DATA PROCESSING ADDENDUM

Last updated and effective as of March 1, 2024 (the “DPA Effective Date”).

This Data Processing Addendum (“DPA”) forms part of the Software-as-a-Service Subscription Agreement or other agreement or terms of service (in each case, the “Agreement”) between ThoughtMetric, Inc. (“ThoughtMetric”) and the entity that has engaged ThoughtMetric to provide the Service (“Customer”). Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the Agreement. In the event of a conflict between this DPA and any other terms in the Agreement, the terms of this DPA will govern. Each of ThoughtMetric and Customer is referred to in this DPA individually as a “party”, collectively the “parties”. By entering into the Agreement, the parties are deemed to have signed all Exhibits, Attachments, Annexes, Schedules, and Appendices, including those incorporated by reference, to this DPA where applicable.

  1. Definitions.

  1. “CCPA” means (to the extent applicable) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, together with any regulations promulgated thereunder.

  1. “DPA Data” means any information Processed by ThoughtMetric solely on behalf of Customer, including without limitation any EU Personal Data, UK Personal Data, California Personal Data, and/or State Laws Data.

  1. “European Data Protection Laws” means, collectively, the GDPR and the UK Data Protection Laws, as applicable.

  1. “GDPR” means the General Data Protection Regulation (EU) 2016/679.

  1. “Personal Data” means any information relating to any identified or identifiable individual or household.

  1. “Processing” (including any grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means or manual means, including without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure (including by transmission), analysis, deletion, modification, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, including the actions of a person directing a third party to Process data on behalf of such person.

  1. “State Data Protection Laws” means (in each case to the extent effective and applicable): (i) the Colorado Privacy Act, together with any regulations promulgated thereunder; (ii) the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, together with any regulations promulgated thereunder; (iii) the Utah Consumer Privacy Act, together with any regulations promulgated thereunder; (iv) the Virginia Consumer Data Protection Act, together with any regulations promulgated thereunder; (v) the Delaware Personal Data Privacy Act, together with any regulations promulgated thereunder; (vi) the Indiana Consumer Data Protection Act, together with any regulations promulgated thereunder; (vii) the Iowa Consumer Data Protection Act, together with any regulations promulgated thereunder; (viii) the Montana Consumer Data Privacy Act, together with any regulations promulgated thereunder; (ix) the Oregon Consumer Privacy Act, together with any regulations promulgated thereunder; (x) the Tennessee Information Protection Act, together with any regulations promulgated thereunder; (xi) the Texas Data Privacy and Security Act, together with any regulations promulgated thereunder; (xii) New Jersey SB 332, together with any regulations promulgated thereunder; and/or (xiii) other U.S. state laws that are substantially similar to items (i) through (xii) that may become effective from time to time.

  1. “State Laws Data” means any Personal Data contained within DPA Data and that is regulated by any State Data Protection Laws.

  1. “UK” means the United Kingdom.

  1. “UK Data Protection Laws” means UK GDPR and the UK’s Data Protection Act 2018 (“UK DPA 2018”).

  1. “UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10) (and as supplemented by section 205(4)) of the UK DPA 2018.

  2. To the extent ThoughtMetric Processes Personal Data regulated by the GDPR solely on behalf of Customer (“EU Personal Data”), and to the extent Customer is a controller (as defined in the GDPR) and ThoughtMetric is a processor (as defined in the GDPR) on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, Module 2 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Controller to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to ThoughtMetric and to ThoughtMetric’s Processing of such EU Personal Data and the parties hereby agree to comply with such Controller to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, as set forth in Exhibit A. In the event of a conflict between the Agreement and the Controller to Processor Standard Contractual Clauses, the Controller to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.

