Data Processing Addendum - ThirdPartyTrust

TPT Data Sharing Agreement

Last Updated: November 15, 2022

This data sharing agreement (the “Data Sharing Agreement”) is by and between ThirdPartyTrust, LLC (“TPT”) and you as a customer receiving the TPT Services (the “Customer”) and is effective as of the effective date (the “Effective Date”) of that certain TPT Master Subscription Agreement by and between the Parties (the “Subscription Agreement”). This Data Sharing Agreement forms part of, and is incorporated into, the Subscription Agreement.

A. Definitions.

Capitalized terms not defined herein have the meaning given to them in the Subscription Agreement. The following definitions apply to this Data Sharing Agreement:

“Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under this Data Sharing Agreement, in each case as amended from time to time, including without limitation the European Data Protection Laws, the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, “CCPA”), and Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados.
“TPT Privacy Policy” means the privacy policy of TPT available at https://www.thirdpartytrust.com/privacy/, or such other updated link provided by TPT to Customer from time to time.
“TPT Services” means the services and/or products to be provided by TPT to Customer under the Subscription Agreement, including any required, usual, appropriate or acceptable methods to perform activities related to the TPT Services, including (a) carrying out the TPT Services or the business of which the TPT Services are a part, (b) carrying out any benefits, rights and obligations related to the TPT Services, (c) maintaining records relating to the TPT Services, and (d) complying with any legal or self-regulatory obligations related to the TPT Services.
“Business” and “Service Provider” each has the meaning given to it in the CCPA.
“Controller”, “Personal Data Breach”, “Processing” and “Processor” each has the meaning given to it in Applicable Data Protection Laws.
“Data Subject” means a User.
“European Data Protection Laws” means the EU’s General Data Protection Regulation 2016/679 (the “EU GDPR”), the EU GDPR in such form as incorporated into the law of England and Wales, Scotland and Northern Ireland and the UK Data Protection Act 2018 (the “UK GDPR”), and the Swiss Federal Act on Data Protection, and any other applicable law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument implementing any of the foregoing (in each case as amended, consolidated, re-enacted or replaced from time to time).
“Personal Data” means Personal Data as defined by the Applicable Data Protection Laws, only to the extent such information relates to Users.
“Standard Contractual Clauses” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time. The Standard Contractual Clauses are hereby incorporated herein to the extent applicable.

B. Parties’ Obligations

To the extent that the information disclosed by Customer to TPT in connection with the performance of the TPT Services contains Personal Data, the following provisions shall apply:
- a. Customer warrants that it has complied and continues to comply with the Applicable Data Protection Laws, in particular that is has obtained any necessary consents and/or provided any necessary notices, and otherwise has a legitimate ground to disclose the Personal Data to TPT to enable TPT to use and Process the Personal Data as contemplated by this Data Sharing Agreement and TPT Privacy Policy.
- b. Customer shall protect, defend, indemnify and hold harmless TPT and its directors, officers, employees, and representatives from and against any third-party claim (including claims by Data Subjects), demand, proceeding, action, liability, suit, expense, fine, penalty, damage, loss and cost (including without limitation legal and other professional advisers fees) (each a “Claim”) including a Claim brought by a supervisory authority or other regulator, relating to, arising out of or resulting from Customer’s failure to comply with Applicable Data Protection Laws in the collection, Processing and disclosure to TPT of Personal Data or TPT’s use of the Personal Data as envisaged by this Data Sharing Agreement.
- c. By using the TPT Services and providing TPT with Personal Data, Customer acknowledges that Customer’s information may be used as described in the Subscription Agreement and the TPT Privacy Policy and Customer agrees to TPT Processing Personal Data in the United States.
- d. TPT shall promptly notify Customer on becoming aware of any unauthorized processing, including a breach of its obligations as a Service Provider or Processor or any known breach of its sub-contractors’ obligations as data processors, including under this Data Sharing Agreement, and/or any actual data security incident involving the actual unlawful access, loss, destruction, restriction, anonymization and/or deletion of Personal Data in TPT’s possession or control;
- e. promptly notify Customer (no later than as required by Applicable Data Protection Laws) if TPT determines if can no longer meet its obligations under the Applicable Data Protection Laws; and
- f. TPT shall provide reasonable assistance upon the request of Customer to enable Customer to comply with its obligations of providing access to Personal Data and the deletion and correction of Personal Data in response to requests made under the Applicable Data Protection Laws and, if required by Customer, to return or delete all copies of the Personal Data. To the extent TPT is Processing Personal Data on behalf of Customer, TPT shall promptly notify Customer of any such request received pursuant to the Applicable Data Protection Laws.

