DATA PROCESSING ADDENDUM

This data processing addendum (“DPA”) is incorporated into the Agreement and is entered into as of the date of the Agreement. To the extent this DPA conflicts with any other agreement, including the terms of the Service Agreement, this DPA shall prevail.

1. DEFINITIONS

1.1 Definitions. Capitalized terms used but not defined in this DPA shall have the meanings set forth in the Agreement. For the purpose of this DPA, the following terms have the following definitions:

a. “Agreement” means the Master Services Agreement entered into between the parties for purchase of ThinkLP’s Services.
b. “Controller”, “Processor”, “Service Provider” and “processing” shall have the meanings given to them in the Applicable Data Protection Laws.
c. “Data Subject” means a natural person that can be identified, directly or indirectly, or as otherwise defined by Applicable Data Protection Laws.
d. “Personal Data” means any information relating to an identified or identifiable living individual or as otherwise defined by the Applicable Data Protection Laws which is processed by ThinkLP on behalf of the Customer in accordance with this DPA for the provision of the Services.
e. “Applicable Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data and privacy that may exist in the relevant jurisdictions, including, where applicable, the EU Data Protection Laws and the Non-EU Data Protection Laws.
f. “EU Data Protection Law” means all data protection laws and regulations applicable to Europe, including, without limitation and to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the UK GDPR from December 31st, 2020 and the United Kingdom Data Protection Act of 2018 (together “UK Law”) and the Swiss Federal Act on Data.
g. “Non-EU Data Protection Laws” means the US States Data Laws (as defined herein) and Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”).
h. “Security Incident” means a breach of security leading to the unauthorized disclosure of, or access to, destruction, loss, or alteration of the Personal Data transmitted, stored, or otherwise Processed as defined by Applicable Data Protection Laws.
i. “SCCs” means the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
j. “Sub-processor” means any third party that ThinkLP engages to Process Personal Data on behalf of ThinkLP to provide the Services.

2. SERVICES

2.1 Provision of Services. In the course of providing Services to Customer pursuant to the Agreement, ThinkLP may Process Customer Personal Data on behalf of Customer. The parties agree and acknowledge that the Applicable Data Protection Laws may apply to the processing of Personal Data on behalf of the Customer. Each party agrees to comply with the following provisions with respect to any Customer Personal Data Processed during the provision of the Services. The parties acknowledge and agree that with regards to such Processing of Personal Data, Customer is Controller and ThinkLP is Processor, or Service Provider, as applicable.

2.2 Processing of Personal Data. The following provisions apply to the Processing of Personal Data pursuant to this DPA:

a. ThinkLP shall treat Customer Personal Data as Confidential Information and will only Process Personal Data in accordance with Applicable Data Protection Laws directly applicable to the Services. ThinkLP will Process Personal Data as necessary to perform the Services pursuant to the Agreement.

b. ThinkLP will Process Customer Personal Data (i) only for the purpose of providing, supporting, and improving ThinkLP’s Services using appropriate technical and organizational security measures; and (ii) for the purposes set forth in the Agreement, including, where applicable, the combination of Customer data to provide insights and analysis of cases that have been pattern matched to other retailers’ case data to show linked crime that can be an indication of organized crime patterns and other reporting. The parties agree that this DPA and the Agreement set out the Customer’s complete instructions to ThinkLP in relation to the processing of Customer Personal Data, and processing outside the scope of these instructions (if any) requires prior written agreement between Customer and ThinkLP. ThinkLP will not use or process Customer Personal Data for any other purpose. ThinkLP will promptly inform Customer in writing if it cannot comply with the requirements under this DPA, in which case Customer may terminate the Agreement or take any other reasonable action, including suspending data processing operations.

c. ThinkLP will inform Customer promptly if, in ThinkLP’s determination, an instruction from Customer violates Applicable Data Protection Laws.

3. Customer’s Obligations

a. Comply with its protection, security, and other obligations with respect to Customer Personal Data prescribed by the Applicable Data Protection Laws by: (a) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data is processed on behalf of Customer; (b) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses, including, but not limited to, providing notice and obtaining all consents and rights necessary to process Customer Personal Data and provide the Services pursuant to this DPA and the Agreement; and (c) ensuring compliance with the provisions of the Agreement and this DPA by its personnel or by any third-party accessing or using Customer Personal Data. Customer acknowledges that Customer will have administrative controls over the ThinkLP Services and ThinkLP will have no control over the type of Customer Personal Data inputted outside of the scope of this DPA.

b. Delete Customer Personal Data as requested by the Data Subject through the deletion capability in the ThinkLP Services, in accordance with Applicable Data Protection Laws. If requested by ThinkLP, provide such information to ThinkLP as is reasonable and necessary, including, but not limited to, user IDs associated with such Data Subject, for ThinkLP to unambiguously identify the Data Subject requesting such deletion.

