Crosslake Logo
Insights
Connect
Crosslake Logo

Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Agreement (as defined in the applicable Statement of Work, Master Services Agreement, or other applicable agreement) entered into by Crosslake Technologies, LLC, a limited liability company organized and existing under the laws of Washington, and its Affiliates and Client and sets out the additional terms, requirements, and conditions which shall apply to the processing of Personal Data by the parties when Services are performed under the Agreement. Capitalized terms used but not defined below will have the meanings set forth in the Agreement. References to “You” or “Your” herein shall be interpreted to mean the Client.

 

1.   Definitions and Interpretation

1.1

The Definitions and terms of the Agreement are deemed incorporated into this DPA, unless expressly stated otherwise, and the following definitions shall additionally or in replacement apply in this DPA.

  • Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing”: each have the meanings given to them in the Data Protection Legislation.
  • Data Protection Legislation”: means all applicable laws and regulations in force from time to time relating to the processing, protection, or privacy of Personal Data, including but not limited to the UK GDPR, which has the meaning given to it in section 3(10) of the Data Protection Act 2018 (as supplemented by section 205(4)); the General Data Protection Regulation ((EU) 2016/679); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended, the California Consumer Privacy Act, as amended, and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data.
  • Data Subject Request”: a request from a Data Subject to exercise the Data Subject’s rights under the Data Protection Legislation, including requests for access to Personal Data, rectification or erasure of Personal Data, right to object and right to human intervention restrictions of processing Personal Data, and portability of Personal Data.
  • EEA”: European Economic Area (currently EU and Ireland, Lichtenstein and Norway).
  • Regulator”: a regulatory or supervisory authority of competent jurisdiction from time to time with authority under Data Protection Legislation over the processing of Personal Data.
  • Standard Contractual Clauses (SCC) or International Data Transfer Agreement (IDTA)”: standard contractual clauses for the international transfer of Personal Data from the UK or EEA to countries outside of the UK or EEA that do not benefit from an adequacy decision by the European Commission.
1.2

References to clauses herein are to the clauses of this DPA.

1.3

The Schedule forms part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Schedule.

1.4

A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time and shall include all subordinate legislation made from time to time under that statute or statutory provision.

1.5

Any words following the terms “including,” “include,” or any similar phrase shall be construed as illustrative and shall not limit the generality of the related words.

1.6

A reference to writing or written shall include email.

 

2. General

2.1

The parties acknowledge and agree that this DPA forms part of the Agreement between Provider and You relating to the provision of the Services and sets out the parties’ obligations in respect of the processing of personal data under the Agreement.

2.2

In the event of any conflict or ambiguity between:

  • (a) any provision contained in the body of this DPA and any provision contained in the Schedules, the provision in the body of this DPA will prevail;
  • (b) any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail; and
  • (c) any of the provisions of this DPA and any executed SCCs or IDTA, the provisions of the executed SCCs or IDTA will prevail.

 

3.   Personal Data Types and Processing Purposes

3.1

If and to the extent that Provider is considered to be acting as a Processor of any Personal Data on Your behalf, Provider shall process such Personal Data for the sole purpose of providing the Services in accordance with this DPA. Further detail on the Personal Data categories, types of Data Subjects and the purpose for which Provider may Process the Personal Data in order to provide the Services are set out in the Schedule to this DPA.

3.2

In respect of Personal Data which Provider processes as a sole Controller in connection with the provision of the Services, then except where this DPA refers generally to Personal Data, the provisions of this DPA will not apply to such Processing but Provider will undertake such Processing in accordance with its legal obligations to Data Subjects under the Data Protection Legislation.

3.3

Both parties shall comply with their respective obligations under the Data Protection Legislation in respect of Personal Data processed in connection with the Agreement.

 

4.  Data Processing Obligations

YOUR OBLIGATIONS
4.1 

In respect of any Personal Data for which You are the Controller, it shall be Your responsibility to ensure that You are entitled to, and have a lawful basis to, process and to authorise Provider to process such Personal Data in the manner envisaged by this DPA (including providing any required notices and obtaining any required consents, and for the processing instructions You give to Provider). You consent to Provider processing the Personal Data in the manner envisaged by this DPA for the purposes of performing the Agreement. If at any time You have reason to believe that the processing of Personal Data under this DPA is in breach of the Data Protection Legislation, You shall immediately notify Provider, together with an explanation of the concern.