  3. To the extent ThoughtMetric Processes EU Personal Data, and to the extent Customer is a processor (as defined in the GDPR) on behalf of a third party with respect to EU Personal Data and ThoughtMetric is a processor on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, Module 3 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Processor to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to ThoughtMetric and to ThoughtMetric’s Processing of such EU Personal Data and the parties hereby agree to comply with such Processor to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, as set forth in Exhibit B. In the event of a conflict between the Agreement and the Processor to Processor Standard Contractual Clauses, the Processor to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.

  4. To the extent ThoughtMetric Processes Personal Data regulated by the UK Data Protection Laws solely on behalf of Customer (“UK Personal Data”), then to the extent required by the UK Data Protection Laws, the UK’s ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’, Version B1.0, in force from March 21, 2022, available at https://ico.org.uk/media/for-organisations/documents/4019535/addendum-international-data-transfer.docx (the “UK DTA”) will apply to the transfer of such UK Personal Data by Customer to ThoughtMetric and to ThoughtMetric’s Processing of such UK Personal Data and the parties hereby agree to comply with such UK DTA, which is hereby incorporated into the Agreement in its entirety and as set forth in Exhibit C. In the event of a conflict between the Agreement and the UK DTA, the UK DTA will control to the extent applicable to the UK Personal Data.

  5. To the extent Customer makes available to ThoughtMetric Personal Data regulated by the CCPA for a business purpose pursuant to the Agreement and/or to the extent ThoughtMetric Processes Personal Data regulated by the CCPA solely on behalf of Customer (collectively, “California Personal Data”), then to the extent required by the CCPA, the California Data Exhibit (attached hereto as Exhibit D, the “California Data Exhibit”) will apply to ThoughtMetric’s Processing of such California Personal Data and the parties hereby agree to comply with such California Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the California Data Exhibit, the California Data Exhibit will control to the extent applicable to the California Personal Data.

  6. To the extent Customer makes available to ThoughtMetric State Laws Data, then to the extent required by State Data Protection Laws, the Other States Data Exhibit (attached hereto as Exhibit E, the “Other States Data Exhibit”) will apply to ThoughtMetric’s Processing of such State Laws Data and the parties hereby agree to comply with such Other States Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the Other States Data Exhibit, the Other States Data Exhibit will control to the extent applicable to the State Laws Data.

  7. Customer represents, warrants, and covenants that: (i) it has (and will have) Processed, collected, and disclosed all DPA Data in compliance with applicable law and provided any notice and obtained all consents and rights required by applicable law to enable ThoughtMetric to lawfully Process DPA Data as permitted by the Agreement and/or this DPA, including without limitation all consents and rights required to place cookies on the browsers of data subjects to whom DPA Data relates; (ii) it has (and will continue to have) full right and authority to make the DPA Data available to ThoughtMetric under the Agreement and this DPA; and (iii) ThoughtMetric’s Processing of the DPA Data in accordance with the Agreement, this DPA, and/or Customer’s instructions does and will not infringe upon or violate any applicable law or any rights of any third party. Customer shall indemnify, defend and hold ThoughtMetric harmless against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this Section 7. Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this Section 7 shall not be subject to any limitations of liability set forth in the Agreement.

  8. Following termination or expiration of the Agreement (unless prohibited by applicable law): Customer may retrieve DPA Data for up to thirty (30) days following termination or expiration of the Agreement; at the end of such 30-day period, DPA Data may be destroyed by ThoughtMetric.

  9. Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that ThoughtMetric shall have a right to use and disclose data relating to the operation, support and/or use of the Service for its legitimate business purposes, such as product development and improvement, security, and sales and marketing. To the extent any such data is regulated by the European Data Protection Laws, CCPA, or State Data Protection Laws, as applicable, then, to the extent ThoughtMetric is subject to the European Data Protection Laws, CCPA, or State Data Protection Laws (in each case to the extent applicable) as a controller, business, or other equivalent term (as defined in the European Data Protection Laws, CCPA, or State Data Protection Laws, as applicable), ThoughtMetric is the controller, business, or other equivalent term (as defined in the European Data Protection Laws, CCPA, or State Data Protection Laws, as applicable) of such data and accordingly shall Process such data as permitted by the European Data Protection Laws, CCPA, or State Data Protection Laws (in each case to the extent applicable).

