TechInsights Data Processing Agreement

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership of or authority to direct more than 50% of the voting interests of the subject entity.

“Applicable Privacy and Data Protection Laws” means all applicable privacy and data protection laws and regulations, including laws and binding regulations that apply to the Processing of Personal Data under the Agreement, or to the privacy of electronic communications, including but not limited to, to the extent applicable, (i) Personal Information Protection and Electronic Document Act (PIPEDA) and other Canadian Provincial Privacy Laws (ii) the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the EU e-Privacy Directive (Directive 2002/58/EC), (iii) in respect of the United Kingdom the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"), (iv) the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199.95), the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 7000 to 7102), and any related regulations or guidance provided by the California Attorney General (“CCPA” or “CPRA”), and (v) the state laws of Colorado, Virginia, Utah, Connecticut and any other U.S. states that are applicable to the Processing of Personal Data, and any legislation or regulations implementing, replacing, amending or made pursuant to such laws (in each case as may be amended or superseded from time to time).

“Controller” shall have the meanings given to them under Applicable Privacy and Data Protection Laws.

“Controller Affiliate” means any of Customer's Affiliate(s) (i) that are subject to Applicable Privacy and Data Protection Laws and (ii) permitted to use TechInsghts’ products and/or services pursuant to the Agreement between Customer and TechInsights.

“Customer Data” means (unless otherwise defined in the Agreement in which case the definition in the Agreement shall apply), all data and information provided by Customer, its Affiliates and its customers to TechInsights in relation to TechInsights’ provision of the products and/or services including without limitation message text, files, comments, links and profile information. “Customer Data” does not include non-TechInsights products and/or services.

“Customer Unidentifiable Data” means any information or Customer Data that cannot be used to identify or is attributable to any individual including but not limited to de-identified or anonymized data or aggregated data. It also includes Personal Data that has been modified using appropriate de-identification processes, so that the identity of the individual cannot be determined by a reasonably foreseeable method.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

"EEA" means the European Economic Area.

“Personal Data” means any information that relates to an identified or identifiable natural person or to an identified or identifiable legal entity, to the extent that such information is protected as personal data, personal information and/or personally identifiable information under Applicable Privacy and Data Protection Laws and such data submitted is Customer Data. “Personal Data” as used herein only applies to Personal Data for which TechInsights is a Processor.

“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” shall have the meanings given to them under Applicable Privacy and Data Protection Laws.

“TechInsights Inc.” means TechInsights, Inc., with its headquarters at Ottawa, Canada.

“TechInsights” means, collectively, TechInsights Inc. and its Affiliates engaged in the Processing of Personal Data.

“Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data originating from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data originating from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the United Kingdom Data Protection Act 2018; (iii) where Applicable Privacy and Data Protection Laws restrict transfer of Personal Data to any applicable jurisdiction not compliant with the requirements of such laws for cross-border transfer

“Security Practices” means TechInsights’ “Security Practices Datasheet”, as updated from time to time, and currently accessible at Exhibit 2.

“Standard Contractual Clauses” or “SCCs” (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council, (the "EU SCCs") and which are hereby incorporated into this DPA; (ii) where the UK GDPR applies, the International Transfer Addendum or Addendum to the EU SCCs for international data transfers issued under Section 119A of the Data Protection Act 2018 and approved by UK Parliament on 21 March 2022 (“International Data Transfer Addendum") and which is hereby incorporated into this DPA; in each case as completed as described in Section 11 below. For the purposes of the EU SCCs and the International Transfer Addendum, if applicable, (a) Customer shall be the 'data exporter and TechInsights the 'data importer.’

“Sub-processor” means any entity engaged by TechInsights and/or its Affiliates or as defined under Applicable Privacy and Data Protection Laws to Process Personal Data in connection with TechInsights products and/or services.

“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR for the EU; the Information Commissioner’s Office (‘ICO’) in the United Kingdom; and the Office of the Privacy Commissioner of Canada

2.1. Roles of the Parties

The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and TechInsights is the Processor. TechInsights may engage Sub-processors pursuant to the requirements set forth in Article 4 “Sub-processors” below to Process such Personal Data

2.2. Customer’s Processing of Personal Data.

Customer shall have sole responsibility for the accuracy and quality of Personal Data, the means by which Customer acquired such Personal Data, ensuring that it has secured all necessary rights to enable TechInsights to Process such Personal Data, shall ensure that a privacy notice is provided to Data Subjects and any Data Subject’s consent is obtained to the extent required under Applicable Privacy and Data Protection Laws, and shall otherwise ensure compliance with laws as it relates to the foregoing. Customer acknowledges that it is responsible for properly implementing access and use controls and configuring certain features and functionalities that Customer may elect to use and that it will do so in such manner that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Personal Data. TechInsights will be entitled to rely solely on Customer’s instructions relating to Personal Data Processed by TechInsights.

