Measurabl Logo
DATA PROCESSING ADDENDUM

EXHIBIT A

DATA PROCESSING ADDENDUM

THIS DATA PROCESSING ADDENDUM (“DPA”) is entered into as of the Addendum Effective Date by and between: (1) Measurabl, Inc., a Delaware corporation having its principal place of business at 302 Washington Street, #150-5543, San Diego, CA 92103 (“Measurabl”); and (2) the legal entity indicated on the applicable Order Form (“Customer”), together the “Parties” and each a “Party”.

1. INTERPRETATION

1.1. In this DPA the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:

  1. “Addendum Effective Date” means the effective date of the Agreement.
  2. “Agreement” means the Software as a Service Agreement and/or the Master Services Agreement entered into by and between the Parties on.
  3. “Applicable Data Protection Laws” means the GDPR and the CCPA, in each case to the extent applicable to the Processing of Customer Personal Data under the Agreement.
  4. “Business Day” means any day which is not a Saturday, Sunday or public holiday, and on which the banks are open for business, in California.
  5. “CCPA” means the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder.
  6. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
  7. “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
  8. “Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Customer Personal Data and the Processing thereof.
  9. “EEA” means the European Economic Area.
  10. “GDPR” means, as and where applicable to Processing concerned:
    • the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or
    • the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
  11. “Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar term defined in Applicable Data Protection Laws.
  12. “Personal Data Breach” means a breach of Measurabl’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data in Measurabl’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
  13. “Personnel” means a person’s employees, agents, consultants or contractors.
  14. “Process” and inflection thereof means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  15. “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
  16. “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in:
    • in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”);
    • in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
  17. “SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.
  18. “Service Data” means any data relating to the use, support and/or operation of the Services, which is collected directly by Measurabl from and/or about users of the Services and/or Customer’s use of the Service for use for its own purposes (certain of which may constitute Personal Data).
  19. “Services” means those services and activities to be supplied to or carried out by or on behalf of Measurabl for Customer pursuant to the Agreement.
  20. “Sub-Processor” means any third party appointed by or on behalf of Measurabl to Process Customer Personal Data.
  21. “Customer Personal Data” means any Personal Data Processed by Measurabl or its Sub-Processor on behalf of Customer to perform the Services under the Agreement.
  22. “Supervisory Authority”: (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office.
  23. “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the UK Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).

1.2. In this DPA:

  1. the terms, "business," “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA; and “personal information” shall mean Customer Personal Data that constitutes “personal information” governed by the CCPA;
  2. unless otherwise defined in this DPA, all capitalised terms in this DPA shall have the meaning given to them in the Agreement;
  3. the singular includes the plural and vice versa, unless the context otherwise requires;
  4. references to this DPA include its Annexes;
  5. references to Sections and/or Annexes are to sections of, and annexes to, this Data Processing Addendum;
  6. this DPA shall be incorporated into and form part of the Agreement with effect from the Addendum Effective Date. In the event of any conflict or inconsistency between:
    • this DPA and the Agreement, this DPA shall prevail; or
    • any SCCs entered into pursuant to Paragraph 6 of Annex 1 (European Annex) and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.

2.   SCOPE OF THIS DATA PROCESSING ADDENDUM
2.1   The front-end of this DPA applies generally to Measurabl’s Processing of Customer Personal Data under the Agreement.

2.2   Annex 1 (European Annex) to this DPA applies only if and to the extent Measurabl’s Processing of Customer Personal Data under the Agreement is subject to the GDPR.

2.3   Annex 2 (California Annex) to this DPA applies only if and to the extent Measurabl’s Processing of Customer Personal Data under the Agreement is subject to the CCPA with respect to which Customer is a “business” (as defined in the CCPA).

3.   PROCESSING OF CUSTOMER PERSONAL DATA
3.1   Measurabl shall not Process Customer Personal Data other than on Customer’s instructions or as required by applicable laws.

3.2   Customer instructs Measurabl to Process Customer Personal Data as necessary to provide the Services to Customer under and in accordance with the Agreement.

