Updated: 12/10/2024
This Data Processing Addendum (“DPA”) forms part of any agreement between Tribe Prospecting LLC d.b.a. TitanX, on behalf of itself and its Affiliates (collectively, “TitanX”), and Customer (identified below) for the purchase by Customer of online data scoring, data-as-a-service, and data analytics-as-a-service to assist Customer in identifying contact data and contact’s propensity to be reached via the phone from TitanX or its Affiliate (identified collectively either as the “Service” or otherwise in the applicable agreement, and hereinafter defined as the “Service”), and each such agreement with Customer is hereinafter defined as the “Agreement.”
Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent TitanX processes Personal Data for which such Authorized Affiliates qualify as the Controller. In providing the Service to Customer pursuant to the Agreement, TitanX may Process Personal Data on behalf of Customer, and TitanX and Customer (the "parties") agree to comply with the following provisions with respect to any such Personal Data. This DPA is effective as of the last date signed by both TitanX and Customer. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
This DPA consists of distinct parts: this body and its set of definitions and provisions, the Standard Contractual Clauses, and related Appendices.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party to the Agreement. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Authorized Affiliate” means any of Customer's Affiliate(s) permitted to use the Service pursuant to the Agreement between Customer and TitanX.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer Data” means all electronic data submitted by or on behalf of Customer, or an Authorized Affiliate, to the Service.
“Data Protection Laws and Regulations” means all laws and regulations of the European Union, the European Economic Area and their member states, Canada, Switzerland and the United Kingdom (“UK”), applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the identified or identifiable person subject to the Data Protection Laws and Regulations to whom Personal Data relates.
"European Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) in respect of the United Kingdom the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); and (iii) the Swiss Federal Data Protection Act ("Swiss GDPR"); and collectively the above are referred to hereunder as the “GDPR.”
“Personal Data” shall have the meaning assigned to the term “personal data” under applicable Data Protection Laws and Regulations, provided such personal data is Customer Data.
“Processing” (including its root word, “Process”) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the natural or legal person, public authority, agency, or other entity which Processes Personal Data on behalf of the Controller subject to this Addendum.
“Security Program” means TitanX' written security program that includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Customer Data (a current version of which can be provided upon request), and which includes TitanX' security policies and procedures, its current SOC 2 Type II report and the security measures set forth on Annex II, as may be updated periodically, and made reasonably available by TitanX.
“TitanX” means Tribe Prospecting LLC dba TitanX, a company incorporated in Tennessee with its primary address at 35 Market Square, Suite 201, Knoxville, TN, 37902, USA, on behalf of itself and each Affiliate, as applicable.
"Standard Contractual Clauses" means: (i) where the EU GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs") plus the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, and as can be found at https://ico.org.uk/media/for organisations/documents/4019539/international-data-transfer-addendum.pdf (or as it may be amended or replaced) (the “UK Addendum”); and (iii) where the Swiss GDPR applies, the applicable standard data protection clauses issued, approved or recognised by the Swiss Federal Data Protection and Information Commissioner (the "Swiss SCCs").
“Sub-processor” means any Processor engaged by TitanX.
“Supervisory Authority” means an independent public authority which is established by an EU Member State, the UK or Switzerland pursuant to the applicable European Data Protection Law.
A. The Parties’ Roles. TitanX provides the Service to Customer under the Agreement. Where Data Protection Laws and Regulations provide for the roles of “controller,” “processor,” and “subprocessor”: (a) where Customer is a controller of the personal data covered by this DPA, TitanX shall be a processor processing personal data on behalf of the Customer and this DPA shall apply accordingly; (b) where Customer is a processor of the personal data covered by this DPA, TitanX shall be a Sub-processor of the personal data and this DPA shall apply accordingly, and in each case TitanX will engage Sub-processors pursuant to the requirements of this DPA.
B. Customer Responsibilities. Customer shall ensure that its submission of Personal Data to TitanX and instructions for the Processing of Personal Data will comply with Data Protection Laws and Regulations. Customer shall also, in its use of the Service, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data it submits to TitanX and the means by which Customer acquired Personal Data.