  10. This DPA (together with the Agreement) constitutes the entire agreement between the parties and supersedes all prior undertakings and agreements between the parties, whether written or oral, with respect to the subject matter of this DPA. ThoughtMetric reserves the right, in its sole discretion, to change, modify, replace, add to, supplement or delete any terms and conditions of this DPA at any time by posting an updated version of this DPA on this webpage.

  11. In this DPA, unless a clear contrary intention appears: (i) where not inconsistent with the context, words used in the present tense include the future tense and vice versa and words in the plural number include the singular number and vice versa; (ii) reference to any person includes such person’s successors and assigns but, if applicable, only if such successors and assigns are not prohibited by the Agreement; (iii) reference to any gender includes each other gender; (iv) reference to any agreement, document or instrument means such agreement, document or instrument as amended or modified and in effect from time to time in accordance with the terms thereof and includes all addenda, exhibits and schedules thereto; (v) the titles and subtitles used in this DPA are used for convenience only and are not to be considered in construing or interpreting this DPA; (vi) “hereunder,” “hereof,” “hereto,” and words of similar import shall be deemed references to this DPA as a whole and not to any particular Section or Subsection of this DPA; (vii) “including” (including grammatically inflected forms thereof) means including without limiting the generality of any description preceding such term; (viii) all references to “days” refer to calendar days; and (ix) the word “or” is not exclusive. This DPA has been executed in English and the English language version shall control notwithstanding any translations of this DPA.

Exhibit A

MODULE 2 – CONTROLLER TO PROCESSOR

STANDARD CONTRACTUAL CLAUSES

  1. For the purposes of the Controller to Processor Standard Contractual Clauses:
  1. Clause 7. The parties agree that the optional language in Clause 7 is included.
  2. Clause 9(a). The parties agree that under Option 2, ThoughtMetric has Customer’s general authorization to subcontract its processing activities to the list of sub-processors set out in Section (a)(11)(i). ThoughtMetric will inform Customer in writing of any intended changes to the list of sub-processors set out in Section (a)(11)(i) at least 10 days prior to engaging with any other sub-processor.
  3. Clause 11. The parties agree that the optional language in Clause 11 is excluded.
  4. Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
  5. Clause 17. Option 1 shall apply and the Controller to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
  6. Clause 18. The parties agree that any dispute arising from the Controller to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
  7. Annex I.A.
  1. The name and address of Customer, and the name, position, and contact details of the contact person of Customer (which is the data exporter) are as set forth in the Agreement.
  2. The name and address of ThoughtMetric, and the name, position, and contact details of the contact person of ThoughtMetric (which is the data importer) are as set forth in the Agreement.
  3. The activities relevant to the data transferred are the provision and receipt of the Service as described in the Agreement.
  4. The signature and date are the signature and date set forth in the Agreement.
  5. The roles of the parties are as follows: ThoughtMetric is a processor and Customer is a controller.
  8. Annex I.B.
  1. The categories of data subjects are individuals whose personal data is contained within DPA Data, which may include but are not limited to individuals who visit or engage with Customer’s websites, and/or purchase products and/or services from Customer online, and/or engage with Customer’s online marketing channels, advertising, and/or social media outlets.
  2. The categories of personal data transferred are the categories of personal data contained within DPA Data and which are determined and controlled by Customer and which may include but are not limited to: name; e-mail address; e-commerce transaction data, including products viewed or purchased; online identifiers, such as IP addresses and cookies; survey responses; and interactions with Customer’s websites, online marketing channels, advertising, and/or social media outlets.
  3. The categories of sensitive data transferred are the categories of sensitive data contained within DPA Data and which are determined and controlled by Customer.
  4. The frequency of the transfer shall be on a continuous basis.
  5. The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Service by data importer to the data exporter in accordance with the terms of the Agreement.
  6. The purpose of the data transfer and further processing is provision of the Service by data importer to data exporter.
  7. The duration of the processing under these Controller to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Controller to Processor Standard Contractual Clauses).
  8. For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Service to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Service to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
  9. Annex I.C.
  1. The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
  10. Annex II.
  1. The data importer employs the following technical and organisational measures:

