This Data Transfer Addendum (“DTA”) is between G2.com, Inc. (“G2”) and the Customer identified in the Service Order (“Customer”) and is incorporated into the Master Service Agreement (“Agreement”), or a similar agreement regarding the Services, between the parties. Capitalized terms not defined herein have the meanings assigned in the Agreement.
This DTA applies only when Personal Data is transferred by G2 (Controller) to Customer (Controller) to provide the Service in the following limited instances:
| G2 Service | Data Subject | Personal Data Transferred from Customer to G2 |
|---|---|---|
| Reviews | Website users of G2.com | First Name + Last Initial |
| Leads | Website users of G2.com | First and Last Names, Email, Phone + Employer |
This DTA sets forth how Customer will Process Personal Data (or a similar term as defined by applicable Privacy Laws) provided to Customer by G2 under the Agreement (the “Services”). The parties agree to comply with applicable data protection laws (“Privacy Laws”). Details of the transfer of Personal Data are in Appendix A. “Process” (and its cognates) is defined according to applicable Privacy Laws.
2. Obligations of Customer. The Customer is solely responsible for complying with Privacy Laws and any unauthorized processing of Personal Data, with no obligation on G2's part. If additional legal requirements exist under Privacy Laws not covered by this DTA, Customer must inform G2 at legal@g2.com. G2 is not responsible for initiating this process and may refuse to provide Personal Data, without incurring any penalties, if the requirements go beyond this DTA.
3. Use of Personal Data. Customer will solely Process Personal Data for the purposes strictly related to the Services or as otherwise agreed to by G2 in writing. Customer may not aggregate, deidentify, or anonymize Personal Data. For avoidance of doubt, Customer shall not Process Personal Data in any manner that may constitute a “sale” of Personal Data under Privacy Laws.
4. Privacy and Security. Customer will implement and maintain, at its own cost and expense, commercially reasonable technical, organizational and physical security measures designed to protect the privacy and security of Personal Data it Processes, including from accidental, unauthorized or unlawful use, destruction, loss, disclosure, acquisition, alteration or access (“Privacy and Security Safeguards”). The Privacy and Security Safeguards shall, at a minimum, comply with Privacy Laws. With respect to Personal Data that is subject to CCPA: (i) G2 has made Personal Data available to Customer only for the limited and specified purposes set forth within the Agreement and this DTA and Customer acknowledges and agrees that it is only authorized to use Personal Data for these limited and specific purposes; (ii) Customer shall comply with all applicable sections of the CCPA, including by providing the same level of privacy protection as required of G2 under CCPA; (iii) G2 has the right to take reasonable and appropriate steps to ensure that Customer uses Personal Data in a manner consistent with G2’s obligations under the CCPA; (iv) G2 has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data made available to Customer, including by requiring Customer to provide documentation that verifies that Customer no longer retains or uses the Personal Data of Data Subjects who have submitted requests to opt-out of “sharing” or “selling” (as these terms are defined by CCPA) of Personal Data; and (v) Customer shall notify G2 after Customer makes a determination that it can no longer meet its obligations under CCPA.
5. Audits. Customer agrees that G2 may take reasonable steps to audit Customer’s compliance with this DTA, including audits related to Customer’s use of Personal Data. G2 will not audit Customer more than once in any 12-month rolling period, unless as otherwise required under Privacy Laws or if G2 becomes aware of a Personal Data Breach or violation of this DTA.
6. Cross Border Data Transfers. G2 Processes Personal Data in the United States. For any transfers of Personal Data from the UK to a country which is not an Approved Jurisdiction, such transfers and Processing of Personal Data protected by UK GDPR shall be governed by a valid mechanism for the lawful transfer of Personal Data recognized under Privacy Laws, including the UK International Data Transfer Agreement (“UK Agreement”) as incorporated by Appendix B. “Approved Jurisdiction” means a jurisdiction that has either been approved as having adequate legal protections for data by the UK Information Commissioner’s Office, or where data transfers contemplated by this DTA are not otherwise restricted under the Privacy Laws. Each party’s signature to the Service Order shall be considered a signature to the International Data Transfer Agreement. With respect to any transfer of Personal Data from the EU to the United States, G2 acknowledges that it participates in the EU-US Data Privacy Framework Program (the “DPF”) to effectuate transfers of Personal Data that is protected by EU GDPR (“EU Personal Data”). G2 and Customer agree that each will comply with the DPF’s principles regarding notice and choice. Customer further understands and agrees that (a) it may only Process EU Personal Data for the limited and specified purposes consistent with the consent provided by a Data Subject; (b) it will provide the level of protection to EU Personal Data as required by the DPF and it will notify G2 if Customer makes a determination that it can no longer meet this obligation; and (c) if Customer makes the determination contemplated by (b) it will cease EU Personal Data Processing activities or take other reasonable and appropriate remediation steps.