C. Processing Purposes. TitanX shall keep Personal Data confidential and shall only Process Personal Data to the extent necessary pursuant to Customer’s instructions and as set forth in the Agreement and this DPA. Customer instructs and authorizes TitanX to Process Personal Data: (i) in accordance with the Agreement and applicable Order Form(s); (ii) as initiated by Users in their use of the Service; and (iii) to comply with other documented, reasonable instructions provided by Customer (for example, via email) where such instructions are consistent with the terms of the Agreement. TitanX shall not be required to comply with or observe Customer’s instructions if such instructions would violate the GDPR or other EU law or EU member state data protection provisions. TitanX will, unless legally prohibited from doing so, inform Customer if it reasonably believes that an instruction from Customer is in conflict with the Data Protection Laws and Regulations applicable to TitanX' Processing of Personal Data.
D. Scope of Processing. The subject matter of Processing of Personal Data by TitanX is the performance of the Service pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Appendix 1 to this DPA.
E. Data Subject Requests. To the extent legally permitted, TitanX shall promptly notify Customer if TitanX receives a request from a Data Subject related to Personal Data to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). TitanX shall only respond to a Data Subject Request upon written authorization from Customer, except to the extent legally prohibited. To the extent Customer, in its use of the Service does not have the ability to address a Data Subject Request, TitanX shall, upon Customer’s request and factoring into account the nature of the Processing, assist Customer by appropriate organizational and technical measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from TitanX' provision of such assistance.
F. TitanX Personnel. TitanX shall ensure that access to Personal Data is limited to its personnel engaged in the Processing of Personal Data (“TitanX Personnel”), who are informed of the confidential nature of the Personal Data, have received appropriate training regarding their responsibilities, and have executed written confidentiality agreements. TitanX shall take commercially reasonable steps to ensure the reliability of any TitanX Personnel.
G. Data Protection Officer. TitanX has appointed a data protection officer if and where such appointment is required by Data Protection Laws and Regulations. Any such appointed person may be reached at: [email protected].
H. Privacy Notice. TitanX shall inform Data Subjects in a transparent and easily accessible format on its website of a contact point authorized to handle complaints. TitanX shall deal promptly with any complaints it receives from a Data Subject related to Personal Data.
I. TitanX' Sub-processors. Customer has instructed or authorized the use of Sub-processors to assist TitanX with respect to the performance of TitanX' obligations under the Agreement and TitanX agrees to be responsible for the acts or omissions of such Sub-processors to the same extent as TitanX would be liable if performing the services of the Sub-processors under the terms of the Agreement. All such Sub-processors must agree to maintain the confidentiality of the Personal Data or be under an appropriate statutory or contractual obligation of confidentiality, and enter a written contract with TitanX that provides for substantially the same data protection obligations between TitanX and Sub-processor as between TitanX and Customer herein. TitanX will regularly review each Sub-processor’s compliance with its obligations. Customer acknowledges and agrees that:
(a) TitanX' Affiliates may be retained as Sub-processors; and
(b) TitanX and TitanX' Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Service.
TitanX will notify Customer via email prior to replacing or appointing new Sub-processors and Customer shall have the right to object, as follows: In order to exercise its right to object to TitanX' use of a new Sub-processor, Customer shall notify TitanX promptly in writing within ten (10) business days after receipt of TitanX' notice. In the event Customer has legitimate objections to the new Sub-Processor, the parties will work together in good faith to resolve the grounds for the objection, which could include recommending a commercially-reasonable change to Customer’s configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Sub-processor, provided that if the parties fail to agree upon a resolution within thirty (30) days, Customer may upon ten (10) days written notice to TitanX terminate the applicable Order Form(s) with respect to those aspects of the Service performed by TitanX through the use of the objected-to new Sub-processor.
