Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between Lead Forensics (herein the “Data Processor”) and Customer (herein the “Data Controller”) for the purchase of services from Lead Forensics (the “Agreement”). Lead Forensics and Customer are hereinafter jointly referred to as the “Parties”.

It is entered into in accordance with Applicable Data Protection Laws (as defined below, “DP Laws”). While providing Services to the Customer under the Agreement, Lead Forensics may process Personal Data on behalf of the Customer.

In the event of a contradiction between this DPA and the provisions of related Agreements between the Parties, when this DPA is agreed upon or entered into thereafter, this DPA shall prevail.

The parties agree to comply with the provisions of this DPA regarding Personal Data processed under the Agreement. By signing the Agreement, the Customer enters the terms of this DPA on behalf of itself and its affiliates if and to the extent Lead Forensics processes Personal Data for such affiliates.

1. Introduction

1.1 This DPA sets out the provisions concerning Personal Data and the Service that will apply between the parties. Lead Forensics shall always be a Data Processor, and the Customer shall be a Data Controller.

2. Definitions

2.1 The terms in this DPA shall have the following meanings:

a. “Agreement” refers to the contract between the parties in relation to the Service.

b. “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “Processing” shall each have the meanings ascribed to them under the DP laws.

c. “Customer Personal Data” shall mean the applicable personal data processed as part of the Services.

d. “Data Protection Supervisory Authority” means the relevant supervisory authorities with responsibilities for data protection and/or privacy in the applicable jurisdiction in which the Services will be deployed.

e. “DP Laws” means the Applicable Data Protection Laws, to the extent applicable to the activities or obligations of the parties under or pursuant to this Agreement, which shall include the EU GDPR, the UK GDPR, and the Data Protection Act 2018.

f. “EEA” means all member states of the European Union, Iceland, Liechtenstein, Norway, and for the purposes of this DPA, Switzerland.

g. “EU GDPR” means the European Union General Data Protection Regulation 2016/679, and “UK GDPR” has the meaning defined in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

h. “Information System” or “IS” means the material, immaterial and software means and resources, as well as any logical and/or physical infrastructure, for the collection, storage, processing, or distribution of information, including any platform, server, network, software, application, database, or API.

i. “Services” has the meaning defined in the Agreement.

j. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 as adapted for the UK or such alternative as may be approved by the European Commission or by the UK from time to time.

k. “State of the art” means best practices and technologies relating to the security of IS and the information derived from them, in particular the ISO 27001 standard.

l. “Sub-Processors” means approved sub-processors appointed by Lead Forensics to process Personal Data as part of the Services, which shall be deemed to include http://leadforensics-23462658.hs-sites.com/sub-processors

m. “Transfer Risk Impact Assessment” or “TRIA” means an assessment to consider whether the Article 46 transfer mechanism will provide appropriate safeguards, and effective and enforceable rights for people.

n. “UK Addendum” means the ICO’s addendum to the Standard Contractual Clauses issued in accordance with section 119A of the Data Protection Act 2018.

3. Instruction to Process

3.1 Lead Forensics will only use Personal Data in accordance with the Customer’s instructions (which may be specific or general) to perform the Services in accordance with the Agreement, except to the extent Lead Forensics is required by DP Laws to process or share that Personal Data. In this case, Lead Forensics shall inform the Customer of that requirement unless the law prohibits this.

3.2 Notwithstanding any other provision in this DPA, Lead Forensics may process Personal Data and Customer Data for analysis as part of the Service, including creating, compiling, and producing aggregated data sets and/or statistics to assist Customers’ reporting, provided that such aggregated datasets and statistics will not enable any living individual to be identified.

3.3 If the Customer is based in a country that does not have an adequacy decision with the US and is contracting with Lead Forensics, Inc., an international safeguard mechanism will be required for the transfer of personal data. The Customer will need to contact [email protected].