C. CCPA

In some instances, pursuant to the Subscription Agreement, TPT will act as a Business under the CCPA, and in others, TPT will act as a Service Provider under the CCPA. Where TPT acts as a Service Provider, TPT shall not (a) retain, use, or disclose Personal Data (i) for any purpose other than for the specific purpose of providing the services specified in the Agreement, including for a commercial purpose other than providing the services specified in the Agreement; (ii) outside of the direct business relationship between TPT and Customer; or (iii) combine the Personal Data received from Customer with Personal Data that TPT receives from, or on behalf of, another person or company, except as permitted under Applicable Data Protection Laws (iv) or as otherwise prohibited by the CCPA; or (b) sell Personal Data. The Personal Data that Customer disclosed to TPT is provided to TPT for a Business Purpose, TPT shall not Sell or Share the Personal Data, as those terms are defined in the CCPA and the transfer of the Personal Data to TPT shall not be considered a “sale” as defined in the CCPA.

D. Cross-Border Transfers of Personal Data.

With respect to the transfer of Personal Data from Customer to TPT under the European Data Protection Laws where such transfer occurs from a European Union country to any third country within the meaning of European Data Protection Laws, the Parties agree to comply with the general clauses of this Data Sharing Agreement and with:
- a. when Customer and TPT are both acting as a controller, “Module One” (Transfer Controller to Controller) of the Standard Contractual Clauses, which are incorporated herein by reference;
- b. when Customer is acting as a controller and TPT as a processor, “Module Two” (Transfer Controller to Processor) of the Standard Contractual Clauses, which are incorporated herein by reference;
- c. when Customer and TPT are both acting as a processor, “Module Three” (Transfer Processor to Processor) of the Standard Contractual Clauses, which are incorporated herein by reference; or
- d. when TPT is acting as a controller and Customer as a processor, “Module Four” (Transfer Processor to Controller) of the Standard Contractual Clauses, which are incorporated herein by reference.
  
