EXHIBIT B: DATA PROCESSING AGREEMENT
KLUE CUSTOMER DATA PROTECTION ADDENDUM
This Data Protection Addendum, including all attachments (“DPA” or “Addendum”) forms part of the Agreement between the Klue entity identified in the Agreement (“Klue”) and “Customer” as defined therein, each a “Party” and collectively the “Parties.” This DPA applies exclusively to Klue’s processing of Personal Data in accordance with Customer’s instructions in the capacity of its role as Data Controller in relation to the provision of Klue’s Services to Customer as specified in the Agreement. Capitalized terms not defined in this DPA shall have the meaning defined in the Agreement.
- Definitions. For purposes of this Addendum:
- “Adequate Country” means a country that has been designated by the European Commission and UK Information Commissioner’s Office as providing an adequate level of protection for personal data.
- “Data Protection Laws” means all applicable laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including, the California Privacy Rights Act amendments (“CCPA”); the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the Swiss Federal Act on Data Protection (“FADP”); the United Kingdom Data Protection Act of 2018 (“UK GDPR”); the Canadian Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) (“PIPEDA”); and the Brazilian General Personal Data Protection Law (Law No. 13.709/2018, as amended by Law No. 13.853/2019) (“LGPD”).
- “Data Subject,” “Processor,” “Service Provider,” “Controller,” and “Business” shall be defined as provided in applicable Data Protection Laws.
- “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj, and completed as set forth in Section 7 below.
- “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Protection Laws that Klue is processing on behalf of Customer in connection with the Agreement.
- “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Security Incident” means any known accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data occurring on Klue’s systems or otherwise under Klue’s control.
- “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf).
- Scope and Purposes of Processing.
- Customer is the data controller and appoints Klue as a data processor to process the Personal Data. The scope, nature, purposes, and duration of the processing, the types of Personal Data Processed, and the Data Subjects concerned are set forth in this Addendum, including its Schedule A. The details provided in Schedule A are deemed to satisfy any requirement to provide such details under any Data Protection Law.
- Klue will Process Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including any future Authorization Form, including this Addendum; (2) on Customer’s behalf; and (3) in compliance with Data Protection Laws. Klue will not “sell” Personal Data (as such term in quotation marks is defined in applicable Data Protection Laws), “share” or Process Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms in quotation marks are defined in applicable Data Protection Laws), or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Customer.
- Klue will not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data without Customer’s express written permission.
- Klue will not attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of Customer.
- Klue will comply with any applicable restrictions under Data Protection Laws on combining the Personal Data with personal data that Klue receives from, or on behalf of, another person or persons, or that Klue collects from any interaction between it and any individual.
- Klue will provide the same level of protection for the Personal Data as is required under the CCPA applicable to Customer.
- Customer retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including any use of Personal Data not expressly authorized in this DPA.
- Personal Data Processing Requirements.
- Klue will:
- Keep all Personal Data that it processes on behalf of Customer strictly confidential. Klue shall ensure that any person it authorizes to process the Personal Data, including Klue’s Personnel, is subject to a strict duty of confidentiality. Klue shall not permit any person to process the Personal Data who is not under such a duty of confidentiality.
- Taking into account the nature of the processing, assist Customer to ensure that Customer may at any time respond to request(s) from Data Subjects exercising their rights under Data Protection Laws. Further, any such Data Subject request received by Klue will be referred to Customer promptly.
- Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data in relation to this DPA, and promptly notify Customer of (i) any third-party complaints regarding the Processing of Personal Data; or (ii) any government requests for access to or information about Klue’s Processing of Personal Data in connection with this DPA, unless otherwise prohibited by Data Protection Laws. Klue will provide Customer with reasonable cooperation and assistance in relation to any such request. If Klue is prohibited by applicable Data Protection Laws from disclosing the details of a government request to Customer, Klue shall inform Customer that it can no longer comply with Customer’s instructions under this Addendum without providing more details and await Customer’s further instructions. Klue shall use reasonable and available legal mechanisms to challenge any demands for data access through national security process that it receives, as well as any non-disclosure provisions attached thereto.
- Provided that Customer is itself unable to do so without Klue’s assistance and Klue is able to do so in accordance with Data Protection Laws, Klue shall provide reasonable assistance to Customer with any data protection impact assessments which Customer reasonably considers to be required by Data Protection Law, in each case solely in relation to processing of Personal Data by Klue as governed by this DPA and taking into account the nature of such processing and the nature of the Personal Data processed by Klue.
