Data Processing Addendum
This Data Processing Addendum (“DPA”) is entered into by G2.com, Inc. (“G2”) and the entity identified as Client on the Service Order (“Client”) and is incorporated into the Master Service Agreement (“Agreement”), or a similar agreement regarding the Services, entered into by both parties. Capitalized terms used but not defined herein have the meanings given to them in the Agreement.
- SCOPE. This DPA sets forth how Personal Data (or a similar term as defined by applicable Privacy Laws) provided to G2 by Client in connection with the Agreement will be protected and Processed. “Process”, including its cognates, has the meaning attributed to it in the applicable Privacy Laws. The parties agree to comply with any applicable data protection laws including but not limited to, California Consumer Protection Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”), Virginia Consumer Data Protection Act (“VCDPA”), Colorado Privacy Act (“CPA”), Connecticut Data Privacy Act (“CDPA”), Utah Consumer Privacy Act (“UCPA”), European Union (“EU”) General Data Protection Regulation (“EU GDPR”) and United Kingdom (“UK”) General Data Protection Regulation (“UK GDPR”), as such laws may be amended from time to time (collectively, “Privacy Laws”). The subject details of the Processing are described in Appendix A. This DPA applies only to the extent that G2 Processes Personal Data in the course of providing the Services to Client.
- OBLIGATIONS OF CLIENT. Client is solely responsible for, and G2 shall have no obligation with respect to, (a) providing any notice and/or obtaining any consent from an identified or identifiable natural person to whom Personal Data relates (“Data Subject”) as required under Privacy Laws as needed in connection with G2’s Processing of Personal Data in connection with the Agreement; (b) making available to G2 the minimum amount of Personal Data necessary for G2 to carry out G2’s obligations under the Agreement and/or this DPA; (c) ensuring the accuracy and completeness of any Personal Data and making any updates, including requests for deletion of Personal Data, to reflect changes requested by Data Subjects; (d) any unauthorized Processing of Personal Data not under the control of G2 or a Subprocessor; (e) ensuring Personal Data does not and will not contain Special Categories of Personal Data, as defined in Article 9.1 of the EU GDPR and UK GDPR, or Sensitive Personal Information as defined by Privacy Laws; (f) any communications, notifications, assistance and/or authorizations that may be required in connection with a Third-Party Controller; and (g) reviewing the information made available by G2 relating to data security and making an independent determination as to whether the Services meet Client’s requirements and legal obligations under Privacy Laws. Client will not require or request that G2 undertake any Processing that will violate the Privacy Laws; however, if, in G2’s opinion, the instructions provided by Client violate Privacy Laws, G2 can refuse to undertake such Processing without any penalties. If there are additional specific legal requirements under Privacy Laws that are not addressed under this DPA, it is Client’s responsibility to notify G2 at email@example.com. G2 will not be responsible for initiating this process and may refuse, without incurring any penalties, to Process Personal Data if the requirements exceed what is outlined in this DPA.