Additional Safeguards

Where required by European Data Protection Laws, the following safeguards shall apply with respect to personal data transferred under these Clauses:

(A) The data importer shall have in place and maintain network protection intended to deny attackers the ability to intercept personal data and encryption of personal data while in transit and at rest intended to deny attackers the ability to read personal data.

(B) The data importer will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the personal data protected under the European Data Protection Laws, including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”).

(C) If the data importer becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the personal data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:

1. The data importer will notify the data exporter within a reasonable time after first becoming aware of such demand for access to personal data and provide the data exporter with relevant details of the same, unless and to the extent legally prohibited to do so;

2. The data importer shall inform the relevant government authority that the data importer is a processor of the personal data and that the data exporter has not authorized the data importer to disclose the personal data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the personal data should therefore be notified to or served upon the data exporter in writing;

3. The data importer will use commercially reasonable legal mechanisms to challenge any such demand for access to personal data which is under the data importer’s control. Notwithstanding the above, (a) the data exporter acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to personal data, the data importer has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, the first sentence of this subsection (3) shall not apply. In such event, the data importer shall notify the data exporter, as soon as possible, following the access by the government authority, and provide the data exporter with relevant details of the same, unless and to the extent legally prohibited to do so.

(D) No more than once during any 12-month period, upon written request of the data exporter and to the extent permitted by applicable law, the data importer will provide the data exporter a summary of the types of binding legal demands for personal data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.

  11. Annex III.
  1. Customer hereby authorizes the use of the following sub-processors:
  1. Google
  2. DataDog

Exhibit B

MODULE 3 – PROCESSOR TO PROCESSOR

STANDARD CONTRACTUAL CLAUSES

  1. For the purposes of the Processor to Processor Standard Contractual Clauses:
  1. Clause 7. The parties agree that the optional language in Clause 7 is included.
  2. Clause 9(a). The parties agree that under Option 2, ThoughtMetric has Customer’s general authorization to subcontract its processing activities to the list of sub-processors set out in Section (a)(11)(i). ThoughtMetric will inform Customer in writing of any intended changes to the list of sub-processors set out in Section (a)(11)(i) at least 10 days prior to engaging with any other sub-processor.
  3. Clause 11. The parties agree that the optional language in Clause 11 is excluded.
  4. Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
  5. Clause 17. Option 1 shall apply and the Processor to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
  6. Clause 18. The parties agree that any dispute arising from the Processor to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
  7. Annex I.A.
  1. The name and address of Customer, and the name, position, and contact details of the contact person of Customer (which is the data exporter) are as set forth in the Agreement.
  2. The name and address of ThoughtMetric, and the name, position, and contact details of the contact person of ThoughtMetric (which is the data importer) are as set forth in the Agreement.
  3. The activities relevant to the data transferred are the provision and receipt of the Service as described in the Agreement.
  4. The signature and date are the signature and date set forth in the Agreement.
  5. The roles of the parties are as follows: ThoughtMetric is a processor and Customer is a processor.
  8. Annex I.B.
  1. The categories of data subjects are individuals whose personal data is contained within DPA Data, which may include but is not limited to individuals who visit or engage with Customer’s (and/or Customer’s customers) websites, and/or purchase products and/or services from Customer (and/or Customer’s customers) online, and/or engage with Customer’s (and/or Customer’s customers) online marketing channels, advertising, and/or social media outlets.
  2. The categories of personal data transferred are the categories of personal data contained within DPA Data and which are determined and controlled by Customer and which may include but are not limited to: name; e-mail address; e-commerce transaction data, including products viewed or purchased; online identifiers, such as IP addresses and cookies; survey responses; and interactions with Customer’s (and/or Customer’s customers) websites, online marketing channels, advertising, and/or social media outlets.
  3. The categories of sensitive data transferred are the categories of sensitive data contained within DPA Data and which are determined and controlled by Customer.
  4. The frequency of the transfer shall be on a continuous basis.
  5. The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Service by data importer to the data exporter in accordance with the terms of the Agreement.
  6. The purpose of the data transfer and further processing is provision of the Service by data importer to data exporter.
  7. The duration of the processing under these Processor to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Processor to Processor Standard Contractual Clauses).
  8. For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Service to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Service to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
  9. Annex I.C.
  1. The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
  10. Annex II.
  1. Section (a)(10)(i) of Exhibit A is incorporated herein by reference.
  11. Annex III.
  1. Section (a)(11)(i) of Exhibit A is incorporated herein by reference.

