Last updated February 23, 2026
Data Protection Addendum to the Master Agreement
This Data Protection Addendum ("DPA") forms part of the agreement with Lead Intelligence, Inc. dba InfutorData ("Infutor") that incorporates this DPA by reference ("Agreement"). The Agreement may be either the Master Agreement terms available at https://infutor.com/master-agreement or a signed agreement between the parties that references this addendum. References to "Licensee" in this DPA refer to the counterparty to the applicable Agreement.
1. DEFINITIONS
Capitalized terms used but not defined within this DPA will have the meaning set forth in the Agreement. The capitalized terms used in this DPA are defined as follows:
"CA PI" means Covered Processor Data to the extent such data is subject to the CCPA.
"CCPA" means the California Consumer Privacy Act of 2018 and its implementing regulations.
"Covered Controller Data" means Personal Data provided by or on behalf of Infutor to Licensee in connection with the Infutor Products, and that Licensee Processes as a Controller or as a Third Party (as applicable). Such Processing is further described in schedule 1.
"Covered Data" means Covered Controller Data and Covered Processor Data.
"Covered Processor Data" means Personal Data provided by or on behalf of Licensee to Infutor in connection with the Infutor Products, and that, except where Section 5.D applies, Infutor Processes as a Processor or as a Service Provider (as applicable). Such Processing is further described in schedule 1.
"Data Subject" means a natural person whose Personal Data is Processed.
"Deidentified Data" means data created using Covered Data where such created data cannot reasonably be directly or indirectly linked to any individual.
"Subprocessor" means an entity appointed by Infutor to Process Covered Processor Data on its behalf.
The terms "Controller", "Processor", "Business", "Service Provider", "Sale", "Share", and "Third Party" have the meanings given to them in the Data Protection Laws.
2. INTERACTION WITH THE AGREEMENT
This DPA is incorporated into the Agreement. In the case of a conflict between this DPA and the Agreement, this DPA controls to the extent of such conflict with respect to any Processing of Covered Data.
3. COMPLIANCE
With respect to its Processing of Covered Data, each party shall comply with its obligations under the Data Protection Laws and provide the same level of privacy protection as is required by the Data Protection Laws.
Each party may take reasonable and appropriate steps to:
- ensure that the other party uses Covered Data in a manner consistent with its obligations under Data Protection Laws; and
- upon reasonable advance notice to the other party, stop and remediate unauthorized use of Covered Data by that other party.
Each party shall promptly notify the other party if it determines it can no longer meet its obligations under Data Protection Laws.
4. PROCESSING OF COVERED CONTROLLER DATA
The Covered Controller Data is provided to, sold to, or shared with Licensee solely for the purposes set out in schedule 1.
5. PROCESSING OF COVERED PROCESSOR DATA
A) Processing Details
The details of the Processing of Covered Processor Data under the Agreement and this DPA are described in the Agreement and in schedule 1.
Infutor will Process Covered Processor Data on behalf of and under the instructions of Licensee and in accordance with Data Protection Laws. The Agreement, the applicable Order Form, and this DPA constitute Licensee’s instructions for the Processing of Covered Processor Data. Licensee may issue further written instructions in accordance with this DPA. Except per Licensee’s instructions, Infutor is prohibited from:
- Selling Covered Processor Data;
- Sharing Covered Processor Data;
- retaining, using, or disclosing Covered Processor Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by Data Protection Laws;
- retaining, using, or disclosing Covered Processor Data outside of the direct business relationship between the Parties; and
- except as otherwise permitted by Data Protection Laws or the Agreement, combining Covered Processor Data with Personal Data that Infutor receives from or on behalf of another person or persons or collects from its own interaction with the Data Subject.
B) Data Protection Assessments
Infutor shall provide Licensee with information to enable Licensee to conduct and document any data protection assessments required under Data Protection Laws and, upon Licensee’s reasonable request, provide information reasonably necessary to demonstrate Infutor’s compliance with its obligations under Data Protection Laws.
C) Deidentifying Data
Infutor may deidentify Covered Processor Data through a reasonably reliable anonymization procedure and use such anonymized data for its own business and commercial purposes, provided such data cannot reasonably be linked to the Covered Processor Data, directly or indirectly.
D) CCPA
With respect to the CCPA only, to the extent that Infutor cannot legally operate as a Service Provider (as such term is defined under the CCPA) when Processing CA PI, then, with respect to such Processing of CA PI by Infutor under this DPA:
- Infutor is deemed a Third Party (as such term is defined under the CCPA);
- the Parties acknowledge and agree that the CA PI is made available to, sold to, or shared with Infutor solely for the purposes set out in schedule 1;
- the restriction on combining Covered Processor Data under Section 5.A.(e) of this DPA does not apply;
- Infutor shall promptly notify Licensee if Infutor determines it can no longer meet its obligations under the CCPA;
- Infutor otherwise remains subject to all of Infutor’s obligations under this DPA with respect to CA PI; and
- the words "as a Processor" are hereby deleted from table 1 in Schedule 1.
6. ACCESS TO DATA
Infutor shall:
- limit access to Covered Processor Data to personnel who have a business need to access such Covered Processor Data; and
- ensure that such personnel are subject to obligations at least as protective of the Covered Processor Data as the terms of this DPA and the Agreement, including duties of confidentiality with respect to any Covered Data to which they have access.
7. CONFIDENTIALITY OF DATA
Infutor shall maintain the confidentiality of the Covered Processor Data and shall not disclose the Covered Processor Data to third parties unless Licensee specifically authorizes the disclosure, or otherwise as required by domestic law, court, or regulator. If a domestic law, court, or regulator requires Infutor to Process or disclose the Covered Processor Data to a third party, Infutor shall first inform Licensee of such legal or regulatory requirement and give Licensee an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
8. SUBPROCESSORS
Licensee grants Infutor general authorisation to engage Subprocessors to Process Covered Processor Data, subject to the conditions of this section.
