
Data processing Addendum (Customer)

Effective on: 2023-07-20

This Data Processing Addendum, including its schedules (“DPA”) is incorporated by reference into and made part of the Master Service Agreement (the “Agreement”) entered into between MadKudu, Inc. (“MadKudu”) acting on its own behalf and as agent for each MadKudu Affiliate and the customer identified in the Agreement (“Customer”) (each a “Party” and together, the “Parties”) acting on its own behalf and as agent for each Customer Affiliate. This DPA sets forth certain duties and obligations of the Parties with respect to the protection, security, processing, and privacy of Personal Data collected, provided or made available to MadKudu by Customer as part of the services provided by MadKudu for Customer under the Agreement (“Services”). This DPA shall supplement (and not supersede) the Agreement, and shall take precedence solely to the extent of any conflict between this DPA and the Agreement. All capitalized terms used and not expressly defined in this DPA shall have the meanings given to them in the Agreement. This DPA will apply on the effective date of the Agreement (the “Effective Date”).

In the course of providing the Services, MadKudu may Process certain Personal Data provided or made available to MadKudu by Customer on behalf of Customer and the Parties agree to comply with the following provisions with respect to any such Personal Data, each acting reasonably and in good faith.

This DPA has two sets of terms, the Processor Terms and the Controller Terms to govern the different transfers of Personal Data. 
- The Processor Terms apply to any Personal Data that MadKudu and MadKudu Affiliates process as Customer Data, acting as a Processor on behalf of Customer, as more particularly described in Schedule A of the Processor Terms of this DPA.
- The Controller Terms apply to any Personal Data (referred to as “Controller Data” and “Enriched Data”) that MadKudu collects, processes, provides or makes available to Customer as an independent Controller for the purpose of the MadKudu ABM features (“MadKudu ABM”), as more particularly described in Schedule A of the Controller Terms of this DPA.

When Customer shares Personal Data for the purpose of MadKudu ABM or other features clearly labeled by MadKudu as subject to the Controller Terms, the copy(ies)/version(s) of the Personal Data ingested by MadKudu for MadKudu ABM will solely be governed by the Controller Terms as MadKudu assumes the role of a Controller. The Processor Terms continue to apply to the source copy(ies)/version(s), and the Controller Terms apply and take precedence over the Processor Terms with respect to the copy(ies)/version(s) ingested by MadKudu for MadKudu ABM.

If a section in the Controller Terms includes a reference to a section of the DPA, the reference is to the relevant section in the Controller Terms. If a section in the Processor Terms includes a reference to a section of the DPA, the reference is to the relevant section in the Processor Terms.

Definitions

1. DEFINITIONS

1.1 “EU 2021 Standard Contractual Clauses” means the standard contractual clauses adopted by the Commission Implementing Decision (EU) 2021/679 of 4 June 2021 “on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council,” which are incorporated into this DPA by reference.

1.2 “Affiliate” means an entity that owns or controls, is owned or controlled by or is under common control or ownership with either MadKudu or Customer respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

1.3 “Controller” means the natural or legal person who alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.4 “Customer Data” is defined in the Agreement as “[Customer Data]”.

1.5 “Controller Data” means Personal Data that MadKudu collects from Customer in connection with the Service, as more particularly described in Schedule A to the Controller Terms. Personal Data that is shared by a Customer with MadKudu through the Services for the purpose of MadKudu ABM becomes Controller Data once it is ingested by MadKudu for that purpose.

1.6 “Data Protection Laws and Regulations” means all relevant data protection and data privacy laws, rules and regulations, as may be amended from time to time, which are or will come into force during the term of the Agreement to which the Personal Data are subject. Data Protection Laws and Regulations shall include, but not be limited to (i) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (collectively, the “CCPA”); (ii) the Virginia Consumer Data Protection Act (“VCPDA”); (iii) the Colorado Privacy Act and its implementing regulations (“CPA”); (iv) the Utah Consumer Privacy Act (“UCPA”); (v) Connecticut SB6, An Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”); (vi) the General Data Protection Regulation (EU 2016/679) (the “GDPR”); (vii) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and the United Kingdom Data Protection Act of 2018 or any successor law (the “UK GDPR”); and (viii) the Swiss Federal Act on Data Protection (“Swiss FADP”).

1.7 “Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.8 “Enriched Data” means Personal Data that MadKudu provides or makes available to Customer in connection with the Services under the Agreement, as more particularly described in Schedule A of this DPA Controller Terms. Enriched Data may include Personal Data from MadKudu customers that became Controller Data for the purpose of the MadKudu ABM (see “Controller Data”).

1.9 “Personal Data” means personal data (as defined under Data Protection Laws and Regulations) that is uploaded or submitted to the Services by Customer.

1.10 “Process,” “Processes”, “Processing”, “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.11 “Processor” means any entity that Processes Personal Data under the Controller’s instructions.

1.12 “Security Documentation” means MadKudu’s security documentation applicable to the Services, as made available by MadKudu.

1.13 “Sell,” “Sale,” “Share,” or “Sharing” means selling, sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data or Enriched Data to a third party (for cross-context behavioral advertising in the event of “sharing”), whether or not for monetary or other valuable consideration, including (in the event of “sharing”) transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged. 

1.14 “Sub-processor” means any Processor (including any third party and any Affiliate) engaged by a Processor to Process Personal Data on behalf of a Controller.

1.15 “Supervisory Authority” means an independent competent public authority which is established or recognized under Data Protection Laws and Regulations.

1.16 “UK Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.

Processor Terms

1. PROCESSING OF PERSONAL DATA

1.1 Roles. Customer is the Controller and MadKudu is the Processor with regard to the Processing of Personal Data under the Agreement. While providing the Services to Customer and Customer Affiliates pursuant to the Agreement, MadKudu and MadKudu Affiliates may Process Personal Data on behalf of Customer or any Customer Affiliate as per the terms of this DPA. MadKudu agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer or any Customer Affiliate to the Services or otherwise Processed for Customer or any Customer Affiliate by MadKudu or any MadKudu Affiliate.

1.2 Customer’s Processing of Personal Data. Customer shall (a) collect and Process Personal Data, (b) use the Services, and (c) give MadKudu instructions regarding the Processing of Personal Data for Customer, in all cases, in accordance with the Data Protection Laws and Regulations, rules, and regulations, including the Data Protection Laws and Regulations. Customer is solely liable and responsible for the accuracy, quality, and legality of Personal Data and its Processing of Personal Data. Customer is responsible for configuring the Service to meet its security and backup needs and requirements. Customer discloses Personal Data to MadKudu solely for: (i) valid Business Purposes (as defined under Data Protection Laws and Regulations); and (ii) to enable MadKudu to perform the Services.

