Data Processing Addendum

This Data Processing Addendum (“DPA”) is between  G2.com, Inc. (“G2”) and the entity identified in the Service Order (“Customer”) and is incorporated into the Master Service Agreement (“Agreement”), or a similar agreement regarding the Services, between the  parties. Capitalized terms not defined herein have the meanings assigned in the Agreement. 

This DPA applies only when Personal Data is transferred by Customer (Controller) to G2 (Processor) for the following purposes:      

Purpose	Data Subject	Personal Data Transferred from Customer to G2
Review Campaign	Customer’s clients	First Name + Email
Invitation to my.G2	Customer’s employees	First Name + Last Name + Email

1. Scope.

This DPA sets forth how G2 will Process Personal Data (or a similar term as defined by applicable Privacy Laws) provided by Customer under  the Agreement. The parties agree to comply with applicable data protection laws (“Privacy Laws”). Details of the Processing are in Appendix A. “Process” (and its cognates) is defined according to applicable Privacy Laws. 

2. Obligations of Customer.

Customer is solely responsible for (a) providing notice or obtaining consent from a person to whom Personal Data relates (“Data Subject”) as required by Privacy Laws; (b) supplying only the minimum necessary Personal Data for G2 to fulfill its obligations; (c) ensuring the accuracy and completeness of Personal Data and making updates, including handling Personal Data deletion requests; (d) any unauthorized Processing  outside the  control of G2 or a Subprocessor; (e) ensuring Personal Data does not contain Special Categories or Sensitive Personal Data (as defined by Privacy Laws); (f) managing third-party controller communications; and (g) reviewing G2’s data security information to meet  legal obligations. Customer must  not request G2 to Process  in violation of Privacy Laws. If G2 believes an instruction violates Privacy Laws, G2 may refuse to Process without any penalties. For any  legal requirements not covered by this DPA, Customer must notify G2 at legal@g2.com. G2 is not responsible for initiating this process and may refuse, without incurring any penalties, to Process Personal Data if the requirements exceed this DPA. 

3. Use Of Personal Data.

Customer instructs G2 to Process Personal Data (a) to perform its obligations under the Agreement and in accordance with  Appendix A, (b) as required by law and in compliance with Privacy Laws, or (c) for any other purposes permitted by Customer in writing. G2 will not “share” or “sell” Personal Data (as defined by CCPA). 

4. Privacy and Security.

G2 will implement reasonable security measures to protect Personal Data , as outlined in Appendix B. Third-party certifications and audits are available upon Customer’s written request to security@g2.com (“Safeguards”). G2 can update Safeguards without prior notice to or approval from Customer, but will not  materially reduce the current standards.

5. Subprocessors.

Customer authorizes G2 to engage third parties or subcontractors to Process Personal Data its behalf (“Subprocessors”). G2 will ensure Subprocessors agree to similar data protection obligations as outlined in this DPA. Except as stated in the Agreement or this DPA, G2’s liability for Subprocessors is limited to the extent as if G2 were performing the services directly, and will not exceed the amount actually recovered by G2 from that Subprocessor. Customer provides G2 with a general authorization to engage Subprocessors. 

G2 maintains a list of its Subprocessors at https://legal.g2.com/subprocessors, where Customer is required to  subscribe to notifications of new Subprocessors(“Subprocessor Notification”). . If Customer objects to a new Subprocessor, Customer must notify G2 in writing at privacy@G2.com within 10 business days of G2 sending a Subprocessor Notification. If an objection is made in time,  G2 will make  reasonable efforts to avoid using  the contested Subprocessor, but if no solution is found within within 30 business days, Customer may terminate the Agreement and DPA in accordance with the termination provisions of the Agreement.

6. Cooperation and Audits.

G2 will provide reasonable assistance to help Customer comply with Privacy Laws regarding (a) this DPA; (b) privacy impact assessments or  (c) subject to the terms in this Section 6, audits of G2 as required under Privacy Laws (collectively, “G2 Audit Obligations”); Customer may audit G2 once in any  12-month rolling period, unless otherwise required by Privacy Laws. 

Regarding G2 Audit Obligations, subject to the confidentiality obligations set forth in the Agreement and upon Customer’s  written request, G2 will provide to Customer or, if required by Privacy Laws, Customer’s competent regulatory authority, (a) a summary of recent third-party audits or certifications, (b) similar reports from  Subprocessors to G2, or (c) other information required by Privacy Laws.

