Built for Trust and Privacy

ThinkLP is committed to maintaining the highest standards of confidentiality and security for the industry. Our robust data management framework ensures that personal information is protected with the utmost care and discretion. We believe in transparency and honesty, and our practices are designed to safeguard your data while providing a secure and reliable experience.

Data Processing Addendum

Updated November 2023

This Data Processing Addendum (“DPA”) is incorporated into, forms part of, and supplements the Master Subscription Agreement and all incorporated documents (collectively the “Service Agreement” or “Agreement”) by and between ThinkLP, Inc., a Delaware corporation with offices at 100-219 Labrador Drive, Waterloo ON N2K 4M8 (“ThinkLP” or “Processor”) and the customer identified in the Service Agreement (“Customer” or “Controller”, together with ThinkLP, the “Parties”) and supersedes any previous data addendum entered into by the Parties.

Pursuant to this DPA, the Processor will provide certain services to Controller.  This DPA is intended to set forth the subject, scope, nature, and obligations of the Parties regarding personal data that is the subject of the Service Agreement.  This DPA will become legally binding upon the effective date of the Service Agreement.

For purposes of this DPA, ThinkLP is the Processor and Customer is the Controller.  The Controller may provide or transfer to ThinkLP as Processor Personal Data relating to individuals or entities engaging with the Controller for purposes of receiving ThinkLP’s loss prevention services (the “Services”).  To the extent this DPA conflicts with any other agreement, including the terms of the Service Agreement, this DPA shall prevail.

1.              Definitions.  For the purposes of this DPA, the following terms have the following definitions:

a.              “Applicable Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules, and regulations to which the Personal Data are subject, including any regulations or rules implementing these or any other laws in the United States with respect to data privacy or concerning Personal Data, as each may be amended or replaced from time to time. Applicable Data Protection Laws, include, but are not limited to, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Consumer Privacy Rights Act (“CCPA”), the Colorado Privacy Act, C.R.S.  § 6-1-1301 et seq. (“CPA”), the Virginia Consumer Data Protection Act, Va. Civ. Code § 59.1-575 et seq. (“VCDPA”), the Connecticut Consumer Data Protection Act, Conn. Gen. Stat. § 42-515 (“CTDPA”), the GDPR (as defined in Section 10), and the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”);

b.              “Controller” is the Customer identified in the Service Agreement and means the individual or entity who alone or jointly with others determines the purposes and means of the Processing of Personal Data. The term “Controller” includes “businesses,” “controllers,” “data owners,” and other similar terms under Applicable Data Protection Laws that refer to persons or entities that determine the purposes and means of the Processing of Personal Data;

c.               “Data Subject Request” means a request pertaining to Personal Data from a “data subject” or “consumer” to exercise its rights under Applicable Data Protection Laws;

d.              “Personal Data” shall have the meaning assigned to the terms “personal data,” “personal information,” “protected data,” and/or any similar category of information or data under the Applicable Data Protection Laws, and which is Processed by Processor on behalf of Controller pursuant to the Service Agreement;

e.               “Processor” shall have the meaning given to the terms “processor,” “service provider,” or similar term in the Applicable Data Protection Laws and which Processes Personal Data on behalf of the Controller pursuant to the Service Agreement, in this instance ThinkLP;

f.               “Process,” “Processing,” or “Processed” shall have the same meaning given to the term by Applicable Data Protection Laws, and means any operation or series of operations performed upon the Personal Data, whether or not by automatic means, including access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, or return or destruction;

g.              “Security Incident” means a breach of security leading to the unauthorized disclosure of, or access to, destruction, loss, or alteration of the Personal Data transmitted, stored, or otherwise Processed as defined by Applicable Data Protection Laws;

h.              “Sub-processor” means any Processor, including but not limited to Salesforce, Inc. (“Salesforce”), authorized or engaged by ThinkLP to Process Personal Data, including activities carried out on the Controller’s behalf under the terms of the Service Agreement and this DPA.  For the avoidance of doubt, Sub-processors are not third parties.

Any capitalized but undefined terms used in this DPA shall have the same meaning as they do in the Service Agreement unless stated otherwise.