4.2

You shall ensure at all times that Your instructions to Provider for the processing of Personal Data under this DPA comply with Data Protection Legislation and that compliance with such instructions would not cause Provider to breach the Data Protection Legislation. You acknowledge that the Provider is under no duty to investigate the completeness, accuracy, or sufficiency of any specific instructions from You or the Personal Data other than as required under the Data Protection Legislation.

4.3

You shall be responsible for compliance with Article 22 GDPR “Automated individual decision-making, including profiling” or, as the case may be, Section 14 of the UK Data Protection Act 2018, as a result of the way in which You decide to make use of the Services. This includes providing for human intervention following a Data Subject Request.

4.4

You shall be responsible for carefully reviewing the Provider policies and statements, as amended from time to time, and to assess whether such measures are appropriate to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. You can request the latest versions of Provider’s policies and statements at any time by emailing [email protected]

4.5

You shall provide an email address to which Provider shall transfer Data Subjects Requests.

4.6

You shall provide an email and telephone number for notification of data breach incidents.

4.7

You shall consult Provider beforehand on the content of any data breach notification made to Regulators that mentions Provider and provide a copy of the notification once it has been submitted.

4.8

You shall be responsible for the provision of fair processing information to relevant Data Subjects and for obtaining any consents that may be required (in each case to the extent necessary in order to comply with the Data Protection Legislation) from that Data Subject. You shall ensure that such fair processing notices are accurate and complete, and that any consents are sufficient in order for Provider to lawfully process the Personal Data in the manner set out in this DPA.

4.9

Given that Provider has no direct contact with the Data Subjects, You shall be responsible, (i) for informing Data Subjects that data collected is also processed by Provider as either a Processor or a sub-Processor as applicable; (ii) for providing a  link to Provider’s privacy policy, and (iii) for notifying Provider without delay if You become aware of any Data Subject Request that is wholly or partly intended for Provider.

4.10

You shall be responsible for monitoring compliance of Provider with the terms and conditions of this DPA.

4.11

You shall be responsible for ensuring all of Your own privacy policies, data protection policies, security statements and any and all such other applicable policies or statements relating to the safeguarding of Personal Data are up to date and where applicable declare Provider as a Processor or sub-Processor of Personal Data, as the case may be.

4.12

To the extent that You transfer Personal Data to Crosslake or a Crosslake Affiliate located in a country without an E.U. Commission adequacy decision, You will enter into SCCs or an IDTA (as applicable) with Crosslake with respect to such transfer.

PROVIDER’S OBLIGATIONS
4.13

If and to the extent that Provider processes Personal Data as a Processor on Your behalf, Provider shall in respect of such Personal Data:

  • (a) only Process the Personal Data on Your behalf where and to the extent necessary to perform Provider’s obligations under the Agreement and applicable law, and only in accordance with the terms of this DPA, and the documented reasonable instructions You may issue from time to time (provided that such instructions are within the scope of Provider’s obligations under this DPA), unless otherwise required by law, regulation, court of competent jurisdiction or any other governmental or regulatory body. The Provider will promptly notify You if, in its opinion, Your instructions would not comply with the Data Protection Legislation;
  • (b) implement appropriate technical and organizational measures, taking into account the nature and purposes of the processing and being appropriate to the nature of Personal Data to be protected, to protect the Personal Data against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, unavailability, or damage. Provider’s security measures are described further in the Schedule to this DPA;
  • (c) ensure that personnel who have access to and/or process the Personal Data are obliged to keep the Personal Data confidential;
  • (d) not transfer the Personal Data to another country unless the transfer complies with the Data Protection Legislation. The Schedule lists the countries where the Provider may receive, access, transfer, or store Personal Data;
  • (e) notify You if Provider becomes aware of any Data Subject Request to exercise any rights an individual may have relating to the Personal Data and to the extent that You, in Your use of the Services, do not have the ability to address the Data Subject Request, Provider shall upon Your request provide commercially reasonable efforts to assist You in responding to such Data Subject Request;
  • (f) provide commercially reasonable assistance to You in ensuring compliance with Your obligations under the Data Protection Legislation, taking into account the nature of the Provider’s processing and the information available to the Provider, including with respect to consultations with supervisory authorities or regulators or carrying out a data protection impact assessment;
  • (g) inform You within 48 hours if it becomes aware of any Personal Data Breach or any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to such Personal Data transmitted, stored or otherwise processed by Provider. Following any such notification, the parties will co-ordinate with each other to investigate the matter. The Provider will reasonably co-operate with the Client in the Client’s handling of the matter, including assisting with any investigation and making available all relevant records, logs, files, data reporting, and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Client;
  • (h) maintain records and information regarding Provider’s processing activities in respect of the Personal Data to demonstrate Provider’s compliance with this DPA and any applicable Data Protection Legislation requirements;
  • (i) conduct audits of its Personal Data processing practices and the information technology and information security controls for the facilities and systems used in complying with its obligations under this DPA. Upon the Clients written request, Provider will make all of the relevant audit reports available to the Client for review. The Client will treat such reports as the Provider’s confidential information under the Agreement;
  • (j) allow for audits by You or Your designated auditor of Provider’s procedures relevant to the processing of the Personal Data, provided that in the case of any audit, You shall:
    • (i) comply with any reasonable requirements or security restrictions that Provider may impose to safeguard Provider’s systems, Personal Data Provider holds as a Controller and/or on behalf of other customers and clients and Provider’s own confidential or commercially sensitive information and to avoid unreasonable disruption to Provider’s business and operations;
    • (ii) reimburse Provider for any time expended by Provider in respect of any such audit, at Provider’s then current professional services rates, which shall be made available to You upon request, which costs shall be reasonable, taking into account the resources expended by Provider; and
    • (iii) before the commencement of any audit, the parties shall mutually agree on the scope, timing, and duration of the audit.
  • (k) On termination or expiry of this Agreement, or at any other time at Your request, Provider shall return or permanently erase (at Your election) all copies of Personal Data received and/or processed by it under this Agreement unless any applicable law requires retention of the Personal Data.
4.14

