Data Processing Agreement

Updated August 17, 2023

Data Processing Agreement

This Exhibit A will apply if Ignitium receives, processes, or otherwise has access to any Customer Data. Unless defined below, capitalized terms not defined in these Data Protection Requirements will have the meaning ascribed to them in the Agreement to which this Exhibit is attached.

1. Privacy and Security of Customer Data.

Ignitium will, at all times, comply with its obligations under Applicable Law related to its processing of Customer Data, and will not process Customer Data in a manner that will, or is likely to, result in Customer breaching its obligations under Applicable Law. Ignitium will also implement and maintain all appropriate technical, administrative, physical, and organizational measures (including, at a minimum, the Minimum Security Measures in Annex II below) required to (i) ensure a level of confidentiality and security appropriate to the risks represented by the processing and the nature of Customer Data; and (ii) prevent unauthorized or unlawful processing of, accidental loss of, disclosure or destruction of, or damage to, Customer Data.

2. Processing of Customer Data.

Ignitium will only process Customer Data in accordance with the terms of this Agreement.

3. Hashed Customer Data.

If Ignitium receives, processes, or otherwise has access to Customer Data in hashed or otherwise obfuscated format, Ignitium will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Customer Data unless Customer instructs Ignitium to do so; and (ii) only share the Customer Data in the format Ignitium received it from Customer.

4. Disclosure.

Ignitium acknowledges that Customer may disclose this Exhibit A and any other relevant data protection and privacy provisions to the U.S. Department of Commerce, the Federal Trade Commission, European data protection authority(ies), or any other judicial or regulatory body upon their request.

5. No Information Selling.

Ignitium acknowledges and confirms its understanding that Ignitium: (i) does not and will not receive any Customer Data as consideration for any Services or other items that Ignitium provides to Customer under this Agreement; (ii) is prohibited from selling and will not sell any Customer Data as the term “sell” is defined in the California Consumer Privacy Act of 2018, as may be amended from time to time (“CCPA”); and (iii) will only collect, retain, disclose, or use Customer Data solely as necessary to perform the Services for the benefit of Customer. Ignitium represents and warrants that Ignitium understands the rules, requirements, and definitions of the CCPA and agrees to refrain from taking any action that would cause any transfers of Customer Data to or from Ignitium to qualify as “selling personal information” under the CCPA.

6. Complaint Handling.

Ignitium will, unless prohibited by Applicable Law, inform Customer promptly, and in any event within two business days, of any enquiry, legal process, or complaint received from a data subject or supervisory, judicial, legal, or government authority relating to Customer Data (“Data Inquiry”) and will not respond to the Data Inquiry unless required by law or expressly authorized by Customer. If Customer is unable to or does not receive a protective order or other remedy for the Data Inquiry, Ignitium may disclose only that portion of Customer Data that it is legally required to disclose and will use reasonable efforts to ensure the disclosed Customer Data is handled in accordance with the Agreement and accorded confidential treatment.

7. Cooperation.

Ignitium will provide reasonable cooperation and assistance to Customer as Customer may reasonably require to allow Customer to respond to, object to, or challenge any Data Inquiry and to comply with its obligations under Applicable Law, including in relation to data security, data breach notification, data protection impact assessments, prior consultation with supervisory authorities, the fulfillment of data subjects’ rights, and any enquiry, notice, or investigation by a supervisory authority.

8. Data Breach.

8.1. Notification.
In accordance with Applicable Law, Ignitium will notify Customer without undue delay and, where feasible, no more than 48 hours after becoming aware of an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed or controlled by Ignitium or its Subcontractors (including Subprocessors) (a “Data Breach”). Ignitium will also provide Customer with a description of the Data Breach, the type of data that was the subject of the Data Breach, and (to the extent known to Ignitium) the categories of data subjects affected, as soon as that information can be collected or otherwise becomes available. Ignitium will cooperate with any reasonable request made by Customer relating to the Data Breach.