J. International Transfers. To the extent such authorization is required by Data Protection Laws and Regulations, Customer authorizes TitanX and its Sub-processors to transfer Personal Data across international borders, including without limitation from the EEA, Switzerland and the UK to the US. Any cross-border transfer of Personal Data must be supported by an approved, encrypted transfer mechanism. Such mechanisms may include (without limitation) transferring Personal Data to a recipient in a country that the Supervisory Authority has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorization in accordance with Data Protection Laws and Regulations, or to a recipient that has executed standard contractual clauses adopted or approved by the Supervisory Authority.
TitanX participates in the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework (together, “the Frameworks”). The parties agree that transfers of Personal Data to the United States that are subject to the Frameworks are transfers on the basis of an adequacy decision unless and until either: (i) TitanX discontinues its participation with the Frameworks, or (ii) a legally binding, final decision issues that the Frameworks do not ensure an adequate level of protection under Data Protection Laws and Regulations, whichever is earlier.
If the Frameworks do not apply to the transfer of Personal Data, then the following transfer mechanism will apply to any transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations, to the extent such transfers are subject to such Data Protection Laws and Regulations: The applicable Standard Contractual Clauses, which are deemed incorporated into and form a part of this DPA, as follows:
(1) In relation to transfers of Personal Data protected by the EU GDPR and processed in accordance with this DPA, the EU SCCs shall apply, completed as follows:
(i) Module Two or Module Three will apply (as applicable);
(ii) In Clause 7, the optional docking clause will apply;
(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section I of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA, as applicable; and
(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA.
(2) In relation to transfers of Personal Data protected by the UK GDPR, the EU SCCs will also apply in accordance with paragraph (1) above, together with the UK Addendum, with the following modifications:
(i) tables 1 through 4 of the UK Addendum are populated in accordance with paragraph (1) above;
(ii) any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the UK GDPR; references to specific Articles of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK GDPR;
(iii) references to "EU", "Union" and "Member State law" are all replaced with "UK"; Clause 13(a) and Part C of Annex I of the EU SCCs are not used; references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Information Commissioner and the courts of England and Wales; and
(iv) Clause 17 of the EU SCCs is replaced to state that "The Clauses are governed by the laws of England and Wales" and Clause 18 of the EU SCCs is replaced to state "Any dispute arising from these Clauses shall be resolved by the courts in England. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts";
(v) unless the EU SCCs, implemented as described above, cannot be used to lawfully transfer such Personal Data in compliance with the UK GDPR in which case the UK SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK SCCs shall be populated using the information contained in Annexes I and II of this DPA (as applicable); and if neither the EU SCCs nor the UK SCCs applies, then the parties shall cooperate in good faith to implement appropriate safeguards for transfers of such Personal Data as required or permitted by the UK Data Protection Laws without undue delay;
(3) In relation to transfers of Personal Data protected by the Swiss GDPR, the EU SCCs will also apply in accordance with paragraph (1) above, with the following modifications:
(i) any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss GDPR;
(ii) references to "EU," "Union," "Member State," and "Member State law," shall be interpreted as references to Switzerland and Swiss law, as the case may be; and
(iii) references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland;
(iv) unless the EU SCCs, implemented as described above, cannot be used to lawfully transfer such Personal Data in compliance with the Swiss GDPR in which case the Swiss SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the Swiss SCCs shall be populated using the information contained in Annexes I and II to this DPA (as applicable);
(4) It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict; and
(5) If TitanX adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses or other transfer mechanism adopted pursuant to Data Protection Laws and Regulations) for the transfer of Personal Data not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with European Data Protection Law and extends to the territories to which Personal Data is transferred).
K. Security Measures. TitanX shall maintain appropriate organizational and technical measures for protection of the security (including protection against unauthorized or unlawful Processing, and against unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to, Personal Data), confidentiality, and integrity of Personal Data, as set forth in TitanX' applicable Security Program. TitanX regularly monitors compliance with these measures. TitanX will not materially decrease the overall security of the Service during Customer’s and/or Authorized Affiliates’ subscription term.