2.3. TechInsights’ Processing of Personal Data.

With respect to Personal Data Processed by TechInsights as Customer’s Processor, TechInsights shall only Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and Terms & Conditions; (ii) Processing initiated by authorized users in their use of TechInsights’ products and/or services; and (iii) Processing to comply with other reasonable instructions provided by Customer in writing (e.g., via email or support tickets) that are consistent with the terms of the Agreement (individually and collectively, the “Purpose”). TechInsights shall not disclose Personal Data to third parties except: (i) to employees, Sub-processors or advisers who have a need to know the Personal Data and are under confidentiality obligations at least as restrictive as those described under this DPA, or (ii) as required to comply with valid legal process in accordance with the terms of the Agreement. If TechInsights has reason to believe Customer’s instructions infringe the GDPR, UK GDPR, other EEA data protection provisions, PIPEDA and other Canadian Provincial data privacy laws, the CCPA/CPRA or other applicable US state or federal laws, then TechInsights will promptly notify Customer. Customer acknowledges and agrees that TechInsights collects cumulative, anonymized data and analytics pertaining to its customers including without limitation Customer Unidentifiable Data, and, provided that such unidentifiable Data Subject is and will remain unidentifiable, the data is not governed under this DPA and not subject to the deletion requirement set forth in Paragraph 7 (“Return and Deletion of Client Data”) herein.

2.4. Details of the Processing.

TechInsights agrees that it will Process the Personal Data in relation to the Purpose and the provision of TechInsights’ products and/or services. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Exhibit 3 attached hereto and incorporated herein.

3.1. TechInsights shall, to the extent legally permitted, promptly notify Customer if TechInsights receives any requests from a Data Subject to exercise the following Data Subject rights: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). Taking into account the nature of the Processing, TechInsights shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Applicable Privacy and Data Protection Laws. In addition, to the extent Customer, in its use of TechInsights’ products and/or services, does not have the ability to address a Data Subject Request, TechInsights shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent TechInsights is legally permitted to do so and the response to such Data Subject Request is required under Applicable Privacy and Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from TechInsights’ provision of such assistance, including without limitation any fees associated with provision of additional functionality.

4.1. Appointment of Sub-processors.

Customer acknowledges and agrees that (a) TechInsights’ Affiliates may be retained as Sub-processors; and (b) TechInsights and TechInsights’ Affiliates respectively may engage third-party Sub-processors in connection with the provision of the products and/or services. As a condition to permitting a third-party Sub-processor to Process Personal Data, TechInsights or a TechInsights Affiliate will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor. Customer agrees to enter into the SCCs and acknowledges that Sub-processors may be appointed by TechInsights in accordance with Clause 9 of the SCCs incorporated herein.

4.2. List of Current Sub-processors and Notification of New Sub-processors.

The then-current list of Sub-processors TechInsights uses to provide the products and/or services, including the identities of those Sub-processors and their country of location, will be made available to the Customer by TechInsights (“Sub-processor List”) which may be updated by TechInsights from time to time, but not less than annually when applicable, upon advance written notice to Customer. Customer hereby consents to each Sub-processor in the Sub-processor List including the cross-border transfer of Personal Data to and by each Sub-processor.

4.3. Objection Right for New Sub-processors.

TechInsights may change the list of such other Sub-processors by no less than 30 days’ advance notice to Customer (e.g., via email). Customer may reasonably object to TechInsights’ use of a new and/or changed Sub-processor(s) on reasonable data protection grounds by notifying TechInsights promptly in writing within 30 business days after receiving notification of the change (the “30 Notification Window”). Such notice shall explain the grounds for the objection. In the event Customer objects to a new Sub-processor within the 30 Notification Window, TechInsights will use commercially reasonable efforts to make available to Customer a change in TechInsights’ products and/or services or recommend a commercially reasonable change to Customer’s configuration or use of TechInsights’ products and/or services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If TechInsights is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days from the date TechInsights receives written notice from Customer, either party may terminate without penalty the applicable Order Form(s) with respect only to those TechInsights’ products and/or services which cannot be provided by TechInsights without the use of the objected-to new Sub-processor by providing written notice to the other party advising of such termination. TechInsights will refund to Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated TechInsights products and/or services, without imposing a penalty for such termination on Customer. If Customer fails to object within the 30 Notification Window, Customer shall be deemed to have accepted the change in Sub-processor(s).

