1. Definitions
  2. Duration and Scope of Addendum
  3. Personal Data Processing
  4. Security
  5. Data Subject Rights
  6. Audits
  7. Subprocessors
  8. Termination
  9. Prohibited Data
  10. Miscellaneous
  11. Annex 1
  12. Annex 2

Data Processing Addendum

This Data Protection Addendum, including its appendices (the "Addendum"), supplements and forms part of the commercial agreement (as amended from time to time, the "Agreement") with Comparative, Inc. ("Provider"), under which Provider has agreed to provide the certain services described therein ("Services") to Customer

  1. Definitions

    For purposes of this Addendum, the terms below have the meanings set forth below. Capitalized
    terms that are used but not defined in this Addendum have the meanings given in the Agreement.

    1. Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where "control" refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.

    2. Applicable Data Protection Laws means the laws of any jurisdiction applicable to the confidentiality, privacy and/or security of Personal Data or processing thereof under the Agreement, including, without limitation, the CCPA

    3. CCPA means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time.

    4. Information Security Incident means a breach of Provider's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Provider's possession, custody or control.

    5. Personal Data means any information that Customer provides to Provider for the provision of the Service that constitutes "personal information", "personally identifiable information" "personal data" or similar information governed by the CPA or other Applicable Data Protection Laws, except that Personal Data does not include such information pertaining to Customer's personnel or representatives who are end users of the Services or business contacts of Provider.

    6. Security Measures has the meaning given in Section 4.1 (Provider's Security Measures).

    7. Subprocessors means third parties engaged by Provider who are authorized under this Addendum to process Personal Data in relation to the Service.

  2. Duration and Scope of Addendum
    1. This Addendum will, notwithstanding the expiration of the Agreement, remain in effect until, and automatically expire upon, Provider's deletion of all Personal Data.

    2. Annex 1 (California Annex) to this Addendum, applies to Personal Data or the processing thereof subject to the CCPA.

  3. Personal Data Processing

    Provider will process Personal Data only in compliance with Applicable Data Protection Laws and only as necessary to perform its obligations and exercise its rights under the Agreement.

  4. Security
    1. Provider Security Measures. Provider will implement and maintain reasonable technical and organizational measures designed to protect Personal Data against Information Security Incidents, including, without limitation, the measures described in Annex 2 (the "Security Measures"). Such Security Measures shall comply with Applicable Data Protection Laws.

    2. Information Security Incidents. If Provider becomes aware of an Information Security Incident, Provider will (a) notify Customer of the Information Security Incident without undue delay after becoming aware of the Information Security Incident and (b) take reasonable steps to identify the cause of such Information Security Incident, minimize harm and prevent a recurrence Notifications made pursuant to this Section 4.2 will describe, to the extent possible, details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Provider recommends Customer take to address the Information Security Incident.

  5. Data Subject Rights
    1. Customer's Responsibility for Requests. If Provider receives any request from an individual in relation to the data subject's Personal Data, Provider will notify Customer in writing of such requests promptly and in no event later than five (5) days of Provider's receipt thereof, and Provider shall not take any action in response to such request except in accordance with Customer's written instructions.

    2. Provider's Data Subject Request Assistance. Provider will (taking into account the nature of the processing of Personal Data) provide Customer with self-service functionality through the Service or other reasonable assistance as necessary for Customer to perform its obligation under Applicable Data Protection Law to fulfill requests by individuals to exercise their rights under Applicable Data Protection Laws within any deadlines imposed thereunder.

  6. Audits
    1. Customer may audit Provider's compliance with its obligations under this Addendum up to once per year and on such other occasions as may be required by Applicable Data Protection Laws.

    2. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer's audit request and Provider has certified in writing that there are no known material changes in the controls audited, Customer agrees to accept such report lieu of requesting an audit of such controls or measures.

    3. The audit must be conducted during regular business hours, and may not unreasonably interfere with Provider business activities.

    4. Any audits are at Customer's expense unless the audit identifies noncompliance with this Addendum in any material respect, in which case Provider will reimburse Customer for all of its out of pocket costs and expenses associated with the audit.

