Data Processing Addendum
This Data Processing Addendum (“DPA”) is entered into by and between G2.com, Inc. (“G2”) and the entity identified as Client on the Service Order (“Client”) and is incorporated into the Master Service Agreement (“Agreement”) entered into by both parties. Capitalized terms used but not defined herein have the meanings given to them in the Agreement.
This DPA sets forth how Personal Data (or a similar term as defined by applicable Privacy Laws) provided to G2 in connection with the Agreement will be protected and Processed. “Process”, including its cognates, has the meaning attributed to it in the applicable Privacy Laws. The parties agree to comply with any applicable data protection laws including but not limited to, California Consumer Protection Act (“CCPA”), European Union (“EU”) General Data Protection Regulation (“EU GDPR”) and United Kingdom (“UK”) General Data Protection Regulation (“UK GDPR”), as such laws may be amended from time to time (collectively, “Privacy Laws”).
- SCOPE. As between Client and G2, Client is the Controller and data exporter. However, in the instance of an integration of the Services with a third-party application where the third-party application provider is the Controller (“Third-Party Controller”), Client is a Processor. G2 is the Processor and data importer. “Controller” means the natural or legal person that determines the purposes and means of the Processing of Personal Data and/or “controller,” “business” or similar term as defined by applicable Privacy Laws. “Processor” means the natural or legal person that Processes Personal Data on behalf of the Controller and/or “processor,” “service provider” or similar term as defined by applicable Privacy Laws. The subject details of the Processing are described in Appendix A. This DPA applies only to the extent that G2 Processes Personal Data in the course of providing the Services to Client.
- OBLIGATIONS OF CLIENT. Client is solely responsible for, and G2 shall have no obligation with respect to, (a) providing any notice and/or obtaining any consent from an identified or identifiable natural person to whom Personal Data relates (“Data Subject”) as required under Privacy Laws as needed in connection with G2’s Processing of Personal Data in connection with the Agreement; (b) making available to G2 the minimum amount of Personal Data necessary for G2 to carry out G2’s obligations under the Agreement and/or this DPA; (c) ensuring the accuracy and completeness of any Personal Data and making any updates, including requests for deletion of Personal Data, to reflect changes requested by Data Subjects; (d) any unauthorized Processing of Personal Data not under the control of G2 or a Subprocessor; (e) ensuring Personal Data does not and will not contain Special Categories of Personal Data, as defined in Article 9.1 of the EU GDPR and UK GDPR or Sensitive Personal Information as defined by CCPA; (f) any communications, notifications, assistance and/or authorizations that may be required in connection with a Third-Party Controller; and (g) reviewing the information made available by G2 relating to data security and making an independent determination as to whether the Services meet Client’s requirements and legal obligations under Privacy Law. Client will not require or request that G2 undertake any Processing that will violate the Privacy Laws; however, if, in G2’s opinion, the instructions provided by Client violate Privacy Laws, G2 can refuse to undertake such Processing without any penalties. If there are additional specific legal requirements under Privacy Laws that are not addressed under this DPA, it is Client’s responsibility to notify G2 at legal@g2.com. G2 will not be responsible for initiating this process and may refuse, without incurring any penalties, to Process Personal Data if the requirements exceed what is outlined in this DPA.
- USE OF PERSONAL DATA. Client instructs G2 to Process Personal Data (a) to perform its obligations under the Agreement and for the specific purposes outlined in Appendix A, (b) for the duration specified in Appendix A; (c) as required by law and in compliance with Privacy Laws, or (d) for any other purposes permitted by Client in writing. G2 may aggregate, deidentify, or anonymize Personal Data so it no longer meets the definition of Personal Data (“Non-Personal Data”) and may Process such Non-Personal Data for its own purposes. G2 will not re-identify any such Non-Personal Data. Solely with respect to any Personal Data that is subject to CCPA (i) G2 will not retain, use or disclose the Personal Data for any purpose other than for performing the Services or as otherwise permitted by CCPA; (ii) G2 will comply with applicable provisions of CCPA and provide the same level of privacy protection for relevant Personal Data as required by CCPA; (iii) Client has the right to take reasonable and appropriate steps to help ensure that G2 uses Personal Data in a manner consistent with Client’s obligations under CCPA; (iv) G2 will notify Client if G2 makes a determination that it can no longer meet its obligations under CCPA; and (v) Client has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data by G2.