- Promptly notify Customer if it determines that (i) it can no longer meet its obligations under this DPA or applicable Data Protection Laws; or (ii) in its opinion, an instruction from Customer infringes applicable Data Protection Laws.
- Klue affirms it understands its obligations under this Addendum (including without limitation the restrictions under Sections 2 and 3) and that it will comply with them.
- Customer will:
- Customer represents and warrants that it has and shall maintain throughout the Term all necessary rights, consents and authorizations to provide the Personal Data to Klue in its capacity as Controller and to authorize Klue to process this Personal Data as contemplated by this DPA and the Agreement and/or other processing instructions provided to Klue.
- Customer shall comply with all applicable Data Protection Laws.
- Customer shall not provide any Personal Data to Klue except through agreed mechanisms. For example, Customer shall not provide any Personal Data to Klue via email.
- Customer will not collect, provide or otherwise use in any way in relation to the Services any special category of Personal Data or similar designation as described in Data Protection Law.
- Customer shall immediately inform Klue if a data subject has revoked their right for Klue to process their Personal Data.
- Data Security. Klue will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data (“Security Measures”). These Security Measures shall at a minimum comply with applicable law and include the measures identified in Schedule A, Annex II. Customer acknowledges that Klue’s security measures are subject to technical progress and development and that Klue may update or modify the Security Measures from time to time. Klue and Customer agree that the measures set out in Schedule A, Annex II provide an appropriate level of security for the processing of Personal Data, accounting for the risks presented by the Processing outlined in the Agreement and this DPA.
- Security Incident. Upon becoming aware of a Security Incident, Klue shall inform Customer without undue delay (and, in any event, within 72 hours) and shall provide timely information and cooperation as Customer may require in order for Customer to fulfil its data breach reporting obligations under, and in accordance with the timelines required by applicable Data Protection Law. Klue shall further take reasonable measures and actions necessary to remedy and mitigate the effects of the Security Incident in accordance with its severity and shall keep Customer informed of relevant developments in connection with the Security Incident. Except as required by applicable Data Protection Laws, Klue shall not make any public statements concerning a Security Incident that mentions the Customer either directly or indirectly without Customer’s prior written consent. Klue shall co-operate with Customer and take reasonable commercial steps as are requested by Customer to assist in the investigation, mitigation and remediation of each such Security Incident.
- Sub-processors.
- Customer grants a general authorization to Klue to engage or replace sub-processors to perform parts of the Service, provided that prior to receiving any Personal Data of Customer, sub-processors will be under written agreements that are substantially similar in scope as are imposed on Klue under this Agreement and, in particular, to the extent Klue engages sub-processors to process Personal Data that originates from the European Economic Area (“EEA”), Switzerland or the United Kingdom, in a country that is not an Adequate Country, all such processing shall be governed by contracts between Klue and its sub-processors incorporating Standard Contractual Clauses pursuant to which Klue is the data exporter and the sub-processor is the data importer. Klue shall be liable for the acts and omissions of its sub-processors to the same extent Klue would be liable if performing the services of each sub-processor directly under the terms of this DPA. Klue may continue to use those sub-processors already engaged by Klue as at the date of this Agreement listed at the following URL: https://help.app.klue.com/sub-processors.
- Klue will inform Customer of any intended changes concerning the addition or replacement of sub-processors being used in the Service in order to give the Customer the opportunity to object in accordance with Data Protection Laws. Klue may inform Customer by placing a notice on the Website or otherwise providing an in-product notification and such notice will be deemed to have been received on the date posted or otherwise provided. Customer may subscribe to notifications at www.klue.com/sub-processor-notifications. If Customer objects in writing to a particular sub-processor processing Personal Data within ten (10) days of receipt of such notice and can reasonably demonstrate that the new sub-processor is unable to process Personal Data in compliance with the terms of this DPA or applicable Data Protection Laws, Customer, as its sole and exclusive remedy, may terminate without penalty the applicable Authorization Form(s) by providing written notice to Klue. If no objection is received within such ten (10) day period, such sub-processor shall be deemed approved.
- Notwithstanding the above notice requirements, all Klue Affiliates are deemed to be approved sub-processors.