8.2. Communication. Ignitium may not issue, publish, or make available to any third party any press release or other communication concerning a Data Breach without Customer’s prior approval.

EXHIBIT B
EU AND UK DATA PROTECTION REQUIREMENTS
Version: November 1, 2022

1. Scope, Order of Precedence and Parties

This Data Processing Addendum (“DPA”) applies to the Processing of Personal Data by Ignitium on Your behalf when providing Ignitium’s cloud and any related professional services (“Services”) and is entered into between Ignitium, LLC (“Ignitium”) and the customer-user entity identified below (“You”). The Services are described in the relevant Order Form entered between the Parties and are subject to the Master Services Agreement to which this DPA is an addendum signed between the Parties for the Services (collectively, the “Agreement”). In the event of a conflict between the terms of the Master Services Agreement and this DPA, the terms of this DPA shall control. In the event of a conflict between the terms of this DPA and the EU and UK Standard Contractual Clauses, the terms of the EU and UK Standard Contractual Clauses shall control.

2. Definitions

  • "Affiliate" means any subsidiary of Ignitium, LLC that may assist Ignitium in the Processing of Your Personal Data under this DPA.
  • "Aggregate" means information that relates to a group or category of individuals, from which identities have been removed such that the information is not linked or reasonably linkable to any individual subject to Applicable Data Protection Law.
  • "Applicable Data Protection Laws" means (i) the EU General Data Protection Regulation 2016/679 (“GDPR”) and laws or regulations implementing or supplementing the GDPR; and (ii) any other international, federal, state, provincial and local privacy or data protection laws, rules, regulations, directives, and governmental requirements currently in effect and as they become effective that apply to the Processing of Personal Data under this DPA, including but not limited to the UK Data Protection Act 2018 and GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 in the UK.
  • "Customer Content" means any data uploaded to Your account for storage or data in Your computing environment to which Ignitium is provided access in order to perform Services.
  • "Effective Date" of this DPA shall be the later date between the effective date of the Agreement and the date of Ignitium’s signature below.
  • "European Economic Zone" means the European Economic Area, Switzerland, and the United Kingdom for the purpose of this DPA.
  • "New EU Standard Contractual Clauses" or "New EU SCCs" mean the contractual clauses annexed to the EU Commission Decision 2021/914/EU or any successor clauses approved by the EU Commission.
  • "Original EU Standard Contractual Clauses" or "Original EU SCCs" mean the contractual clauses annexed to the EU Commission Decision 2010/87/EU.
  • "Personal Data" means any Customer Content Processed in connection with the performance of Services that can identify a unique individual, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of individuals or as such information may be otherwise defined under Applicable Data Protection Laws.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed in order to perform the Services that compromises the security of the Personal Data.
  • "Sub-Processor" means any third party engaged to assist with the Processing of Personal Data for the performance of Services under the Agreement.
  • "UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 in the UK.
  • "UK Standard Contractual Clauses" means International Data Transfer Addendum to the New EU Standard Contractual Clauses for international data transfers, issued under Section 119A of the Data Protection Act 2018 and following UK Parliamentary approval came into effect on March 21, 2022, in respect of transfers from the UK to countries which are not subject to an adequacy decision under the UK GDPR.
  • Terms used but not defined in this DPA (e.g., “Business Purpose, Consumer, Controller, Data Subject, Process/Processing, Processor”) shall have the same meaning as set forth in the Agreement or Applicable Data Protection Laws.