1.3 MadKudu's Processing of Personal Data.

        (a) MadKudu shall Process Personal Data in accordance with the requirements directly applicable to MadKudu’s provision of its Services under the Data Protection Laws and Regulations. Personal Data shall be considered Customer’s Confidential Information under the Agreement.

        (b) MadKudu shall only Process Personal Data on behalf of and in accordance with Customer’s instructions set forth in this DPA and the Agreement for the specified purposes described in Schedule A to Processor Terms or as required by Data Protection Laws and Regulations.

        (c) MadKudu shall immediately inform Customer if, in MadKudu’s opinion, a Processing instruction given by Customer may infringe Data Protection Laws and Regulations.

        (d) The subject-matter and purpose of Processing of Personal Data by MadKudu is solely so MadKudu can provide the Services to Customer pursuant to the Agreement. 

        (e) The duration of the Processing shall be for the duration of the Agreement. Schedule A to the Processor Terms describes the nature of the Processing, the types of Personal Data Processed, and categories of Data Subjects for which Personal Data is Processed under this DPA.

        (f) Service shall not: (i) Sell or Share Personal Data; (ii) retain, use or disclose Personal Data for a Commercial Purpose (as defined under Data Protection Laws and Regulations) other than providing the Services specified in the Agreement or as otherwise permitted by Data Protection Laws and Regulations; (iii) retain, use, or disclose Personal Data except where permitted under the Agreement between Customer and MadKudu; nor (iv) combine Personal Data with other information that MadKudu Processes on behalf of other persons or that MadKudu collects directly from the Data Subject, with the exception of Processing for Business Purposes. MadKudu certifies that it understands these prohibitions and agrees to comply with them for the duration of the term of the Processor Terms.

        (g) MadKudu shall inform Customer, if MadKudu makes the determination that it can no longer comply with this DPA or Data Protection Laws and Regulations.

        (h) Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate MadKudu’s unauthorized use of Personal Data, such as requiring MadKudu to provide documentation that verifies that MadKudu no longer retains or Processes Personal Data of Data Subjects that have made a valid request to delete their Personal Data to Customer.

1.4 Personnel. MadKudu shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written, industry standard confidentiality agreements. MadKudu shall ensure that MadKudu’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.

2. RIGHTS OF DATA SUBJECTS

2.1 MadKudu shall, to the extent legally permitted, promptly notify Customer if MadKudu receives a request from a Data Subject to exercise a Data Subject’s right under the Data Protection Laws and Regulations (“Data Subject Request”). Taking into account the nature of the Processing, MadKudu shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, MadKudu shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent MadKudu is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from MadKudu’s provision of such assistance.

3. SUB-PROCESSORS

3.1 Appointment of Sub-processors. Customer acknowledges and agrees that MadKudu may engage third-party Sub-processors in connection with the provision of the Services. MadKudu has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.

3.2 List of Current Sub-processors and Notification of New Sub-processors. MadKudu maintains a current list of Sub-processors for the Services in Schedule B to Processor Terms (“Sub-processors List”). Such Sub-processors list shall include the identities of those Sub-processors and their country of location. MadKudu shall provide Customer notification of potential new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Personal Data.

3.3 Objection Right for New Sub-processors. Customer may object to MadKudu’s use of a new Sub-processor by notifying MadKudu promptly in writing within ten (10) business days after receipt of MadKudu’s notice. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, MadKudu will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If MadKudu is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by MadKudu without the use of the objected-to new Sub-processor by providing written notice to MadKudu. MadKudu will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.

3.4 Liability. MadKudu shall be liable for the acts and omissions of its Sub-processors to the same extent MadKudu would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

4. SECURITY

4.1 Controls for the Protection of Personal Data. MadKudu shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by the Processing. MadKudu’s measures will include those set forth in the Security Documentation. MadKudu regularly monitors compliance with these measures. MadKudu will not materially decrease the overall security of the Services during a subscription term.

5. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION

5.1 MadKudu maintains security incident management policies and procedures specified in the Security Documentation and shall notify Customer without undue delay, and in any event, within 48 hours, after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by MadKudu or its Sub-processors (a “Customer Data Incident”). Such notice shall summarize in reasonable detail the timing and nature of the Customer Data Incident, the impact on Customer, and/or the Data Subjects affected by such Customer Data Incident and the corrective action taken or proposed to be taken by MadKudu. MadKudu shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps as MadKudu deems necessary and reasonable to remediate the cause of such a Customer Data Incident to the extent the remediation is within MadKudu’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users. The notification of or response to a Customer Data Incident under this Section 5 will not be construed as an acknowledgement by MadKudu of any fault or liability with respect to the Customer Data Incident.

6. RETURN AND DELETION OF CUSTOMER DATA

6.1 MadKudu shall return Customer Data to Customer or, to the extent allowed by Data Protection Laws and Regulations, delete Customer Data in accordance with the procedures and timeframes specified in the Security Documentation, or as requested by Customer.

7. DATA PROTECTION IMPACT ASSESSMENTS AND AUDIT RIGHTS

7.1 Assistance with Data Protection Impact Assessments and Prior Consultations.  MadKudu shall provide Customer with relevant information and documentation, such as, if available, an audit report (upon a written request and subject to obligations of confidentiality), with regard to any data protection impact assessments, and prior consultations with supervisory authorities when the Customer reasonably considers that such data protection impact assessments or prior consultations are required pursuant to the Data Protection Laws and Regulations but in each such case solely with regard to Processing of Personal Data by, and taking into account the nature of the Processing and information available to MadKudu.

7.2 Demonstrating Compliance with this DPA. Where Customer is entitled to and desires to review MadKudu’s compliance with this DPA, Customer may request, and MadKudu will provide (subject to obligations of confidentiality) relevant documentation, or any relevant audit report MadKudu might have been issued. If Customer, after having reviewed such audit report(s), still reasonably deems that it requires additional information, MadKudu shall further reasonably assist and make available to Customer, upon a written request and subject to obligations of confidentiality, all other information (excluding legal advice) and/or documentation necessary to demonstrate its compliance with this DPA, and the obligations pursuant to Articles 32 to 36 of the GDPR and UK GDPR in particular, and shall allow for and contribute to audits, including remote inspections of the Services, by Customer or an auditor mandated by Customer with regard to the Processing of the Personal Data by MadKudu. MadKudu shall provide the assistance described in this sub-section 7.2 insofar as in MadKudu’s reasonable opinion such audits, and the specific requests of Customer, do not interfere with MadKudu’s business operations or cause MadKudu to breach any legal or contractual obligation to which it is subject.