- USE OF PERSONAL DATA. Client instructs G2 to Process Personal Data (a) to perform its obligations under the Agreement and for the specific purposes outlined in Appendix A; (b) for the duration specified in Appendix A; (c) as required by law and in compliance with Privacy Laws; or (d) for any other purposes permitted by Client in writing. G2 may aggregate, deidentify, or anonymize Personal Data so it no longer meets the definition of Personal Data (“Non-Personal Data”) and may Process such Non-Personal Data. G2 will not re-identify any such Non-Personal Data. Solely with respect to any Personal Data that is subject to CCPA: (i) G2 will not retain, use or disclose the Personal Data for any purpose other than for the limited and specific purposes of performing the Services, as agreed to in writing by G2 and Client or as otherwise permitted by CCPA; (ii) G2 will not “share” or “sell” Personal Data (as these terms are defined by CCPA); (iii) G2 will only retain, use, or disclose the Personal Data for “business purposes,” as defined by CCPA, as authorized by the Agreement or this DPA or as otherwise permitted by the CCPA; (iv) G2 will not retain, use, or disclose the Personal Data for any “commercial purposes” other than the “business purposes” (as these terms are defined by CCPA) specified in the Agreement, unless expressly permitted by CCPA; (v) G2 will not retain, use, or disclose the Personal Data outside the direct business relationship between G2 and Client, unless expressly permitted by the CCPA; (vi) G2 will comply with applicable provisions of CCPA and provide the same level of privacy protection for relevant Personal Data as required by CCPA; (vii) Client has the right to take reasonable and appropriate steps to help ensure that G2 uses Personal Data in a manner consistent with Client’s obligations under CCPA; (viii) G2 will notify Client if G2 makes a determination that it can no longer meet its obligations under CCPA; (ix) Client has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data by G2; and (x) Client will inform G2 of any Data Subject request made pursuant to CCPA with which G2 may need to comply, and Client will provide the information necessary for G2 to comply with the request. Solely with respect to any Personal Data that is subject to VCDPA, CPA, CDPA or UCPA (collectively, the “Other United States Privacy Laws”): (i) the type of Personal Data subject to Processing in connection with the Services, and the duration of such Processing, is outlined in Appendix A or will otherwise be agreed to in writing by G2 and Client; (ii) G2 will, subject to Section 9 of this DPA, delete or return all Personal Information at the completion of Services, unless retention of the Personal Information is required by law; (iii) G2 will take reasonable steps to ensure that each person Processing Personal Information in connection with the Services is subject to a duty of confidentiality with respect to the Personal Information; (iv) G2 will, subject to Section 6 of this DPA and solely to the extent explicitly required by Other United States Privacy Laws, make available to Client information necessary to demonstrate compliance with the obligations under Other United States Privacy Laws and cooperate with reasonable audits and inspections by Client solely in connection with its obligations under Other United States Privacy Laws; and (v) subject to Section 5 of this DPA, G2 will engage Subprocessors (as defined in this DPA) and will provide Client the opportunity to object to such Subprocessors.
- PRIVACY AND SECURITY. G2 will implement and maintain, at its own cost and expense, commercially reasonable technical, organizational and physical security measures designed to protect the privacy and security of Personal Data it Processes, as outlined in Appendix B, and the third-party certifications and audits that are available upon Client’s written request to firstname.lastname@example.org (the “Privacy and Security Safeguards”). G2 reserves the right to change and update the Privacy and Security Safeguards without prior notice to, or approval from, Client, however, it will not materially lessen these measures from the standards that are in place as of the date that Client entered into this DPA.
- SUBPROCESSORS. Client authorizes G2, on Client’s behalf, to engage third parties or subcontractors to Process Personal Data (“Subprocessors”). G2 will require Subprocessors to agree in writing to comply with materially similar data protection obligations as those contained in this DPA. Except as set forth in the Agreement or this DPA, G2 will be liable for the acts and omissions of its Subprocessors only to the same extent G2 would be liable if it was performing the services of each Subprocessor directly, and such liability will not exceed the amount actually recovered by G2 from that Subprocessor. For purposes of the International Data Transfer Agreement, Client provides G2 with a general authorization to engage Subprocessors.
G2 will maintain a list of its Subprocessors at https://legal.g2.com/subprocessors. G2 will make available to Client a mechanism to affirmatively subscribe to notifications of new Subprocessors (the “Subprocessor Notification”). Client is solely responsible for subscribing to the Subprocessor Notification. If Client objects to G2’s use of a new Subprocessor, Client is required to notify G2 in writing at privacy@G2.com within 10 business days after G2 sends a Subprocessor Notification. In the event Client objects to a new Subprocessor through this process and within the specified timeframe, G2 will use reasonable efforts to avoid Processing Client’s Personal Data by the objected-to new Subprocessor. If G2 is unable to make such a change within a reasonable period of time, which shall not exceed thirty (30) business days, Client may terminate the Agreement and DPA in accordance with the termination provisions of the Agreement.
- COOPERATION AND AUDITS. G2 will provide reasonable assistance, information and cooperation to Client to help Client comply with obligations required under Privacy Laws with respect to (a) compliance with this DPA; (b) privacy impact assessments and/or (c) subject to the terms in this Section 6, audits of G2 as required under Privacy Laws or G2’s compliance with this DPA (collectively, “G2 Audit Obligations”); Client will not audit G2 more than once in any 12-month rolling period, unless otherwise required under Privacy Laws.
