Kapta Data Processing Addendum

This Kapta Data Processing Addendum (the “DPA”) forms a part of, and is incorporated into, the Terms and Conditions of Service (the “Terms”) between Kapta and Customer. All capitalized terms not defined herein shall have the meaning set forth in the Terms. The parties agree as follows:

1. Definitions

1.1       “Applicable Data Protection Law(s)” means the data protection laws, rules and regulations that are applicable to Kapta. With respect to Personal Data from the EU, “Applicable Data Protections Law(s)” shall include, but not be limited to, Privacy Shield principles and requirements, and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

1.2       “Customer EU Personal Data” means Customer Personal Data about individuals who are, based on information known to Processor, residents of the European Union.

1.3       “Customer Personal Data” means Personal Data received by Kapta pursuant to the Terms and pertaining to Customer’s current, former, or potential customers, employees, vendors, or other individuals.

1.4       “Data Security Statement” means the Data Security Statement located at www.kapta.com/security-statement/, that is incorporated into the Terms and that is applicable to the Online Service purchased by Customer.

1.5       “Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.6       “EU” or “European Union” means the European Union inclusive of the United Kingdom, whether or not the United Kingdom has officially withdrawn from the European Union, as well as Switzerland.

1.7       “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under Applicable Data Protection Law(s).

1.8       “Privacy Shield” means the European Union – United States (“US”) and Swiss – US Privacy Shield Frameworks.

1.9       “Process”, “Processes”, “Processing”, “Processed” shall have the meanings assigned to them in the Applicable Data Protection Laws.

1.10    “Security Incident” means an event about which Kapta knows, discovers, is notified of, or reasonably suspects that, Customer Personal Data has been accessed, disclosed, acquired or used by unauthorized persons, in violation of Applicable Data Protection Law(s).

1.11    “Sub-Processor” means Kapta’s contractors, agents, vendors, and third-party service providers, that Process Customer Personal Data.

2. Data Handling and Access

2.1       General Compliance. Customer hereby authorizes and instructs Kapta to, and Kapta will, and will require Sub-Processors to, Process Customer Personal Data in compliance with the Terms, this DPA, the Data Security Statement, and all Applicable Data Protection Law(s). Customer represents and warrants that it has all authority, grounds, rights, and consents necessary to enable Kapta to Process the Customer Personal Data as required by the Terms, in accordance with the Applicable Data Protection Law(s).

2.2       Kapta and Sub-Processor Compliance. Kapta agrees to (i) enter into a written agreement with Sub-Processors regarding such Sub-Processors’ Processing of Customer Personal Data that imposes on such Sub-Processors data protection and security requirements for Customer Personal Data that are compliant with Applicable Data Protection Law(s), that are consistent with the requirements under this DPA, and that, at a minimum, require a level of data protection and security equal to or superior to the level of data protection and security under this DPA; (ii) reasonably enforce compliance with such written agreement; and (iii) remain responsible to Customer for the actions or omissions of Kapta’s Sub-Processors (and their sub-processors if applicable) with respect to the Processing of Customer Personal Data.

2.3       Authorization to Use Sub-Processors. Customer hereby authorizes (i) Kapta to engage Sub-Processors and (ii) Sub-Processors to engage sub-processors. Kapta will provide Customer, upon Customer’s request, the name, address and role of each Sub-Processor used to Process Customer Personal Data and any other records of Processing of Customer Personal Data that Sub-Processors are required to maintain and provide under Applicable Data Protection Law(s). Customer hereby approves of the following Sub-Processors: Amazon Web Services (United States), Clearbit (United States), Hubspot (United States), Sendgrid (United States), Zoom Video Communications (United States), ScheduleOnce (United States), Zendesk (United States).