2.              Data Processing.  The following provisions apply to the Processing of Personal Data under this DPA:

a.              Each party will comply with the Applicable Data Protection Laws in connection with the performance of the Service Agreement and in providing or using the Services.

b.              The Controller authorizes the Processor and its affiliates, agents, contractors, and Sub-processors to undertake Processing of Personal Data only as set forth for the limited and specified purposes described in the Service Agreement and this DPA, or pursuant to additional written instructions from the Controller.  Any consideration paid by Controller to Processor under the Service Agreement is only for Processor’s provision of the Services.

c.               Controller acknowledges that Processor is SOC2 compliant, which is sufficient to comply with the terms of this DPA with regard to the security, confidentiality, and integrity of Personal Data.  Upon reasonable request by Controller, but no more than once per calendar year, Processor shall provide its SOC 2 Type II audit report to Controller.

d.              All Personal Data uploaded to ThinkLP’s software will be Processed by Salesforce, a Sub-processor separate and independent from Processor over which ThinkLP has no control.  Controller agrees that the Salesforce data protection practices, as set forth on its website or as may be publicly available, are sufficient to comply with the obligations set forth in this DPA and/or the Service Agreement. ThinkLP makes Salesforce available through its services, and Controller shall be responsible for and has the ability to customize all the data security settings, controls, and configurations within the Controller-specific Salesforce.com environment, including data encryption requirements.  Unless authorized by the Customer, Processor will not control or configure data security settings and shall not be responsible for the protection of Personal Data based on the security settings selected or set by the Controller.

e.               Each Party shall treat all confidential information and/or Personal Data exchanged with one another pursuant to the Service Agreement and/or this DPA in accordance with the confidentiality provisions in the Service Agreement.  Any Sub-processor, including Salesforce, who is authorized by the Parties to Process such confidential information and/or Personal Data shall contractually agree to maintain the confidentiality of such information or be bound by terms similar to those in the Service Agreement and this DPA.

f.               The Controller warrants to the Processor that the Personal Data provided to Processor is accurate, relevant, and suitable, and Controller’s requested Processing has a valid, lawful basis, and complies with the Applicable Data Protection Laws. If Processor makes a determination that it can no longer meet its obligations as a Processor under Applicable Data Protection Laws, Processor will inform Controller without undue delay.

g.              The types of Personal Data subject to Processing by Processor pursuant to the terms of this DPA and the Service Agreement are provided in Schedule 1 attached to the Service Agreement.

h.              The duration of the Processing to be performed by Processor shall commence upon the effective date of the Service Agreement and shall end when the Service Agreement is terminated in accordance with Section 12 of the Service Agreement.

3.              Security Incidents.  The following provisions establish the required security and notification measures to be taken under this DPA:

a.              All Personal Data uploaded by Controller to ThinkLP’s software is stored and hosted in the Salesforce, Inc. cloud environment and will thus be subject to Salesforce’s data protection measures.  The information regarding Salesforce’s data protection measures is available at: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/misc/salesforce-security-privacy-and-architecture.pdf, which could be changed from time to time by Salesforce.

b.              Processor shall maintain a reasonable level of security for the Personal Data that it Processes, particularly against Security Incidents, as may be required by Applicable Data Protection Laws.

c.               Should Processor become aware of a Security Incident, it shall notify the Controller, pursuant to the notice provisions of the Service Agreement, promptly after it learns of such a Security Incident unless prohibited by law, subpoena, warrant, court order, government agency or law enforcement. The obligations in this Section 3 do not apply to incidents that are caused by Controller, including Controller’s failure to implement appropriate security controls in Salesforce, Controller’s personnel, or by end users, or to unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

d.              To the extent that Processor is responsible for the Security Incident, the Processor shall reasonably assist the Controller in mitigating, documenting, and otherwise complying with Controller’s efforts to comply with its obligations under Applicable Data Protection Laws in the event of a Security Incident.

e.               To the extent that Processor is responsible for the Security Incident and the following information is feasible or known at the time of notification, Processor will provide the following details: (i) the nature of the Security Incident; (ii) the categories and approximate number of data subjects impacted; (iii) to the extent reasonably possible, information regarding the data subjects and data records concerned; (iv) measures taken or proposed to be taken by Processor to address or remediate the Security Incident; and (v) the name and contact details of Processor’s data protection officer or other relevant contact from whom more information may be obtained.

f.               Processor’s notification of, or response to, a Security Incident under this section will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Security Incident.