7. Personal Data Breach. In the event of any accidental, unauthorized or unlawful use, destruction, loss, disclosure, acquisition, alteration or access of Personal Data (“Personal Data Breach”), Customer will notify G2 at security@g2.com within 24 hours of Customer’s discovery of the Personal Data Breach. Customer will provide the following information to G2, as this information becomes available to Customer: (a) a brief description of the Personal Data Breach, including the date of the Personal Data Breach; (b) a description of the Personal Data that has been, or is reasonably believed by Customer to have been, impacted by the Personal Data Breach; (c) a description of what Customer is doing to investigate the Personal Data Breach, to mitigate potential harm caused by the Personal Data Breach and to protect against another similar Personal Data Breach; (d) contact information that G2 can use to get more information from Customer about the Personal Data Breach; and (e) any other information that Customer is required to provide to G2 about the Personal Data Breach under Privacy Laws. Customer will cooperate with G2 in G2’s reasonable investigation of the Personal Data Breach, including as required by Privacy Laws, and will reimburse G2 for all reasonable costs incurred by G2 in its investigation and response to the breach, including any notification costs.
8. Data Subject Rights. G2 and Customer will reasonably assist each other in fulfilling their respective obligations to respond to requests from Data Subjects exercising their rights under Privacy Laws (collectively, “Data Subject Request”). Customer will submit Data Subject Requests to privacy@g2.com.
9. Information Management. Customer will, upon the termination of the Services, either securely delete or securely return any Personal Data to G2, unless retention of Personal Data is required by applicable law or is otherwise infeasible, in which case Customer will continue to retain the Personal Data subject to the requirements of this DTA and may only Process such Personal Data for the purposes that make return or deletion infeasible.
10. Indemnification. Subject to Section 12 of the Agreement, Customer agrees that Customer will reimburse, indemnify and hold G2 harmless for all costs incurred in responding to or mitigating any losses suffered by G2, including, but not limited to, any losses relating to a third-party claim brought against G2 regarding the Processing of Personal Data that is Processed by Customer in a manner that is inconsistent with the Agreement and/or this DTA.
11. Limitation of Liability. Except as otherwise explicitly stated in this DTA, G2’s sole liability and Customer’s sole remedy for G2’s breach of this DTA will not exceed the fees paid by Customer to G2 under the Service Order giving rise to the claim in the 12 months preceding the claim. In no circumstances will G2 be liable for any special, indirect, incidental, consequential, or punitive damages, including lost profits incurred by Customer.
12. Interpretation and Updates. G2 will update this DTA periodically, without notice to Customer, in material compliance with Privacy Laws and without materially lessening the protections set forth herein. The following order of precedence applies in the event of a conflict with respect to the Processing of Personal Data: (a) the International Data Transfer Agreement, (b) this DTA, (c) the Agreement, and (d) the Privacy Laws.
13. Term. This DPA begins on the Effective Date and remains in force until the Agreement terminates, or until G2 stops Processing Personal Data that is subject to this DTA.
APPENDIX A
Description of Processing
| Parties | Data Exporter & Controller: G2.com, Inc., 100 South Wacker Drive, Suite 600, Chicago IL, 60606 |
| | Data Importer & Controller: Customer. Customer information is set forth on the Service Order. |
| | “Controller” means the natural or legal person that determines the purposes and means of the Processing of Personal Data and/or “controller,” “business” or similar term as defined by Privacy Laws. |
| Categories of Data Subjects Whose Personal Data is Transferred & Categories of Personal Data Transferred | Leads: |
| | Reviews: |
| Sensitive Data Transferred | No sensitive data is anticipated to be transferred. |
| Frequency of the Transfer | Continuous. |
| Nature of the Processing | To provide the Services. |
| Purpose of the Data Transfer and Further Processing | To provide the Services. |
| Duration of Processing | As set forth in Section 14. |
APPENDIX B
EU & UK GDPR
Section 1 - EU: For data transfers from the EU, the EU SCCs are incorporated into this DPA as follows:
| EU SCC Term | Amendment/Selected Option |
|---|---|
| Module | Module 1 (Controller to Controller). |
| Clause 7 (Docking Clause) | Option is not included. |
| Clause 11 (Redress) | Option is not included. |
| Clause 13 (Supervision) | Irish Data Protection Commission. |
| Clause 17 (Governing Law) | Ireland. |
| Clause 18 (Choice of Forum and Jurisdiction) | Ireland. |
| Annex I.A (List of Parties) | As set forth in Appendix A. |
| Annex I.B (Description of the Transfer) | As set forth in Appendix A. |
| Annex I.C (Competent Supervisory Authority) | Irish Data Protection Commission. |
| Annex II (Technical and Organisational Measures) | The parties shall maintain appropriate technical and organizational measures. |
Section 2 - UK: For data transfers from the UK, the UK Addendum is incorporated into this DPA as follows:
| UK Addendum Term | Amendment/Selected Option |
|---|---|
| Table 1: Start Date | As set forth in Section 13. |
| Table 1: Parties | As set forth in Appendix A. |
| Table 2: Addendum EU SCC | Module 1 (Controller-Controller) of the EU SCCs apply. |
| Table 3: Appendix Information | As set forth in Section 1 of this Appendix B. |
| Table 4: Ending this Addendum | Exporter. |
| Mandatory Clauses | The Mandatory Clauses are incorporated into this Appendix C. The ‘Alternative Part 2 Mandatory Clauses’ are not selected. |