In Privacy Laws mandate an onsite audit (“On-Site Audits”), Customer and G2 will agree on scope, timing and duration at least 30 days in advance of any such audit. On-Site Audits will be limited to G2 facilities only, Customer will cover all costs, participants must comply with confidentiality and other requirements, solely to be determined by G2, and must occur during G2’s normal business hours. Unless otherwise required by Privacy Laws, Customer must submit Customer’s request for an On-Site Audit to G2 at privacy@g2.com with at least 30 days written notice.  G2 is not required to violate Privacy Laws or other legal or contractual obligations it has to its customers or its users. Customer must inform G2 of any compliance issues found during the On-Site Audit within 10 business days. G2 may adapt the scope of an On-Site Audit to avoid risks with respect to its legal and contractual obligations to other G2 customers and users. 

Audits under the EU and UK Standard Contractual Clauses (“SCCs”) will follow this Section 6.

7. Cross Border Data Transfers.

G2 Processes Personal Data in the United States. Transfers of Personal Data from the EU or UK to a jurisdiction which is not recognized by the EU or UK as having adequate data protection, or where data transfers contemplated by this DPA are not otherwise restricted under Privacy Laws, the EU SCCs andUK International Data Transfer Agreement (“UK Agreement”) apply, as incorporated by Appendix C. By signing  the Service Order, both parties accept the EU SCCs and UK Agreement.

For transfers of Personal Data from the EU (“EU Personal Data”) to the U.S., G2 participates in the EU-U.S. Data Privacy Framework Program  (“DPF”) and agrees to comply with the DPF to the extent Customer also participates in the DPF.

8. Personal Data Breach.

If G2 is negligent and materially compromises or causes accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer’s Personal Data or other event impacting Customer’s Personal Data that triggers an obligation for G2 to notify Customer under Privacy Laws related to security breach notification (collectively, a “Personal Data Breach”), G2 will notify Customer without delay of G2’s confirmation of such Personal Data Breach at the Security Email set forth in the Service Order. G2 will share the following information as it becomes available to G2: (a) a brief description of the Personal Data Breach, including its date, (b) details of the impacted Personal Data, (c) actions G2 is taking to investigate and mitigate, (d) contact information for further inquiries, and (e) any other information required under Privacy Laws. 

If Privacy Laws require notifying third parties, G2 will reimburse the Customer for reasonable costs directly related to the notification and any required credit monitoring (“Notification Costs”), excluding legal fees or related costs incurred by Customer.

G2 will cooperate with Customer’s reasonable investigation, as required by Privacy Laws. If Privacy Laws require notifying third parties, G2 will reimburse Customer for reasonable costs directly incurred by Customer for this legally required notification and any legally required credit monitoring (“Notification Costs”). Notification Costs shall not include any legal fees or related costs incurred by Customer.

9. Information Management.

After completing the  Services, G2 will return or delete all copies of Personal Data, unless retention is required by law or otherwise infeasible, in which case G2 will retain the Personal Data only as necessary and may process it solely for the purpose of preventing return or deletion.

10. Indemnification.

Subject to Section 12 of the Agreement, Customer agrees that Customer will reimburse, indemnify and hold G2 harmless for all costs incurred in responding to or mitigating any losses suffered by G2, including, but not limited to, any losses relating to a third-party claim brought against G2 regarding the Processing of Personal Data where such Processing is consistent with Customer’s Processing instructions, the Agreement and/or this DPA. 

11. Limitation of Liability.

Except as otherwise explicitly stated in this DPA, G2’s sole liability and Customer’s sole remedy for G2’s breach of this DPA will not exceed the fees paid by Customer to G2 under the Service Order giving rise to the claim in the 12 months preceding the claim. In no circumstances will G2 be liable for any special, indirect, incidental, consequential, or punitive damages, including lost profits incurred by Customer. 

12. Interpretation and Updates.

G2 will update this DPA periodically, without notice to Customer, in material compliance with Privacy Laws and without materially lessening the protections set forth herein. The following order of precedence applies in the event of a conflict with respect to the Processing of Personal Data: (a) the International Data Transfer Agreement, (b) this DPA, (c) the Agreement, and (d) the Privacy Laws.

13. Term.

This DPA begins on the Effective Date and remains in force until the Agreement terminates, or until G2 stops Processing Personal Data on behalf of Customer.