With respect to G2 Audit Obligations, subject to the confidentiality obligations set forth in the Agreement and upon Client’s written request, G2 will provide to Client or, if required by Privacy Laws, Client’s competent regulatory authority, (a) a summary copy of G2’s then most recent third-party audits or certifications, (b) any similar reports that have been provided by the Subprocessor to G2, or (c) other information, solely to the extent G2 or a Subprocessor is required to provide this information under Privacy Laws.
In the event that Client is required under Privacy Laws to undertake an on-site audit of G2 (“On-Site Audits”), Client and G2 will mutually agree upon the scope, timing and duration of the audit at least 30 days in advance of any such audit. Client acknowledges that (a) On-Site Audits will be limited to G2 facilities only, (b) Client is responsible for all costs of the On-Site Audit, (c) Client’s participants in the On-Site Audit must comply with all reasonable confidentiality and other requirements imposed by G2, solely to be determined by G2 at the time of Client’s request, (d) G2 operates a shared cloud environment and will reasonably adapt the scope of any On-Site Audit to avoid or mitigate risks with respect to its legal and contractual obligations to other G2 customers and users, (e) all On-Site Audits must take place during G2’s normal business hours, and (f) unless otherwise required by Privacy Laws, Client must submit Client’s request for an On-Site Audit to G2 at privacy@G2.com with at least 30 calendar days written notice. Nothing in this Section will require G2 to violate Privacy Laws or other legal or contractual obligations it has to its customers or its users. Client must notify G2 within ten business days following the completion of the On-Site Audit of any compliance issues discovered during the course of an On-Site Audit.
The parties agree that the audits described in Clause 8.9 of the EU Standard Contractual Clauses (“EU SCCs”) and the UK Standard Contractual Clauses (“UK SCCs”, and collectively with the EU SCCs, “SCCs”) will be carried out in accordance with this Section 6 of this DPA.
- CROSS BORDER DATA TRANSFERS. G2 Processes Personal Data in the United States. For any transfers of Personal Data from the UK to a country which is not an Approved Jurisdiction, such transfers and Processing of Personal Data protected by UK GDPR shall be governed by a valid mechanism for the lawful transfer of Personal Data recognized under Privacy Laws, including the UK International Data Transfer Agreement (“UK Agreement”) as incorporated by Appendix C. “Approved Jurisdiction” means a jurisdiction that has either been approved as having adequate legal protections for data by the UK Information Commissioner’s Office, or where data transfers contemplated by this DPA are not otherwise restricted under Privacy Laws. Each party’s signature to the Service Order shall be considered a signature to the UK Agreement. With respect to any transfer of Personal Data from the EU to the United States, G2 acknowledges that it participates in the EU-U.S. Data Privacy Framework Program (the “DPF”) to effectuate transfers of Personal Data protected by EU GDPR (“EU Personal Data”).
In connection with its participation in the DPF, G2 agrees as follows with respect to EU Personal Data: (a) G2 acknowledges it is Processing EU Personal Data for the limited and specific purposes contemplated by this DPA; (b) G2 will provide the level of protection to EU Personal Data as required by the DPF; (c) subject to Section 6 of this DPA, Client may take reasonable and appropriate steps to ensure that G2 Processes EU Personal Data in a manner consistent with the DPF; (d) G2 will notify Client if G2 makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the DPF; (e) upon notice, and subject to Section 6 of this DPA, including following G2’s notification under (d), G2 will take reasonable and appropriate steps to stop and remediate unauthorized Processing; and (f) G2 will provide a summary or a representative copy of the relevant privacy provisions of this DPA and the Agreement to the United States Department of Commerce (the “Department”) upon the Department’s or Client’s request.