For the avoidance of doubt, the provisions of Clause 4.13 do not apply to Personal Data Processed by Provider as a Controller.

4.15

Provider will limit Personal Data access to:

  • (a) Those of its employees who require Personal Data access to meet the Provider’s obligations under this DPA and the Agreement; and
  • (b) the part or parts of the Personal Data that those employees strictly require for the performance of their duties.
4.16

Provider will ensure that all of its employees:

  • (a) are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
  • (b) have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and
  • (c) are aware both of Provider’s duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.
4.17

Provider will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of the Provider’s employees with access to the Personal Data.

 

5.   Sub-processors

5.1

In respect of Personal Data which is processed by Provider on Your behalf, You hereby consent to Provider appointing the Processors set out in the Schedule as Sub-Processors of the Personal Data under this DPA.

5.2

Provider shall have in place a written contract with such Sub-Processors in respect of such Processing of Personal Data that contains terms substantially similar to those set out in this DPA.

5.3

To the extent that any Sub-Processors are involved in the Processing of such Personal Data, Provider shall inform You of any intended changes or replacements to any such Processors or any additional Processors (name of Sub-Processor, type of Processing activity and location). Within a period of 30 days of the date of notification of such changes, You may object to any such changes on reasonable grounds, in which event either party shall have the right to terminate the Agreement on giving the other party 30 days’ written notice, without liability to the other party. If You have not objected to any such changes within a period of 30 days of the date of the notification of the changes, You shall be deemed to have accepted such changes.

5.4

Where such Sub-Processors are providing the Services in countries that do not benefit from an adequacy decision by the European Commission, Provider shall provide this information and implement appropriate safeguards as required by Data Protection Legislation. This may be by way of standard contractual clauses or other means.

 

6.   Liability

6.1

Each party’s liability under this DPA shall be subject to the exclusions and limitations of liability in the Agreement.

 

7.   Change of Law

7.1

If there are any changes and/or updates to any Applicable Law (including Data Protection Legislation) or codes of practice issued by the Information Commissioner’s Office which require or make it desirable for any amendments to be made to this DPA (as determined by Provider), Provider shall be entitled to vary this DPA and shall provide notice of any changes in writing to You.

 

8.   Term & Termination

8.1

This DPA will remain in full force and effect so long as:

  • (a) the Agreement remains in effect; or
  • (b) Provider retains any Personal Data related to the provision of the Services under the Agreement in its possession or control (“Term”).
8.2

Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Personal Data will remain in full force and effect.

8.3

If any change in any Data Protection Legislation or either party’s circumstances prevent a party from fulfilling all or part of its obligations, the parties will suspend the processing of Personal Data until the party’s processing complies with the requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation, either party may terminate the Agreement upon written notice to the other party.

