Data Processing Addendum
Last updated: July 26, 2024
This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Agreement between Tremendous and Client (each a “Party”; collectively the “Parties”). This DPA sets forth Client’s instructions for the processing of Personal Data in connection with the services provided pursuant to the Agreement (the “Services”) and the rights and obligations of both Parties. All capitalized terms used in this DPA but not defined will have the meaning set forth in the Agreement or under Data Protection Laws. Any prior data protection agreement that may already exist between the Parties is superseded and replaced by this DPA on the date this DPA has been fully executed by the Parties. In the event of any conflicts between this DPA and the Agreement, this DPA will govern.
Definitions. For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms used but not defined in this DPA shall have the meanings given in the Agreement. All other terms in this DPA not otherwise defined in the Agreement shall have the corresponding meanings given to them in applicable Privacy Laws.
“Data Protection Laws” means all applicable laws, regulations, and other legal or regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the United Kingdom Data Protection Act of 2018; the Swiss Federal Act on Data Protection (“FADP”); the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended and including its regulations (“CCPA”), and other similar and applicable U.S. state and federal laws.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates, and is deemed to also include a “consumer” as defined under Data Protection Laws.
“EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as set forth herein.
“Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and analogous terms, as defined by applicable Data Protection Laws, that Tremendous Processes to provide the Services under the Agreement.
“Process”, “Processing,” “Processed,” etc., mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Security Incident” means any breach of security that results in the accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
“Subprocessor” means any third party that Tremendous engages to Process Personal Data to assist in providing the Services.
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office, located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf and completed as set forth herein.
The terms “Business,” “Controller,” “Processor,” and “Service Provider” are defined as in Data Protection Laws. “Controller” is deemed to also refer to “Business,” and “Processor” is deemed to also refer to “Service Provider.”
Roles of the Parties; Scope and Purposes of Processing.
Roles of the Parties. To the extent that Client is the Controller of Personal Data, Tremendous is its Processor. To the extent that Client is a Processor of Personal Data, Tremendous is its Subprocessor.
Scope and Purposes of Processing. This DPA applies to all Personal Data that Tremendous Processes to provide the Services to Client. Tremendous will Process Personal Data (i) in compliance with Data Protection Laws; (ii) on Client’s behalf and in accordance with Client’s instructions as set forth in this DPA and the Agreement, and as otherwise provided by the Client in writing; and (iii) to provide the Services to Client under the Agreement for the business purposes set forth in the Agreement and as set forth in this DPA, unless other Processing activities are required otherwise to comply with Data Protection Laws (in which case, Tremendous shall provide prior notice to Client of such legal requirement, unless such law prohibits this disclosure).
Client Rights. Client retains the right to take reasonable and appropriate steps to (i) ensure that Tremendous Processes Personal Data in a manner consistent with Data Protection Laws, and (ii) upon notice, stop and remediate unauthorized Processing of Personal Data, including any use of Personal Data not expressly authorized in this DPA.
Client Obligations. Client shall comply with all applicable Data Protection Laws in providing Personal Data to Tremendous in connection with the Services. Client represents and warrants that: (a) the Data Protection Laws applicable to Client do not prevent Tremendous from fulfilling the instructions received from Client and performing Tremendous’ obligations under this DPA; (b) all Personal Data was collected and at all times processed and maintained by or on behalf of Client in compliance with all applicable Data Protection Laws, including with respect to any obligations to provide notice to and/or obtain consent from individuals; and (c) Client has a lawful basis for disclosing the Personal Data to Tremendous and enabling Tremendous to process the Personal Data as set out in this DPA. Client shall notify Tremendous without undue delay if Client makes a determination that the processing of Personal Data under the Agreement does not or will not comply with applicable Data Protection Laws, in which case, Tremendous shall not be required to continue processing such Personal Data.
Personal Data Processing Requirements.
Restrictions on Processing. Tremendous will:
not retain, use, or disclose Personal Data outside of the direct business relationship between Client and Tremendous, or for any purpose (including any commercial purpose) not set forth in this DPA or the Agreement;
not “sell” or “share” any Personal Data, or use Personal Data for purposes of “targeted advertising,” as such terms are defined in Data Protection Laws; and
comply with any applicable restrictions under the CCPA on combining Personal Data with personal data that Tremendous receives from, or on behalf of, another person or persons, or that Tremendous collects from any interaction between it and any individual.
Confidentiality. Tremendous will ensure that the persons Processing Personal Data are bound by obligations of confidentiality no less protective than those set forth in the Agreement or are under an appropriate statutory obligation of confidentiality.
Assistance. Tremendous will provide Client with reasonable assistance:
by implementing appropriate technical and organizational measures for the fulfillment of Client’s obligation to respond to requests for exercising Data Subjects’ rights as set forth in Data Protection Laws, taking into account the nature of the Processing; and
in performing any required data protection impact assessment of Processing or proposed Processing of Personal Data, and in consulting with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including any applicable obligation upon Tremendous to consult with a regulatory authority in relation to Tremendous’s Processing or proposed Processing of Personal Data.