4.              Representatives.  Neither Party shall represent itself as a representative of the other or purport to assume obligations in the name of the other.

5.              Sub-Processors.  The following provisions apply to the selection of Sub-processors under this DPA:

a.              Controller hereby authorizes Processor to engage Sub-processors, including Salesforce, to assist it in performing its Processing obligations pursuant to the Service Agreement and/or this DPA.

b.              All Processing by Salesforce is governed by the Salesforce Data Processing Addendum, available on the Salesforce website at https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf.

c.               Upon reasonable request, which shall be made at least fourteen (14) days in advance, Processor shall make available to Controller once annually, in writing, a list of Sub-processors that Process Personal Data.  ThinkLP maintains a list of Sub-processors at Annex III.

d.              Upon Processor providing written notice of Sub-processors pursuant to Paragraph 5(a), Controller shall have ten (10) days to object in writing. Such objection shall identify the basis of Controller’s objection, which may only be the Sub-processors’ inability to comply with the requirements of this DPA.  The Parties will work together in good faith to resolve the grounds for the objection for no less than thirty (30) days, and failing resolution, Controller may terminate the part of the service performed under the Service Agreement that cannot be performed by Processor without use of the objectionable Sub-processor.  Processor shall refund any pre-paid fees to Controller in respect of the terminated part of the service on a pro-rated basis, provided that Controller provides Processor with written notice of termination with at least ten (10) days’ notice prior to the relevant billing period.

e.               Except with respect to Salesforce, which is subject to Section 5(a) above, for any Sub-processor engaged after the effective date of the Service Agreement, Processor shall enter into a written agreement that imposes obligations on such Sub-processor that comply with Applicable Data Protection Laws.

f.               Notwithstanding Sections 5(a)-(e) above, all Personal Data uploaded to Processor’s software will be Processed by Salesforce, a Sub-processor separate and independent from Processor over which Processor has no control. Controller agrees that the Salesforce data protection practices, as set forth on its website at https://www.salesforce.com/company/privacy/, or as may be publicly available, are sufficient to comply with the obligations set forth in this DPA and/or the Master Agreement.

6.              Audit Rights.  The following provisions establish the obligations and rights of each Party in the event of an audit under this DPA:

a.              Upon reasonable request from Controller, the Processor shall make available to the Controller and/or its designated agents an annual (no more than once every 12 months) remote audit to verify Processor’s and any of its Sub-processors’ compliance with obligations under Applicable Data Protection Laws and this DPA (each an “Audit”) to be carried out either: (i) by an independent third party audit firm bound by a duty of confidentiality selected by Controller and approved by Processor (which approval will not unreasonably be withheld or delayed) and where applicable, in agreement with the competent data protection authority; or (ii) by a competent data protection authority.

b.              The Parties will mutually agree upon the scope and duration of, and the data protection controls applicable to, the Audit. Controller will notify Processor in writing with a minimum of ten (10) business days prior to any Audit being carried out. Any Audit or inspection shall be conducted within the Processor’s regular business hours.

c.               All expenses and costs in relation to any Audit conducted under this section, including Processor personnel time, shall be the sole responsibility of, and compensated by, the Controller. If Controller requests Processor to incur out-of-pocket costs to assist Controller in the Audit, then Processor is entitled to a reasonable reimbursement for its costs of the Audit incurred by Processor, to be paid by Controller.

d.              Under no circumstances shall Controller be allowed to conduct any physical Audit or inspection of Processor’s onsite premises.

e.               The provisions set out in Section 6(a)-(d) above shall satisfy any requirement under Applicable Data Protection Laws granting Controller the right to take reasonable and appropriate steps to ensure that the Processor uses the Personal Data that it collected pursuant to this DPA and the Service Agreement in a manner consistent with Processor’s obligations under Applicable Data Protection Laws.

f.               Nothing in the Service Agreement or this DPA will require Processor either to disclose to an independent auditor or Controller, or to allow an independent auditor or Controller to access: (i) any data of any other customer of Processor; (ii) Processor’s internal accounting or financial information; (iii) any trade secret of Processor; (iv) any premises or equipment not controlled by Processor; or (v) any information that, in Processor’s reasonable opinion, could: (a) compromise the security of Processor’s systems or premises; (b) cause Processor to breach its obligations under Applicable Data Protection Laws or the rights of any third party; or (c) any information that an independent auditor seeks to access for any reason other than the good faith fulfillment of Controller’s obligations under Applicable Data Protection Laws. Controller shall contractually impose, and designate Processor as a third party beneficiary of, contractual terms that prohibit any independent auditor from disclosing the existence, nature, or results of any audit to any party other than Controller unless such disclosure is required by applicable law.