 

9.   Miscellaneous

9.1

This DPA and the Agreement (and any documents incorporated therein) constitute the entire agreement and understanding of the parties in relation to the subject matter of this DPA and the Agreement and supersede any previous agreement between the parties relating to such subject matter; and shall apply to the exclusion of and prevail over any express terms contained in any standard documentation of either party (including but not limited to any of Your standard terms and conditions). The parties acknowledge that they have not entered into this DPA in reliance upon any statement, representation, assurance or warranty which is not set out in this DPA.

9.2

Subject to Clause 7 (Change of Law), any variation or amendment to this DPA will not be binding on the parties unless set out in writing, expressed to amend this DPA and signed by an authorised representative of each party.

9.3

Each of the parties to this DPA is an independent contractor and nothing contained in this DPA shall be construed to imply that there is any relationship between the parties of partnership or of principal/agent or of employer/employee nor are the parties hereby engaging in a joint venture and accordingly neither of the parties shall have any right or authority to act on behalf of the other nor to bind the other by contract or otherwise, unless expressly permitted by the terms of this DPA.

9.4

No failure or delay by a party to exercise any right or remedy provided under this DPA or by law shall constitute a waiver or abandonment of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

9.5

Any notice given to a party under or in connection with this DPA shall be done so in accordance with the provisions for notices in the Agreement.

 

10.   Governing Law & Venue

10.1

This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the provisions for governing law and venue in the Agreement.

®Purpose of the processing of Personal Data by Provider on Your behalf

Provider uses such information for the purpose of providing services to its clients as specified by the Agreement.

 

Types of personal data to be processed and categories of data subject

Depending on the Services that the Client has purchased, Provider may be in receipt of Your employee contact information, including but not limited to name, job title, phone number and email.

 

Processing duration

Provider shall determine the period for which such personal data is processed.

To the extent that Provider processes personal data on Your behalf, Provider shall only process the personal data for as long as is required for the performance of the Agreement or as required under applicable law. Following termination of the Agreement, Provider shall cease processing and delete the personal data, save to the extent: (a) required by applicable law; (b) as a result of Provider’s automatic archiving and backup procedures; and/or (c) to comply with bona fide internal compliance and audit policies and procedures, and in such case, Provider will continue to protect such personal data in accordance with the terms of this DPA until such time that it can reasonably return or securely dispose of such personal data.

 

Retention of the data for which Provider is a controller

For the avoidance of doubt, this obligation shall not apply to personal data which Provider processes as a controller in the provision of the Services.

 

Processors and Sub-Processors

  • Amazon Web Services: hosting. Processing locations: Ireland and USA. Nature of safeguard in case of transfer of data outside the EEA: adequacy decision; SCCs. 
  • Auctor: video conferencing summarization. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Bridgetown Research: research platform. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Cognito Forms: form creation. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Crosslake Technologiesas set out in the DPA. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: IDTA.
  • Datto: backup solution. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Demand Tools: CRM data quality tool. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Docusign: eSignature. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Easy Retro: sprint retrospective collaboration. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • eTrigue: lead management. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Fathom: video conferencing summarization. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Figma: prototyping / UX design. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • GLG: research platform. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Grammarly: writing assistance. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs.  
  • Inex One: research platform. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Jira (Atlassian): service desk software. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs.
  • LucidChart: diagram / chart creation. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Medallia Agile Research: client satisfaction surveys. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Merge: data integration. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Miro: visual collaboration. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Monday: project management and productivity; team management. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Moqups: prototyping / UX design. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • MS Office 365: Outlook email and calendar, document storage using OneDrive and SharePoint and reporting in Power BI. Processing locations: UK and USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Netsuite (Oracle): accounting and billing. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • OpenAI: data analysis. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Roadmunk: roadmapping. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Salesforce: CRM. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Scout APM: application monitoring. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Sentry: application monitoring. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Slack: messaging. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Smartsheet: project management. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Twilio: two-factor authentication. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Zapier: automation workflows. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Zoom: video conferencing. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 

Provider may update the list of its Processors from time to time and notify You as provided in the DPA.

 

Security Measures

  • Password protection
  • Access controls
  • Data back up and destruction with accompanying policies
  • Multi-factor authentication
  • Firewalls and anti-phishing layers
  • Physical security at Provider premises
  • Data segregation

 

Location of Processing

UK, USA and Ireland

 

Crosslake logo 128x24-4x
Insights
Connect
Crosslake logo 128x24-4x
Insights
Connect