8. TRANSFERS OF PERSONAL DATA FROM CUSTOMER TO MADKUDU

8.1 EUROPEAN ECONOMIC AREA.

        (a) With regard to any Restricted International Transfer subject to EEA Data Protection Laws from Customer to MadKudu, one of the following transfer mechanisms shall apply, in the following order of precedence:

                     (i) A valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR

                     (ii) The appropriate Standard Contractual Clauses adopted by the European Commission from time to time.

                      (iii) Any other lawful data transfer mechanism, as laid down in EEA Data Protection Laws, as the case may be.

          (b) This DPA hereby incorporates the EU 2021 Standard Contractual Clauses for any transfers of Personal Data under this DPA governed by the GDPR from Customer in any member state of the European Economic Area to MadKudu in countries which do not ensure an adequate level of data protection within the meaning of the data protection laws and regulations of the European Economic Area, to the extent such transfers are subject to such data protection laws and regulations. Customer (which will take on the obligations of “data exporter” for the purposes of the EU 2021 Standard Contractual Clauses) and MadKudu (which will take on the obligations of “data importer” for the purposes of the EU 2021 Standard Contractual Clauses) hereby enter into, as of the Effective Date, the EU 2021 Standard Contractual Clauses. The EU 2021 Standard Contractual Clauses are applicable provided that the content of its appendices is set forth in the DPA and the Schedules to Processor Terms. The Parties are deemed to have signed, accepted, and executed the EU 2021 Standard Contractual Clauses in their entirety, including its two annexes. The terms included in Schedule C to Processor Terms serve to supplement the EU 2021 Standard Contractual Clauses. For the purpose of the EU 2021 Standard Contractual Clauses:

                     (i) The Parties agree to apply Module two of the EU 2021 Standard Contractual Clauses in accordance with the controllership roles set out in Section 1.1 of this Processor Terms.

                     (ii) The Parties elect not to include Clause 7 of the EU 2021 Standard Contractual Clauses.

                     (iii) With respect to Clause 9 of the EU 2021 Standard Contractual Clauses, the Parties select the “Option 2 General Written Authorisation” and the time period set forth in Section 3.3 of this Processor Terms.

                     (iv) With respect to Clause 11 of the EU 2021 Standard Contractual Clauses, the Parties agree not to provide the right to lodge a complaint with a dispute resolution body.

                     (v) With respect to Clause 17 of the EU 2021 Standard Contractual Clauses, the Parties select the law of the Republic of Ireland.

                     (vi) With respect to Clause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.

                     (vii) With respect to Annex I.C and Clause 13 of the EU 2021 Standard Contractual Clauses, the Parties select the Data Protection Commission (Ireland) as the competent supervisory authority for situations where Customer is not established within a country of the European Economic Area and has not appointed a data protection representative in the European Economic Area.

8.2 UNITED KINGDOM.

        (a) With regard to any Restricted International Transfer subject to UK Protection Laws from Customer to MadKudu, one of the following transfer mechanisms shall apply, in the following order of precedence:

                     (i) A valid adequacy decision adopted by the European Commission on the basis of Article 45 of the UK GDPR.

                     (ii) The appropriate Standard Contractual Clauses and the UK Transfer Addendum.

                     (iii) Any other lawful data transfer mechanism, as laid down in UK Data Protection Laws, as the case may be.

        (b) The UK Transfer Addendum applies to any transfers of Personal Data under this DPA from Customer in the United Kingdom to MadKudu’s facilities in countries which do not ensure an adequate level of data protection within the meaning of the laws and regulations governing and applicable to the Processing of Personal Data in the United Kingdom, to the extent such transfers are subject to such data protection laws and regulations. This DPA hereby incorporates by reference any additional modifications and amendments required by the UK Transfer Addendum for use by the relevant authorities within the United Kingdom to make the EU 2021 Standard Contractual Clauses applicable to transfers of Personal Data subject to the Data Protection Laws and Regulations in the United Kingdom. The Parties are deemed to have signed, accepted, and executed the EU 2021 Standard Contractual Clauses in their entirety, including its two annexes. The content of tables 1 and 3 to the UK Transfer Addendum is set out in Schedules A and B to this DPA. For the purposes of Table 4, the Importer may end the UK Transfer Addendum. The Parties incorporate and adopt the EU 2021 Standard Contractual Clauses for transfers of Personal Data from the UK in the same manner set forth in Section 8.1 of this Processor Terms (including, for the avoidance of doubt, the applicability of Schedule C) with the following distinctions:

                     (i) With respect to Clause 13 and Annex I.C, the competent authority shall be the UK Information Commissioner’s Office. 

                     (ii) With respect to Clause 17, the EU 2021 Standard Contractual Clauses, including the incorporated UK Transfer Addendum, shall be governed by the laws of England and Wales.

                     (iii) With respect to Clause 18, any dispute arising from the EU 2021 Standard Contractual Clauses or the UK Transfer Addendum shall be resolved by the courts of England and Wales. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts for the purposes of the EU 2021 Standard Contractual Clauses.

8.3 SWITZERLAND.
      (a) With regard to any Restricted International Transfer subject to Swiss Data Protection Laws from Customer to MadKudu within the scope of this DPA, one of the following transfer mechanisms shall apply, in the following order of precedence:                 
                     (i) The inclusion of the Third Country, a territory, or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred in the list published by the Swiss Federal Data Protection and Information Commissioner of states that provide an adequate level of protection for Personal Data within the meaning of the FADP.                    
                     (ii) The Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Swiss Data Protection Laws).
                     (iii) Any other lawful transfer mechanism, as laid down in Swiss Data Protection Laws.

      (b) This DPA hereby incorporates the EU 2021 Standard Contractual Clauses for any transfers of Personal Data under this DPA from Customer in Switzerland to MadKudu’s facilities in countries which do not ensure an adequate level of data protection within the meaning of Swiss data protection laws and regulations, to the extent such transfers are subject to such data protection laws and regulations. The Parties are deemed to have signed, accepted, and executed the EU 2021 Standard Contractual Clauses in their entirety, including its two annexes. The Parties incorporate and adopt the EU 2021 Standard Contractual Clauses for transfers of Personal Data from Switzerland in the same manner set forth in Section 8.1 of this Processor Terms (including, for the avoidance of doubt, the applicability of Schedule C to Processor Terms) with the following distinctions:

                     (i) With respect to Clause 13 (Annex I.C), the competent authority shall be the Swiss Federal Data Protection and Information Commissioner. Nothing about the Parties’ designation of the competent Supervisory Authority shall be interpreted to preclude Data Subjects in Switzerland from applying to the FDPIC for relief. 