L. Security Incident. TitanX shall maintain reasonable and appropriate security incident management policies and procedures, as specified in the Security Program and shall notify Customer without undue delay after becoming aware of the unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to, Customer Data transmitted, stored or otherwise Processed by TitanX or its Sub-processors (hereinafter, a “Customer Data Security Incident”), as required to assist the Customer in ensuring compliance with its obligations to notify the Supervisory Authority in the event of a Customer Data Security Incident, taking into account the nature of Processing and the information available to TitanX. TitanX shall provide to Customer the following information as may be required under Article 33 of the GDPR:
(i) a description of the nature of the Customer Data Security Incident including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
(ii) the name and contact details of the data protection officer or other contact point where more information can be obtained;
(iii) a description of the likely consequences of the Customer Data Security Incident; and
(iv) a description of the measures taken or proposed to be taken by TitanX to address the Customer Data Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.
TitanX shall make reasonable efforts to identify the cause of such Customer Data Security Incident, and take those steps as TitanX deems necessary and reasonable in order to mitigate and remediate the cause of such a Customer Data Security Incident, to the extent that the mitigation and remediation is within TitanX' reasonable control; provided that Customer shall bear the cost of such mitigation and remediation to the extent such incidents are caused by either Customer or Customer’s Users. For avoidance of doubt, Customer Data Security Incident does not include unsuccessful attempts or activities that do not compromise the security of personal data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. TitanX' obligation to report or respond to a Customer Data Security Incident under this Section L is not and will not be construed as an acknowledgment by TitanX of any fault or liability of TitanX with respect to the Customer Data Security Incident.
M. Return of Customer Data. TitanX shall return Personal Data to Customer and, to the extent allowed by applicable law, delete Personal Data in accordance with the procedures and time periods specified in the Agreement, unless the retention of the data is requested from TitanX according to mandatory statutory laws.
N. Authorized Affiliates. The parties agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliate(s), thereby establishing a separate DPA between TitanX and each such Authorized Affiliate, subject to the provisions of the Agreement. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. An Authorized Affiliate is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Service by Authorized Affiliate(s) must comply with the terms and conditions of the Agreement and any violation thereof by an Authorized Affiliate shall be deemed a violation by Customer.
O. Communications. Customer, as a contracting party to the Agreement, shall remain responsible for coordinating all communication with TitanX under this DPA, and shall be entitled to transmit and receive any communication in relation to this DPA on behalf of its Authorized Affiliate(s).
P. Exercise of Rights. Where an Authorized Affiliate becomes a party to the DPA, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, except where applicable Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against TitanX directly by itself, the parties agree that
(i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and
(ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA in a combined manner for all of its Authorized Affiliates together, instead of doing so separately for each Authorized Affiliate.
Q. Liability. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and TitanX, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. The foregoing shall not limit a party’s liability with respect to a data subject’s rights to the extent such liability may not be limited under the applicable SCCs.
R. Data Protection Impact Assessment and Prior Consultation. Upon Customer’s request, TitanX agrees to provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Service, where in Customer’s judgment the Processing performed by TitanX is likely to result in a high risk to the rights and freedoms of natural persons, and to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to TitanX. TitanX shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks, to the extent required under the GDPR.
S. Standard Contractual Clauses. The Standard Contractual Clauses apply to the legal entity that has executed the Standard Contractual Clauses as a data exporter and its Authorized Affiliates. For the purpose of the Standard Contractual Clauses the aforementioned entities shall be deemed “data exporters.”
T. Customer’s Processing Instructions. This DPA and the Agreement are Customer’s complete and final instructions at the time of signature of the Agreement to TitanX for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 8.1 (a) of the Standard Contractual Clauses, the following is deemed an instruction by the Customer to process Personal Data: (a) Processing in accordance with the Agreement and applicable Order Form(s); (b) Processing initiated by Users in their use of the Service and (c) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
U. Records and Audits.
(1) TitanX will keep records of its Processing in compliance with applicable Data Protection Laws and Regulations and provide necessary records to Customer to demonstrate compliance upon reasonable request. TitanX has attained the third-party certifications and audit results set forth in the Security Program. The parties agree that the audits described in Clause 8.9(c) and Clause 13(b) of the Standard Contractual Clauses shall be carried out in accordance with the following specifications: Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, TitanX shall make available to Customer a copy of TitanX’ then most recent third-party certifications or audit results, as applicable.