3. Roles as Data Controller and Data Processor

For purposes of this DPA, You are the Data Controller of the Personal Data Processed by Ignitium in its performance of the Services under the terms of the Agreement. You are responsible for complying with your obligations as a Controller under Applicable Data Protection Laws governing your provision of Personal Data to Ignitium for the performance of the Services, including without limitation obtaining any consents, providing any notices, or otherwise establishing the required legal basis. Unless specified in the Agreement, You will not provide Ignitium with access to any Personal Data that imposes specific data protection requirements greater than those agreed to in the Agreement and this DPA, and you will limit Ignitium’s access to Personal Data as necessary to perform the Services.Ignitium is the Data Processor and service provider with respect to such Personal Data, except when You act as a Processor of Personal Data, in which case Ignitium is a sub-Processor. Ignitium is responsible for complying with its obligations under Applicable Data Protection Laws that apply to its Processing of Personal Data under the Agreement and this DPA.

4. Ignitium’s Purpose of Processing

Ignitium and any persons acting under its authority under this DPA, including sub-Processors and Affiliates as described in Section 6, will Process Personal Data only for the purposes of performing the Services in accordance with your written instructions as specified in the Agreement, this DPA (including Annex I of the EU Standard Contractual Clauses attached hereto) and in accordance with Applicable Data Protection laws. Ignitium will not disclose Personal Data in response to a subpoena, judicial or administrative order, or other binding instrument (a “Demand”) unless required by law. Ignitium will promptly notify You of any Demand unless prohibited by law and provide You reasonable assistance to facilitate Your timely response to the Demand. Ignitium may also Aggregate Personal Data as part of the Services in order to provide, secure and enhance Ignitium products and Services. Additional details related to Ignitium’s Processing activities may be specified in the Agreement.

Ignitium may provide Personal Data to Affiliates in connection with any anticipated or actual merger, acquisition, sale, bankruptcy, or other reorganization of some or all of its business, subject to the obligation to protect Personal Data consistent with the terms of this DPA.

5. Data Subjects and Categories of Personal Data

You determine the Personal Data to which You provide Ignitium access to in order to perform the Services. This may involve the Processing of Personal Data of the following categories of Your Data Subjects:

  • Employees and applicants,
  • Customers and end-users,
  • Suppliers, agents, and contractors.

The Processing of Your Personal Data may also include the following categories of Personal Data:

  • Direct identifiers such as first name, last name, date of birth, and home address,
  • Communications data such as home telephone number, cell telephone number, email address, postal mail, and fax number,
  • Family and other personal circumstance information, such as age, date of birth, marital status, spouse or partner, number and names of children,
  • Employment information such as employer, work address, work email and phone, job title and function, salary, manager, employment ID, system usernames and passwords, performance information, CV data,
  • Other data such as financial, goods, or services purchased, device identifiers, online profiles and behavior, and IP address,
  • Other Personal Data to which You provide Ignitium access in connection with the provision of Products or Services.

6. Sub-Processing

Subject to the terms of this DPA, You authorize Ignitium to engage sub-Processors and Affiliates for the Processing of Personal Data. These sub-Processors and Affiliates are bound by written agreements that require them to provide at least the level of data protection required of Ignitium by the Agreement and this DPA. You may request Ignitium to perform an audit on a sub-Processor or to obtain an existing third-party audit report related to the sub-Processor’s operations to verify compliance with these requirements. You may also request copies of the data protection terms Ignitium has in place with any sub-Processor or Affiliate involved in providing the Services. Ignitium is responsible at all times for such sub-Processors’ and Affiliates’ compliance with the requirements of the Agreement, this DPA, and Applicable Data Protection Laws.

A list of sub-Processors and Affiliates, as well as a mechanism to obtain notice of any updates to the list, are available upon request by emailing security@ignitium.com or visiting https://www.ignitium.com/dpa. At least fourteen (14) calendar days before authorizing any new sub-Processor to access Personal Data, Ignitium will update the list of sub-Processors and Affiliates.

The current list of sub-Processors is below:

Name

Location

Processing Activities

Google

United States

Cloud Service Provider: analysis of people and accounts within Google Platform

Slack

United States

Collaboration: lead tracking and enrichment

Microsoft

United States

Cloud Service Provider: Email

Zapier

United States

SaaS: lead routing and process automation

Domo

United States

BI: account and people analytics & presentation

G-Connecter

United States

SFDC Integration: CRM dataexport & loading

Demandbase

United States

ABM Platform: account-based marketing, advertising, sales intelligence.