2.4       Objection Right for New Sub-Processors. Kapta will inform Customer of any new Sub-Processor in connection with the provision of the applicable Online Service. Customer may object to Kapta’s use of a new Sub-Processor by notifying Kapta promptly in writing within ten (10) business days after receipt of such information. In the event Customer objects to a new Sub-Processor, as permitted in the preceding sentence, Kapta may address the concerns with respect to the Sub-Processor, or recommend a commercially reasonable change to Customer’s configuration or use of the Online Service to avoid Processing of Personal Data by the objected-to Sub-Processor without unreasonably burdening the Customer. If Kapta does not do so within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to any such Online Service which cannot be provided by Kapta without the use of the objected-to new Sub-Processor by providing written notice to Kapta. Kapta will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Order Form(s).

2.5       Following Instructions. Processor will Process Customer Personal Data only in accordance with the written instructions of Customer for the following purposes: (i) Processing in accordance with the Terms and applicable Order Form(s); (ii) Processing initiated by users in their use of the Online Service; (iii) Processing to further develop and provide the Online Services to Kapta’s customers, (iv) Processing to facilitate the anonymization of Personal Data, and (v) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the Terms and all Applicable Data Protection Laws.

2.6       Details of the Processing. The subject matter of Processing of Personal Data by Kapta is the performance of the Online Service pursuant to the Terms. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.

3. EU – U.S. Compliance. This Section applies where the Processor Processes Customer EU Personal Data.

3.1       Rights of Data Subjects. Kapta will, to the extent legally permitted, promptly notify Customer if Kapta receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Kapta will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Applicable Data Protection Laws. In addition, Kapta will, upon Customer’s request and at Customer’s expense, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Kapta is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer will be responsible for any reasonable costs arising from Kapta’s provision of such assistance.

3.2       Kapta Data Transfer Mechanism. Kapta is not Privacy Shield certified but hereby confirms that, during the Subscription Term and with regard to Customer EU Personal Data that Kapta receives or accesses under the Terms, it shall (i) provide at least the same level of protection as is required by Privacy Shield, and (ii) have an independent recourse mechanism compliant with Privacy Shield.

3.3       Prior Consultation. Processor agrees to provide reasonable assistance to Customer (at Customer’s expense) where, in Customer’s judgement, the type of Processing performed by Processor is likely to result in a high risk to the rights and freedoms of natural persons (e.g., systematic and extensive profiling, Processing sensitive Personal Data on a large scale and systematic monitoring on a large scale, or where the Processing uses new technologies) and thus requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.

3.4       Demonstrable Compliance. Processor agrees to keep records of its Processing in compliance with Applicable Data Protection Law(s) and provide such records to Customer upon request. If Processor is collecting Customer EU Personal Data on Customer’s behalf, such records shall include but not be limited to (i) the legal basis for Processing or (ii) records of the verifiable consent under Applicable Data Protection Law(s).

4. Information Security

Kapta will maintain appropriate technical and organizational measures for protection of the security, confidentiality and integrity of Personal Data, as set forth in the Data Security Statement.

5. Assessments, Audits and Remediation

5.1       Assessments. Records to demonstrate compliance with this DPA and Applicable Data Protection Law(s) will be maintained by Kapta and provided to Customer upon request. Kapta will complete within two weeks any reasonable data protection questionnaire provided by Customer.

5.2       Audits. For the purpose of verifying Kapta’s compliance with Applicable Data Protection Law(s) and the Terms and upon reasonable notice of no less than thirty (30) days, Kapta agrees to permit Customer, at Customer’s cost and no more than once annually, to conduct audits through a Kapta approved third party auditor. However, Kapta agrees to allow audits to be conducted directly by Customer where, under Applicable Data Protection Law(s), (a) Customer has the right to conduct audits directly; and (b) such right cannot be contractually waived by Customer. Kapta agrees to cooperate in good faith with the audit and promptly (i) provide access to books, records (including, but not limited to, security scan records), systems, files, and other information necessary for the audit, and (ii) at Customer’s request enable access to Kapta’s premises if absolutely necessary to properly conduct the audit or required under Applicable Data Protection Law(s). Notwithstanding the forgoing, Customer may not conduct any security scans or other intrusion testing on Kapta’s systems without the express prior written consent of Kapta. Customer agrees to (x) schedule audits to minimize disruption to Kapta’s business, (y) require any third party it employs to sign a non-disclosure agreement, and (z) make the results of the audit available to Kapta. Customer will only disclose the results of the audit to third parties to the extent such disclosure is (A) required to demonstrate Customer’s own compliance, or (B) otherwise required under applicable laws.