                     (ii) Clause 17: The clauses shall be governed by the laws of the Republic of Ireland.

                     (iii) Clause 18: The Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland. The Parties’ selection of forum may not be construed as forbidding Data Subjects habitually resident in Switzerland from suing for their rights in Switzerland.

                     (iv) The EU 2021 Standard Contractual Clauses references to "Regulation (EU) 2016/679" and specific articles therein shall be replaced with references to the FADP and the equivalent articles or sections therein for transfers from Switzerland.

                     (v) The EU 2021 Standard Contractual Clauses also protect the data of legal entities until the entry into force of the revised Federal Act on Data Protection of 19 June 1992.

9. INTERPRETATION OF THE EU 2021 STANDARD CONTRACTUAL CLAUSES AND THE UK TRANSFER ADDENDUM.

9.1 Instructions. For the purposes of Section 1 of the DPA and Clause 8(1) of the EU 2021 Standard Contractual Clauses, the following acts are deemed an instruction by the Customer to Process Personal Data: (a) Customer’s entering into the Agreement and applicable Order Form(s) are deemed instructions to Process Personal Data as is necessary to perform the Services; (b) Users’ actions that initiate Processing while using the Services; and (c) Customer’s other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

9.2 Audits and Certifications. The Parties agree that the audits described in Clause 8(9) of the EU 2021 Standard Contractual Clauses shall be carried out in accordance with the following specifications. Customer can request an on-site audit of the procedures relevant to the protection of Personal Data, and Customer and MadKudu shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. Customer shall promptly notify MadKudu with information regarding any non-compliance discovered during the course of an audit. Customer agrees to pay MadKudu, upon receipt of invoice, a reasonable fee based on the time spent, as well as to account for the materials expended in the audit.

9.3 Conflict. In the event of any conflict or inconsistency between the terms of the DPA and the EU 2021 Standard Contractual Clauses (as applicable), the terms of the EU 2021 Standard Contractual Clauses (as applicable) shall prevail over the terms of the DPA. In the event of any conflict or inconsistency between the terms of the EU 2021 Standard Contractual Clauses (as applicable) and the terms of the UK Transfer Addendum (as applicable), the terms of the UK Transfer Addendum shall prevail over the terms of the EU 2021 Standard Contractual Clauses. In the event of any conflict or inconsistency between the terms of the UK Transfer Addendum (as applicable) and the terms of the DPA, the terms of the UK Transfer Addendum shall prevail over the terms of the DPA.

10. DESCRIPTION OF AND UPDATES TO THIS DPA AND ITS SCHEDULES.

10.1 List of Schedules. The DPA includes the following Schedules:

        (a) Schedule A to Processor Terms (Details of Processing of Personal Data);

        (b) Schedule B to Processor Terms (List of Sub-processors); and

        (c) Schedule C to Processor Terms (Supplementary Measures to the EU 2021 Standard Contractual Clauses).

10.2 Updates to the Schedules to Processor Terms and the DPA. MadKudu reserves the right to update the Schedules mentioned in Section 10.1 and the DPA from time to time. In particular, MadKudu may unilaterally update:

        (a) Schedule A to Processor Terms to reflect changes to the details of Processing of Personal Data, changes in the technical and organizational measures implemented by MadKudu or to conclude the Standard Contractual Clauses.

        (b) Schedule B to Processor Terms to reflect changes to the List of Sub-processors.

        (c) Schedule C to Processor Terms to supplement the Standard Contractual Clauses.

        (d) The DPA to amend typos, clarify the wording, comply with the requirements of Data Protection Laws and Regulations, including requirements for the transfer of Personal Data, and to extend the scope of applicable Data Protection Laws and Regulations.

11. DATA PROTECTION OFFICER AND DATA PROTECTION REPRESENTATIVE.

11.1 Data Protection Officer. 

        (a) MadKudu has appointed a data protection officer. The appointed person may be reached at privacy@madkudu.com.

11.2 MadKudu’s Data Protection Representatives.

        (a) MadKudu has designated data protection representatives in the EU:

              Czech Republic:

                     VeraSafe Czech Republic s.r.o.

                     Klimentská 46, Prague 1, 11002

                     Czech Republic

              Ireland:

                     VeraSafe Ireland Ltd

                     Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23AT2P

                     Ireland

              Phone: +1-617-398-7067

              Contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative

        (b) MadKudu has designated a data protection representative in the UK:

              VeraSafe United Kingdom Ltd. 

              37 Albert Embankment London 

              SE1 7TL 

              United Kingdom

              Phone: +1-617-398-7067

              Contact form: https://verasafe.com/public-resources/contact-data-protection-representative


SCHEDULE A TO PROCESSOR TERMS: Details of Processing of Personal Data

The following details of Processing apply to circumstances in which MadKudu Processes Personal Data as a Data Processor. Where the EU 2021 Standard Contractual Clauses apply, these details are also deemed to constitute Appendix 1 thereto:

Data exporter
Name: the name provided by Customer (as defined in the DPA) in the Order Form.
Address: Customer’s address indicated in the Order Form 
Contact person’s name, position, and contact details: the Customer’s contact persons indicated in the Order Form
Role (controller/processor): controller
Data Protection Officer: The identity and contact details of Customer’s Data Protection Officer provided by Customer in Exhibit B to the Agreement, if any.
Data Protection Representative in the EU: The identity and contact details of Customer Data Protection Representative in the EU provided by Customer in Exhibit B to the Agreement, if any.

Data importer
Name: MadKudu Inc., which offers a marketing operations platform and Processes Personal Data in accordance with the terms of the Agreement.
Address: 333 W Maude Ave, Sunnyvale, CA 94085, United States of America
Contact person’s name, position, and contact details: privacy@madkudu.com

Purpose of Processing
The general purpose of the Processing of Personal Data is to provide the Services detailed in the Agreement. The specific purposes are:

       (a) To comply with the Agreement and applicable Order Form(s);

       (b) To comply with applicable Data Protection Laws and Regulations;

       (c) To process requests initiated by Users in their use of the Services; and 

       (d) To comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

Data Subjects
The categories of Data Subjects to whom the Personal Data relates are: Users of the Services, employees or contact persons of Customer’s prospects, customers, business partners and vendors.