7.              Indemnification.  The following provisions establish the extent and circumstances in which each Party is indemnified:

a.              Processor agrees to indemnify, defend and hold harmless Controller and each of their officers, directors, employees, subcontractors, representatives and agents from any and all damages, actions, third party claims, liabilities, costs and expenses resulting from such actions or claims, arising out of or relating to a Security Incident or violation of this DPA (excluding any Security Incident or breach of this DPA arising out of Controller’s acts or omissions, including but not limited to any failure of Controller to implement appropriate Complementary User Entity Controls identified on pages 20–21 in Processor’s SOC2 Type II audit report or a Security Incident caused by Salesforce) only to the extent that it results from Processor’s gross negligence or willful misconduct, and subject to the limitation of liability set forth in Section 11 of the Service Agreement.  Such indemnification shall not exceed Processor’s available insurance coverage. Notwithstanding the foregoing, Processor shall not be liable to Controller or any other party under any circumstances for punitive, special, consequential or indirect damages.

b.              Controller agrees to indemnify, defend and hold harmless Processor and each of their officers, directors, employees, subcontractors, representatives and agents from any and all damages, actions, third party claims, liabilities, costs and expenses resulting from such actions or claims, arising out of or relating to: (i) Controller’s misuse of the services; (ii) where Personal Data as provided by Controller, infringes or violates the rights of a third party or violates applicable law; (iii) where Controller did not have the authority to allow Processor to transmit, Process, store, or host Personal Data; (iv) Controller’s failure to implement appropriate Complementary User Entity Controls identified on pages 20–21 in Processor’s SOC2 Type II audit report; and (v) Controller’s misuse or mishandling of Personal Data in violation of Applicable Data Protection Laws. Notwithstanding the foregoing, Controller shall not be liable to Processor or any other party under any circumstances for punitive, special, consequential, or indirect damages.

c.               Indemnification is contingent on each Party promptly notifying the other of a claim by such Party or against them related to this DPA or the Service Agreement, and before payment to any party and before any first party expenses and costs are incurred.

d.              Each Party’s indemnification obligations set forth in this DPA and the entirety of this Section 7, are subject to the limitation of liability set forth in Section 11 of the Service Agreement.

8.              Termination and Deletion or Return of Controller’s Personal Data.  The following provisions shall apply to the maintenance of records following termination of the Service Agreement and/or this DPA:

a.              Upon or within 30 days of termination of the Service Agreement or DPA, the Controller’s Personal Data uploaded to Salesforce or another cloud service provider for the purpose of accessing the Services will be deleted. To the extent that Customer wants to download or retain the Controller’s Personal Data following termination of the Services, it must take immediate steps to download or preserve that information directly, but no later than 30 days following termination. Upon Controller’s written request, the Processor shall provide commercially reasonable assistance to the Controller in the deletion of records of the Controller’s Personal Data in its possession or control, except to the extent that Processor is required by applicable law, rules, regulations, directives, ordinances, codes or similar enactments and any obligations imposed by self-regulatory bodies promulgating standards to retain the Personal Data.

b.              Upon request, the Processor shall provide written confirmation to the Controller that it does not have access to Controller’s Personal Data and has fully complied with this section within forty-five (45) days of termination.

c.               Notwithstanding the above, the Processor will maintain records as required for relevant business needs or as required by any and all applicable laws, court order, or other legal requirement.