4. Data Subject Request

a. Data Subject Request. ThinkLP shall, to the extent legally permitted, promptly notify Customer if it receives a request from (i) a Data Subject to access, correct or delete that person’s Personal Data or if a Data Subject objects to the Processing of Data Subject’s Personal Data (“Data Subject Request”) or (ii) a law enforcement authority with a legally binding request for disclosure of Customer Personal Data, unless ThinkLP is otherwise forbidden by law to inform Customer. ThinkLP shall not respond to a Data Subject Request without Customer’s prior written consent except to confirm that such request relates to Customer, to which Customer hereby agrees. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request or if the Customer fails to address a Data Subject Request within seven (7) days of ThinkLP’s request, ThinkLP shall provide commercially reasonable assistance to facilitate such Data Subject Request to the extent ThinkLP is legally permitted and/or required to do so, technically can provide assistance and provided that such Data Subject Request is exercised in accordance with Applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from ThinkLP’s provision of such assistance.

5. Security of Personal Data

ThinkLP shall: 

a. Maintain SOC 2 certification, which is deemed sufficient to comply with the terms of this DPA with regards to the security, confidentiality, and integrity of Personal Data. Upon reasonable request by the Customer, but no more than once per calendar year, ThinkLP shall provide its SOC 2 Type II audit report to the Customer.

b. Implement and maintain an appropriate information security program with technical and organizational measures to protect the security of Personal Data to a level of security appropriate to the risk; in particular, against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. ThinkLP will not materially decrease its overall security of Customer Personal Data during the term of the Agreement and, upon request by the Customer, will supply details of such technical and organizational measures.

6. Sub-processors

a. ThinkLP currently utilizes the Sub-processors set forth in Annex III. ThinkLP shall (i) provide an up-to-date list of the Sub-processors it has appointed upon written request from Customer; and (ii) notify Customer (email is sufficient) if it adds or removes Sub-processors prior to any such changes provided that Customer registers to receive such notices. ThinkLP will (i) enter into contractual arrangements with such Sub-processors binding them to provide the same level of data protection and information security to that provided for in this DPA and (ii) be liable for the acts and omissions of its Sub-processors to the same extent ThinkLP would be liable if performing the Services of each Sub-processor directly under the terms of the Agreement.

b. Customer may object in writing to ThinkLP’s appointment of a new Sub-processor within ten (10) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, the Customer may terminate the part of the service performed under the Service Agreement that cannot be performed by ThinkLP without use of the objectionable Sub-processor. ThinkLP shall refund any pre-paid fees to the Customer in respect of the terminated part of the service on a pro-rated basis, provided that the Customer provides ThinkLP with written notice of termination with at least ten (10) days’ notice prior to the relevant billing period.

7. ThinkLP Personnel

a. ThinkLP will take reasonable measures to inform and train its personnel engaged in the Processing of Customer Data about relevant privacy legislation and data security and ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and ensure that all personnel and Sub-processors are informed of the confidential nature of the Personal Data and are aware of ThinkLP’s duties under this DPA and their personal duties and obligations under Applicable Data Protection Laws.

b. The Customer has administrative controls and the ability to customize, and shall be responsible for such customization, of all the data security settings, controls, and configurations within the Customer-specific Salesforce.com environment, including data encryption requirements. Unless authorized by the Customer in writing, ThinkLP Personnel will not control or configure any Customer Data or Customer security settings and shall not be responsible for the protection of Personal Data based on the security or administrative settings selected or set by the Customer. 

8. Security Incident

a. If ThinkLP becomes aware of a Security Incident, ThinkLP shall, at its own expense, (i) immediately notify (and in any event within 48 hours) the Customer (“Notice”); (ii) fully co-operate with the Customer and assist the Customer in dealing with a Security Incident and in ensuring compliance with its obligations under Applicable Data Protection Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators as soon as reasonably practicable; and (iii) take reasonable steps to mitigate the effects and minimize any damage resulting from the Security Incident.

b. The Notice shall include, to the extent available to ThinkLP at the time: (i) a description of the nature of the Security Incident, including where possible the categories and approximate number of data subjects concerned, (ii) a description of the likely consequences of the Security Incident and (iii) a description of the measures taken or proposed to be taken by ThinkLP to address the Security Incident.

c. ThinkLP’s obligation to report or respond to a Security Incident under this section is not and will not be construed as an acknowledgement by ThinkLP of any fault or liability of ThinkLP with respect to the Security Incident.