Categories of Personal Data
The Personal Data transferred concern the following categories of data (please specify):

      Contact information

           (a) name;

           (b) email address;

           (c) work phone number.

      Professional records

           (a) job title;

           (b) job location (work address);

           (c) company.

      Identifiers

           (a) IP address

      Other:

           (a) information relevant to sales, such as details about past or scheduled meetings;

           (b) behavior on the Customer’s website;

           (c) lead score; and

           (d) web application usage data.

Special categories of data (if appropriate)
The Personal Data transferred concern the following special categories of data (please specify): None

Nature of the Processing
The basic Processing operations to which the Personal Data will be subject include but are not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment, or combination, blocking, erasure, and destruction. The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.

Frequency of Processing/the transfer
The frequency of the transfer of Personal Data is determined by Customer. Personal Data is transferred each time that Customer instructs MadKudu to Process Personal Data.

Duration of Processing
The duration of Processing of Personal Data is generally determined by Customer and is subject to the term of this DPA and the Agreement, respectively, in the context of the contractual relationship between Customer and MadKudu.

Maximum data retention periods, if applicable
The retention period of Personal Data is generally determined by Customer and is subject to the term of this DPA and the Agreement, respectively, in the context of the contractual relationship between Customer and MadKudu.

Description of the technical and organizational security measures implemented by MadKudu
MadKudu will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Security Documentation made reasonably available by data importer, including but not limited to the information available at https://www.madkudu.com/security. MadKudu will not materially decrease the overall security of the Services during a subscription term.



SCHEDULE B TO PROCESSOR TERMS: List of Sub-Processors

Last updated: July 18, 2023

Description of July 18, 2023 updates: 

  • Updating sub-processor name of “Clearbit” from Clearbit to APIHUB, Inc.
  • Updating sub-processor name of “Amazon Web Services” from “Amazon Web Services” to “Amazon Web Services, Inc.”
  • Adding contact and address information for each sub-processor.


SCHEDULE C TO PROCESSOR TERMS
Supplementary Measures to the Standard Contractual Clauses 

By this Schedule B to Controller Terms and Schedule C to Processor Terms, as relevant (this “Schedule”), the Parties provide additional safeguards and additional redress to the Data Subjects to whom Personal Data relates. This Schedule supplements and is made part of, but is not in variation or modification of, the EU 2021 Standard Contractual Clauses that may be applicable to a transfer of Personal Data.

1. APPLICABILITY OF THIS SCHEDULE.

1.1 This Schedule only applies to transfers of Personal Data governed by the EU 2021 Standard Contractual Clauses in accordance with Section 8 of the Processor Terms and Section 6 of the Controller Terms.

2. DEFINITIONS

2.1 For the purpose of interpreting this Section, the following terms shall have the meanings set out below:

        (a) “Data Importer” and “Data Exporter” shall have the same meaning assigned to them in the Schedule A.

        (b) “FISA” means the U.S. Foreign Intelligence Surveillance Act.

        (c) “Schrems II Judgment” means the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems.

3. APPLICABILITY OF SURVEILLANCE LAWS TO THE DATA IMPORTER.

3.1 U.S. Surveillance Laws

        (a) The Data Importer represents and warrants that, as of the date of the DPA, it has not received any national security orders of the type described in paragraphs 150-202 of the Schrems II Judgment.

        (b) The Data Importer represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:

        (c) The Data Importer does not believe that it qualifies as an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) and is therefore ineligible to receive any process issued under FISA Section 702 for the Services it provides to its Customers;

        (d) No court has found the Data Importer to be an entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.

        (e) If the Data Importer were to be found eligible for FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II judgment.

        (f) Executive Order 12333 does not provide the U.S. government the ability to order or demand Data Importer to provide assistance for the bulk collection of information and Data Importer shall take no action pursuant to it.

4. GENERAL PROVISIONS ABOUT SURVEILLANCE LAWS APPLICABLE TO DATA IMPORTER.

4.1 Customer warrants that it has no reason to believe that the laws and practices in the third country of destination of Personal Data applicable to the Processing of Personal Data by MadKudu, including any requirements to disclose Personal Data or measures authorizing access by public authorities, prevent MadKudu from fulfilling its obligations under the EU 2021 Standard Contractual Clauses (where applicable).

4.2 Data Importer commits to provide upon request information about the laws and regulations in the destination countries of the transferred data applicable to Data Importer that would permit access by public authorities to the transferred Customer Personal Data, in particular in the areas of intelligence, law enforcement, administrative and regulatory supervision applicable to the transferred data. In the absence of laws governing the public authorities’ access to data, Data Importer shall provide Data Exporter with information and statistics based on the experience of the Data Importer or reports from various sources (such as partners, open sources, national case law and decisions from oversight bodies) on access by public authorities to Personal Data in situations of the kind of the data transfer at hand. The Data Importer providing the information referred to in this sub-section may choose the means to provide the information.

4.3 Data Importer shall monitor any legal or policy developments that might lead to its inability to comply with its obligations under the EU 2021 Standard Contractual Clauses and this Schedule, and promptly inform the Data Exporter of any such changes and developments. When possible, the Data Importer shall inform the Data Exporter of any such changes and developments ahead of their implementation.

5. BACKDOORS

5.1 The Data Importer certifies that:

        (a) it has not purposefully created back doors or similar programming that could be used to access the Data Importer’s systems and/or Personal Data;

        (b) it has not purposefully created or changed its business processes in a manner that facilitates governmental access to Personal Data or systems; and

        (c) national law or government policy does not require Data Importer to create or maintain back doors or to facilitate access to Personal Data or systems or for Data Importer to be in possession or to hand over the encryption key.

5.2 The Data Exporter will be entitled to terminate the contract on short notice in those cases in which the Data Importer does not reveal the existence of a back door or similar programming or manipulated business processes or any requirement to implement any of these or fails to promptly inform the other Party once their existence comes to its knowledge.

6. INFORMATION ABOUT LEGAL PROHIBITIONS. 

6.1 Where allowed by law, the Data Importer will provide the Data Exporter information about the legal prohibitions on the Data Importer to provide information under this Schedule. Data Importer may choose the means to provide this information.