9.              Assistance.  The following provisions shall apply to ThinkLP’s assistance to Controller with responses to Data Subject Requests and regulatory inquiries or investigations:

a.              Where the Data Subject Request is received directly by the Controller and to the extent Controller does not have the ability to address such Data Subject Request using the functionalities available to Controller through the services, ThinkLP will provide commercially reasonable assistance as requested by Controller to enable Controller to respond to a Data Subject Request to the extent ThinkLP is legally able to do so.

b.              If ThinkLP receives a Data Subject Request directly, where Controller has been explicitly identified, ThinkLP will promptly inform Controller within five (5) business days, and ThinkLP shall not respond to such requests except as instructed by Controller, unless otherwise required by applicable law, including Applicable Data Protection Laws, provided, however, that ThinkLP may: (i) confirm receipt; (ii) advise that such request relates to Controller; (iii) direct such data subject or consumer to Controller; or (iv) take other action as may be necessary to comply with Applicable Data Protection Laws.

c.               ThinkLP will also assist Controller, at Customer’s expense, with the resolution of any request or inquiries that Controller receives from data protection authorities or regulators relating to ThinkLP and, if and to the extent requested by Controller, cooperate with any authorities’ requests.

d.              Upon Controller’s request, ThinkLP shall, at Customer’s expense, provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to ThinkLP.

10.            Europe Specific Provisions. To the extent ThinkLP processes Personal Data subject to the GDPR, UK GDPR, and/or FADP, the following provisions shall also apply:

a.              Definitions.

i.                “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992, as may be updated and amended from time to time.

ii.              “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

iii.             “SCCs” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance) (the text of which is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj).  The SCCs are hereby incorporated into this DPA to the extent the Services contemplate the export of Personal Data from the European Union or Switzerland to jurisdictions not recognized by a competent data protection authority in the transferring jurisdiction as providing an adequate level of data protection without other safeguards.

iv.             “UK” means the United Kingdom of Great Britain and Northern Ireland.

v.              “UK International Data Transfer Addendum” means the United Kingdom’s Information Commissioner’s Office’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued pursuant to S119A(1) Data Protection Act 2018, which is incorporated into this DPA and available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf. The UK International Data Transfer Addendum, including but not limited to the Part 2: Mandatory Clauses, is hereby incorporated into this DPA to the extent the Services contemplate the export of Personal Data from the United Kingdom to jurisdictions not recognized by a competent data protection authority in the United Kingdom as providing an adequate level of data protection without other safeguards.

vi.             “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

b.              Details of Processing. The subject-matter of Processing of Personal Data by ThinkLP is the performance of the Services pursuant to the Service Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects Processed under this DPA are further specified in Schedule 1.

11.            International Transfers of Personal Data.

a.              The parties agree to negotiate in good faith and enter into the appropriate data transfer agreements when required by Data Protection Laws.

b.              ThinkLP shall not transfer Personal Data to or from a jurisdiction whose Data Protection Laws restrict the transfer of Personal Data unless in accordance with (i) the documented Instructions from Customer, including this DPA, and (ii) in accordance with applicable Data Protection Laws.

c.               In the event that Personal Data is required to be Processed outside of the European Economic Area (“EEA”), Switzerland, or the UK, then the parties agree that:

i.                with respect to transfers from the EEA and Switzerland, the SCCs will apply;

ii.              with respect to transfers from the UK, the UK International Data Transfer Addendum will apply; and

iii.             the SCCs and the UK International Data Transfer Addendum are incorporated into and form part of the Agreement and DPA.

d.              For the purposes of the SCCs, Module 2 will apply to the Processing of Personal Data by ThinkLP on behalf of Customer.  Whereby:

i.                Clause 7 (“Docking clause”) shall apply.

ii.              Clause 9(a) Option 2 (“GENERAL WRITTEN AUTHORISATION”) shall apply with a 10 day period to object to the sub-processor.  Section 5 shall control the notification process.  See Annex III for the list of current sub-processors.

iii.             Clause 11(a) (“Redress”) shall apply without the mentioned OPTION.

iv.             Clause 17 (“Governing law”) Option 1 shall apply and shall reference the laws of Ireland.

v.              Clause 18 (“Forum Choice”) shall apply with the courts of Dublin, Ireland.

vi.             The parties will complete Schedule 1, which includes the information called for in the SCCs Annexes I, II, and III.  By executing the DPA, the parties hereby execute Annexes I-III, to the extent applicable.