  7. Subprocessors
    1. Consent to Subprocessor Engagement. Subject to this Addendum, Customer generally authorizes the engagement of Subprocessors.

    2. Current Subprocessors. All Subprocessors engaged by Provider as of the date of this Addendum, if any, and a description of their functions are as follows:

      Entity Name Entity Type Service Type Entity Country
      Amazon Web Services, Inc. Corporation Storage, Computing,Relational Database USA
      DocuSign, Inc. Corporation Contract management USA
      Google Cloud Corporation Authentication Canada
      Google, Inc. Corporation Analytics USA
      HubSpot, Inc. Corporation Account management USA
      Zendesk Corporation Support USA
    3. Engaging New Subprocessors. When engaging any Subprocessor, Provider will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this Addendum with respect to Personal Data. Provider shall be liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor. Provider shall not permit any Subprocessor to process Personal Data in or from any location outside of the United States, Canada or the European Union without Customer's prior written consent.

    4. Opportunity to Object to Subprocessor Changes. When any new Subprocessor not listed in Section 7.2 is engaged during the term of the Agreement, Provider will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) at least 30 days prior to such engagement. If Customer objects to such engagement in a written notice to Provider within 30 days of being informed thereof on reasonable grounds relating to the protection of Personal Data, Customer and Provider will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Service by providing written notice to Provider and receive a refund of any prepaid fees under the Agreement.

  8. Termination

    Upon termination of Customer's access to the Service, Provider shall delete or cause the deletion of all Personal Data in the care, custody or control of Provider and any Subprocessor as soon as reasonably practicable, except to the extent retention thereof is required by law.

  9. Prohibited Data

    Customer represents and warrants to Provider that Customer has not provided and will not provide, without Provider's prior written consent, the following for Customer to Process: any social security numbers or other government-issued identification numbers; protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 13 years of age.

  10. Miscellaneous

    Except as expressly modified by the Addendum, the terms of the Agreement remain in full force and effect. The requirements of this Addendum are in addition to and not in lieu of the requirements of the Agreement. To the extent of any conflict or inconsistency between this Addendum and the other terms of the Agreement, this Addendum will govern.

Annex 1

California Annex

  1. Provider shall not retain, use, or disclose any Personal Data that constitutes "personal information" under the CPA ("CA Personal Information") for any purpose other than for the specific purpose of providing the Service, or as otherwise permitted by CPA, including retaining, using, or disclosing the CA Personal Information for a commercial purpose (as defined in CPA) other than providing the Services.

  2. Provider shall not (a) sell any CA Personal Information; (b) retain, use or disclose any CA Personal Information for any purpose other than for the specific purpose of providing the Service, including retaining, using, or disclosing the CA Personal Information for a commercial purpose (as defined in the CCPA) other than provision of the Service; or (c) retain, use or disclose the CA Personal Information outside of the direct business relationship between Provider and Customer. Provider hereby certifies that it understands its obligations under this Section 2 and will comply with them.

  3. Provision of the Services encompasses the processing authorized in Section 3 of the Addendum.

  4. Notwithstanding anything in the Agreement or any order form entered in connection therewith, the parties acknowledge and agree that Provider's access to CA Personal Information is not part of the consideration exchanged by the parties in respect of the Agreement.

Annex 2

Security Measures

At all times that the Provider processes Personal Data, Provider will have implemented and maintain the Training all personnel with access to Personal Data on their and the Provider's data protection obligations.

  1. Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Personal Data that is (a) transmitted over public networks (i.e. the Internet) or when transmitted wirelessly; or (b) at rest or stored on portable or removable media (i.e. laptop computers, CD/DVD, USB drives, back-up tapes).

  2. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access when employment terminates or changes in job functions occur).

  3. Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Provider passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on Provider's computer systems; (ili) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.

  4. Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Provider's technology and information assets.

  5. Incident / problem management procedures designed to allow Provider to investigate, respond to, mitigate and notify of events related to Provider's technology and information assets.

  6. AWS Network security controls that provide for the use of enterprise firewalls, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.