occur during Validity’s normal business hours and be conducted by a nationally recognized independent auditor. The auditor conducting such audit will (and Customer will be responsible for ensuring that the auditor will): (a) comply with reasonable and applicable on-site policies and procedures provided by Validity, (b) sign a standard confidentiality agreement with Validity, and (c) not unreasonably interfere with Validity’s business activities. Customer will provide written communication of any audit findings to Validity, and the results of the audit will be the confidential information of Validity. Customer shall reimburse Validity for any time expended to support or facilitate any such on-site audit at Validity’s then-current professional services rates, which Validity will provide to Customer upon request.
  5. SUBPROCESSORS
  1. Customer authorizes Validity to use subcontractors to Process Personal Data in connection with the provision of Services to Customer (“Subprocessor”). Validity will provide Customer with a current list of Subprocessors promptly following a Customer written request. Validity will notify Customer of any intended changes concerning the addition or replacement of its Subprocessors, and provide Customer with the opportunity to object to such changes. Customer will not object to any such change unless it has a reasonable belief that such change poses a materially new data protection risk to the Personal Data. Customer will notify Validity in writing of any such objection within 10 days of receipt of Validity’s written notice of the change or will waive its right to object. If Customer provides written notice of its objection within such period and Validity determines it cannot accommodate such objection, Validity may terminate the Agreement upon notice to Customer without liability. Validity will impose data protection obligations upon any Subprocessor that are no less protective than those included in this DPA. Validity will remain liable for any acts or omissions of its Subprocessors.
  6. DATA TRANSFERS
  1. Validity may Process the Personal Data in the United States and other jurisdictions where its Subprocessors are located. With regard to transfers of Personal Data from the European Economic Area and/or their member states, Switzerland, and/or the United Kingdom to a country which does not ensure an adequate level of data protection within the meaning of Data Protection Laws, to the extent such transfers are subject to such Data Protection Laws, such transfer will be made pursuant to the relevant Standard Contractual Clauses in accordance with the below terms:
  1. To the extent that any Personal Data originates from a Member State in the European Economic Area and is subject to the GDPR (“Data Transfer”), the parties will conduct such Data Transfer in accordance with this Section 6(a). Any Data Transfer will be conducted pursuant to the EU Standard Contractual Clauses (EU SCCs) (which will be deemed executed by the parties as of the effective date of this DPA), and the following terms will apply:
    1. Terms of the Module 2 (Controller to Processor) of the EU SCCs apply to the extent Customer is a Controller and Validity is a Processor of the Personal Data;
    2. Terms of the Module 3 (Processor to Processor) of the EU SCCs apply to the extent Customer is a Processor and Validity is a Subprocessor of the Personal Data;
    3. Any audits authorized under the EU SCCs will be conducted pursuant to Section 4 (Audits) of this DPA;
    4. In relation to Clause 9 of the EU SCCs, Option 2: General Written Authorisation is selected; the process and time period for the addition or replacement of Subprocessors is described in Section 5 (Subprocessors) of this DPA;
    5. In relation to Clause 13 and Annex I. C of the EU SCCs Customer shall maintain accurate records of the applicable Member State(s) and competent supervisory authority/ies;
    6. In relation to Clause 17 (Option 1 is selected) and Clause 18 of the EU SCCs, the Member State for purposes of governing law and jurisdiction shall be Ireland;
    7. Customer will be referred to as the “Data Exporter” and Validity will be referred to as the “Data Importer” in Annex I. A of the EU SCCs with relevant Customer name and address details from this DPA and Customer’s Agreement;
    8. Details in Attachment 2 (Scope of Processing) of this DPA will be used to complete Annex I. B of the EU SCCs;
    9. Section 2(d) (Security) of this DPA will be used to complete Annex II of the EU SCCs.
  2. To the extent that any Personal Data originates from the United Kingdom (UK) and is subject to applicable UK law, the 2010 SCCs form part of this DPA and will govern such transfers, until such time that the UK adopts new Standard Contractual Clauses, in which case new SCCs will prevail. For purposes of the 2010 SCCs (which will be deemed executed by the parties as of the effective date of this DPA), the following terms will apply:
    1. Customer will be referred to as the “Data Exporter” and Validity will be referred to as the “Data Importer” in such clauses with relevant Customer name and address details from this DPA and the Agreement;
    2. Any audits authorized under the 2010 SCCs will be conducted pursuant to Section 4 (Audits) of this DPA;
    3. In relation to Clause 9 of the 2010 SCCs, United Kingdom law will govern the 2010 SCCs;
    4. Details in Attachment 2 (Scope of Processing) of this DPA will be used to complete Appendix 1 of the 2010 SCCs;
    5. Section 2(d) (Security) of this DPA will be used to complete Appendix 2 of the 2010 SCCs.
  7. MISCELLANEOUS
  1. The terms of this DPA will control to the extent there is any conflict between this DPA and the Agreement. Except as amended and modified by this DPA, the terms and provisions of the Agreement remain unchanged and in full force and effect. Without limiting the foregoing, the limitation of liability clauses, governing law clause and forum selection clause of the Agreement will apply to any disputes arising out of this DPA.
  1. Attachment 1: Definitions

