RocketReach Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the RocketReach Terms of Service ("Agreement") between you ("Customer") and RocketReach LLC ("RocketReach"). Customer and RocketReach may be referred to herein as the "Parties" and individually as a "Party". Except as supplemented or modified below, the terms of the Agreement remain in full force and effect and will be read and construed as one document with this DPA. RocketReach and Customer agree as follows:

DEFINITIONS

1.1. Capitalized terms not otherwise defined herein have the meaning given to them in the Agreement.

1.2. The following terms have the meanings set out below for this DPA:

1.2.1. "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Processor" and "Supervisory Authority" have the meaning given to them in Data Protection Law;

1.2.2. "Data Protection Law(s)" means Regulation (EU) 2016/679 ("GDPR"), Directive 2002/58/EC (as amended by Directive 2009/136/EC), and all other data protection laws of the European Union, the European Economic Area ("EEA"), and their respective member states, Switzerland and the United Kingdom ("UK"), and any legal instrument for International Data Transfers, each as applicable, and as may be amended or replaced from time to time;

1.2.3. "Data Subject Request" means a request from a Data Subject to exercise any right granted by Data Protection Law, including the right to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making;

1.2.4. "International Data Transfer" means any transfer of Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the UK, and includes any onward transfer of Personal Data from the international organization or the country outside of the EEA, Switzerland or the UK to another international organization or to another country outside of the EEA, Switzerland and the UK;

1.2.5. "RocketReach Personal Data" means any personal data which Customer accesses through RocketReach’s online database and platform for business contact details;

1.2.6. "Services" has the meaning given to it in Recital (A) of this DPA;

1.2.7. "Standard Contractual Clauses" means the clauses annexed to the EU Commission Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended from time to time;

1.2.8. "UK Standard Contractual Clauses" means the clauses annexed to the EU Commission Decision 2004/915/EC of December 27, 2004, amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries, as applicable in the UK and as amended from time to time.

ROLES OF THE PARTIES

In the context of the DPA, the Parties agree that each Party acts as a separate and independent Controller in relation to the Personal Data processed under this DPA. The Parties acknowledge and confirm that neither Party acts as a Processor on behalf of the other Party and that neither the DPA nor any other aspect of the Services creates a joint-controllership between the Parties. Each Party shall comply with and process all Personal Data in accordance with their respective obligations under Data Protection Law. For the avoidance of doubt, Customer can access the Personal Data set out in Annex I to this DPA. Customer is responsible for its own Processing activities, including for the Processing of RocketReach Personal Data for Customer’s own purposes ("Customer Personal Data").

CUSTOMER’S RESPONSIBILITIES

Customer warrants and represents, on behalf of itself, its employees, sub-contractors and/or agents, that (a) it will comply with and Process all RocketReach Personal Data and Customer Personal Data in accordance with its respective obligations under Data Protection Law; (b) it will maintain a publicly accessible privacy policy on its website that satisfies the transparency disclosure requirements of Applicable Data Law, including Articles 13 and 14 of the GDPR; (c) it will conduct reasonable data protection due diligence on any third party to whom it will disclose RocketReach Personal Data; (d) it will ensure that any sharing of RocketReach Personal Data with, or subcontracting the Processing to third party partners will be completed under an agreement that imposes at least the same level of protection as is required by this DPA; and (e) it will cooperate with RocketReach in relation to any request from individuals to exercise their rights under Data Protection Laws if required.

DATA BREACH

In the event of a Personal Data Breach affecting RocketReach, Customer will notify RocketReach of the Personal Data Breach without undue delay and no later than 48 hours after becoming aware of the Personal Data Breach.

INTERNATIONAL DATA TRANSFER

5.1. RocketReach hereby authorizes Customer to access and retain RocketReach Personal Data subject to Data Protection Law to any country deemed adequate by the EU Commission, or for transfers from the UK deemed adequate by the UK Government; on the basis of appropriate safeguards in accordance with Data Protection Law; or pursuant to the Standard Contractual Clauses or the UK Standard Contractual Clauses.

5.2. By entering into this DPA, the Parties conclude Module One (controller-to-controller) of the Standard Contractual Clauses, for RocketReach Personal Data which is transferred outside of the EEA. The Standard Contractual Clauses are hereby incorporated and completed as follows: the "data exporter" is RocketReach; the "data importer" is Customer; the optional docking clause in Clause 7 is implemented; the optional paragraph in Clause 11(a) is struck; Clause 13 (a) paragraph 2 is implemented; the governing law in Clause 17 is the law of the Republic of Ireland and the courts in Clause 18(b) are the courts of the Republic of Ireland; Annex 1 and 2 to the Standard Contractual Clauses are Annex I and II to this DPA respectively.

5.3. By signing this DPA, the Parties conclude the UK Standard Contractual Clauses for RocketReach Personal Data which is transferred outside of the UK. The UK Standard Contractual Clauses are hereby incorporated and completed as follows: the "data exporter" is RocketReach; the "data importer" is Customer; the governing law in Clause IV of the UK Standard Contractual Clauses is the law of England and Wales; option (iii) in Clause II(h) is selected and the optional commercial clauses are struck. Annex B to the UK Standard Contractual Clauses is completed as follows: the information on the data subjects, purpose of the transfer, categories of (sensitive) data, storage limits and contact points for data protection enquiries is provided in Annex I to this DPA and the recipients are Customer, its affiliates, parents and service providers. In addition, the following changes apply: (i) references to data protection law are replaced with references to applicable UK data protection law, (ii) references to the EU or Member States are replaced with references to the UK, (iii) references to EU data protection authorities are replaced with references to the competent UK authority, and (iv) references to the member state governing law in Clause IV of the UK Standard Contractual Clauses refer to the laws of England and Wales.