e.               For transfers of Personal Data originating from Switzerland, i) the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner insofar as the data transfer is governed by FADP; ii) references in the SCCs to a “Member State” and “EU Member State” will not be read to prevent data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); and iii) until the revised FADP enters into force, the SCCs will also protect the data of legal entities in Switzerland.

f.               For the purposes of the UK International Data Transfer Addendum, the parties will complete Schedule 1, which includes the information called for in the UK International Data Transfer Addendum, including the information called for in the tables set out in Annex IV.  By executing the DPA, the parties hereby execute Annex IV, to the extent applicable.

g.              Conflicts with Transfer Mechanisms. If any term or provision of the DPA or Agreement is contradictory or inconsistent with any term or provision of the SCCs or UK International Data Transfer Addendum (as applicable), then the terms and provisions of the SCCs or UK International Data Transfer Addendum that provide adequate protection for such Personal Data under Data Protection Laws shall control.

h.              ThinkLP shall provide Customer with all reasonable information necessary to allow Customer to obtain any applicable data transfer authorization in connection with the Services.

12.            General Provisions.  The following provisions apply to the enforceability, modification, and inclusiveness of this DPA:

a.              Processor shall not:

i.                “sell” or “share” as defined in Applicable Data Protection Laws, including but not limited to the CCPA, the Personal Data Processed pursuant to this DPA (except with respect to authorized Sub-processors);

ii.              retain, use, or disclose Personal Data for any purpose other than to provide the limited and specific services pursuant to the Service Agreement;

iii.             retain, use, or disclose the Personal Data outside the direct business relationship between Controller and Processor; or

iv.             combine the Personal Data that Processor receives from, or on behalf of, Controller with Personal Data that it receives from, or on behalf of, another person or third party, or collects from its own interaction with a data subject directly, except as permitted by Applicable Data Protection Laws.

b.              Controller shall not:

i.                provide Processor, or cause Processor to Process, any protected health information as defined under the Health Insurance Portability and Accountability Act (“HIPAA”) and its implementing regulations, as amended, unless otherwise expressly agreed to by Processor in the Service Agreement. If Processor does not expressly agree to Process such information pursuant to the previous sentence, Processor has no obligations or liability with respect to such data.  If Controller inadvertently provides or causes Processor to Process any protected health information, Controller shall: (i) immediately notify Processor in writing; and (ii) take all necessary steps to assist Processor in removing protected health information from Processor’s systems.

c.               If at any time any provision in this DPA is or becomes illegal, invalid, or unenforceable in any respect under the law of any jurisdiction, that shall not affect the legality, validity or enforceability in that jurisdiction or any other jurisdiction of any other provision of this DPA or Service Agreement.

d.              Nothing in this DPA permits Processing in a manner prohibited by the Service Agreement.  If any variation of this DPA is required as a result of changes in the Applicable Data Protection Laws or other laws or regulations, either Party may provide written notice to the other Party of that change in law and the Parties will negotiate in good faith any necessary variations to this DPA for no less than thirty (30) days and failing resolution, Controller may terminate the part of the service performed under the Service Agreement that cannot be performed by Processor without use of the objectionable Sub-processor.  Processor shall refund any pre-paid fees to Controller in respect of the terminated part of the service on a pro-rated basis, provided that Controller provides Processor with written notice of termination with at least ten (10) days’ notice prior to the relevant billing period.

e.               Nothing in this DPA reduces or eliminates any rights or remedies that the Controller or Processor may have under the Service Agreement.  This DPA binds and benefits the Parties and their permitted assigns.  This DPA does not contemplate third party beneficiaries and no person or entity who is not a party to this DPA shall have rights to enforce any provision of this DPA.

f.               This DPA is governed by the law of the State of New York and the Parties submit to the exclusive jurisdiction of the courts of the State of New York regarding any dispute between them that may arise from this DPA or Service Agreement.

g.              This DPA constitutes the entire and exclusive agreement of the Parties relating to the subject matter included therein, and supersedes all other oral or written agreements, including settlement agreements, arising hereto.  This DPA may be modified, or rights within it waived, only by a written document executed by both Parties.