- PERSONAL DATA BREACH. In the event of any negligent act or omission by G2 that materially compromises or results in any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client’s Personal Data, or other event impacting Client’s Personal Data that triggers an obligation for G2 to notify Client under Privacy Laws related to security breach notification (collectively, a “Personal Data Breach”), G2 will notify Client without undue delay after G2’s confirmation of such Personal Data Breach at the Security email set forth in the Service Order. G2 will provide the following information to Client, as this information becomes available to G2: (a) a brief description of the Personal Data Breach, including the date of the Personal Data Breach; (b) a description of the Personal Data that has been, or is reasonably believed by G2 to have been, impacted by the Personal Data Breach; (c) a description of what G2 is doing to investigate the Personal Data Breach, to mitigate potential harm caused by the Personal Data Breach and to protect against another similar Personal Data Breach; (d) contact information that Client can use to get more information from G2 about the Personal Data Breach; and (e) any other information that G2 is required to provide to Client about the Personal Data Breach under Privacy Laws. G2 will cooperate with Client in Client’s reasonable investigation of the Personal Data Breach, including as required by Privacy Laws. If notification to any third party is required under Privacy Laws, G2 will reimburse Client for reasonable costs directly incurred by Client for the provision of this legally required notification and any legally required credit monitoring (the “Notification Costs”). The Notification Costs shall not include any legal fees or related costs incurred by Client.
- INFORMATION MANAGEMENT. Upon the termination of the Agreement and at Client’s written request, G2 shall either delete or return any Personal Data to Client once Processing by G2 is no longer required for G2’s performance of its obligations under the Agreement or this DPA. Upon completion of the Services under this Agreement, G2 will return or delete all existing copies of Personal Data, unless retention of Personal Data is required by applicable law or is otherwise infeasible, in which case G2 will continue to retain the Personal Data subject to the requirements of this DPA and may only Process such Personal Data for the purposes that make return or deletion infeasible.
- INDEMNIFICATION. Subject to Section 11 of the Agreement, Client agrees that Client will reimburse, indemnify and hold G2 harmless for all costs incurred in responding to or mitigating any losses suffered by G2, including, but not limited to, any losses relating to a third-party claim brought against G2 regarding the Processing of Personal Data where such Processing is consistent with Client’s Processing instructions, the Agreement and/or this DPA.
- LIMITATION OF LIABILITY. Except as otherwise explicitly stated in this DPA, G2’s sole liability and Client’s sole remedy for G2’s breach of this DPA will not exceed the fees paid by Client to G2 under the Service Order giving rise to the claim in the 12 months preceding the claim. In no circumstances will G2 be liable for any special, indirect, incidental, consequential, or punitive damages, including lost profits incurred by Client.
- INTERPRETATION AND UPDATES. G2 will update this DPA periodically, without notice to Client, in material compliance with Privacy Laws and without materially lessening the protections set forth herein. The following order of precedence applies in the event of a conflict with respect to the Processing of Personal Data: (a) the International Data Transfer Agreement, (b) this DPA, (c) the Agreement, and (d) the Privacy Laws.
- TERM. This DPA begins on the Effective Date (as defined in the Agreement) and is in effect until the Agreement terminates or expires, or until such time as G2 no longer Processes Personal Data on behalf of Client.
APPENDIX A: DESCRIPTION OF TRANSFER/PROCESSING
Data Exporter & Controller: Client
Client information is as set forth in the Service Order.
Data Importer & Processor: G2.com, Inc.
100 South Wacker Drive, Suite 600, Chicago, IL 60606
“Controller” means the natural or legal person that determines the purposes and means of the Processing of Personal Data and/or “controller,” “business” or similar term as defined by applicable Privacy Laws.
“Processor” means the natural or legal person that Processes Personal Data on behalf of the Controller and/or “processor,” “service provider” or similar term as defined by applicable Privacy Laws.
Categories of Data Subjects Whose Personal Data is Transferred & Categories of Personal Data Transferred:
If purchasing G2 Marketplace:
Review Campaign (if applicable)
- Data Subject: Client’s customers
- Personal Data: First name and email
If purchasing G2 Track:
- Data Subject: Client’s employees and contractors
- Personal Data: First and last names, job title, email, phone number, employer, and address
Sensitive Data Transferred: Client will not transfer sensitive data to G2.
Frequency of the Transfer:
Nature of the Processing: To provide the Services.