Exhibit C

  1. For the purposes of the UK DTA:
  1. For the purposes of Table 1 of the UK DTA, the start date shall be the later of the DPA Effective Date or the date the Agreement is entered into by the parties, and the names of the parties, their roles and their details shall be as set out in Exhibit A Section (a)(7) and Exhibit B Section (a)(7), respectively;
  2. For the purposes of Tables 2 and 3 of the UK DTA, the Controller to Processor Standard Contractual Clauses and the Processor to Processor Standard Contractual Clauses, including the information set out in Exhibit A Section (a)(8), (10), and (11)(i) and Exhibit B Section (a)(8), (10), and (11)(i), respectively, shall apply; and
  3. For the purposes of Table 4 of the UK DTA, either party may end the UK DTA.

Exhibit D

California Data Exhibit

  1. This California Data Exhibit (this “Exhibit”) forms part of the DPA. Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the DPA or the Agreement (as applicable). The following types of California Personal Data will be subject to processing hereunder: The categories of California Personal Data contained within DPA Data and which are determined and controlled by Customer and which may include but are not limited to: name; e-mail address; e-commerce transaction data, including products viewed or purchased; online identifiers, such as IP addresses and cookies; survey responses; and interactions with Customer’s (and/or Customer’s customers) websites, online marketing channels, advertising, and/or social media outlets.
  2. CCPA Provisions.
  1. In this Exhibit, the following terms have the meanings given in the CCPA: “business purpose”, “personal information”, “processing”, “service provider”, “contractor”, “person”, “share”, “sharing”, “shared”, “sell”, “selling”, “sale” and “sold”.
  2. Except as otherwise required by applicable law or as otherwise permitted by the CCPA, ThoughtMetric shall:
  1. not sell or share California Personal Data;
  2. not retain, use, or disclose California Personal Data for any purpose other than for the business purposes of providing the Service specified in the Agreement for the Customer, nor retain, use, or disclose California Personal Data for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA;
  3. not retain, use, or disclose California Personal Data outside of the direct business relationship between the parties;
  4. not combine California Personal Data, which ThoughtMetric receives pursuant to the Agreement or from or on behalf of Customer, with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the individual to whom such California Personal Data relates, except as otherwise expressly permitted by the CCPA;
  5. reasonably cooperate with Customer in responding to any requests from any individual regarding California Personal Data relating to such individual, including reasonably assisting Customer in deletion, correction, or limitation of the use of such California Personal Data where required under the CCPA, and including instructing ThoughtMetric’s service providers and/or contractors (if any) to so reasonably cooperate in such response;
  6. reasonably assist Customer through appropriate technical and organizational measures in Customer’s complying with the requirements of subdivisions (d) to (f), inclusive, of Section 1798.100 of the CCPA, taking into account the nature of the California Personal Data processing by ThoughtMetric;
  7. implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the California Personal Data intended to protect such California Personal Data from unauthorized access, destruction, use, modification, or disclosure;
  8. comply with all applicable obligations under the CCPA and provide the same level of privacy protection with respect to California Personal Data as required by the CCPA;
  9. notify Customer if ThoughtMetric determines it can no longer meet its obligations under the CCPA; and
  10. comply with Section 1798.140(m) of the CCPA with respect to deidentified data (as defined in the CCPA) received by ThoughtMetric from Customer.