3.3   Notwithstanding anything to the contrary herein, Measurabl may terminate the Agreement in its entirety upon written notice to Customer with immediate effect if Measurabl considers (in its reasonable discretion) that:
  1. it is unable to adhere to, perform or implement any instructions issued by Customer due to the technical limitations of its systems, equipment and/or facilities; and/or
  2. to adhere to, perform or implement any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).

4.   VENDOR PERSONNEL
Measurabl shall take commercially reasonable steps to ascertain the reliability of any Measurabl Personnel who Process Customer Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5.   SECURITY
5.1   Measurabl shall implement and maintain technical and organisational measures in relation to Customer Personal Data designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access as described in Annex 3 (Security Measures) (the “Security Measures”).

5.2   Measurabl may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.

6.   DATA SUBJECT RIGHTS
6.1   Measurabl, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligations to respond to Data Subject Requests. If Measurabl receives a Data Subject Request, Customer will be responsible for responding to any such request.

6.2   Measurabl shall:
  1. promptly notify Customer if it receives a Data Subject Request; and
  2. not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except on the written instructions of Customer or as required by Applicable Data Protection Laws.

6.3   Operational clarifications:
  1. When complying with its transparency obligations under Clause 8.3 of the SCCs, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Measurabl’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.
  2. Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Measurabl to notify any third- party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer.
  3. For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Customer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.
  4. Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Measurabl (at Measurabl’s then-current professional services rates) in Measurabl’s cooperation and assistance provided to Customer under this Section 6, and shall on demand reimburse Measurabl any such costs incurred by Measurabl.

7.   PERSONAL DATA BREACH

Breach notification and assistance

7.1   Measurabl shall notify Customer without undue delay upon Measurabl’s becoming aware of a Personal Data Breach affecting Customer Personal Data. Measurabl shall provide Customer with information (insofar as such information is within Measurabl’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by Measurabl) to allow Customer to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. Measurabl’s notification of or response to a Personal Data Breach shall not be construed as Measurabl’s acknowledgement of any fault or liability with respect to the Personal Data Breach.

7.2   Measurabl shall reasonably co-operate with Customer and take such commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Personal Data Breach.

7.3   Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.

Notification to Measurabl

7.4   If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Measurabl, where permitted by applicable laws, Customer agrees to: Measurabl in advance; and in good faith, consult with Measurabl and consider any clarifications or corrections Measurabl may reasonably recommend or request to any such notification which:
  1. relate to Measurabl’s involvement in or relevance to such Personal Data Breach; and/li>
  2. are consistent with applicable laws.

8.   CUSTOMER’S RESPONSIBILITIES
8.1   Customer agrees that, without limiting Measurabl’s obligations under Section 5 (Security), Customer is solely responsible for its use of the Services, including
  1. making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data;
  2. securing the account authentication credentials, systems and devices Customer uses to access the Services;
  3. securing Customer’s systems and devices that Measurabl uses to provide the Services; and
  4. backing up Customer Personal Data.

8.2   Customer shall ensure:
  1. that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Measurabl of Customer Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and
  2. that all Data Subjects have
    • been presented with all required notices and statements (including as required by Article 12-14 of the GDPR (where applicable));
    • provided all required consents, in each case (i) and (ii) relating to the Processing by Measurabl of Customer Personal Data.

8.3   Customer agrees that the Service, the Security Measures, and Measurabl’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.

8.4   Customer shall not provide or otherwise make available to Measurabl any Customer Personal Data that contains any
  1. Social Security numbers or other government-issued identification numbers;
  2. protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional;
  3. health insurance information;
  4. biometric information;
  5. passwords to any online accounts;
  6. credentials to any financial accounts;
  7. tax return data;
  8. any payment card information subject to the Payment Card Industry Data Security Standard;
  9. Personal Data of children under 13 years of age; or
  10. any other information that falls within any special categories of personal data (as defined in GDPR) and/or data relating to criminal convictions and offences or related security measures (together, “Restricted Data”).