  In furtherance of the foregoing, the Parties agree that, for purposes of the Standard Contractual Clauses:
- e. Customer shall act and comply with the obligations as the “data exporter”, and TPT shall act and comply with the obligations as the “data importer”;
- f. Clause 7 of the Standard Contractual Clauses shall apply;
- g. for the purposes of Modules Two (Transfer Controller to Processor), Three (Transfer Processor to Processor) and Four (Transfer Processor to Controller) of the Standard Contractual Clauses, Option 2 in Clause 9(a) shall apply and the relevant time period shall be 72 hours;
- h. the optional wording in Clause 11(a) of the Standard Contractual Clauses shall not apply;
  - a. or the purposes of Clause 17 of the Standard Contractual Clauses, the Standard Contractual Clauses shall be governed by the laws of Portugal;
  - b. for the purposes of Clause 18(b) of the Standard Contractual Clauses, the Parties agree to submit to the jurisdiction of the courts of Portugal; and
  - c. Annex I to the Standard Contractual Clauses shall be completed as follows:
For the purposes of Section A (List of Parties) of Annex I, (i) the data exporter’s and the data importer’s identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the European Union are those set forth in the Subscription Agreement, in an Order or as otherwise communicated by each Party to the other Party; (ii) where Module One applies, Customer is a Controller, and TPT is a Controller; where Module Two applies, Customer is a Controller, and TPT is a Processor; where Module Three applies, Customer is a Processor, and TPT is a Processor; and where Module Four applies, Customer is a Processor and TPT is a Controller; (iii) the activities relevant to the data transferred under the Standard Contractual Clauses relate to the provision of the TPT Services pursuant to the Subscription Agreement; and (iv) Customer’s entering into this Data Sharing Agreement shall be treated as Customer’s signature of Annex I, Section A;
For the purposes of Section B (Description of Transfer) of Annex I, (i) categories of data subjects are Data Exporter’s employees and contractors and any other individuals that it provides with access to the products and services under the Subscription Agreement; (ii) categories of personal data transferred are Personal Data submitted, stored, sent by, or received from, Customer or Users, including names, user IDs, email addresses, IP addresses and other electronic or technical data submitted, stored or sent by Users; (iii) no sensitive data is transferred; (iv) the frequency of the transfer is continuous (for as long as Customer or Users use the TPT Services); (v) the nature of the Processing include but is not limited to collection, storage, retrieval, use, disclosure, erasure, destruction and access to Personal Data. Processing will also include any Processing needed to provide the TPT Services and as described in the TPT Privacy Policy; (vi) the purpose(s) of the transfer and further processing is conducting the operations necessary for the provision of the TPT Services pursuant to the Subscription Agreement, including but not limited to communications regarding the TPT Services, setting up accounts and providing support and customer success activities, deriving statistical and performance information related to the operation of and provision of access to the TPT Services, and using such information to improve the TPT Services; (vii) Personal Data will be retained in accordance with TPT’s data retention policies. TPT may delete Personal Data by anonymizing it so it can no longer be associated with a Data Subject; (viii) in relation to the subject matter, nature and duration of transfers to (sub-)processors, the Parties acknowledge that the TPT Services are hosted by Amazon Web Services and that TPT uses third-party SaaS providers to support the provision of products and services as well as TPT’s subsidiaries. A list of sub-processors and the nature of the Processing activities can be found at: https://www.thirdpartytrust.com/subprocessors (“Subprocessor Page”). TPT shall inform Customer of any intended changes to its sub-processors at least fourteen (14) days in advance by updating the list of sub-processors on such site (which shall be deemed to be equivalent of written notice), thereby giving the Customer sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). In the event that Customer reasonably objects to the use of a new sub-processor during the aforementioned time period and Customer and TPT cannot reach an agreement as to the use of the same, Customer’s sole remedy shall be termination of the portion of the TPT Services for which the sub-processor is engaged without refund.
For the purposes of Section C (Competent Supervisory Authority) of Annex I, the competent supervisory authority identified in accordance with Clause 13 is the competent supervisory authority communicated by Customer to TPT at TPT’s contact details listed in this annex.
The Parties agree that Section 8 of the TPT Master Subscription Agreement shall apply with respect to breaches of this Data Sharing Agreement or the subject matter hereof.
The Parties have agreed on the technical and organizational measures set forth at https://www.thirdpartytrust.com/security/for purposes of Annex II to the Standard Contractual Clauses. If TPT receives requests to provide a public authority with Personal Data, pursuant to Clause 15 of the Standard Contractual Clauses, it will comply with applicable law.
- a. If the parties are required to enter into personal data processing contractual provisions under European Data Protection Laws, the parties rely on the Standard Contractual Clauses for such matters as permitted by Article 28(7) EU GDPR.
With respect to the transfer of Personal Data from Customer to TPT under other Applicable Data Protection Laws:
- a. the Parties agree to comply with the requirements above to the extent standard contractual clauses are required to meet legal obligations regarding cross-border transfers under the relevant Applicable Data Protection Laws. In such case, (i) references in the Standard Contractual Clauses to the GDPR shall hereby be deemed to have the same meaning as the equivalent reference in the Applicable Data Protection Laws; (ii) references in the Standard Contractual Clauses to “Member State” or “Union” shall hereby be deemed to refer to the relevant jurisdiction where the Applicable Data Protection Laws are in force; and (iii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter is established shall hereby be deemed to refer to an obligation under the Applicable Data Protection Laws.
- b. If required under the UK GDPR, the parties hereby enter into and agree to be bound by the provisions of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the UK Information Commissioner and as available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK Addendum”). Part 1 of the UK Addendum will be deemed to be completed like its equivalent provisions in the Standard Contractual Clauses in Section 1 above. For the purposes of Table 2 of such Part 1 of the UK Addendum, the Module in operation shall be the module of the Standard Contractual Clauses that applies based on the nature of the relationship between the parties, as set out in clause D(1) above. For the purpose of Table 4 of such Part 1, the party that may end the UK Addendum in accordance with Section 19 of the UK Addendum is TPT. For the purposes of any transfers covered by the UK data protection laws, the Standard Contractual Clauses will be deemed to be amended as set out in Part 2 of the UK Addendum. Any references to EU legislation, EU authorities and the EU Member States in the UK Standard Contractual Clauses are amended to reflect corresponding UK legislation, UK competent authorities as appropriate. The optional clauses in the UK Addendum shall not apply. Where processing contractual provisions are required under the UK GDPR, the parties rely on the Standard Contractual Clauses as supplemented by the UK Addendum for such matters as permitted by Article 28(7) UK GDPR.

E. General

The terms and conditions included in this Data Sharing Agreement shall supersede and replace any and all prior data protection agreements or prior versions of the Standard Contractual Clauses or data privacy or data protection terms included in any other agreements between the Parties relating to the subject-matter covered by this Data Sharing Agreement.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.