7. OTHER MEASURES TO PREVENT AUTHORITIES FROM ACCESSING PERSONAL DATA. 

7.1 Notwithstanding the application of the security measures set forth in Schedule A to the DPA, the Data Importer will implement internal policies establishing that:

        (a) where the Data Importer is prohibited by law from notifying the Data Exporter of an order from a public authority for Personal Data, the Data Importer shall take into account the laws of other jurisdictions and use best efforts to request that any confidentiality requirements be waived to enable it to notify the competent supervisory authorities;

        (b) the Data Importer shall require an official, signed document issued pursuant to the applicable laws of the requesting third party before it will consider a request for access to Personal Data;

        (c) the Data Importer shall scrutinize every request for legal validity and, as part of that procedure, will reject any request it considers to be invalid; and

        (d) if the Data Importer is legally required to comply with an order, it will respond as narrowly as possible to the specific request.

8. TERMINATION

8.1 This Schedule shall automatically terminate if the Parties implement a valid transfer under the Data Protection Laws and Regulations that would be applicable to the data transfers covered by the EU 2021 Standard Contractual Clauses (and if such mechanism applies only to some of the data transfers, this Schedule will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Schedule.

Controller Terms

1. PROCESSING OF CONTROLLER DATA

1.1 Roles. Customer is a Controller and MadKudu is an independent Controller with regard to their Processing of Controller Personal Data and Enriched Data under the Agreement. While providing and receiving the Services pursuant to the Agreement, the Parties may Process Controller Personal Data and Enriched Data as per the terms of this DPA and agree to comply with the following terms.

          (a) Customer agrees to provide the relevant disclosures applicable to Customer’s use of MadKudu’s Services under the Agreement, including providing a conspicuous link to MadKudu’s Controller Privacy Notice and description of how to access a choice mechanism to opt-out of the MadKudu cookie, as well as any other information required to comply with the transparency requirements of Data Protection Laws and Regulations.

           (b) Where Customer is required to obtain consent on behalf of MadKudu to the collection and Processing of Personal Data and/or the use of the MadKudu cookie, Customer represents and warrants that it shall at all times maintain and make operational a mechanism for obtaining and recording such consent and to enable such consent to be withdrawn, in accordance with Data Protection Laws and Regulations. Customer agrees to provide such consent records to MadKudu promptly upon request.

1.2 MadKudu's Processing of Controller Data and Enriched Data

        (a) MadKudu shall Process Personal Data in accordance with the requirements directly applicable to MadKudu’s provision of its Services under the Data Protection Laws and Regulations. Personal Data shall be considered Customer’s Confidential Information under the Agreement.

        (b) Customer provides Controller Data to MadKudu, and allows MadKudu to collect Controller Data, only for the specified purposes described in Schedule A to the Controller Terms. When Customer provides Controller Data for MadKudu ABM, but later decides to withdraw from participation in MadKudu ABM, that withdrawal will apply on a go-forward basis and Personal Data that has already become Controller Data will remain Controller Data.

        (c) MadKudu shall immediately inform Customer if it makes the determination that it can no longer meet its obligations under Data Protection Laws and Regulations.

        (d) The details of Processing of Controller Data and Enriched Data are described in Schedule A to the Controller Terms.

        (e) Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate MadKudu’s unauthorized use of Controller Data and Enriched Data, such as requiring MadKudu to provide documentation that verifies that MadKudu no longer Processes Controller Data and Enriched Data of Data Subjects that have made a valid request to opt out of the Sale or Sharing of their Controller Data and Enriched Data.

1.3 Customer’s Processing of Enriched Data.

        (a) Customer shall Process Enriched Data in accordance with the requirements under Data Protection Laws and Regulations and provide the level of protection to Enriched Data required under Data Protection Laws and Regulations. 

        (b) MadKudu provides Enriched Data to Customer, and allows Customer to collect Enriched Data, only for the specified purposes described in Schedule A to the Controller Terms. Customer will not sell, disclose, or share Enriched Data (or any part or derivative thereof) with any third party (except for any third parties, including service providers or processors, required to provide the services to Customer). 

        (c) Customer shall immediately inform MadKudu if it makes the determination that it can no longer meet its obligations under Data Protection Laws and Regulations.

        (d) The details of Processing of Enriched Data are described in Schedule A to the Controller Terms. 

        (e) MadKudu has the right, upon notice, to take reasonable and appropriate steps to stop and remediate Customer’s unauthorized use of Enriched Data, such as requiring Customer to provide documentation that verifies that Customer no longer Processes Enriched Data of Data Subjects that have made a valid request to opt out of the Sale or Sharing of their Enriched Data.  

2. RIGHTS OF DATA SUBJECTS

2.1 Mechanism. Each Party shall, to the extent legally required, implement mechanisms to receive and process requests from a Data Subject to exercise a Data Subject’s right under the Data Protection Laws and Regulations, and process such requests in accordance with Data Protection Laws and Regulations.

3. SECURITY

3.1 Controls for the Protection of Controller Data and Enriched Data. Each Party shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by the Processing. The Parties shall regularly monitor compliance with these measures. The Parties shall not materially decrease the overall security of the Services during a subscription term. MadKudu’s security measures will include those set forth in the Security Documentation.

4. AUDIT RIGHTS

4.1 Demonstrating Compliance with this DPA and Data Protection Laws and Regulations. Where either Party is entitled to and desires to review the other Party’s compliance with obligations directly applicable to such Party under Data Protection Laws and Regulations for the Processing of Controller Data and Enriched Data, either Party may request, and the other Party will provide (subject to obligations of confidentiality) relevant documentation, or any relevant audit report such Party might have been issued. The demonstrating Party will make reasonable efforts to provide the requested documentation to the requesting Party in a timely manner, allowing for a reasonable time frame for gathering and preparing the necessary information.

5. TRANSFERS OF CONTROLLER DATA AND ENRICHED DATA BETWEEN CUSTOMER AND MADKUDU

5.1 EUROPEAN ECONOMIC AREA.

        (a) With regard to any Restricted International Transfer subject to EEA Data Protection Laws from Customer to MadKudu, one of the following transfer mechanisms shall apply, in the following order of precedence:

                     (i) A valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR.

                     (ii) The appropriate Standard Contractual Clauses adopted by the European Commission from time to time.

                      (iii) Any other lawful data transfer mechanism, as laid down in EEA Data Protection Laws, as the case may be.