  1. For purposes of this DPA, the following terms will have the meaning ascribed below:
  2. “Data Protection Law” means the GDPR, Member State laws implementing the GDPR, the CCPA, and any other data protection laws that apply directly to Validity in connection with its Processing of Personal Data.
  3. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  4. “CCPA” means the California Consumer Privacy Protection Act of 2018, as amended, including any regulations promulgated thereunder by the California Attorney General.
  5. “GDPR” means (a) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and (b) such law as incorporated into United Kingdom law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).
  6. “EU SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, found at ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
  7. “2010 SCCs” means Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593).
  8. “Personal Data” means the Customer Data Processed by Validity on behalf of Customer in connection with the Services that consists of “personal data” or “personal information” (or analogous variations of such terms) under Data Protection Law, as further described under Attachment 2.
  9. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  10. “Process” or “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  11. “Processor” means the entity which processes personal data on behalf of the Controller.
  12. “Service Provider” should have the meaning as defined under the CCPA.
  13. “Subprocessor” means (i) Validity, when Validity is processing Personal Data on behalf of the Customer and where Customer is itself a Processor of such Personal Data, or (ii) any third-party Processor engaged by Validity to process Personal Data in order to provide the Services to Customer.
  1. Attachment 2: Scope of Processing

  1. Subject-Matter and Duration of Processing
  2. Validity Processes Personal Data in connection with the subject matter specified under the Agreement (including the Order Form) and until the Agreement terminates or expires, unless otherwise agreed upon by the parties in writing.
  3. Nature and Purpose of Processing (i.e., Processing operations)
  4. Validity’s Processing operations depend on the Services that Customer utilizes, as further described on the Order Form. For example, some Services involve data cleansing (create, read, update and delete operations), while others help Customer improve the effectiveness of its email campaigns.
  5. Types of Personal Data
  6. Depending on the Services that the Customer has purchased, the following types of Personal Data may be relevant:
    1. Contact information, including email addresses, phone numbers and postal addresses.
    2. Activity information associated with email campaigns (collected via pixels or similar tracking technology), including IP address mail provider, email address, approximate geolocation (derived from IP), user-agent string (e.g., browser and other technical device information communicated in a log file).
  7. Categories of Data Subjects
  8. Individuals that Customer wishes to communicate with, as determined by Customer.
  9. Special Categories of Data (if appropriate)
    None anticipated.
  10. Data exporter (if applicable)
  11. Customer, as defined in the Agreement.
  12. Data importer (if applicable)
  13. Validity, as defined in the Agreement.

Last Updated: October 2021
