Data Transfer Addendum

Personal Data transferred by G2 (Independent Controller) to Client (Independent Controller) is limited as follows:     

This Data Transfer Agreement (“DTA”) is entered into by G2.com, Inc. (“G2”) and the entity identified as Client on the Service Order (“Client”) and is incorporated into the Master Service Agreement (“Agreement”), or a similar agreement regarding the Services, entered into by both parties. Capitalized terms used but not defined herein have the meaning given to them in the Agreement. 

1. SCOPE. This DTA sets forth how Personal Data (or a similar term as defined by applicable Privacy Laws) provided to Client by G2 in connection with the services outlined in the Service Description that is incorporated into the Agreement (the “Services”) will be protected and Processed. “Process”, including its cognates, has the meaning attributed to it in the applicable data protection laws including but not limited to, California Consumer Protection Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”), Virginia Consumer Data Protection Act (“VCDPA”), Colorado Privacy Act (“CPA”), Connecticut Data Privacy Act (“CDPA”), Utah Consumer Privacy Act (“UCPA”), European Union (“EU”) General Data Protection Regulation (“EU GDPR”) and United Kingdom (“UK”) General Data Protection Regulation (“UK GDPR”), as such laws may be amended from time to time (collectively, “Privacy Laws”). The subject details of the Processing are described in Appendix A. This DTA applies only to the Personal Data that Client receives from G2 in connection with the Services.
2. COMPLIANCE WITH PRIVACY LAWS. In connection with this DTA, Client and G2 each agree to comply with their respective obligations under Privacy Laws, including as applicable, their obligations under Articles 13 and 14 of GDPR. If there are additional specific legal requirements under Privacy Laws that are not addressed under this DTA, it is Client’s responsibility to notify G2 at legal@g2.com. G2 will not be responsible for initiating this process and may refuse, without incurring any penalties, to provide Personal Data to Client if the requirements exceed what is outlined in this DTA.
3. OBLIGATIONS OF CLIENT. Client is solely responsible for, and G2 shall have no obligation with respect to Client’s own obligations regarding compliance with Privacy Laws and any Processing of Personal Data that is not authorized by this DTA. Client shall not provide any Personal Data to G2 pursuant to this DTA except to return Personal Data that was previously provided by G2 or to otherwise comply with its obligations under this DTA or the Agreement.
4. USE OF PERSONAL DATA. Client will solely Process Personal Data for the purposes strictly related to the Services or as otherwise agreed to by G2 in writing. Client may not aggregate, deidentify, or anonymize Personal Data. For avoidance of doubt, Client shall not Process Personal Data in any manner that may constitute a “sale” of Personal Data under Privacy Laws.
5. PRIVACY AND SECURITY. Client will implement and maintain, at its own cost and expense, commercially reasonable technical, organizational and physical security measures designed to protect the privacy and security of Personal Data it Processes, including from accidental, unauthorized or unlawful use, destruction, loss, disclosure, acquisition, alteration or access (the “Privacy and Security Safeguards”). The Privacy and Security Safeguards shall, at a minimum, comply with Privacy Laws. With respect to Personal Data that is subject to CCPA: (i) G2 is has made Personal Data available to Client only for the limited and specified purposes set forth within the Agreement and this DTA and Client acknowledges and agrees that it is only authorized to use Personal Data for these limited and specific purposes;  (ii) Client shall comply with all applicable sections of the CCPA, including by providing the same level of privacy protection as required of G2 under CCPA;  (iii) G2 has the right to take reasonable and appropriate steps to ensure that Client uses Personal Data in a manner consistent with G2’s obligations under the CCPA; (iv) G2 has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data made available to Client, including by requiring Client to provide documentation that verifies that Client no longer retains or uses the Personal Data of Data Subjects who have submitted requests to opt-out of “sharing” or “selling” (as these terms are defined by CCPA) of Personal Data; and (v) Client shall notify G2 after Client makes a determination that it can no longer meet its obligations under CCPA. 
6. AUDITS. Client agrees that G2 may take reasonable steps to audit Client’s compliance with this DTA, including audits related to Client’s use of Personal Data. G2 will not audit Client more than once in any 12-month rolling period, unless as otherwise required under Privacy Laws or if G2 becomes aware of a Personal Data Breach or violation of this DTA.