8.5   Customer acknowledges that Measurabl may be required under the GDPR to:
  1. collect and maintain records of certain information, including the name and contact details of each Processor and/or Controller on behalf of whom Measurabl is acting and, where applicable, of such Processor’s or Controller’s local representative (e.g., any such representative(s) appointed under Article 27 of the GDPR) and data protection officer; and
  2. make such information available to Supervisory Authorities. Accordingly, Customer will, where requested, provide such information to Measurabl, and will ensure that all information provided is kept accurate and up-to-date.

9.   LIABILITY
The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA and the SCCs (if and as they apply) will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 9 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).

10.   SERVICE DATA
10.1   Customer acknowledges that Measurabl may collect, use and disclose Service Data for its own business purposes, such as:
  1. for accounting, tax, billing, audit, and compliance purposes;
  2. to provide, improve, develop, optimise and maintain the Services;
  3. to investigate fraud, spam, wrongful or unlawful use of the Services; and/or
  4. as otherwise permitted or required by applicable law.

10.2   In respect of any such Processing described in Section 10.1, Measurabl:
  1. independently determines the purposes and means of such Processing;
  2. shall comply with Applicable Data Protection Laws (if and as applicable in the context);
  3. shall Process such Service Data as described in Measurabl’s relevant privacy notices/policies (such as that shown at https://www.measurabl.com/privacy-policy, as updated from time to time); and
  4. where possible, shall apply technical and organisational safeguards to any relevant Personal Data that are no less protective than the Security Measures.

10.3   For the avoidance of doubt, this DPA shall not apply to Measurabl’s collection, use, disclosure or other Processing of Service Data, and Service Data does not constitute Customer Personal Data.

11.   CHANGE IN LAWS
11.1   In the event that there is a change in Applicable Data Protection Laws that Measurabl considers (acting reasonably) would mean that Measurabl is no longer able to provide the Services (including any Processing and/or Restricted Transfer(s) of Customer Personal Data) in accordance with its obligations under Applicable Data Protection Laws, Measurabl reserves the right to make such changes to the Services and to amend any part of this DPA as it considers reasonably necessary to ensure that Measurabl is able to provide the Services in accordance with Applicable Data Protection Laws.

11.2   In the event that Customer considers (acting reasonably) that any required changes made either to the Services and/or this DPA pursuant to Section 11.1 will cause material and irreparable harm to Customer, Customer may terminate the Agreement in its entirety upon written notice to Measurabl with immediate effect.

Exhibit A, Annex 1 European Annex

1.   PROCESSING OF CUSTOMER PERSONAL DATA
1.1   The Parties acknowledge and agree that the details of Measurabl’s Processing of Personal Data under this DPA and the Agreement (including the respective roles of the Parties relating to such Processing) are as set out in Attachment 1 to Annex 1 (European Annex) to the DPA.

1.2   Where Measurabl receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Measurabl shall inform Customer.
1.3   Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing of Customer Personal Data by or on behalf of Measurabl pursuant to or in connection with the Agreement shall be in strict compliance with the GDPR and all other applicable laws.

2.   SUB-PROCESSING
2.1   Customer generally authorises Measurabl to appoint Sub-Processors in accordance with this Paragraph 2.

2.2   Measurabl may continue to use those Sub-Processors already engaged by Measurabl as at the date of this DPA (as those SubProcessors are shown, together with their respective functions and locations, at https://www.measurabl.com/sub-processors/ (Authorised Sub-Processors) (the “Sub- Processor List”)).