To the extent ThoughtMetric is a contractor, ThoughtMetric certifies that ThoughtMetric understands the restrictions provided in Sections 2(b)(i), 2(b)(ii), 2(b)(iii), and 2(b)(iv) and will comply with them.

  3. ThoughtMetric acknowledges and agrees that the California Personal Data has been disclosed to it for the limited and specified purposes set forth in the Agreement and ThoughtMetric further acknowledges and agrees Customer shall have the right: (i) to take reasonable and appropriate steps to ensure that ThoughtMetric uses California Personal Data in a manner consistent with Customer’s obligations under the CCPA; and (ii) upon notice from Customer to ThoughtMetric, to take reasonable and appropriate steps to stop and remediate unauthorized use of California Personal Data.
  2. To the extent required by the CCPA and to the extent ThoughtMetric is a contractor, ThoughtMetric shall permit, subject to agreement of the parties, Customer to monitor ThoughtMetric’s compliance with this Exhibit through measures, including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing once every twelve (12) months (each, an “Audit”), upon reasonable prior notice from Customer, provided that no third-party auditor (each an “Auditor”) shall be a competitor of ThoughtMetric, nor shall any Auditor be compensated on a contingency basis, and provided further that in no event shall Customer or any Auditor have access to the information of any other client of ThoughtMetric and the disclosures made pursuant to this Section 2(d) (“Audit Information”) shall be held in confidence as ThoughtMetric’s confidential information and subject to any confidentiality obligations in the Agreement, and provided further that no Audit shall be undertaken unless or until Customer has requested, and ThoughtMetric has provided, information about ThoughtMetric’s data protection practices and Customer reasonably determines that an Audit remains necessary to demonstrate material compliance with the obligations laid down in this Exhibit. Without limiting the generality of any provision in the Agreement, Customer shall employ the same degree of care to safeguard Audit Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Customer shall be liable for any improper disclosure or use of Audit Information by Customer or its agents.
  3. If ThoughtMetric engages any other person to assist ThoughtMetric in processing California Personal Data for a business purpose on behalf of Customer, ThoughtMetric shall notify Customer of such engagement, and the engagement shall be pursuant to a written contract binding the other person to observe substantially similar requirements to those set forth in this Exhibit. ThoughtMetric hereby notifies Customer that ThoughtMetric may engage the persons listed in Section (a)(11)(i) of Exhibit A to this DPA to assist ThoughtMetric in processing California Personal Data for a business purpose on behalf of Customer.

Exhibit E

Other States Data Exhibit

  1. State Data Protection Laws. This Other States Data Exhibit (this “Exhibit”) forms part of the DPA. Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the DPA or the Agreement (as applicable).

  1. Instructions. Customer hereby instructs ThoughtMetric to Process State Laws Data to the extent necessary to provide the Service.

  1. Nature of the Processing; Purpose of the Processing. The nature of the Processing of State Laws Data is such that the State Laws Data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Service by ThoughtMetric to Customer in accordance with the terms of the Agreement. The purpose of the Processing of State Laws Data hereunder is the provision of the Service by ThoughtMetric to Customer.

  1. Types of State Laws Data. The types of State Laws Data subject to Processing hereunder are: The categories of State Laws Data contained within DPA Data and which are determined and controlled by Customer and which may include but are not limited to: name; e-mail address; e-commerce transaction data, including products viewed or purchased; online identifiers, such as IP addresses and cookies; survey responses; and interactions with Customer’s (and/or Customer’s customers) websites, online marketing channels, advertising, and/or social media outlets.