4. Personal Data

4.1 The processing particulars are set out in Appendix A of this DPA.

4.2 The duration of the Personal Data processing shall be subject to clauses 12.3 and 12.5.

5. Records of Processing

5.1 In accordance with DP Laws, Lead Forensics shall maintain a record of processing activities undertaken on behalf of the Customer regarding the Personal Data processed. The Records shall contain:

5.1.1 The name and contact information of each Sub-Processor.

5.1.2 The categories of processing of Customer Personal Data carried out on behalf of the Customer.

5.1.3 Details of any transfers of Customer Personal Data to any country or territory outside the UK/EEA, including suitable safeguards in accordance with DP Laws.

6. International Transfers

6.1 Lead Forensics shall not transfer Personal Data to countries outside the European Economic Area (EEA) without notifying the Data Controller. If Personal Data processed under this Agreement is transferred onward to a sub-processor outside the EEA, Lead Forensics shall ensure that the Personal Data is adequately protected. The parties recognise the Standard Contractual Clauses of the European Union and the UK/Swiss Addendum, or equivalent as deemed by DP Laws, shall be implemented.

7. Security of Processing

7.1 Technical and Organisational Measures;

7.1.1 Lead Forensics shall implement and maintain technical and organisational measures in the context of processing Personal Data to ensure a level of security appropriate to the risk. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to the data (Personal Data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.

7.1.2 The Customer shall review the Technical and Organisational Measures (Appendix B). The Technical and Organisational Measures provided are subject to review and further development. The supplier may implement a revised version without reducing the security level. It shall provide the Customer with an updated copy as soon as reasonably practicable.

7.2 Access and Confidentiality;

7.2.1 Lead Forensics shall ensure that the personnel with access to Customer data for the performance of the Service are limited, and that such personnel are subject to relevant contractual terms of confidentiality.

7.3 Personal Data Breach;

7.3.1 Lead Forensics shall notify the Customer without undue delay and, in any event, within 48 hours upon becoming aware of a Personal Data Breach impacting the Customer’s Personal Data.

7.3.2 Lead Forensics shall assist the Customer in notifying the Personal Data Breach to the competent supervisory authority/ies unless DP laws do not require such notification.

8. Sub-Processors

8.1 Lead Forensics may continue to use any sub-processors already engaged by Lead Forensics as part of the Services prior to the effective date of this DPA, which shall be deemed to include http://leadforensics-23462658.hs-sites.com/sub-processors

8.2 Personal Data may be fulfilled by an approved sub-processor outside the UK and European Economic Area that is not subject to a competent binding adequacy decision. For any such sub-processing, Lead Forensics shall (i) participate in a valid data transfer mechanism under the DP Law and (ii) take such steps as are required by the DP Laws (which may include the implementation of the IDTA, the Standard Contractual Clauses together with, to the extent the UK GDPR applies to the relevant transfer, the UK Addendum, or any successor standard contractual clauses adopted by the ICO) to ensure that the level of protection afforded to the Personal Data is equivalent to the level of protection required by the DP Laws of the UK and/or European Union (as applicable) and the transfer is otherwise compliant with the DP Laws.

8.3 Lead Forensics shall publish the details of any new or alternative sub-processor, which shall be deemed notice to the Customer. If, within 30 working days of the date of such notice:

8.3.1 The Customer notifies Lead Forensics in writing of any reasonable objections to the appointment or change of such sub-processor, the parties will work in good faith to address the concerns. If the Customer objects, Lead Forensics will consider remedial steps within a reasonable timeframe, which may include no longer using the sub-processor or restricting its use for the Customer’s Personal Data.

8.4 In the absence of such objection, the update shall be considered approved.

8.5 When Lead Forensics engages a sub-processor to process personal data, Lead Forensics will:

8.5.1 Remain liable to the Customer for the performance of the sub-processor in accordance with this DPA.

8.5.2 Have a contract with the sub-processor that offers substantially the same level of protection for Personal Data as those set out in this DPA.