5.4. Customer hereby represents and warrants that (a) it is not and will not be in breach of any provision of the (UK) Standard Contractual Clauses; and (b) it is not, and nor are any of its Processors, subject to the U.S. Foreign Intelligence Surveillance Act ("FISA") or Executive Order 12333 ("EO"), and nor has Customer or any Processor received any requests under Section 702 of the FISA or, to the best of Customer’s knowledge, been subject to any action under the EO.

5.5. Customer must inform RocketReach at least thirty (30) days prior to any intended change of International Data Transfers, including the country, and the legal basis of the International Data Transfer pursuant to Section 5.1.

5.6. If either Party’s compliance with Data Protection Law applicable to transfers is affected by circumstances outside of either Party’s control, including if a legal instrument for transfers is invalidated, amended, or replaced, then the Parties will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative (UK) Standard Contractual Clauses are approved by Supervisory Authorities, RocketReach reserves the right to amend the Agreement and this DPA by adding to, changing or replacing, the (UK) Standard Contractual Clauses that form part of it at the date of signature in order to ensure continued compliance with Data Protection Law.

LIABILITY

The liability and obligation of each Party hereunder is several, not joint. Regardless of any cap on liability set out in the Agreement, RocketReach is entitled to claim back from the Customer that part of the compensation, damages or fines, corresponding to Customer’s part of responsibility for the damages or fines, as applicable. Nothing in this Agreement and DPA limits any liability which cannot legally be excluded, including but not limited to liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation or willful misconduct.

INDEMNITY

Customer agrees and undertakes to indemnify on demand, keep indemnified and defend RocketReach at its own expense, and hold RocketReach harmless from and against any and all demands, claims, actions, proceedings, liabilities, costs, expenses (including legal expenses calculated on a full indemnity basis, and all other professional expenses and costs), losses (including any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, regulatory penalty, fine or penalties), injury or damages whatsoever incurred or suffered by RocketReach or for which RocketReach may become liable arising out of any (i) breach of the Data Protection Laws by Customer or by any third party to whom Customer has disclosed RocketReach Personal Data; and (ii) breach of any of its data protection obligations under this DPA.

ANNEX I

A. LIST OF PARTIES: RocketReach is the data exporter; Customer is the data importer.
B. DESCRIPTION OF TRANSFER
  • Categories of Data Subjects whose personal data is transferred: Data Subjects included in the online database operated by RocketReach.
  • Categories of personal data transferred: (a) identification details (such as name), (b) contact details (such as phone number and email address), (c) professional role and history (education, job title, etc.).
  • Sensitive data transferred: the Services are not intended to Process special categories of data.
  • The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): As and when the Services are accessed.
  • Nature of the processing: the Personal Data will be transferred for the provision of the Services as set out in the Agreement.
  • Purpose(s) of the data transfer and further processing: to provide Services to Customer.
  • The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
  • For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: for the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY: The competent Supervisory Authority is the Irish Data Protection Commission.

ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Customer shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement certain or all of the following types of security measures:

1. Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where RocketReach Personal Data are Processed, include: (a) establishing security areas, restriction of access paths; (b) establishing access authorizations for employees and third parties; (c) access control system (ID reader, magnetic card, chip card); (d) key management, card-keys procedures; (e) door locking (electric door openers etc.); (f) security staff, janitors; (g) surveillance facilities, video/CCTV monitor, alarm system; and (h) securing decentralized data processing equipment and personal computers.

2. Virtual access control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include: (a) user identification and authentication procedures; (b) ID/password security procedures (special characters, minimum length, change of password); (c) automatic blocking (e.g. password or timeout); (d) monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts; (e) creation of one master record per user, user-master data procedures per data processing environment; and (f) encryption of archived data media.

3. Data access control
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that RocketReach Personal Data cannot be read, copied, modified or deleted without authorization, include: (a) internal policies and procedures; (b) control authorization schemes; (c) differentiated access rights (profiles, roles, transactions and objects); (d) monitoring and logging of accesses; (e) disciplinary action against employees who access RocketReach Personal Data without authorization; (f) reports of access; (g) access procedure; (h) change procedure; (i) deletion procedure; and (j) encryption.

4. Disclosure control
Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include: (a) encryption/tunneling; (b) logging; and (c) transport security.

5. Entry control
Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include: (a) logging and reporting systems; and (b) audit trails and documentation.

6. Control of instructions
Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the instructions of the Controller include: (a) unambiguous wording of the contract; (b) formal commissioning (request form); and (c) criteria for selecting the Processor.

7. Availability control
Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) include: (a) backup procedures; (b) mirroring of hard disks (e.g. RAID technology); (c) uninterruptible power supply (UPS); (d) remote storage; (e) antivirus/firewall systems; and (f) disaster recovery plan.

8. Separation control
Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately include: (a) separation of databases; (b) "internal client" concept / limitation of use; (c) segregation of functions (production/testing); and (d) procedures for storage, amendment, deletion, transmission of data for different purposes.

Last updated: October 18, 2021