(2) In deciding on a further review or audit, Customer may take into account relevant certifications held by TitanX. For any audit request by Customer beyond review of TitanX' third-party certifications and audit results, Customer may contact TitanX in accordance with the “Notices” Section of the Agreement to request an audit of the procedures relevant to the protection of Personal Data as necessary to demonstrate compliance with Data Protection Laws and Regulations as follows:
(i) Following any notice from TitanX to Customer of a Customer Data Security Incident;
(ii) As required by governmental regulators; or
(iii) If neither of the above apply, no more than once annually.
(3) Any audits described in Section (2) above shall be: Conducted either by Customer’s regulator, or through a third-party independent auditor mutually agreed upon by the parties; conducted during reasonable times; and to the extent possible, conducted upon reasonable advance notice to TitanX; and shall be of reasonable duration and shall not unreasonably interfere with TitanX' day-to-day operations. The third-party auditors shall be required to enter into a non-disclosure agreement containing confidentiality provisions reasonably acceptable to TitanX to protect TitanX' and its customers’ confidential and proprietary information. For the avoidance of doubt, regulators shall not be required to enter into a non-disclosure agreement.
(4) Customer shall reimburse TitanX for any time expended for any such audit at TitanX' then-current professional services rates, which shall be made available to Customer upon request. All reimbursement rates shall be reasonable, taking into account the resources expended by TitanX. Customer shall promptly notify TitanX and provide information about any actual or suspected non-compliance discovered during an audit. The provision in this section shall by no means derogate from or materially alter the provisions on audits as specified in the Standard Contractual Clauses.
V. Data Retention and Deletion. TitanX shall retain Personal Data for the duration of the Agreement and as specified in the Agreement. Upon expiration or termination of the Agreement, TitanX will delete or return Personal Data pursuant to the terms of the Agreement regarding transition of Customer Data. The parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 of the Standard Contractual Clauses shall be provided by TitanX to Customer only upon Customer’s request.
W. Variation. If TitanX or Customer cannot provide compliance with this DPA or the SCCs for any reason, or any variation is required to this DPA as a result of a change in Data Protection Laws and Regulations, then either Party may provide written notice to the other party of that non-compliance or that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this DPA or processes with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice as soon as reasonably practicable, provided that a party may suspend or terminate the applicable Order Form(s) with respect to those aspects of the Service affected by the requirements identified in the notice if compliance is not achievable despite the good faith efforts of the Parties.
X. Order of Precedence. This DPA is incorporated into and forms part of the Agreement. For matters not addressed under this DPA, the terms of the Agreement apply. With respect to the rights and obligations of the parties vis-à-vis each other, in the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA will control. In the event of a conflict between the terms of the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
EXPLANATORY NOTE:
It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can be achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.
Data importer(s):
1. Name: TitanX
2. Address: 35 Market Square, Suite 201, Knoxville, TN 37902, USA
3. Contact details: [email protected]
4. Activities relevant to the data transferred under these Clauses: TitanX, when acting as a data importer, receives Personal Data from the Customer, the data exporter (and from its Customer’s Affiliates, if applicable) for purposes of Processing such Personal Data on behalf of such Customer under the terms of the agreement for services between the parties.
5. Role (controller/processor): Processor
B. Description of Transfer:
Data subjects
The personal data transferred concerns the following categories of data subjects (please specify):
The categories of data subjects whose personal data may be transferred in connection with the Services are determined and controlled by the data exporter in its sole discretion and may include but are not limited to: Customers and prospects of the data exporter and/or data importer; employees or contractors of the data exporter’s prospects and customers; and employees and contractors of the data exporter.
Categories of data
The personal data transferred concern the following categories of data (please specify):
The categories of personal data are determined by the data exporter in its sole discretion and may include but are not limited to:
Frequency of Transfer
Continuous for the term of the Agreement
Duration of Processing
During the term of the Agreement and as specified in the Agreement
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
TitanX processes first names, last names, company names, emails, LinkedIn URLs, phone numbers, data sources, and any other relevant data provided by the Customer. The processing activities involve live scoring of the submitted data to deliver up-to-date and accurate scoring signals, focusing on identifying high-propensity phone answerers. This includes validation, verification, and activity tracking using third-party data sources. All data is encrypted at rest and in transit to ensure privacy and security.