Purpose of Processing, Data Transfer and Further Processing: To provide the Services.
Duration of Processing: As set forth in Section 13.
As set forth in Section 5.
APPENDIX B: TECHNICAL AND ORGANIZATIONAL MEASURES
G2 has implemented the following technical and organizational measures for the protection of the security, confidentiality and integrity of Personal Data uploaded to the Offerings:
Access Control: Preventing Unauthorized Product Access
- Outsourced processing: G2 hosts its Offering with outsourced cloud infrastructure providers. Additionally, G2 maintains contractual relationships with vendors in order to provide the Offerings in accordance with our Data Processing Agreement. G2 relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
- Physical and environmental security: G2 hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type I and ISO 27001, 27017, 17018 compliance, among other certifications.
- Authentication: G2 implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
- Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of G2’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
- Application Programming Interface (API) access: Public product APIs may be accessed using an API.
Access Control: Preventing Unauthorized Product Use
- G2 implements industry standard access controls and detection capabilities for the internal networks that support its products.
- Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
- Intrusion detection and prevention: G2 implemented a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
- Static code analysis: Security reviews of code stored in G2’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
- Penetration testing: G2 maintains relationships with industry recognized penetration testing service providers for an annual penetration test. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
Access Control: Limitations of Privilege & Authorization Requirements
- Product access: A subset of G2’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. All such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated regularly. Employee roles are reviewed at least once every six months.
- Background checks: All G2 employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
- In-transit: G2 requires HTTPS encryption (also referred to as SSL or TLS) on every one of its login interfaces. G2’s HTTPS implementation uses industry standard algorithms and certificates.
- At-rest: G2 stores user passwords following policies that follow industry standard practices for security. G2 has implemented technologies to ensure that stored data is encrypted at rest.
- Detection: G2 designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. G2 personnel, including security, operations, and support personnel, are responsive to known incidents.
- Response and tracking: G2 maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, G2 will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
- Communication: If G2 becomes aware of unlawful access to non-G2 Data stored within its Offerings, G2 will: 1) notify the affected customers of the incident; 2) provide a description of the steps G2 is taking to resolve the incident; and 3) provide status updates to the customer contact, as G2 deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form G2 selects, which may include via email or telephone.
- Infrastructure availability: The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
- Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores.
- Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
- G2’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists G2 operations in maintaining and updating the product applications and backend while limiting downtime.
APPENDIX C: STANDARD CONTRACTUAL CLAUSES
Table 1: EU Standard Contractual Clauses
For data transfers from the EU that are subject to the EU SCCs, the EU SCCs will be deemed entered into (and incorporated into this DPA by reference) and completed as follows:
EU SCC Term
- Module: Module 2 (Controller to Processor).
- Clause 7 (Docking Clause): Option is not included.
- Clause 9 (Use of Sub-Processors): Option 2 shall apply. As set forth in Appendix 1.
- Clause 11 (Redress): Option is not included.
- Clause 13 (Supervision): Options are included, as applicable.
- Clause 17 (Governing Law)
- Clause 18 (Choice of Forum and Jurisdiction)
- Annex I.A (List of Parties): As set forth in Appendix A.
- Annex I.B (Description of the Transfer): As set forth in Appendix A.
- Annex I.C (Competent Supervisory Authority): As set forth in Appendix A.
- Annex II (Technical and Organisational Measures): As set forth in Appendix B.
Table 2: UK Standard Contractual Clauses
For data transfers from the UK that are subject to the UK GDPR, the UK Addendum will be deemed entered into (and incorporated into this DPA by reference) and completed as follows:
UK Addendum Term
PART 1: TABLES
- Table 1: Start Date: As set forth in Section 13.
- Table 1: Parties: As set forth in Appendix A.
- Table 2: Addendum EU SCC: As set forth in Table 1 of this Appendix C.
- Table 3: Appendix Information: As set forth in Table 1 of this Appendix C.
- Table 4: Ending this Addendum
PART 2: MANDATORY CLAUSES
The Mandatory Clauses are incorporated into this Appendix C. The ‘Alternative Part 2 Mandatory Clauses’ are not selected.