2.3   Measurabl shall give Customer prior written notice of the appointment of any proposed Sub- Processor, including reasonable details of the Processing to be undertaken by the Sub-Processor, by providing Customer with an updated copy of the SubProcessor List via a ‘mailshot’ or similar bulk distribution mechanism sent via email to Customer’s contact point as set out in Attachment 1 to Annex 1 (European Annex). If, within ten (10) Business Days of receipt of that notice, Customer notifies Measurabl in writing of any objections (on reasonable grounds) to the proposed appointment: Measurabl shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services, which avoids the use of that proposed Sub-Processor; and where:
  1. such a change cannot be made within twenty (20) Business Days from Measurabl’s receipt of Customer’s notice;
  2. no commercially reasonable change is available; and/or
  3. Customer declines to bear the cost of the proposed change, then either Party may by written notice to the other Party with immediate effect terminate the Agreement, either in whole or to the extent that it relates to the Services which require the use of the proposed Sub-Processor, as its sole and exclusive remedy.

2.4   If Customer does not object to Measurabl’s appointment of a Sub-Processor during the objection period referred to in Paragraph 2.3, Customer shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.

2.5   With respect to each Sub-Processor, Measurabl shall maintain a written contract between Measurabl and the Sub-Processor that includes terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this DPA (including the Security Measures). Measurabl shall remain liable for any breach of this DPA caused by a Sub-Processor.

2.6   Operational clarifications:
  1. The terms and conditions of this Paragraph 2 apply in relation to Measurabl’s appointment and use of Sub-Processors under the SCCs.
  2. Any approval by Customer of Measurabl’s appointment of a Sub-Processor that is given expressly or deemed given pursuant to this Paragraph 2 constitutes Customer’s documented instructions to effect disclosures and onward transfers to any relevant Sub-Processors if and as required under Clause 8.8 of the SCCs.

3.   DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
3.1   Measurabl shall, taking into account the nature of the Processing and the information available to Measurabl, provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing by, and information available to, Measurabl.

3.2   Operational clarification: Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Measurabl (at Measurabl’s then-current professional services rates) in Measurabl’s provision of any cooperation and assistance provided to Customer under Paragraph 3.1, and shall on demand reimburse Measurabl any such costs incurred by Measurabl.

4.   RETURN AND DELETION
4.1   Subject to Paragraph 4.2 and 4.3, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), Measurabl shall promptly cease all Processing of Customer Personal Data for any purpose other than for storage or as otherwise permitted or required under this DPA.

4.2   Customer hereby acknowledges and agrees that, due to the nature of the Customer Personal Data Processed by Measurabl, return (as opposed to deletion) of Customer Personal Data is not a reasonably practicable option in the circumstances. Having regard to the foregoing, Customer agrees that (for the purposes of Article 28(3)(g) of the GDPR) it is hereby deemed (at the Cessation Date) to have irrevocably selected deletion, in preference of return, of the Customer Personal Data.

4.3   To the fullest extent technically possible in the circumstances, within thirty five (35) Business Days after the Cessation Date, Measurabl shall either (at its option):
  1. delete; or
  2. irreversibly render anonymous, all Customer Personal Data then within Measurabl’s possession.

4.4   Measurabl and any Sub-Processor may retain Customer Personal Data where permitted or required by applicable law, for such period as may be required by such applicable law, provided that Measurabl shall:
  1. maintain the confidentiality of all such Customer Personal Data; and
  2. process the Customer Personal Data only as necessary for the purpose(s) specified in the applicable law permitting or requiring such retention.

4.5   Operational clarification: Certification of deletion of Customer Personal Data as described in Clauses 8.5 and 16(d) of the SCCs, shall be provided only upon Customer’s written request.

5.   AUDIT RIGHTS
5.1   Measurabl shall make available to Customer on request, such information as Measurabl (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA.

5.2   Subject to Paragraphs 5.3 to 5.8, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Measurabl pursuant to Paragraph 5.1 is not sufficient in the circumstances to demonstrate Measurabl’s compliance with this DPA, Measurabl shall allow for and contribute to audits, including on-premise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Data by Measurabl.

5.3   Customer shall give Measurabl reasonable notice of any audit or inspection to be conducted under Paragraph 5.2 (which shall in no event be less than thirty (30) Business Days’ notice unless required by a Supervisory Authority pursuant to Paragraph 5.6(f)) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies Measurabl in respect of, any destruction, damage, injury or disruption to Measurabl’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Measurabl’s other customers or the availability of Measurabl’s services to such other customers).