          (b) This DPA hereby incorporates the EU 2021 Standard Contractual Clauses for any transfers of Personal Data under this DPA governed by the GDPR from Customer to MadKudu’s facilities in countries which do not ensure an adequate level of data protection within the meaning of the data protection laws and regulations of the European Economic Area, as well as transfers of Enriched Data under this DPA governed by the GDPR from MadKudu to Customer’s facilities in countries which do not ensure an adequate level of data protection within the meaning of the data protection laws and regulations of the European Economic Area, to the extent such transfers are subject to such data protection laws and regulations. Customer (which will take on the obligations of “data exporter” for the purposes of the EU 2021 Standard Contractual Clauses upon a transfer of Personal Data, and “data importer” upon a transfer of Enriched Data) and MadKudu (which will take on the obligations of “data importer” for the purposes of the EU 2021 Standard Contractual Clauses upon a transfer of Personal Data, and “data exporter” upon a transfer of Enriched Data) hereby enter into, as of the Effective Date. The EU 2021 Standard Contractual Clauses are applicable provided that the content of its appendices is set forth in the DPA and the Schedules to the DPA. The Parties are deemed to have signed, accepted, and executed the EU 2021 Standard Contractual Clauses in their entirety, including its two annexes. The terms included in Schedule B to Controller Terms serve to supplement the EU 2021 Standard Contractual Clauses.  For the purpose of the EU 2021 Standard Contractual Clauses:

                     (i) The Parties agree to apply Module One of the EU 2021 Standard Contractual Clauses in accordance with the controllership roles set out in Section 1.1 of this Processor Terms.

                     (ii) The Parties elect not to include Clause 7 of the EU 2021 Standard Contractual Clauses.

                     (iii) With respect to Clause 11 of the EU 2021 Standard Contractual Clauses, the Parties agree not to provide the right to lodge a complaint with a dispute resolution body.

                     (iv) With respect to Clause 17 of the EU 2021 Standard Contractual Clauses, the Parties select the law of the Republic of Ireland.

                     (v) With respect to Clause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.

                     (vi) With respect to Annex I.C and Clause 13 of the EU 2021 Standard Contractual Clauses, the Parties select the Data Protection Commission (Ireland) as the competent supervisory authority for situations where Customer is not established within a country of the European Economic Area and has not appointed a data protection representative in the European Economic Area.

5.2 UNITED KINGDOM.

        (a) With regard to any Restricted International Transfer subject to UK Protection Laws from Customer to MadKudu, one of the following transfer mechanisms shall apply, in the following order of precedence:

                     (i) A valid adequacy decision adopted by the European Commission on the basis of Article 45 of the UK GDPR.

                     (ii) The appropriate Standard Contractual Clauses and the UK Transfer Addendum.

                     (iii) Any other lawful data transfer mechanism, as laid down in UK Data Protection Laws, as the case may be.

        (b) The UK Transfer Addendum applies to any transfers of Personal Data under this DPA from Customer in the United Kingdom to MadKudu’s facilities in countries which do not ensure an adequate level of data protection within the meaning of the laws and regulations governing and applicable to the Processing of Personal Data in the United Kingdom, as well as transfers of Enriched Data under this DPA from MadKudu in the United Kingdom to Customer’s facilities in countries which do not ensure an adequate level of data protection within the meaning of the laws and regulations governing and applicable to the Processing of Enriched Data in the United Kingdom, to the extent such transfers are subject to such data protection laws and regulations. This DPA hereby incorporates by reference any additional modifications and amendments required by the UK Transfer Addendum for use by the relevant authorities within the United Kingdom to make the EU 2021 Standard Contractual Clauses applicable to transfers of Personal Data and Enriched Data subject to the Data Protection Laws and Regulations in the United Kingdom. The Parties are deemed to have signed, accepted, and executed the EU 2021 Standard Contractual Clauses in their entirety, including its two annexes. The content of tables 1 and 3 to the UK Transfer Addendum is set out in Schedule A to this DPA. For the purposes of Table 4, the Importer may end the UK Transfer Addendum. The Parties incorporate and adopt the EU 2021 Standard Contractual Clauses for transfers of Personal Data and Enriched Data from the UK in the same manner set forth in Section 5.1 of the DPA (including, for the avoidance of doubt, the applicability of Schedule B) with the following distinctions:

                     (i) With respect to Clause 13 and Annex I.C, the competent authority shall be the UK Information Commissioner’s Office. 

                     (ii) With respect to Clause 17, the EU 2021 Standard Contractual Clauses, including the incorporated UK Transfer Addendum, shall be governed by the laws of England and Wales.

                     (iii) With respect to Clause 18, any dispute arising from the EU 2021 Standard Contractual Clauses or the UK Transfer Addendum shall be resolved by the courts of England and Wales. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts for the purposes of the EU 2021 Standard Contractual Clauses.

5.3 SWITZERLAND.
      (a) With regard to any Restricted International Transfer subject to Swiss Data Protection Laws from Customer to MadKudu within the scope of this DPA, one of the following transfer mechanisms shall apply, in the following order of precedence:                 
                     (i) The inclusion of the Third Country, a territory, or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred in the list published by the Swiss Federal Data Protection and Information Commissioner of states that provide an adequate level of protection for Personal Data within the meaning of the FADP.                    
                     (ii) The Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Swiss Data Protection Laws).
                     (iii) Any other lawful transfer mechanism, as laid down in Swiss Data Protection Laws.

      (b) This DPA hereby incorporates the EU 2021 Standard Contractual Clauses for any transfers of Personal Data under this DPA from Customer in Switzerland to MadKudu’s facilities in countries which do not ensure an adequate level of data protection within the meaning of Swiss data protection laws and regulations, to the extent such transfers are subject to such data protection laws and regulations. The Parties are deemed to have signed, accepted, and executed the EU 2021 Standard Contractual Clauses in their entirety, including its two annexes. The Parties incorporate and adopt the EU 2021 Standard Contractual Clauses for transfers of Personal Data from Switzerland in the same manner set forth in Section 8.1 of this Processor Terms (including, for the avoidance of doubt, the applicability of Schedule C to Processor Terms) with the following distinctions:

                     (i) With respect to Clause 13 (Annex I.C), the competent authority shall be the Swiss Federal Data Protection and Information Commissioner. Nothing about the Parties’ designation of the competent Supervisory Authority shall be interpreted to preclude Data Subjects in Switzerland from applying to the FDPIC for relief. 

                     (ii) Clause 17: The clauses shall be governed by the laws of the Republic of Ireland.

                     (iii) Clause 18: The Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland. The Parties’ selection of forum may not be construed as forbidding Data Subjects habitually resident in Switzerland from suing for their rights in Switzerland.

                     (iv) The EU 2021 Standard Contractual Clauses references to "Regulation (EU) 2016/679" and specific articles therein shall be replaced with references to the FADP and the equivalent articles or sections therein for transfers from Switzerland.