Folloze

United States

SaaS: Web personalization platform for hosting ungated experiences

Regie.ai

United States

United States

Celonis

United States

SaaS: process automation

Where Ignitium is a Processor (and not a sub-Processor), the following terms apply:

  • If, based on reasonable grounds related to the inability of such sub-Processor or Affiliate to protect Personal Data, You do not approve of a new sub-Processor or Affiliate, then You may terminate any subscription for the affected Service without penalty by providing, before the end of the notice period, written notice of termination that includes an explanation of the grounds for non-approval.
  • If the affected Service is part of a suite (or similar single purchase of Services), then any such termination will apply to the entire suite.
  • After such termination, You shall remain obligated to make all payments required under any purchase order or other contractual obligation with the ELA Reseller and/or Ignitium and shall not be entitled to any refund or return of payment from the ELA Reseller and/or Ignitium.

7. International Transfer of Personal Data

Ignitium may transfer Personal Data to the United States and/or to other third countries as necessary to perform the Services, and you appoint Ignitium to perform any such transfer to process Personal Data as necessary to provide the Services. Ignitium will follow the requirements of this DPA regardless of where such Personal Data is stored or Processed.Where the Processing involves the international transfer of Personal Data under Applicable Data Protection Laws in the European Economic Zone or UK to Ignitium, Affiliates, or sub-Processors in a jurisdiction (i) that has not been deemed by the European Commission or UK Information Commissioner’s Office (“ICO”) to provide an adequate level of data protection, and (ii) there is not another legitimate basis for the international transfer of such Personal Data, such transfers are subject to either the EU Standard Contractual Clauses, the UK Standard Contractual Clauses, or other valid transfer mechanisms available under Applicable Data Protection Laws. For international transfers subject to:

  • the Original EU SCCs for jurisdictions that have not adopted the New SCCs, the parties hereby incorporate by reference the Original EU SCCs in unmodified form. The content of Appendices I and II of the Original EU SCCs are set forth below as Annexes 1 and 2 to Schedule A.
  • the New EU SCCs attached hereto as Schedule A.
  • the UK SCCs attached hereto as Schedule B.

For such purposes, You will act as the Data Exporter on Your behalf and on behalf of any of Your entities, Ignitium will act as the Data Importer on its own behalf and/or on behalf of its Affiliates. For purposes of Clause 7 of the New EU SCCs, any acceding entity shall enforce its rights through You. For purposes of Clause 9 of the Original EU SCCs, Swiss law shall apply to transfers subject to the Swiss Federal Data Protection Act and United Kingdom law shall apply to transfer subject to the UK GDPR.Where the Processing involves the international transfer of Personal Data under other Applicable Data Protection Laws to Ignitium, Affiliates, or sub-Processors, such transfers are subject to the data protection terms specified in this DPA and Applicable Data Protection Laws.

8. Requests from Data Subjects

Ignitium will make available to You the Personal Data of Your Data Subjects and the ability to fulfill requests by Data Subjects to exercise one or more of their rights under Applicable Data Protection Laws in a manner consistent with Ignitium’s role as a Data Processor. Ignitium will provide reasonable assistance to assist with Your response.If Ignitium receives a request directly from Your Data Subject to exercise one or more of their rights under Applicable Data Protection Laws, Ignitium will direct the Data Subject to You unless prohibited by law.

9. Security

Ignitium shall implement and maintain appropriate technical and organizational practices designed to protect Personal Data against any misuse or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such security practices are set forth in Addendum II attached hereto. Ignitium seeks to continually strengthen and improve its security practices, and so reserves the right to modify the controls described herein. Any modifications will not diminish the level of security during the relevant term of Services.