  1. Duration of Processing. The duration of the State Laws Data Processing shall continue as long as ThoughtMetric carries out State Laws Data Processing operations on behalf of Customer or until the termination of the Agreement (and all State Laws Data has been returned or deleted).

  1. Rights, Duties, and Obligations. Except as otherwise required or permitted by Applicable Law, ThoughtMetric shall:

  1. Ensure that each person Processing State Laws Data on behalf of ThoughtMetric is subject to a duty of confidentiality with respect to such State Laws Data;

  1. At Customer’s choice and direction, delete or return all State Laws Data to Customer as requested at the end of the provision of the Service, unless retention of such State Laws Data is required by Applicable Law;

  1. Make available to Customer all information necessary to demonstrate ThoughtMetric’s compliance with the obligations in the State Data Protection Laws;

  1. Taking into account the context of Processing, ThoughtMetric shall implement appropriate technical and organizational measures designed to ensure a level of security with respect to the State Laws Data appropriate to the risk in accordance with the Agreement and this DPA;

  1. Allow for, contribute to, and cooperate with reasonable audits, inspections, and/or assessments (each a “State Audit”) by Customer or Customer’s designated third-party representative (each, a “State Auditor”), provided that, to the extent permitted by State Data Protection Laws as an alternative, ThoughtMetric may arrange for a qualified and independent auditor or assessor to conduct (at least annually and at Customer’s expense (unless otherwise required by applicable law)) a State Audit of ThoughtMetric’s policies and technical and organizational measures in support of the obligations under the State Data Protection Laws using an appropriate and accepted control standard or framework and State Audit procedure for the State Audits as applicable and ThoughtMetric shall provide a report of such State Audit (and the results thereof) to Customer upon request. No third-party State Auditor appointed by Customer shall be a competitor of ThoughtMetric, nor shall any such State Auditor be compensated on a contingency basis. In no event shall Customer or any State Auditor have access to the information of any other Customer of ThoughtMetric and the disclosures made pursuant to this Section 1(e)(v) (“State Audit Information”) shall be held in confidence as ThoughtMetric’s Confidential Information and subject to the confidentiality obligations in the Agreement, and provided further that no State Audit under this Section 1(e)(v) shall be undertaken unless or until Customer has requested, and ThoughtMetric has provided, information about ThoughtMetric’s data protection practices and Customer reasonably determines that such a State Audit remains necessary to demonstrate material compliance with the obligations laid down in the State Data Protection Laws. 
Without limiting the generality of any provision in the Agreement, Customer shall employ the same degree of care to safeguard State Audit Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Customer shall be liable for any improper disclosure or use of State Audit Information by Customer or its agents; and

  1. Engage a subcontractor to Process State Laws Data on behalf of ThoughtMetric only after providing Customer with an opportunity to object, and ThoughtMetric shall bind each such subcontractor to a written contract in accordance with State Data Protection Laws that requires such subcontractor to comply with obligations of processors (as defined in the State Data Protection Laws) under the State Data Protection Laws and to meet equivalent obligations with respect to such State Laws Data as are set forth in this Other States Data Exhibit. Customer hereby consents to ThoughtMetric’s engagement of the subcontractors listed in Section (a)(11)(i) of Exhibit A to this DPA to Process State Laws Data.

  1. Deidentified Data. With respect to Deidentified Data received by ThoughtMetric from Customer, ThoughtMetric shall: (A) take reasonable measures to ensure that such data cannot be associated with an individual; (B) publicly commit to maintain, use, and process such Deidentified Data only in a de-identified fashion and not attempt to re-identify such Deidentified Data; and (C) comply with the State Data Protection Laws. “Deidentified Data” means data that cannot reasonably be used to infer information about, and that cannot otherwise be linked to, an identified individual or an identifiable individual, or to a device linked to such individual.