7. CROSS BORDER DATA TRANSFERS. G2 Processes Personal Data in the United States.  For any transfers of Personal Data from the UK to a country which is not an Approved Jurisdiction, such transfers and Processing of Personal Data protected by UK GDPR shall be governed by a valid mechanism for the lawful transfer of Personal Data recognized under Privacy Laws, including the UK International Data Transfer Agreement  (“UK Agreement) as incorporated by Appendix B “Approved Jurisdiction” means a jurisdiction that has either been approved as having adequate legal protections for data by the UK Information Commissioner’s Office, or where data transfers contemplated by this DTA are not otherwise restricted under the Privacy Laws.  Each party’s signature to the Service Order shall be considered a signature to the International Data Transfer Agreement. With respect to any transfer of Personal Data from the EU to the United States, G2 acknowledges that it participates in the EU-US Data Privacy Framework Program  (the “DPF”) to effectuate transfers of Personal Data that is protected by EU GDPR (“EU Personal Data”). G2 and Client agree that each will comply with the DPF’s principles regarding notice and choice. Client further understands and agrees that (a) it may only Process EU Personal Data for the limited and specified purposes consistent with the consent provided by a Data Subject; (b) it will provide the level of protection to EU Personal Data as required by the DPF and it will notify G2 if Client makes a determination that it can no longer meet this obligation; and (c) if Client makes the determination contemplated by (b) it will cease EU Personal Data Processing activities or take other reasonable and appropriate remediation steps.
8. PERSONAL DATA BREACH. In the event of any accidental, unauthorized or unlawful use, destruction, loss, disclosure, acquisition, alteration or access of Personal Data (a “Personal Data Breach”), Client will notify G2 at security@g2.com within 24 hours of Client’s discovery of the Personal Data Breach. Client will provide the following information to G2, as this information becomes available to Client: (a) a brief description of the Personal Data Breach, including the date of the Personal Data  Breach; (b) a description of the Personal Data that has been, or is reasonably believed by Client to have been, impacted by the Personal Data Breach; (c) a description of what Client is doing to investigate the Personal Data Breach, to mitigate potential harm caused by the Personal Data Breach and to protect against another similar Personal Data Breach; (d) contact information that G2 can use to get more information from Client about the Personal Data Breach; and (e) any other information that Client is required to provide to G2 about the Personal Data Breach under Privacy Laws. Client will cooperate with G2 in G2’s reasonable investigation of the Personal Data Breach, including as required by Privacy Laws, and will reimburse G2 for all reasonable costs incurred by G2 in its investigation and response to the breach, including any notification costs.
9. DATA SUBJECT RIGHTS. G2 and Client will reasonably assist each other in fulfilling their respective obligations to respond to requests from Data Subjects exercising their rights under Privacy Laws (collectively, “Data Subject Request”). Client will submit Data Subject Requests to privacy@g2.com.
10. INFORMATION MANAGEMENT. Client will, upon the termination of the Services, either securely delete or securely return any Personal Data to G2, unless retention of Personal Data is required by applicable law or is otherwise infeasible, in which case Client will continue to retain the Personal Data subject to the requirements of this DTA and may only Process such Personal Data for the purposes that make return or deletion infeasible.
11. INDEMNIFICATION. Subject to Section 11 of the Agreement, Client agrees that Client will reimburse, indemnify and hold G2 harmless for all costs incurred in responding to or mitigating any losses suffered by G2, including, but not limited to, any losses relating to a third-party claim brought against G2 regarding the Processing of Personal Data that is Processed by Client in a manner that is inconsistent with the Agreement and/or this DTA.
12. LIMITATION OF LIABILITY. Except as otherwise explicitly stated in this DTA, G2’s sole liability and Client’s sole remedy for G2’s breach of this DTA will not exceed the fees paid by Client to G2 under the Service Order giving rise to the claim in the 12 months preceding the claim. In no circumstances will G2 be liable for any special, indirect, incidental, consequential, or punitive damages, including lost profits incurred by Client.
13. INTERPRETATION AND UPDATES. G2 will update this DTA periodically, without notice to Client, in material compliance with Privacy Laws and without materially lessening the protections set forth herein. The following order of precedence applies in the event of a conflict with respect to the Processing of Personal Data: (a) the International Data Transfer Agreement,  (b) this DTA, (c) the Agreement, and (d) the Privacy Laws.
14. TERM. This DTA begins on the Effective Date (as defined in the Agreement) and is in effect until the Agreement terminates or expires, or until such time as Client no longer Processes Personal Data that is subject to this DTA.