5.4   Prior to conducting any audit, Customer must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Measurabl will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Measurabl security, privacy, employment or other relevant policies). Measurabl will work cooperatively with Customer to agree on a final audit plan.

5.5   If the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request (“Audit Report”) and Measurabl has confirmed in writing that there are no known material changes in the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures.

5.6   Measurabl need not give access to its premises for the purposes of such an audit or inspection:
  1. where an Audit Report is accepted in lieu of such controls or measures in accordance with Paragraph 5.5;
  2. to any individual unless they produce reasonable evidence of their identity and authority;
  3. to any auditor whom Measurabl has not approved in advance (acting reasonably);
  4. to any individual who has not entered into a non-disclosure agreement with Measurabl on terms acceptable to Measurabl;
  5. where, and to the extent that, Measurabl considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Measurabl’s other customers or the availability of Measurabl’s services to such other customers;
  6. outside normal business hours at those premises; or
  7. on more than one occasion in any calendar year during the term of the Agreement, except for any audits or inspections which Customer
    1. reasonably considers necessary because of a Personal Data Breach affecting Customer Personal Data or
    2. is required to carry out under the GDPR or by a Supervisory Authority, in each case provided Customer has identified the Personal Data Breach or the relevant requirement in its notice to Measurabl of the audit or inspection.

5.7   Nothing in this DPA shall require Measurabl to furnish more information about its Sub- Processors in connection with such audits than such Sub-Processors make generally available to their customers.

5.8   Operational clarifications:
  1. Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Measurabl (at Measurabl’s then-current professional services rates) in Measurabl’s provision of any cooperation and assistance provided to Customer under this Paragraph 5 (excluding any costs incurred in the procurement, preparation or delivery of Audit Reports to Customer pursuant to Paragraph 5.5 ), and shall on demand reimburse Measurabl any such costs incurred by Measurabl.
  2. The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in this Paragraph 5.

6.   RESTRICTED TRANSFERS

EU Restricted Transfers
6.1   To the extent that any Processing of Customer Personal Data under this DPA involves an EU Restricted Transfer from Customer to Measurabl, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be: populated in accordance with Part 1 of Attachment 2 to Annex 1 (European Annex); and entered into by the Parties and incorporated by reference into this DPA.

UK Restricted Transfers
6.2   To the extent that any Processing of Customer Personal Data under this DPA involves a UK Restricted Transfer from Customer to Measurabl, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be: varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with Part 2 of Attachment 2 to Annex 1 (European Annex); and entered into by the Parties and incorporated by reference into this DPA.

Adoption of new transfer mechanism
6.3   Measurabl may on notice vary this DPA and replace the relevant SCCs with:
  1. any new form of the relevant SCCs or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or
  2. another transfer mechanism, other than the SCCs, that enables the lawful transfer of Customer Personal Data to Measurabl under this DPA in compliance with Chapter V of the GDPR.

Provision of full-form SCCs
6.4   In respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority, Data Subject or further Controller (where applicable) – on specific written request (made to the contact details set out in Attachment 1 to this Annex 1(European Annex); accompanied by suitable supporting evidence of the relevant request), Measurabl shall provide Customer with an executed version of the relevant set(s) of SCCs responsive to the request made of Customer (amended and populated in accordance with Attachment 2 to Annex 1 (European Annex) in respect of the relevant Restricted Transfer) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer’s compliance with Applicable Data Protection Laws.

ATTACHMENT 1 TO EUROPEAN ANNEX

Data Processing Details

Note:
This Attachment 1 to Annex 1 (European Annex) to the DPA includes certain details of the Processing of Personal Data as required:
  • by Article 28(3) GDPR; and
  • to populate the Appendix to the SCCs in the manner described in Attachment 2 to Annex 1 (European Annex) to the DPA.