 

APPENDIX A

Description of Processing 

Parties	Exporter & Controller: Customer Customer information is as set forth in the Service Order.
	Importer & Processor: G2.com, Inc. 100 South Wacker Drive, Suite 600, Chicago, IL 60606
Categories of Data Subjects Whose Personal Data is Transferred & Categories of Personal Data Transferred	Review Campaign (if applicable) Data Subject: Customer’s customers Personal Data: First name and email
Sensitive Data Transferred	Customer will not transfer Sensitive Data to G2.
Frequency of the Transfer	Continuous.
Nature of the Processing	To provide the Services.
Purpose of Processing, Data Transfer and Further Processing	To provide the Services.
Duration of Processing	As set forth in Section 13.
Subprocessor Transfers	As set forth in Section 5.

APPENDIX B

Technical and Organizational Measures

G2 has implemented the following technical and organizational measures for the protection of the security, confidentiality and integrity of Personal Data:

Access Control: Preventing Unauthorized Product Access	Outsourced processing: G2 hosts its Services with outsourced cloud infrastructure providers. G2 maintains contractual relationships with vendors in order to provide the Services in accordance with its  DPA. G2 relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
	Physical and environmental security: G2 hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type I and ISO 27001, 27017, 17018 compliance, among other certifications.
	Authentication: G2 implemented a uniform password policy for its Customer’s products. Customers who interact with the products via the user interface must authenticate before accessing non-public Customer data.
	Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of G2’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
	Application Programming Interface (API) access: Public product APIs may be accessed using an API.
Access Control: Preventing Unauthorized Product Use	G2 implements industry standard access controls and detection capabilities for the internal networks that support its products.
	Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
	Intrusion detection and prevention: G2 implemented a Web Application Firewall (WAF) solution to protect hosted Customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
	Static code analysis: Security reviews of code stored in G2’s source code repositories is performed. Checking for coding best practices and identifiable software flaws.
	Penetration testing: G2 maintains relationships with industry recognized penetration testing service providers for one annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
Access Control: Limitations of Privilege & Authorization Requirements	Product access: A subset of G2’s employees have access to the products and to Customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective Customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. All such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated regularly. Employee roles are reviewed at least once every 6 months.
	Background checks: All G2 employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
Transmission Control	In-transit: G2 requires HTTPS encryption (also referred to as SSL or TLS) on every one of its login interfaces. G2’s HTTPS implementation uses industry standard algorithms and certificates.
	At-rest: G2 stores user passwords following policies that follow industry standard practices for security. G2 has implemented technologies to ensure that stored data is encrypted at rest.
Input Control	Detection: G2 designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. G2 personnel, including security, operations, and support personnel, are responsive to known incidents.
	Response and tracking: G2 maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, G2 will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
	Communication: If G2 becomes aware of unlawful access to non-G2 Data stored within its Services, G2 will: 1) notify the affected Customers of the incident; 2) provide a description of the steps G2 is taking to resolve the incident; and 3) provide status updates to the Customer contact, as G2 deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form G2 selects, which may include via email or telephone.
Availability Control	Infrastructure availability: The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
	Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores.
	Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
	G2’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists G2 operations in maintaining and updating the product applications and backend while limiting downtime.

APPENDIX C

EU & UK GDPR

Section 1 - EU:For data transfers from the EU, the EU SCCs are incorporated into this DPA as follows:

EU SCC Term	Amendment/Selected Option
Module	Module 2 (Controller to Processor).
Clause 7 (Docking Clause)	Option is not included.
Clause 9 (Use of Sub-Processors)	Option 2 shall apply. As set forth in Appendix .
Clause 11 (Redress)	Option is not included.
Clause 13 (Supervision)	Options are included, as applicable.
Clause 17 (Governing Law)	Ireland.
Clause 18 (Choice of Forum and Jurisdiction)	Ireland.
Annex I.A (List of Parties)	As set forth in Appendix A.
Annex I.B (Description of the Transfer)	As set forth in Appendix A.
Annex I.C (Competent Supervisory Authority)	As set forth in Appendix A.
Annex II (Technical and Organisational Measures)	As set forth in Appendix B.

Section 2 - UK: For data transfers from the UK, the UK Addendum is incorporated into this DPA as follows:

UK Addendum Term	Amendment/Selected Option
Table 1: Start Date	As set forth in Section 13.
Table 1: Parties	As set forth in Appendix A.
Table 2: Addendum EU SCC	As set forth in Section 1 of this Appendix C.
Table 3: Appendix Information	As set forth in Section 1 of this Appendix C.
Table 4: Ending this Addendum	Importer.
Mandatory Clauses	The Mandatory Clauses are incorporated into this Appendix C. The ‘Alternative Part 2 Mandatory Clauses’ are not selected.