4.4. Liability.

TechInsights shall be liable for the acts and omissions of its Sub-processors to the same extent TechInsights would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

5.1. Controls for the Protection of Customer Data.

TechInsights shall maintain appropriate technical and organizational measures for protection of the security, confidentiality and integrity of Customer Data, as set forth in the Security Practices.

TechInsights shall maintain commercially reasonable security incident management policies and procedures specified in the Security Practices. TechInsights shall notify Customer without undue delay of any breach relating to Personal Data (within the meaning of Applicable Privacy and Data Protection Laws) of which TechInsights becomes aware and which may require a notification to be made to a Supervisory Authority or Data Subject under Applicable Privacy and Data Protection Laws or which TechInsights is required to notify to Customer under Applicable Privacy and Data Protection Laws (a “Customer Data Incident”). Taking into account the nature of Processing and the information available to TechInsights and in accordance with the Agreement, TechInsights shall provide commercially reasonable cooperation and assistance in identifying the cause of such Customer Data Incident and take commercially reasonable steps to remediate the cause to the extent the remediation is within TechInsights’ control. The obligations herein shall not apply to incidents that are caused by Customer, Customer’s authorized users and/or any non-TechInsights products and/or services.

Upon termination of the Agreement and/or Order Form pursuant to which TechInsights is Processing Personal Data, TechInsights shall, upon Customer’s request, and subject to the limitations described in the Agreement and the Security Practices, return all Customer Data and copies of such data to Customer or securely destroy them and reasonably demonstrate to the Customer in writing that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of Customer Data. TechInsights agrees to preserve the confidentiality of any retained Customer Data for the duration of the Agreement only and will only actively Process such Customer Data after such date if agreed to by the parties or to otherwise comply with applicable laws. This Section 7 shall only apply to Customer Data and shall not apply to Customer Unidentifiable Data, as defined herein.

8.1. Contractual Relationship.

The parties acknowledge and agree that, by executing the Agreement and/or Order Form and this DPA, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Controller Affiliates, thereby establishing a separate DPA between TechInsights and each such Controller Affiliate subject to the provisions of the Agreement. Each Controller Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement.

8.2. Communication.

The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with TechInsights under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Controller Affiliates.

8.3. Rights of Controller Affiliates.

If a Controller Affiliate becomes a party to the DPA with TechInsights, it shall, to the extent required under Applicable Privacy and Data Protection Laws, also be entitled to exercise the rights and seek remedies under this DPA, subject to the following:

• 8.3.1. Except where Applicable Privacy and Data Protection Laws require the Controller Affiliate to exercise a right or seek any remedy under this DPA against TechInsights directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Controller Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Controller Affiliate individually but in a combined manner for all of its Controller Affiliates together (as set forth, for example, in Section 8.3.2, below).
• 8.3.2. The parties agree that the Customer that is the contracting party to the Agreement shall, if carrying out an audit of the TechInsights procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on TechInsights by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Controller Affiliates in one single audit.

9.1. Confidentiality.

TechInsights shall use commercially reasonable efforts to ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. TechInsights shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

9.2. Reliability.

TechInsights shall take commercially reasonable steps to ensure the reliability of any TechInsights personnel engaged in the Processing of Personal Data.

9.3. Limitation of Access.

TechInsights shall ensure that TechInsights’ access to Personal Data is limited to those personnel performing services in accordance with the Agreement.

9.4. Data Protection Officer/Responsible Party.

TechInsights has a data protection officer or individual responsible for its data protection in Canada, the United States, EU and UK that are collectively reached at dpo@techinsights.com; or privacy@TechInsights.com.

Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Controller Affiliates and TechInsights, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.

For the avoidance of doubt, the total liability of TechInsights (and its Affiliates, if any) for all claims from the Customer and all of its Controller Affiliates arising out of and/or related to the Agreement and each DPA shall apply in the aggregate for all claims under the Agreement and all DPAs established under the Agreement, including by Customer and all Controller Affiliates. It is specifically understood that liability shall not apply individually and severally to Customer and to Controller Affiliates.