TitanX correlates and aggregates this data to enhance its services, enabling the Customer to identify which prospects are more likely to respond to outreach efforts. For selected products, TitanX uses the personal contact data provided by the Customer to refine its scoring algorithm, ensuring that the data is aligned with the most current information available.
TitanX also monitors error rates closely, maintaining them below 0.05%, to ensure the reliability and accuracy of the scoring process. No data is shared with third parties outside the scope of these activities, and all processing is conducted in compliance with applicable privacy regulations as further set forth in the Agreement.
Period of Retention/Criteria Used to Determine Period of Retention:
Personal Data will be retained in accordance with Section V of the DPA.
C. Competent Supervisory Authority:
Competent Supervisory Authority/ies in accordance with Clause 13:
The competent supervisory authority in accordance with Clause 13 of the 2021 Standard Contractual Clauses is the Republic of Ireland unless Customer is established in the European Union or has appointed a representative pursuant to Article 27(1) of the GDPR; with respect to the processing of Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner's Office (the “ICO”).
ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational security measures implemented by TitanX (the data importer) in accordance with Annex II of the Standard Contractual Clauses:
1. PURPOSE. This Annex describes the minimum information security standards that TitanX maintains to protect the confidentiality, integrity, and availability of Customer Data.
2. SECURITY PROGRAM. TitanX maintains a written security program that includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Customer Data. TitanX agrees that it will not materially diminish the protections and controls of its Security Program during the term of the Agreement with Customer.
3. PSEUDONYMISATION AND ENCRYPTION OF PERSONAL DATA. TitanX pseudonymizes Personal Data where appropriate, and encrypts Personal Data in transit and at rest using encryption in accordance with its Security Program.
4. BUSINESS CONTINUITY PLAN. TitanX has a business continuity and disaster recovery plan in place to manage significant disruptions to TitanX' operations and infrastructure. The plan is appropriate based on the size, scope and complexity of TitanX' operations.
5. AVAILABILITY CONTROL. TitanX has backup procedures for its assets. TitanX has processes in place to monitor availability of its systems.
6. ACCESS CONTROL. TitanX has access controls in place designed to maintain the confidentiality and security of Customer Data. Controls include, as appropriate, authorization and authentication processes for physical and logical access to facilities, systems, networks and devices that handle Customer Data. Access is granted based on the principle of least privilege. As appropriate, TitanX logs, monitors and reviews access on a regular basis at a frequency commensurate with risk. TitanX enforces its Password Policy (a current copy of which can be provided upon request) with respect to password management.
7. PHYSICAL SECURITY. TitanX has physical and environmental controls that are commensurate to the risk for Customer Data and for the TitanX equipment, assets, or facilities used to hold and process Customer Data.
8. LOG MANAGEMENT. TitanX collects and records log information and maintains system logs based on residual risk and commensurate with industry expected operating practices. System logs include, but are not limited to, operating system event logs, administrative access logs, user access logs and security event logs. Such logs facilitate identifying the root cause issues associated with a system issue or a Customer Data Security Incident.
9. ASSET MANAGEMENT. TitanX has an asset management program in place that appropriately classifies and facilitates control and management of hardware and software assets throughout their lifecycle.
10. RISK MANAGEMENT. TitanX has a documented risk assessment and management process to identify, rate and treat all identified risks to TitanX' organization.
11. HUMAN RESOURCES SECURITY. Prior to hiring, engaging, or granting access to TitanX systems that store Customer Data, TitanX conducts background checks for its employees that will have access to Customer Data (“TitanX Personnel”) and provides security and privacy training. TitanX Personnel are subject to confidentiality provisions in their employment agreements or service contracts. TitanX ensures responsibilities for information security and privacy are acknowledged by TitanX Personnel and that TitanX Personnel comply with the terms of this Annex.