VENDOR / ‘DATA IMPORTER’ DETAILS
Name:Measurabl, Inc., a Delaware corporation
Address:As set out in the preamble to the DPA
Contact Details for Data Protection:Role: Head of Legal
Email: dataprivacy@measurabl.com
Measurabl Activities:Measurabl is a provider of certain SaaS and other offerings to customers that own or have interest in commercial real estate – including the provision of the Services to Customer, and certain associated Processing of Customer Personal Data on Customer’s behalf, subject to and in accordance with the Agreement.
Role:Processor

VENDOR / ‘DATA IMPORTER’ DETAILS
Name:The entity or other person who is a counterparty to the Agreement
Address:As set out in the preamble to the DPA
Contact Details for Data Protection:Customer’s contact details are the contact details shown in the Order Form
Measurabl Activities:Customer’s activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations.
Role:• Controller – in respect of any Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and
• Processor – in respect of any Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person (including its affiliates if and where applicable).

DETAILS OF PROCESSING
Categories of Data SubjectsRelevant Data Subjects include:

     • Personnel of Customer with whom Measurabl needs to communicate in order to make the Measurabl Services available to Customer and its authorised users.
     • Authorised users of the Measurabl Services (including Customer Personnel and other third parties authorised by Customer).

Each category includes current, past and prospective Data Subjects.
Categories of Personal DataRelevant Personal Data includes:

     • Name
     • Email address
     • Employer
     • Professional title
     • Telephone number
     • Office address
     • IP address
Sensitive Categories of Data, and associated additional restrictions/safeguardsCategories of sensitive data

None – as noted in Section 8.4 of the DPA, Customer agrees that Restricted Data, which includes ‘sensitive data’ (as defined in Clause 8.7 of the SCCs), must not be submitted to the Services.

Additional safeguards for sensitive data: N/A
Frequency of TransferOngoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.
Nature of the ProcessingProcessing operations required in order to provide the Services in accordance with the Agreement.
Purpose of the ProcessingCustomer Personal Data will be processed:
     (i) as necessary to provide the Services as initiated by Customer in its use thereof, and
     (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.
Duration of Processing / Retention PeriodFor the period determined in accordance with the Agreement and DPA, including Paragraph 4 of Annex 1 (European Annex) to the DPA.
Transfers to (sub-)processorsTransfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List (as may be updated from time to time in accordance with Paragraph 2 of Annex 1 (European Annex) to the DPA).

DATA PROCESSING ADDENDUM

ATTACHMENT 2 TO EUROPEAN ANNEX POPULATION OF SCCs

Notes:

  • In the context of any EU Restricted Transfer, the SCCs populated in accordance with Part 1 of this Attachment 2 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 6.2 of Annex 1 (European Annex) to the DPA).
  • In the context of any UK Restricted Transfer, the SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Attachment 2 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 6.3 of Annex 1 (European Annex) to the DPA).

PART 1: POPULATION OF THE SCCs

1.   SIGNATURE OF THE SCCs:
Where the SCCs apply in accordance with Paragraph 6.2 of Annex 1 (European Annex) to the DPA each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.

MODULES
The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Attachment 1 to Annex 1 (European Annex) to the DPA):
  1. Module Two of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and/or
  2. Module Three of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person.

POPULATION OF THE BODY OF THE SCCs
3.1   For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
  1. The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is let intentionally blank.
  2. In Clause 9:
    • OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in Paragraph 2.3 of Annex 1 (European Annex) to the DPA; and
    • OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the SCCs.
  3. In Clause 11, the optional language is not used and is deleted.
  4. In Clause 13, all square brackets are removed and all text therein is retained.
  5. In Clause 17: OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EU Restricted Transfer; and OPTION 2 is not used and that optional language is deleted.
  6. For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.

3.2   In this Paragraph 3, references to “Clauses” are references to the Clauses of the SCCs.

4.   POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs
4.1   Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Attachment 1 to Annex 1 (European Annex) to the DPA, with: Customer being ‘data exporter’; and Measurabl being ‘data importer’.