5.3       Remediation. Kapta agrees to promptly take action to correct any documented material security issue affecting Customer Personal Data identified by such audit and to inform Customer of such actions. If action is not promptly taken, Customer’s sole remedy will be to terminate any or all Order Forms at Customer’s discretion provided that Kapta will incur no penalty for any such termination.

6. Secure Disposal

Customer Personal Data will be securely disposed (i) during the Subscription Terms upon Customer’s written request if such Customer Personal Data is no longer reasonably required to perform the services, (ii) at the termination of the provision of the services. If instructed by Customer, a copy of such Customer Personal Data will be returned to Customer prior to disposal. Kapta may retain Customer Personal Data to the extent that it is required to do so under Applicable Data Protection law(s).

7. Changes to Requirements

Kapta may amend or supplement this DPA from time to time to reflect new requirements under Applicable Data Protection Law(s).

8. Security Incident

8.1       Policy. Kapta will, to the extent required under Applicable Data Protection Laws, notify Customer without undue delay after becoming aware of any Security Incident. Kapta will make reasonable efforts to identify the cause of such Security Incident and take those steps as Kapta deems necessary and reasonable in order to remediate the cause of such Security Incident to the extent the remediation is within Kapta’s reasonable control. The obligations herein shall not apply to Security Incidents that are caused by Customer or Customer’s Users.

8.2       Reports. Upon request by Customer, Kapta will enable Customer to review the results of and reports relating to the investigation and response to a Security Incident, which Customer will treat as Confidential Information of Kapta.

9.Termination Obligations

9.1       Termination. Notwithstanding anything to the contrary in the Terms or this DPA, Customer may terminate any Order Form, or any portion thereof, immediately upon written notice to Kapta, and without judicial notice or resolution or prejudice to any other remedies, in the event a data protection or other regulatory authority or other tribunal or court in any country finds there has been a breach of Applicable Data Protection Law(s) by virtue of Customer’s or Kapta’s Processing of Customer Personal Data in connection with the Terms, and such breach has not been cured within sixty (60) days of Kapta’s receiving notice thereof.

9.2       Effect of Termination or Expiration. Customer Personal Data will be securely destroyed unless Kapta is required to retain such information under Applicable Data Protection law(s). Kapta’s obligations to protect Customer Personal Data will continue until all such information has been permanently and completely destroyed or deleted, including from any back-up.

10. Contact Information

Kapta will designate a point of contact as its Privacy and Security Coordinator. This Privacy and Security Coordinator will: (i) maintain responsibility for applying adequate protections to Customer Personal Data, including the development, implementation, and maintenance of its information security program, (ii) oversee application of Kapta compliance with the requirements of this DPA, and (iii) serve as a point of contact for internal communications and communications with Customer pertaining to this DPA and compliance with or any breaches thereof.

SCHEDULE 1

Nature and Purpose of Processing

Kapta will Process Personal Data as necessary to perform the Online Service pursuant to the Terms, as further specified in the Order Form, and as further instructed by Customer in its use of the Online Service provided by Kapta that enables Customer’s key account management.

Duration of Processing

Kapta will Process Personal Data for the duration of Subscription Term, as provided in the DPA, and as otherwise agreed upon in writing.

Categories of Data Subjects

Customer may submit Personal Data to the Online Service relating to the following categories of data subjects:

        • Current or potential clients, business partners and vendors of Customer (who are natural persons)
        • Employees, officers, directors, contractors or contact persons of Customer’s third-party suppliers, business partners and vendors
        • Customer users authorized by Customer to use the relevant Online Service

Type of Personal Data

Customer may submit Personal Data to the Online Service, the extent of which is neither determined nor controlled by Kapta, and which may include, but is not limited to the following categories of Personal Data:

        • Contact details (e.g. name, postal address, job title, job position, location, employer, relationship with the organization, e-mail address, telephone number, postal address);
        • Username and password for the account of data subjects may establish in the relevant Online Service.