- PRIVACY AND SECURITY. G2 will implement and maintain, at its own cost and expense, commercially reasonable technical, organizational and physical security measures designed to protect the privacy and security of Personal Data it Processes, as outlined in Appendix B, and the third-party certifications and audits that are available upon Client’s written request to security@g2.com (the “Privacy and Security Safeguards”). G2 reserves the right to change and update the Privacy and Security Safeguards without prior notice to, or approval from, Client, however, it will not materially lessen these measures from the standards that are in place as of the date that Client entered into this DPA.
- SUBPROCESSORS. Client authorizes G2, on Client’s behalf, to engage third parties or subcontractors, to Process Personal Data (“Subprocessors”). G2 will require Subprocessors to agree in writing to comply with materially similar data protection obligations as those contained in this DPA. Except as set forth in the Agreement or this DPA, G2 will be liable for the acts and omissions of its Subprocessors only to the same extent G2 would be liable if it was performing the services of each Subprocessor directly and such liability will not exceed the amount actually recovered by G2 from that Subprocessor. For purposes of Clause 9 of the standard contractual clauses set forth under the EU GDPR (the “EU SCCs”) and the UK GDPR (the “UK SCCs”), Client provides G2 with a general authorization to engage Subprocessors.
- G2 will maintain a list of its Subprocessors at https://sell.g2.com/legal/subprocessor_page. G2 will make available to Client a mechanism to affirmatively subscribe to notifications of new Subprocessors used by G2 (the “Subprocessor Notification”). Client is solely responsible for subscribing to the Subprocessor Notification. If Client objects to G2’s use of a new Subprocessor, Client is required to notify G2 in writing at privacy@g2.com within 10 business days after G2 sends a Subprocessor Notification. In the event Client objects to a new Subprocessor through this process and within the specified timeframe, G2 will use reasonable efforts to avoid Processing Client’s Personal Data by the objected-to new Subprocessor. If G2 is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) business days, Client may terminate the Agreement and DPA in accordance with the termination provisions of the Agreement.
- COOPERATION AND AUDITS. G2 will provide reasonable assistance, information and cooperation to Client to help Client comply with obligations required under Privacy Laws with respect to (a) compliance with this DPA; (b) privacy impact assessments and/or (c) subject to the terms in this Section 6, audits of G2 as required under Privacy Laws or G2’s compliance with this DPA (collectively, “G2 Audit Obligations”); Client will not audit G2 more than once in any 12-month rolling period, unless otherwise required under Privacy Laws.
With respect to G2 Audit Obligations, subject to the confidentiality obligations set forth in the Agreement and upon your written request, G2 will provide to Client or, if required by Privacy Laws, Client’s competent regulatory authority, (a) a summary copy of G2’s then most recent third-party audits or certifications, (b) any similar reports that have been provided by the Subprocessor to G2, or (c) other information, solely to the extent G2 or a Subprocessor is required to provide this information under Privacy Laws.
In the event that Client is required under Privacy Laws to undertake an on-site audit of G2 (“On-Site Audits”), Client and G2 will mutually agree upon the scope, timing and duration of the audit at least 30 days in advance of any such audit. Client acknowledges that (a) On-Site Audits will be limited to G2 facilities only, (b) Client is responsible for all costs of the On-Site Audit, (c) Client’s participants in the On-Site Audit must comply with all reasonable confidentiality and other requirements imposed by G2, solely to be determined by G2 at the time of Client’s request, (d) G2 operates a shared cloud environment and will reasonably adapt the scope of any On-Site Audit to avoid or mitigate risks with respect to its legal and contractual obligations to other G2 customers and users, (e) all On-Site Audits must take place during G2’s normal business hours, and (f) unless otherwise required by Privacy Laws, Client must submit Client’s request for an On-Site Audit to G2 at privacy@g2.com with at least 30 calendar days written notice. Nothing in this Section will require G2 to violate Privacy Laws or other legal or contractual obligations it has to its customers or its users. Client must notify G2 within ten business days following the completion of the On-Site Audit of any compliance issues discovered during the course of an On-Site Audit.
The parties agree that the audits described in Clause 8.9 of the EU Standard Contractual Clauses (“EU SCCs”) and the UK Standard Contractual Clauses (“UK SCCs”, and collectively with the EU SCCs, “SCCs”) will be carried out in accordance with this Section 6 of this DPA.