                     (v) The EU 2021 Standard Contractual Clauses also protect the data of legal entities until the entry into force of the revised Federal Act on Data Protection of 19 June 1992.

6. INTERPRETATION OF THE EU 2021 STANDARD CONTRACTUAL CLAUSES AND THE UK TRANSFER ADDENDUM.

10.3 Conflict. In the event of any conflict or inconsistency between the terms of the DPA and the EU 2021 Standard Contractual Clauses (as applicable), the terms of the EU 2021 Standard Contractual Clauses (as applicable) shall prevail over the terms of the DPA. In the event of any conflict or inconsistency between the terms of the EU 2021 Standard Contractual Clauses (as applicable) and the terms of the UK Transfer Addendum (as applicable), the terms of the UK Transfer Addendum shall prevail over the terms of the EU 2021 Standard Contractual Clauses. In the event of any conflict or inconsistency between the terms of the UK Transfer Addendum (as applicable) and the terms of the DPA, the terms of the UK Transfer Addendum shall prevail over the terms of the DPA.

7. DESCRIPTION OF AND UPDATES TO THIS DPA AND ITS SCHEDULES.

7.1 List of Schedules. The DPA includes the following Schedules:

        (a) Schedule A to Controller Terms (Details of Processing of Controller Data and Enriched Data).

        (b) Schedule B to Controller Terms (Supplementary Measures to the EU 2021 Standard Contractual Clauses).

8.2 Updates to the Schedules to Processor Terms and the DPA. MadKudu reserves the right to update the Schedules mentioned in Section 7.1 and the DPA from time to time. In particular, MadKudu may unilaterally update:

        (a) Schedule A to Controller Terms to reflect changes to the details of Processing of Controller Personal Data and Enriched Data, changes in the technical and organizational measures implemented by MadKudu or to conclude the Standard Contractual Clauses.

        (b) Schedule B to Controller Terms to supplement the Standard Contractual Clauses.

        (d) The DPA to amend typos, clarify the wording, comply with the requirements of Data Protection Laws and Regulations, including requirements for the transfer of Personal Data, and to extend the scope of applicable Data Protection Laws and Regulations.


SCHEDULE A TO CONTROLLER TERMS: Details of Processing of Controller and Enriched Data

The following details of Processing apply to circumstances in which the Parties Process Controller Personal Data and Enriched Data as independent Controllers. Where the EU 2021 Standard Contractual Clauses apply, these details are also deemed to constitute Appendix 1 thereto:

Data exporter
Name:
      With respect to Controller Data: the name provided by Customer (as defined in the DPA) in the Order Form;
      With respect to Enriched Data: MadKudu, Inc.
Address:
      Customer: Customer’s address indicated in the Order Form;
      MadKudu: 333 W Maude Ave, Sunnyvale, CA 94085, United States of America
Contact person’s name, position, and contact details:
      Customer: the Customer’s contact person(s) indicated in the Order Form;
      MadKudu: privacy@madkudu.com
Role (controller/processor):
      Customer: Controller;
      MadKudu: Controller
Data Protection Officer:
      Customer: The identity and contact details of Customer’s Data Protection Officer provided by Customer in Exhibit B to the Agreement, if any;
      MadKudu: MadKudu’s Data Protection Officer information is reflected in Section 8 of the DPA

Data importer
Name:
      With respect to Controller Personal Data: MadKudu, Inc.
      With respect to Enriched Data: the name provided by Customer (as defined in the DPA) in the Order Form
Address:
      MadKudu: 796 Lakehaven Dr., Sunnyvale, CA 94089, United States of America;
      Customer: Customer’s address indicated in the Order Form
Contact person’s name, position, and contact details:
      MadKudu: privacy@madkudu.com;
      Customer: the Customer’s contact person(s) indicated in the Order Form
Role (controller/processor):
      MadKudu: Controller;
      Customer: Controller
Data Protection Officer:
      MadKudu: MadKudu’s Data Protection Officer information is reflected in Section 11 of the Processor Terms of this DPA;
      Customer: The identity and contact details of Customer’s Data Protection Officer provided by Customer in Exhibit B to the Agreement, if any
Data Protection Representative in the EU:
      MadKudu: MadKudu’s Data Protection Representative information is reflected in section 11 of the Processor Terms of this DPA;
      Customer: The identity and contact details of the Data Protection Representative in the EU of the Customer provided by Customer in Exhibit B to the Agreement, if any

Purpose of Processing
The purposes of the Processing of Controller Data:

       (a) To allow MadKudu to augment, create and validate Controller Data and derive data and business intelligence insights.

       (b) To enable MadKudu to process Controller Data and Enriched Data as a Controller for the purposes permitted by the Agreement.

       (c) To create and enrich the MadKudu ABM features that includes but is not limited to maintaining a database of IP addresses and domains.

The purposes of the Processing of Enriched Data: 

       (a) To enable MadKudu customers to improve their marketing and sales strategy and activities.

Data Subjects
The categories of Data Subjects to whom the Controller Data and Enriched Data relate are: Customer's website visitors and users.

Categories of Controller Data and Enriched Data
The Controller Data transferred concern the following categories of data (please specify):

      Professional records

           (c) company (via email domain).

      Identifiers

           (a) IP address

The Enriched Data transferred concern the following categories of data (please specify):

      Professional records

           (c) company (via email domain).

      Identifiers

           (a) IP address

      Others

           (a) Location data

Special categories of data (if appropriate)
The Controller Data and Enriched Data transferred concern the following special categories of data (please specify): None

Nature of the Processing
The basic Processing operations to which the Controller Data will be subject include but are not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, blocking, erasure, and destruction. The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.

Frequency of Processing/the transfer
Continuous basis.

Duration of Processing
MadKudu will Process Controller Data and Enriched Data for the duration necessary to fulfill the purposes of Processing outlined above, unless otherwise specified by applicable law.

Maximum data retention periods, if applicable
MadKudu will retain the Controller Data and Enriched Data until it has served its intended purpose or until a Data Subject exercises a data subject right that requires the deletion of their Controller Data and Enriched Data, whichever occurs earlier. In such cases, MadKudu will promptly and securely delete or anonymize the relevant Controller Data and Enriched Data in accordance with Data Protection Laws and Regulations.

Description of the technical and organizational security measures implemented by MadKudu
MadKudu will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Controller Data uploaded to the Services and Enriched Data in MadKudu’s possession, as described in the Security Documentation made reasonably available by data importer, including but not limited to the information available at https://www.madkudu.com/security. MadKudu will not materially decrease the overall security of the Services during a subscription term.