- Notwithstanding the above notice requirement, Klue may replace a sub-processor immediately and without prior notice if such replacement is urgent, necessary to provide the Services, and the surrounding circumstances are beyond Klue’s reasonable control. In the event of such an emergency replacement, Klue will notify Customer as soon as reasonably practicable, and Customer shall retain the right to object to such replacement under the terms of this DPA.
- Notwithstanding the above notice requirement, Klue may engage additional sub-processors for beta or trial version services, provided Klue provides notice of the additional sub-processor in the beta or trial version notice.
- Data Transfers.
- At all times Klue shall provide an adequate level of protection for Personal Data, wherever processed, in accordance with the requirements of the Data Protection Law. Canada is an Adequate Country and, as a Canadian company, Klue shall comply with the privacy laws of Canada in processing Personal Data pursuant to this Agreement. Further, to the extent Klue engages sub-processors to process Personal Data that originates from the EEA in a country that is not an Adequate Country, all such processing shall be governed by contracts between Klue and such sub-processors incorporating Standard Contractual Clauses pursuant to which Klue is the data exporter and the applicable sub-processor is the data importer.
- To the extent legally required, by signing this Addendum, Customer and Klue are deemed to have signed the EU SCCs, which form part of this Addendum and (except as described in Section 7(c) and (d) below) will be deemed completed as follows:
- Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a controller) to Klue (as a processor);
- Clause 7 (the optional docking clause) is included;
- Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization). The initial list of sub-processors is set forth in Schedule B of this Addendum and Klue shall update that list and provide a notice to Customer in advance of any intended additions or replacements of sub-processors as provided in Section 6.
- Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
- Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the laws of Ireland;
- Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
- Annex I(A) and I(B) (List of Parties) is completed as set forth in Schedule A of this Addendum;
- Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
- Annex II (Technical and organizational measures) is completed with Schedule A of this Addendum; and
- Annex III (List of Subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9; however, a list of Klue’s Subprocessors is available in Schedule B.
- With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any EEA jurisdiction or Switzerland) governs the international nature of the transfer, the UK SCCs form part of this Addendum and take precedence over the rest of this Addendum as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows: (i) the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer; (ii) the Key Contacts shall be the contacts set forth in Schedule A; (iii) the Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties; (iv) Annex 1A, 1B, II, and III shall be set forth in Schedules A and B below; (v) either Party may end this Addendum as set out in Section 19 of the UK SCCs; and (vi) by entering into this Addendum, the Parties are deemed to be signing the UK SCCs and agree that the Addendum will be governed by the laws of England and Wales and enforced by the courts and relevant supervisory authorities in England and Wales.
- For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this Addendum as set forth in Section 7(b) of this Addendum, but with the following differences to the extent required by the FADP: (i) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (ii) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (iii) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (iv) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
- Audits. Upon Customer’s written request, and no more than once annually, Klue will provide Customer with its most recent security review reports and/or certifications (such as, for example, SOC2 reports) applicable to Klue’s Processing of Personal Data pursuant to the Agreement. If Customer provides a reasonable, written objection that the information provided is not sufficient to demonstrate Klue’s compliance with this DPA or if requested by an applicable supervisory authority, Customer may conduct an audit, or select a mutually agreed upon third party to conduct an audit, of Klue’s practices related to Processing Personal Data in compliance with this DPA, at Customer’s sole expense (an “Audit”). Customer will provide Klue with thirty (30) days’ prior written notice of its intention to conduct an Audit. Before any Audit, the parties will mutually agree upon the scope, timing, and duration of the Audit, as well as the Klue reimbursement rate for which Customer will be responsible, provided that the scope of any Audit shall not include areas already addressed through third-party audits provided to Customer. Customer and its third-party representatives will conduct any Audit: (i) acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Services; and (ii) in a manner that will result in minimal disruption to Klue’s business operations. Neither Customer nor its third-party representatives will be entitled to receive data or information of other Klue customers or any other Klue Confidential Information that is not directly relevant for the authorized purposes of the Audit in accordance with this provision. Customer will promptly provide Klue with the Audit results upon completion of the Audit. All Audit-related materials will be considered “Confidential Information” subject to the confidentiality provisions of the Agreement.
- Return or Destruction of Personal Data. Upon termination or expiry of the Agreement, Klue shall destroy, delete or deidentify all Personal Data (including all copies of the Personal Data) in its possession or control, including any Personal Data subcontracted to a third party for processing. This requirement will not apply to the extent that Klue is required by Data Protection Law to retain some or all of the Personal Data, in which event Klue shall isolate and protect the Personal Data from any further processing except to the extent required by such Data Protection Law.