- CROSS BORDER DATA TRANSFERS. G2 Processes Personal Data in the United States (or anywhere G2 or its Subprocessors maintains facilities). For any transfers of Personal Data from EU or UK to a country which is not an Approved Jurisdiction, such transfers and Processing shall be governed by a valid mechanism for the lawful transfer of Personal Data recognized under Privacy Laws, such as (a) for transfers of Personal Data protected by EU GDPR, such transfers shall be subject to the EU Standard Contractual Clauses, including Appendix C (“EU SCCs”), and (b) with respect to transfers of Personal Data protected by UK GDPR, such transfers shall be subject to the UK International Data Transfer Addendum to the EU SCCs (“UK Addendum”, and collectively with the EU SCCs, “SCCs”), including Appendix C. “Approved Jurisdiction” means a jurisdiction that has either been approved as having adequate legal protections for data by the European Commission or the UK Information Commissioner’s Office, or where data transfers contemplated by this DPA are not otherwise restricted under the Privacy Laws. Each party’s signature to the Service Order shall be considered a signature to the SCCs.
- PERSONAL DATA BREACH. In the event of any negligent act or omission by G2 that materially compromises or results in any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client’s Personal Data or other event impacting Client’s Personal Data that triggers an obligation for G2 to notify Client under Privacy Laws related to security breach notification (collectively, a “Personal Data Breach”), G2 will notify Client without undue delay of G2’s confirmation of such Personal Data Breach at the Security email set forth in the Service Order. G2 will provide the following information to Client, as this information becomes available to G2: (a) a brief description of the Personal Data Breach, including the date of the Personal Data Breach; (b) a description of the Personal Data that has been, or is reasonably believed by G2 to have been, impacted by the Personal Data Breach; (c) a description of what G2 is doing to investigate the Personal Data Breach, to mitigate potential harm caused by the Personal Data Breach and to protect against another similar Personal Data Breach; (d) contact information that Client can use to get more information from G2 about the Personal Data Breach; and (e) any other information that G2 is required to provide to Client about the Personal Data Breach under Privacy Laws. G2 will cooperate with Client in Client’s reasonable investigation of the Personal Data Breach, including as required by Privacy Laws. If notification to any third party is required under Privacy Laws, G2 will reimburse Client for reasonable costs directly incurred by Client for the provision of this legally required notification and any legally required credit monitoring (the “Notification Costs”). The Notification Costs shall not include any legal fees or related costs incurred by Client.
- INFORMATION MANAGEMENT. G2 shall upon the termination of the Agreement at Client’s written request, either delete or return any Personal Data to Client once Processing by G2 is no longer required for G2’s performance of its obligations under the Agreement or this DPA. Upon completion of the Services under this Agreement, G2 will return or delete all existing copies of Personal Data, unless retention of Personal Data is required by applicable law or is otherwise infeasible, in which case G2 will continue to retain the Personal Data subject to the requirements of this DPA and may only Process such Personal Data for the purposes that make return or deletion infeasible.
- INDEMNIFICATION. Subject to Section 11 of the Agreement, Client agrees that Client will reimburse, indemnify and hold G2 harmless for all costs incurred in responding to or mitigating any losses suffered by G2, including, but not limited to, any losses relating to a third-party claim brought against G2 regarding the Processing of Personal Data where such Processing is consistent with Client’s Processing instructions, the Agreement and/or this DPA.
- LIMITATION OF LIABILITY. Except as otherwise explicitly stated in this DPA, G2’s sole liability and Client’s sole remedy for G2’s breach of this DPA will not exceed the fees paid by Client to G2 under the Service Order giving rise to the claim in the 12 months preceding the claim. In no circumstances will G2 be liable for any special, indirect, incidental, consequential, or punitive damages, including lost profits incurred by Client.
- INTERPRETATION AND UPDATES. G2 will update this DPA periodically, without notice to Client, in material compliance with Privacy Laws and without materially lessening the protections set forth herein. The following order of precedence applies in the event of a conflict with respect to the Processing of Personal Data: (a) the SCCs, (b) this DPA, (c) the Agreement, and (d) the Privacy Laws.
- TERM. This DPA begins on the Effective Date (as defined in the Agreement) and is in effect until the Agreement terminates or expires, or until such time as G2 no longer Processes Personal Data on behalf of Client.
APPENDIX A
DESCRIPTION OF TRANSFER/PROCESSING
Parties |
Data Exporter & Controller: Client
Client information is as set forth in the Service Order.
Data Importer & Processor: G2.com, Inc.