Infutor shall:
- enter into a written agreement with each Subprocessor imposing data protection obligations that are no less protective of Covered Processor Data than Processor’s obligations under this DPA; and
- remain liable for each Subprocessor’s compliance with the obligations under this DPA.
If required by Data Protection Laws, Infutor will: a) provide an up-to-date list of the Subprocessors it has appointed upon written request from Licensee; and b) notify Licensee (email is sufficient) of any intended changes concerning the addition or replacement of Subprocessors. Licensee may object to such changes within 10 calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection (an "Objection"). In the event Licensee submits an Objection to Infutor, Licensee shall work together to find a mutually acceptable resolution to address such Objection. If Infutor and Licensee are unable to reach a mutually acceptable resolution within a reasonable timeframe, which shall not exceed 30 days, either party may, as its sole remedy, terminate the portion of the Agreement relating to the Infutor Products affected by such change by providing written notice to the other party. During any such Objection period, Infutor may suspend provision of the affected portion of the Infutor Products. Licensee acknowledges that the inability to use a Subprocessor may result in delay in or inability to provide the Infutor Products, or increased fees, and that Infutor will not be responsible or liable for such delay or inability.
9. DATA SUBJECT RIGHTS REQUESTS
A) Notification of Request
Each party will promptly notify the other if it receives a request from a Data Subject to assert their rights to the deletion, correction, or opt out of the Sale or Share of Covered Data.
Infutor will promptly notify Licensee of any valid request received by Infutor or any Subprocessor from a Data Subject to assert their rights in relation to Covered Processor Data under Data Protection Laws (a "Data Subject Request"). Licensee will have sole discretion in responding to the Data Subject Request in connection with such Covered Processor Data, and Infutor shall not respond to the Data Subject Request, except that Infutor may advise the Data Subject that their request has been forwarded to Licensee or otherwise respond to a Data Subject to the extent required to confirm that such Data Subject Request relates to Licensee.
B) Assistance
Infutor will provide Licensee with reasonable assistance as necessary for Licensee to fulfil its obligation under Data Protection Laws to respond to Data Subject Requests.
10. AUDIT AND DOCUMENTATION
A) Audit
Licensee may audit Infutor’s compliance with this DPA in connection with the Processing of Covered Processor Data no more than once per year. The Parties agree that all such audits will be conducted: a) upon reasonable written notice to Infutor; b) only during Infutor’s normal business hours; and c) solely at Licensee’s cost.
Licensee may engage a third-party auditor, provided that such auditor is suitably qualified and independent and enters into an appropriate confidentiality agreement with Infutor. Such auditor must comply with the requirements of this section.
Licensee will promptly notify Infutor of any non-compliance discovered during an audit.
B) Documentation
Upon request, Infutor will provide to Licensee documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards. Infutor may, in its discretion, provide data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing Licensee. If the requested audit scope is addressed in such a certification produced by a qualified third-party auditor within 12 months of Licensee’s audit request and Infutor confirms there are no known material changes in the controls audited, Licensee agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
11. TERM
This DPA shall survive so long as and to the extent that either Party Processes Covered Data.
12. DELETION
Infutor shall delete all Covered Processor Data no more than 90 days after termination of the Agreement, unless required to retain the data under Data Protection Laws or by order of a court or other governmental authority or as otherwise allowed under the Agreement. Infutor shall make reasonable efforts to ensure the deletion of Covered Processor Data by Subprocessors. Infutor may retain Covered Processor Data that is contained in automated backups and service logs if such data is not usable by Infutor in the normal course of business.
13. DEIDENTIFIED DATA
If Infutor receives Deidentified Data from or on behalf of Licensee, Infutor shall:
- take reasonable measures to ensure the information cannot be associated with a Data Subject.
- Process the Deidentified Data solely in deidentified form and not attempt to reidentify the information.
- contractually obligate any Subprocessors of the Deidentified Data to comply with the foregoing requirements and Data Protection Laws.
14. GENERAL
The Parties hereby certify that they understand the requirements in this DPA and will comply with them. The Parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in Data Protection Laws.
SCHEDULE 1
Details of Processing
- Table 1: Processing that Infutor undertakes as a Processor
| Categories of Data Subjects | Licensee’s customers, prospective customers, research subjects |
| Categories of Personal Data | Licensee Data, including, but not limited to: name; contact information (e.g., phone number and email address); and any other Personal Data provided by or on behalf of Licensee, or included in forms or documentation provided to Infutor as part of the provision of the services to Licensee. |
| Special categories of Personal Data | None |
| Nature and Purposes of the Processing | Providing the Services, as outlined in the Agreement. |
| Duration | Until termination of the applicable Services or until earlier deletion is requested by Licensee. |
- Table 2: Processing that Licensee undertakes as a Controller
| Categories of Data Subjects | US Consumers |
| Categories of Personal Data | Infutor Data based on the type of Infutor service, including, but not limited to, Contact Information (e.g., name, address, phone); Particular Interests (e.g., home improvement, music, online shopping, health and beauty, sports, travel, or political leanings, and the organizations to which data subjects belong or have belonged, or to which you have contributed), Demographic Information (e.g., age, gender, level of education, or likely income range), Inferences (e.g., conclusions or interpretations made about an individual, often drawn from different sources). |
| Special categories of Personal Data | None |
| Nature and Purposes of the Processing | As part of the products and services contemplated under the Agreement. |