TitanX is responsible to Customer for any acts or omissions of TitanX Personnel that result in a breach of this Annex. TitanX has a disciplinary process for violations of Security Program requirements by TitanX Personnel.
12. NETWORK SECURITY. TitanX has appropriate network perimeter defense solutions in place, such as Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) and firewalls, to monitor, detect, and prevent malicious network activity and restrict access to authorized users and services. TitanX has appropriate monitoring in place to detect and take appropriate action. TitanX reviews firewall configurations and rules at least annually, and any significant changes to firewall rules follow a documented change management process.
13. DATA MINIMISATION. TitanX collects and processes Customer Data as necessary to provide the Services set forth in the Agreement and in accordance with the DPA.
14. SECURE DEVELOPMENT. TitanX has a software development lifecycle (“SDLC”) methodology in place that governs the acquisition, development, implementation, configuration, maintenance, modification, and management of TitanX' infrastructure and software components as applicable. TitanX has defined secure coding guidelines applicable to TitanX Personnel. Developers receive secure code training at least annually. TitanX' SDLC program includes, as appropriate, secure code reviews, vulnerability scanning and security architecture reviews.
15. CHANGE MANAGEMENT. TitanX follows documented change management policies and procedures for requesting, testing, and approving application, infrastructure, and product-related changes. Changes undergo review and testing prior to approval for implementation. Changes are approved prior to implementation to production, and only authorized individuals are allowed to move code into production. TitanX maintains separate environments for development, testing, and production.
16. THREAT AND VULNERABILITY MANAGEMENT AND SECURITY TESTING. TitanX has a threat and vulnerability management program that includes ongoing monitoring for vulnerabilities that are acknowledged by TitanX, reported by researchers, or discovered internally through vulnerability scans, or identified by TitanX Personnel. TitanX has processes in place to document vulnerabilities, risk rank the vulnerabilities, and take appropriate steps to remediate vulnerabilities based on risk. TitanX performs regular internal and external vulnerability scans. TitanX conducts internal and external penetration tests at least annually, and remediates vulnerabilities identified in accordance with its Security Program.
17. THIRD PARTY SECURITY. TitanX assesses the risks associated with any new and existing service providers with access to Customer Data. TitanX communicates security and confidentiality requirements, as well as operational responsibilities, through contractual agreements that are substantially as protective of Customer Data as the obligations within this Annex with such service providers. TitanX is responsible to Customer for the performance of service providers that TitanX uses to perform the Agreement and will remain liable to Customer for the acts or omissions of its service providers to the same extent as TitanX would be liable if performing the services of the service providers under the terms of the Agreement.
18. INCIDENT RESPONSE AND NOTIFICATION. In the event of a Customer Data Security Incident, TitanX takes reasonable and appropriate steps to investigate, mitigate, and remediate such incident in accordance with Section L of this DPA.
19. INSPECTION RIGHTS. Customer or its designated representative will have the right to review and assess TitanX' security practices related to handling of Customer Data (“Assessment”) in accordance with the procedures set forth in the “Records and Audits” section of the DPA.
20. DATA PORTABILITY & ERASURE. TitanX processes support data portability and erasure.
21. DATA SUBJECT REQUESTS. TitanX addresses Data Subject Requests in accordance with Section E of this DPA. In addition, if Customer elects TitanX Services that include access to Customer’s Customer Relationship Management platform (“CRM”) or Marketing Automation Platform (“MAP”), the TitanX Platform will sync CRM and MAP data via nightly syncs, depending on the CRM or MAP system used by Customer, such that data deleted by Customer in response to Data Subject Requests will be removed from Customer’s instance within the TitanX Platform. Additionally, Data Subject Requests can be submitted via [email protected].
22. SUBPROCESSORS. TitanX' contracts with Sub-processors that have access to Customer Data contain technical and organizational measures substantially as protective as those outlined herein.
23. DESTRUCTION OF DATA. Upon expiration or termination of the Agreement and in accordance with the relevant terms of the Agreement, Customer Data is deleted by purging or physical destruction commensurate with the Security Program.