100 South Wacker Drive, Suite 600, Chicago, IL 60606
|
Categories of Data Subjects Whose Personal Data is Transferred |
- Client’s prospects, customers, and business partners, and employees or contact persons of the foregoing
- Client’s employees, consultants, contractors, agents and/or third parties with whom Client conducts business
- Client’s authorized Users
|
Categories of Personal Data Transferred |
- First and last name
- Title
- Position
- Employer
- Contact information (company, email, phone, physical business address)
- ID data
- Professional life data
- Personal life data
- Location data
|
Sensitive Data Transferred |
Client will not transfer sensitive data to G2. |
Frequency of the Transfer |
Continuous. |
Nature of the Processing |
To provide the Services. |
Purpose of Processing, Data Transfer and Further Processing |
To provide the Services. |
Duration of Processing |
As set forth in Section 13. |
Subprocessor Transfers |
As set forth in Section 5. |
APPENDIX B
TECHNICAL AND ORGANIZATIONAL MEASURES
G2 has implemented the following technical and organizational measures for the protection of the security, confidentiality and integrity of Personal Data uploaded to the Offerings:
Access Control: Preventing Unauthorized Product Access |
- Outsourced processing: G2 hosts its Offering with outsourced cloud infrastructure providers. Additionally, G2 maintains contractual relationships with vendors in order to provide the Offerings in accordance with our Data Processing Agreement. G2 relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
- Physical and environmental security: G2 hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type I and ISO 27001, 27017, 17018 compliance, among other certifications.
- Authentication: G2 implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
- Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of G2’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
- Application Programming Interface (API) access: Public product APIs may be accessed using an API.
|
Access Control: Preventing Unauthorized Product Use |
- G2 implements industry standard access controls and detection capabilities for the internal networks that support its products.
- Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
- Intrusion detection and prevention: G2 implemented a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
- Static code analysis: Security reviews of code stored in G2’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
- Penetration testing: G2 maintains relationships with industry recognized penetration testing service providers for one annual penetration test. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
|
Access Control: Limitations of Privilege & Authorization Requirements |
- Product access: A subset of G2’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. All such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated regularly. Employee roles are reviewed at least once every six months.
- Background checks: All G2 employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
|
Transmission Control |
- In-transit: G2 requires HTTPS encryption (also referred to as SSL or TLS) on every one of its login interfaces. G2’s HTTPS implementation uses industry standard algorithms and certificates.
- At-rest: G2 stores user passwords following policies that follow industry standard practices for security. G2 has implemented technologies to ensure that stored data is encrypted at rest.
|
Input Control |
- Detection: G2 designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. G2 personnel, including security, operations, and support personnel, are responsive to known incidents.
- Response and tracking: G2 maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, G2 will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
- Communication: If G2 becomes aware of unlawful access to non-G2 Data stored within its Offerings, G2 will: 1) notify the affected customers of the incident; 2) provide a description of the steps G2 is taking to resolve the incident; and 3) provide status updates to the customer contact, as G2 deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form G2 selects, which may include via email or telephone.
|
Availability Control |
- Infrastructure availability: The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
- Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores.
- Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
- G2’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists G2 operations in maintaining and updating the product applications and backend while limiting downtime.
|
APPENDIX C
STANDARD CONTRACTUAL CLAUSES
Table 1: EU Standard Contractual Clauses
For data transfers from the EU that are subject to the EU SCCs, the EU SCCs will be deemed entered into (and incorporated into this DPA by reference) and completed as follows:
| EU SCC Term | Amendment/Selected Option |
| --- | --- |
| Module | Module 2 (Controller to Processor). |
| Clause 7 (Docking Clause) | Option is not included. |
| Clause 9 (Use of Sub-Processors) | Option 2 shall apply. As set forth in Appendix 1. |
| Clause 11 (Redress) | Option is not included. |
| Clause 13 (Supervision) | Options are included, as applicable. |
| Clause 17 (Governing Law) | Ireland. |
| Clause 18 (Choice of Forum and Jurisdiction) | Ireland. |
| Annex I.A (List of Parties) | As set forth in Appendix A. |
| Annex I.B (Description of the Transfer) | As set forth in Appendix A. |
| Annex I.C (Competent Supervisory Authority) | As set forth in Appendix A. |
| Annex II (Technical and Organisational Measures) | As set forth in Appendix B. |
Table 2: UK Standard Contractual Clauses
For data transfers from the UK that are subject to the UK GDPR, the UK Addendum will be deemed entered into (and incorporated into this DPA by reference) and completed as follows:
| UK Addendum Term | Amendment/Selected Option |
| --- | --- |
| Table 1: Start Date | As set forth in Section 13. |
| Table 1: Parties | As set forth in Appendix A. |
| Table 2: Addendum EU SCC | As set forth in Table 1 of this Appendix C. |
| Table 3: Appendix Information | As set forth in Table 1 of this Appendix C. |
| Table 4: Ending this Addendum | Importer. |