9. Audit

The following provisions establish the obligations and rights of each party in the event of an audit under this DPA:

a. Upon reasonable request from the Customer, ThinkLP shall make available to the Customer and/or its designated agents an annual (no more than once every 12 months) remote audit to verify ThinkLP’s compliance with obligations under Applicable Data Protection Laws (each an “Audit”) to be carried out either: (i) by an independent third party audit firm bound by a duty of confidentiality selected by the Customer and approved by ThinkLP (which approval will not unreasonably be withheld or delayed) and where applicable, in agreement with the competent data protection authority; or (ii) by a competent data protection authority.

b. The parties shall agree upon the scope and duration of, and the data protection controls applicable to, the Audit. The Customer will notify ThinkLP in writing with a minimum of ten (10) business days prior to any Audit being carried out. Any Audit or inspection shall be conducted within ThinkLP’s regular business hours.

c. All expenses and costs in relation to any Audit conducted under this section, including ThinkLP personnel time, shall be the sole responsibility of, and compensated by, the Customer. If the Customer requests ThinkLP to incur out-of-pocket costs to assist the Customer in the Audit, then ThinkLP is entitled to a reasonable reimbursement for its costs of the Audit incurred by ThinkLP, to be paid by the Customer.

d. Under no circumstances shall the Customer be allowed to conduct any physical Audit or inspection of ThinkLP’s or its Sub-processors’ onsite premises.

e. The provisions set out in Section 9(a)-(d) above shall satisfy any requirement under Applicable Data Protection Laws granting the Customer the right to take reasonable and appropriate steps to ensure that ThinkLP uses the Personal Data that it collected pursuant to this DPA and the Service Agreement in a manner consistent with ThinkLP’s obligations under Applicable Data Protection Laws.

f. Nothing in the Service Agreement or this DPA will require ThinkLP either to disclose to an independent auditor or the Customer, or to allow an independent auditor or the Customer to access: (i) any data of any other customer of ThinkLP; (ii) ThinkLP’s internal accounting or financial information; (iii) any trade secret of ThinkLP; (iv) any premises or equipment not controlled by ThinkLP; or (v) any information that, in ThinkLP’s reasonable opinion, could: (a) compromise the security of ThinkLP’s systems or premises; (b) cause ThinkLP to breach its obligations under Applicable Data Protection Laws or the rights of any third party; or (c) any information that an independent auditor seeks to access for any reason other than the good faith fulfillment of the Customer’s obligations under Applicable Data Protection Laws. The Customer shall contractually impose, and designate ThinkLP as a third party beneficiary of, contractual terms that prohibit any independent auditor from disclosing the existence, nature, or results of any audit to any party other than the Customer unless such disclosure is required by applicable law.

10. Transfers of Personal Data

a. The Customer acknowledges that ThinkLP may transfer and process Customer Personal Data to ThinkLP affiliates, or its Sub-processors in the course of performing the Services. ThinkLP shall, at all times, ensure that such transfers are made in compliance with the requirements of all Applicable Data Protection Laws including GDPR chapter V.

b. To the extent Personal Data includes personal data protected by EU Data Protection Laws, the parties are deemed to have signed the SCCs, including their annexes, attached hereto.

c. To the extent the SCCs are entered into, the following options for Module 2 of the SCCs shall be used:
   i. Clause 7. The optional docking clause shall apply.
   ii. Clause 9. Use of sub-processors Option 2: General written authorization shall apply with a 10-day period to object to the sub-processor. Section 6 shall control the notification process. See Annex III for the list of current sub-processors.
   iii. Clause 11. The optional language does not apply.
   iv. Clause 17. Option 1 shall apply and shall reference the laws of Ireland.
   v. Clause 18(b). Courts of Dublin, Ireland.
   vi. Clause 13. All square brackets in it are hereby removed.
   vii. The parties will complete Schedule 1, which includes the information called for in the SCCs Annexes I, II, and III. By executing the Agreement, the parties hereby execute Annexes I-III, to the extent applicable.

d. To the extent Personal Data includes data from Switzerland, clause 11(b) and the Switzerland Addendum apply.

e. To the extent Personal Data includes data from the UK, the UK data transfer addendum applies.

f. To the extent Personal Data includes data of Data Subjects residing in the US, the US States Privacy Laws Addendum applies.  

11. Indemnification and Limitation of Liability

To the extent applicable by Applicable Data Protection Law, ThinkLP shall indemnify and keep indemnified the Customer against direct damages, claims, and losses incurred by the Customer which arise directly from ThinkLP’s data processing activities under this DPA. To the extent permissible by Applicable Data Protection Law, each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement. For the avoidance of doubt, ThinkLP’s and its affiliates’ total liability for all claims from the Customer arising out of the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement.

12. Deletion

On the expiration or termination of the Agreement (or, if applicable, on expiration of any post-termination period during which ThinkLP may agree to continue providing access to the Services), ThinkLP will delete any Customer Personal Data then in its possession and/or control within a maximum period of 90 days, unless applicable legislation or legal process prevents it from doing so.

13. Access; Export of Data

To the extent Customer, in its use and administration of the Services during the term of the Agreement, does not have the ability to amend or delete Customer Personal Data (as required by Applicable Data Protection Laws), or migrate Customer Personal Data to another system or service provider, ThinkLP will, at Customer’s reasonable expense, comply with any reasonable requests from Customer to assist in facilitating such actions to the extent ThinkLP is legally permitted to do so and has reasonable access to the relevant Customer Personal Data.

ANNEX I

A. LIST OF PARTIES