9. Assistance to the Customer

9.1 Lead Forensics shall inform the Customer if, in its opinion, the Customer’s instructions could infringe DP laws.

9.2 Insofar as the Customer is subject to an inspection by a competent supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a data subject or by a third party or any other claim in connection with the personal data processed by the Supplier, the Supplier shall make every reasonable effort to support the Customer.

9.3 Data Subject Rights;

9.3.1 Lead Forensics will promptly notify the Customer of any request it has received from a data subject. Lead Forensics will not respond to the request itself unless authorised to do so.

9.4 Lead Forensics shall assist the Customer in fulfilling its obligations to respond to the data subject’s requests to exercise their rights, taking into account the nature of the processing.

9.5 Data Protection Impact Assessment;

9.5.1 Lead Forensics will provide reasonable assistance to the Customer concerning any data protection impact assessments required under Articles 35 or 36 of EU/UK GDPR or equivalent DP Laws, taking into account the nature of the data processing.

9.6 Audit Rights;

9.6.1 Lead Forensics shall allow the Customer to audit compliance with its obligations under this DPA upon giving reasonable written notice. The Customer shall bear the costs of such an audit. If the Customer mandates a third party to conduct the audit on its behalf, the third-party auditor shall agree to comply with a Non-Disclosure Agreement issued by Lead Forensics.

9.6.2 An audit may only be carried out concerning the Customer’s Personal Data processed by Lead Forensics as defined in Appendix A and as relevant to the Customer’s processing activities.

10. General Obligations on the Customer

10.1 The Customer agrees to comply with DP Laws concerning its obligations as a Data Controller of the Personal Data.

10.1.1 The Customer shall be responsible for ensuring that any notification is provided to Data Subjects, that any required consent is obtained, and that there is a lawful basis, in accordance with DP laws, for the Personal Data that Lead Forensics is instructed to process.

11. Lawful Jurisdiction

11.1 The lawful jurisdiction specified in the commercial Agreement for the provision of Services shall govern this DPA.

11.2 A Data Subject may bring legal proceedings against Lead Forensics or the Customer before the courts of the Member State in which they have their habitual residence.

11.3 Lead Forensics and the Customer are compelled to the jurisdiction of such courts.

12. Commencement and Termination

12.1 This DPA shall become effective in alignment with the Customer Agreement and in accordance with updates https://www.leadforensics.com/dpa-update-notification/.

12.2 Personal Data, as defined by Appendix A, is deleted from the Services as described in the Agreement within thirty (30) days of confirmation that the contract has been terminated.

12.3 Lead Forensics retains backup data via Sub-Processors, as described in 6, for 2 (two) years unless the Customer submits a written request or DP Laws require storage of the Personal Data.

12.4 The Customer shall retrieve (via self-serve options via the Service) all required data within thirty (30) days of confirmation that the contract has been terminated.

12.5 This DPA shall be considered terminated when the Customer’s Personal Data has been deleted per Lead Forensics’ retention policy or upon the Customer’s written request (whichever is first).

APPENDIX A (Personal Data)

| Category | Data | Data Subjects | Comments |
|---|---|---|---|
| Online Identifier | IP Address, to the extent that it is considered personal data | Website Visitors | See IP Processing Policy |
| B2B Contact Data | First name, surname, job title, LinkedIn URL | Employees of a matched business. For example, prospects, customers, and leads (as defined by Customer). | Applies to ‘search’ and ‘add’ functionality, instructing an API call to an approved third-party contact data provider (see Sub-Processors). |
| Contact Data | For example, first name, surname, job title, LinkedIn URL (as provided by Customer) | As defined by the Customer. | This may apply to uploaded data and PURLs (purpose defined by the Customer). |
| Contact Data | First name, surname, email | Customer employee | Login credentials |

APPENDIX B (Technical and Organisational Measures)

The Technical and Organisational Measures are available at https://www.leadforensics.com/technical-and-organisational-measures-toms/

V6 Last modified December 2024