- Limitation of Liability. The total liability of each of Klue and Customer arising out of or related to this DPA, whether in contract, tort, or other theory of liability, shall not, when taken together in the aggregate, exceed the applicable limitations of liability set forth in the Agreement.
- General Terms.
- The provisions of this Addendum survive the termination or expiration of the Agreement for so long as Klue or its Subprocessors Process the Personal Data.
- If there is a conflict between the Agreement and this DPA, the terms of this DPA will prevail. In the event of a conflict between this DPA and the EU SCCs or UK SCCs, the terms of the EU SCCs or UK SCCs, as relevant, will control.
- Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations, set forth in the Agreement.
- The DPA shall be governed by laws of the same jurisdiction as this Agreement, except where and to the extent applicable Data Protection Laws require that the DPA be governed by the laws of another jurisdiction, in which case the DPA shall be governed by the laws of Ireland.
Schedule A
ANNEX I
A. LIST OF PARTIES
Data exporter(s): The exporter (Controller) is Customer and Customer’s contact details and signature are as provided in the Agreement.
Data importer(s): The importer (Processor) is Klue and Klue’s contact details and signature are as provided in the Agreement.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
- Customer’s Users who are assigned user accounts for the Services;
- Individuals whose personal data Customer transfers to Klue in order for Klue to provide the part of the Services.
Categories of personal data transferred:
The categories of Personal Data depend on the Services that the Customer subscribes for, so these categories may vary. Generally speaking, the Personal Data processed is limited to information for security authentication and customer support purposes. The following Personal Data is collected from or provided by individuals who are assigned User IDs for the Service for the purpose of creating a user account for the Service: business email address, username, job title/role and encrypted password. In addition, when a user logs into the Service and uses the Service, the Service collects the following information: IP address, browser type, language preferences, cookies data, device type, operating system, and location. This is in addition to any category of Personal Data that Customer voluntarily provides relating to either Users or third parties to support Klue’s provisioning of competitive enablement services.
Sensitive data transferred (if applicable): N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): On a continuous basis as needed to provide the Services to Customer during Term.
Nature of the processing: The nature of the processing is to perform the obligations in connection with delivering the Services, as further set out in the Agreement between the parties.
Purpose(s) of the data transfer and further processing: The purpose of the data transfer is to provide the Services chosen by Customer in connection with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The data will be retained for Term or such other time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Please see Schedule B for a list of our Subprocessors and the nature of the services they provide. All transfers will last for the duration of the Agreement between the parties.
C. COMPETENT SUPERVISORY AUTHORITY
The data exporter’s competent supervisory authority will be determined in accordance with the GDPR, and where possible, will be the Irish Data Protection Commissioner.
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Klue’s Information Security Program includes specific security requirements for its personnel and all Subprocessors or agents who have access to Personal Data (“Data Personnel”). Klue’s security requirements cover the following areas:
- Physical Access Controls: Klue shall take reasonable measures, such as security Personnel and secured buildings and premises, to prevent unauthorized persons from gaining physical access to Personal Data.
- System Access Controls: Klue shall take reasonable measures to prevent Personal Data from being used without authorization. These controls may vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and/or logging of access on several levels.
- Data Access Controls: Klue shall take reasonable measures to provide that Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted, and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege of access; and, that personal data cannot be read, copied, modified, or removed without authorization in the course of processing.
- Transmission Controls: Klue shall take reasonable measures to ensure it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged so Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport.
- Input Controls: Klue shall take reasonable measures to provide that it is possible to check and establish whether and by whom Personal Data has been entered into data processing systems, modified, or removed. Klue shall take reasonable measures to ensure that (i) the Personal Data source is under the control of Customer; and (ii) Personal Data integrated into Klue’s systems is managed by secured file transfer between Klue and the data subject.
- Data Backup: Klue shall ensure that backups are made on a regular basis, are secured, and are encrypted when storing personal data to protect against accidental destruction or loss when hosted by Klue.
- Logical Separation: Klue shall ensure that data from Customer is logically segregated on Klue’s systems to ensure that Personal Data that is collected for different purposes may be processed separately.
- Information Security Policies and Standards: Klue will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter:
The processors and sub-processors of Klue are contractually obligated to implement technical and organisational measures no less protective than those provided by Klue under this DPA.