4.2   Part C of Annex I to the Appendix to the SCCs is populated as below: Irish Data Protection Authority (Data Protection Commission)
4.3   Annex II to the Appendix to the SCCs is populated as below:

General:
  • Please refer to Section 5 of the DPA and Annex 3 (Security Measures) to the DPA.
  • In the event that Customer receives a Data Subject Request under the EU GDPR and requires assistance from Measurabl, Customer should email Measurabl’s contact point for data protection identified in Attachment 1 to Annex 1(European Annex) to the DPA.
Sub-Processors: When Measurabl engages a Sub-Processor under these Clauses, Measurabl shall enter into a binding contractual arrangement with such Sub-Processor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of:
  • applicable information security measures;
  • notification of Personal Data Breaches to Measurabl;
  • return or deletion of Customer Personal Data as and where required; and
  • engagement of further Sub-Processors.

PART 2: UK RESTRICTED TRANSFERS

1.   UK TRANSFER ADDENDUM
1.1   Where relevant in accordance with Paragraph 6.3 of Annex 1 (European Annex) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below –
  1. Part 1 to the UK Transfer Addendum. The Parties agree:
    • Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Attachment 1 to Annex 1 (European Annex) to the DPA and the foregoing provisions of this Attachment 2 (subject to the variations effected by the UK Mandatory Clauses described in (b) below); and
    • Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
  2. Part 2 to the UK Transfer Addendum. The Parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum.

1.2   As permitted by Section 17 of the UK Mandatory Clauses, the Parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner set out in Paragraph 1.1 of this Part 2; provided that the Parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in Section 3 of the UK Mandatory Clauses).

1.3   In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1.1 of this Part 2.

Exhibit A, Annex 2 California Annex

1.   It is the Parties’ intent that with respect to any personal information, Measurabl is a service provider. Measurabl shall not
  1. sell any personal information;
  2. retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Service; or
  3. retain, use or disclose the personal information outside of the direct business relationship between Measurabl and Customer. Measurabl hereby certifies that it understands its obligations under this Annex 2 and will comply with them.

2.   The Parties acknowledge that Measurabl’s retention, use and disclosure of personal information authorised by Customer’s instructions stated in the DPA are integral to the Services and the business relationship between the Parties. The exchange of Customer Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.

Exhibit A, Annex 3 Security Measures

As from the Addendum Effective Date, Measurabl will implement and maintain the Security Measures as set out in this Annex 3.

1.   Organisational management and dedicated staff responsible for the development, implementation and maintenance of Measurabl’s information security program.

2.   Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Measurabl’s organisation, monitoring and maintaining compliance with Measurabl’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

3.   Data security controls which include at a minimum logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for Customer Personal Data that is:
  • transmitted over public networks (i.e. the Internet) or when transmitted wirelessly; or
  • at rest or stored on portable or removable media (i.e. laptop computers, CD/DVD, USB drives, back-up tapes).

4.   Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access when employment terminates or changes in job functions occur).

5.   Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Measurabl passwords that are assigned to its employees must:
  • be at least eight (8) characters in length;
  • not be stored in readable format on Measurabl’s computer systems;
  • have defined complexity; and
  • if newly-issued, be changed after first use.

6.   Physical and environmental security of data centre, server room facilities and other areas containing Customer Personal Data designed to:
  • protect information assets from unauthorised physical access,
  • manage, monitor and log movement of persons into and out of Measurabl facilities, and
  • guard against environmental hazards such as heat, fire and water damage.

7.   Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to Measurabl’s technology and information assets.

8.   Incident / problem management procedures designed to allow Measurabl to investigate, respond to, mitigate and notify of events related to Measurabl’s technology and information assets.

9.   Network security controls that provide for the use of enterprise firewalls, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

10.   Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

11.   Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
Measurabl may update or modify such Security Measures from time to time provided that such updates and modifications do notmaterially decrease the overall security of the Customer Personal Data.
MSR_Logo_Horz_800x200_White

Copyright © 2024 Measurabl, Inc.

Privacy Policy