11.1. Data Protection Impact Assessment.

Upon Customer’s request, TechInsights shall provide Customer with reasonable cooperation and assistance (at Customer’s expense) needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of TechInsights’ products and/or services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to TechInsights. TechInsights shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority, to the extent required under the GDPR.

11.2. Transfer Mechanisms.

11.2.1. TechInsights shall (and shall procure that any Sub-processor shall) not Process or transfer (directly or via onward transfer) any Customer Data in or to a territory other than the territory in which the Customer Data was first collected (nor permit the Customer Data to be so Processed or transferred) unless: (i) iit has first obtained Customer's prior written consent by the execution of the Agreement and this DPA and (ii) it takes all such organizational and technical measures as are necessary to ensure such Processing or transfer is in compliance with Applicable Privacy and Data Protection Laws (including such measures as may be communicated by Customer to TechInsights). Without prejudice to the foregoing, the Parties agree that when a transfer of Customer Data by Customer (as data exporter) to TechInsights (as data importer) under this DPA is a Restricted Transfer, TechInsights shall be bound by the SCCs, which shall be deemed incorporated into this DPA as follows:

• 11.2.1.1. In relation to transfers of Personal Data protected by the GDPR, the EU SCCs will apply completed as follows:
  • 11.2.1.1.1. Where Customer is a controller of the Personal Data, Module Two (controller to processor transfers) shall apply;
  • 11.2.1.1.2. In Clause 7, the optional docking clause will apply;
  • 11.2.1.1.3. In Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes shall be as set out in Section 4 of this Agreement;
  • 11.2.1.1.4. In Clause 11, the optional language will not apply;
  • 11.2.1.1.5. In Clause 17, Option 1 will apply, and the EU SCCs will be governed by English law;
  • 11.2.1.1.6. In Clause 18(b), disputes shall be resolved before the courts of England; and
  • 11.2.1.1.7. Annex I and II of the EU SCCs shall be deemed completed with the information set out in Exhibits 2-4 of this DPA;

• 11.2.1.2. In relation to transfers of Personal Data protected by the UK GDPR, the EU SCCs will also apply to such transfers in accordance with Section 11.2.1.1 above, with the following modifications:
  • 11.2.1.2.1. any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the UK GDPR; references to specific Articles of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK GDPR;
  • 11.2.1.2.2. references to "EU", "Union" and "Member State law" are all replaced with "UK"; Clause 13(a) and Part C of Annex I of the EU SCCs are not used; references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Information Commissioner and the courts of England and Wales;
  • 11.2.1.2.3. Clause 17 of the EU SCCs is replaced to state that "The Clauses are governed by the laws of England and Wales" and Clause 18 of the EU SCCs is replaced to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts;"
  • 11.2.1.2.4. The International Transfer Addendum is set forth at Exhibit 4 to this DPA, if applicable, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the UK GDPR, in which event the UK SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK SCCs shall be populated using the information contained in Exhibits 2 -4 of this DPA (as applicable).

This DPA shall only become legally binding between Customer and TechInsights (and TechInsights, Inc., if different) when executed by both parties. If Customer has previously executed a data processing addendum with TechInsights concerning the subject matter hereof, the parties acknowledge and agree that this DPA supersedes and replaces such prior data processing addendum. For purposes of clarification, this DPA becomes legally binding on the date the last party below executes the DPA.

This DPA and any dispute or claim arising out of and/or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the legal system of Canada.

The parties agree that this DPA and, if applicable, the Standard Contractual Clauses, shall terminate automatically upon (i) termination of the Agreement; or (ii) if applicable, the expiration or termination of all Order Forms or similar contract documents entered into by TechInsights with Customer pursuant to the Agreement, whichever is later. Any obligation imposed on either party under this DPA in relation to the Processing of Personal Data that would reasonably be interpreted to survive any termination or expiration of this DPA, shall survive. Customer may notify TechInsights in writing from time to time of any variations to this DPA which are required as a result of a change in Applicable Privacy and Data Protection Laws. Any such required variations shall take effect on the date falling 45 (forty-five) calendar days after the date such written notice is received and TechInsights shall procure that, where necessary, the terms in each contract between TechInsights or any TechInsights Affiliate and each Sub-processor are amended to incorporate such variations within the same time period. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.