______________________________________________

ANNEX I
(SCCs)

A. LIST OF PARTIES

Data exporter(s): See Customer Information in Master Service Agreement

 

Data importer(s) (ThinkLP):

 

Name:  ThinkLP, Inc

 

Activities relevant to the data transferred under these Clauses:  loss prevention services

Role: Processor

 

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects: See Schedule 1

Categories of Personal Data transferred: See Schedule 1

Sensitive data transferred (if applicable): See Schedule 1

Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

 

ThinkLP implements heightened security standards and respects the security settings set by Customers for all personal data, including special categories of data, that it Processes.

 

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

 

The data is transferred continuously and initiated when the Customer uploads its data, including Personal Information, into Salesforce or another cloud service provider in order to access the Services.

 

Nature of the processing:

 

ThinkLP provides loss prevention services and processes Customer data in its role as a processor and service provider only for the purposes of providing the Services and as set out in the DPA.  Customer is the Controller of the Personal Data.

 

Purpose(s) of the data transfer and further processing:

 

The purpose of the data transfer is so that ThinkLP may provide loss prevention services and process Customer data in its role as a processor and service provider only for the purposes of providing the Services and as set out in the DPA.

 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: See Master Service Agreement and DPA

 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

 

Processor/Service Provider (ThinkLP) processes and uses the Personal Data of the data subjects on behalf of Customer/Controller in order to perform the Services contracted, including providing loss prevention services. The duration of processing is set forth in the Agreement.

 

C. COMPETENT SUPERVISORY AUTHORITY

 

Identify the competent supervisory authority/ies in accordance with Clause 13: The Irish Data Protection Commission

_______________________________________________________


ANNEX II
(SCCs)
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND
ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Measures taken by the Data Exporter in respect of the transfer: See Schedule 1

 

Measures taken by the Data Importer:

 

ThinkLP is System and Organization Controls (SOC) 2 Type II certified.  A copy of ThinkLP’s SOC 2 Type II report is available upon request.

 

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter:

 

All security features and functions in the cloud environment utilized to deliver ThinkLP’s services are controlled by the Customer. Links to the descriptions of the security environments are provided in the Agreement.

 

_______________________________________________________

 

 

ANNEX III
(SCCs)
LIST OF SUB-PROCESSORS

The Controller has authorised the use of the following Sub-processors:

 

1. Name: Salesforce.com, Inc.

Incorporation Location: Delaware, USA

Location of Processing: United States of America

Description of Processing: Cloud Application Platform-as-a-Service (aPaaS) Provider

 

2. Name: Action Verb LLC (d/b/a Files.com)

Incorporation Location: California, USA

Location of Processing: United States of America

Description of Processing: S-FTP File Transfer Hosting (if utilized by Data Exporter)

 

3. Name: Amazon Web Services (AWS)

Location: United States of America

Description of Processing: Secure data transfer, processing and storage for large data sets

 

4. Name: Microsoft Azure

Location: United States of America

Description of Processing: Secure data transfer, processing and storage for large data sets

 

_______________________________________________________


ANNEX IV
(UK INTERNATIONAL DATA TRANSFER ADDENDUM)

 

For information called for in Table 1, see Agreement.

For information called for in Table 2, to the extent applicable, see Agreement.

For information called for in Table 3, see Agreement.

Part 1: Tables

Table 1: Parties

Start date:

The Parties: Exporter (who sends the Restricted Transfer) and Importer (who receives the Restricted Transfer)

Parties’ details (for each of the Exporter and the Importer): Full legal name; Trading name (if different); Main address (if a company registered address); Official registration number (if any) (company number or similar identifier)

Key Contact (for each of the Exporter and the Importer): Full Name (optional); Job Title; Contact details including email

Signature (if required for the purposes of Section 2)

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs: either

- the version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information (Date: ; Reference (if any): ; Other identifier (if any): ); or

- the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
| 1 |   |   |   |   |   |   |
| 2 | X |   |   |   |   |   |
| 3 |   |   |   |   |   |   |
| 4 |   |   |   |   |   |   |

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties:
Annex 1B: Description of Transfer:
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:
Annex III: List of Sub processors (Modules 2 and 3 only):

Table 4: Ending this Addendum when the Approved Addendum Changes

Which Parties may end this Addendum as set out in Section 19: Importer / Exporter / neither Party