Ignitium employees are bound by appropriate confidentiality agreements and required to take regular data protection training as well as comply with Ignitium corporate privacy and security policies and procedures.

10. Personal Data Breach

Ignitium shall notify You without undue delay after becoming aware of a Personal Data Breach involving Personal Data in Ignitium’s possession, custody, or control. Such notification shall at least: (i) describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Your Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) provide the name and contact details of the data protection officer or other contact where more information can be obtained; and (iii) describe the measures taken or proposed to be taken to address the Personal Data Breach including, where appropriate, measures to mitigate its possible adverse effects. You will coordinate with Ignitium on the content of any public statements or required notices to individuals and/or supervisory authorities.

11. Your Instructions and Providing Information & Assistance

You may provide additional instructions to Ignitium related to the Processing of Personal Data that are necessary for You and Ignitium to comply with our respective obligations under Applicable Data Protection Laws as a Data Controller and Data Processor (or Processor and sub-Processor, as applicable). Ignitium will comply with Your instructions at no additional charge, provided that in the event that Your instructions impose costs on Ignitium beyond those included in the scope of Services under the Agreement, the parties agree to negotiate in good faith to determine the additional costs.
Ignitium will promptly inform You if it believes that Your instructions are not consistent with Applicable Data Protection Laws, provided that Ignitium shall not be obligated to independently inspect or verify Your Processing of Personal Data.

Ignitium will provide You with information reasonably necessary to assist You in enabling Your compliance with Your obligations under Applicable Data Protection Laws, including without limitation Ignitium’s obligations under the EU General Data Protection Regulation to implement appropriate data security measures, carry out a data protection impact assessment and consult the competent supervisory authority (taking into account the nature of Processing and the information available to Ignitium), and as further specified in this DPA.

12. Return and Deletion of Personal Data

Ignitium will, at Your choice, upon termination or expiration of the Agreement, either return all Personal Data to You, or securely dispose of it in accordance with Ignitium’s data retention policies, except for Personal Data Ignitium is required by law to retain. Ignitium will confirm in writing to You when it has securely disposed of or returned Your Personal Data.

13. Liability

The aggregate liability of either party towards the other party under or in connection with this DPA, the Agreement, or their subject matter, shall be limited to the greater of (i) USD $10,000 or (ii) the amount paid or payable by You to Ignitium under the Agreement in the twelve months immediately preceding the event giving rise to the claim.

14. Notification of Changes

Ignitium may make changes to this DPA from time to time. Ignitium will provide notice to You of any material changes to this DPA by posting a notice on Ignitium’s website, by sending an email notification to You, or by other reasonable means. You can review the most current version of this DPA at any time by visiting https://www.ignitium.com/dpa.

15. Enforcement

To monitor compliance with the terms and conditions of this DPA, Ignitium reserves the right to cooperate fully with you or the data protection authorities, including the right to conduct a data protection audit in line with the respective Applicable Data Protection Laws. You agree to reasonably cooperate with Ignitium in such audit and provide any information necessary for Ignitium to meet its audit obligations under Applicable Data Protection Laws.

16. Miscellaneous

The terms of this DPA shall continue in effect until the Agreement is terminated in accordance with the terms of the Agreement.

17. Governing Law

The terms and conditions of this DPA and any non-contractual obligations arising out of or in connection with them are governed by and interpreted in accordance with the laws of the State of California, excluding its conflict of law provisions. Each Party consents to the jurisdiction of the courts of Santa Clara County, California for the purpose of any suit, action, or other proceeding arising out of this DPA or the subject matter here of.

18. Counterparts

This DPA may be executed in two or more counterparts, each of which will be considered an original, but all of which together will constitute one and the same instrument.

19. Annexes

Annexes to this DPA are included to provide additional information and will be part of this DPA. Ignitium and You shall comply with the terms of any Annexes included in this DPA.