Notice Regarding Compliance and Instructions. Tremendous will promptly notify Client if Tremendous determines that it can no longer meet its obligations under Data Protection Laws or if it believes that Client’s instructions violate Data Protection Laws, and Tremendous is not deemed to be in breach of this DPA if it declines to Process Personal Data in a way that Tremendous reasonably and in good faith believes would cause Tremendous to violate Data Protection Laws.
Data Security. Tremendous will use appropriate administrative, technical, physical, and organizational measures to protect Personal Data as set forth in Exhibit B. Tremendous will provide the level of protection for Personal Data that is required under Data Protection Laws. Such measures will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risk.
Security Incident.
Notice. Tremendous will notify Client of any Security Incident without undue delay or within the time period required under Data Protections Law. To the extent available, this notification will include Tremendous’s then-current assessment of the following: (i) the nature of the Security Incident, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (ii) the likely consequences of the Security Incident; and (iii) measures taken or proposed to be taken by Tremendous to address the Security Incident, including, where applicable, measures to mitigate its possible adverse effects. Tremendous will provide timely and periodic updates to Client as additional information regarding the Security Incident becomes available. Client acknowledges that any updates may be based on incomplete information.
Responsibilities of the Parties. Tremendous will comply with the Security Incident-related obligations applicable to it under Data Protection Laws and will assist Client in Client’s compliance with its Security Incident-related obligations.
Subprocessors.
Authorization to Engage Subprocessors. Client agrees that Tremendous may engage Subprocessors to Process the Personal Data to assist in providing the Services. A list of Tremendous’s Subprocessors is available at https://tremendous.notion.site/Tremendous-Subprocessors-c89976bda1724a948e0701101efba05d. Tremendous will impose contractual obligations on any Subprocessor it appoints requiring it to protect Personal Data to standards that are no less protective than those set forth under this DPA. Tremendous shall remain liable to Client for the performance of the Subprocessor’s data protection obligations.
Subprocessor Notice and Objections. Tremendous will provide reasonable advance notice of new Subprocessors that it appoints during the term of the Agreement. Client has fourteen (14) calendar days from receiving such notice to make an objection on reasonable grounds relating to the protection of the Personal Data by notifying Tremendous. In the event Client objects to a new Subprocessor, Tremendous will use commercially reasonable efforts to make available to Client a change in the Services or Client’s configuration or use of the Services to avoid processing of Client Personal Data by the objected-to new Subprocessor. If Tremendous is unable to make available such change within a reasonable period of time, which will not exceed thirty (30) days, either Party may upon written notice terminate without penalty the applicable Order Form(s) or the Agreement.
Data Transfers.
Authorization to Transfer Personal Data. Client authorizes Tremendous and its Subprocessors to make international transfers of Personal Data in accordance with this DPA and Data Protection Laws.
EU SCCs. To the extent legally required, by entering into this DPA, Client and Tremendous are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Sections 7(e) and (f) below) are deemed completed as follows:
Module 2 of the EU SCCs applies to transfers of Personal Data from Client (as a Controller) to Tremendous (as a Processor), and Module 3 of the EU SCCs applies to transfers of Personal Data from Client (as a Processor) to Tremendous (as a Subprocessor);
Clause 7 (the optional docking clause) is not included;
Clause 9 (Use of sub-processors): Option 2 (General written authorization) will apply and the time period for prior notice of Subprocessor changes is set forth in Section 6 of this DPA.;
Clause 11 (Redress): The optional language will not apply;
Clause 17 (Governing law): The Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights) and select the law of Ireland;
Clause 18 (Choice of forum and jurisdiction): The Parties select the courts of Ireland;
Annexes I (List of Parties) and II (Technical and organizational measures) are completed as set forth in Exhibits A and B of this DPA, respectively; and
Annex III (List of subprocessors) is not applicable because the Parties have chosen General Authorization under Clause 9.
UK Addendum. To the extent legally required, by entering into this DPA, the Parties are deemed to be signing the UK Addendum, which forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK Addendum. The Tables within the UK Addendum are deemed completed as follows:
Table 1: The Parties’ details shall be the Parties to the extent any of them is involved in such transfer, and the Key Contact shall be the contacts set forth in the Agreement.
Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties and completed in Section 7(d) of this DPA.
Table 3: Annexes I and II are set forth in Exhibits A and B below, respectively. Annex III is inapplicable.
Table 4: Either Party may end this DPA as set out in Section 19 of the UK Addendum.
Transfers of Swiss Personal Data. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(d) of this DPA, but with the following differences to the extent required by the FADP: (i) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (ii) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (iii) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
Audits.
Standard Audit Process. Tremendous will make available to Client documentation, data, certifications, reports, and records (“Records”) relating to its Processing of Personal Data to demonstrate compliance with this DPA (an “Audit”) provided the Agreement remains in effect and such audit is at Client’s sole expense. Client may request an Audit upon fourteen (14) days’ prior written notice to Tremendous, no more than once annually, except, in the event of a Security Incident occurring on Tremendous systems, in which case Client may request an Audit within a reasonable period of time following such Security Incident.
Written Requests and Inspections. If Client has a reasonable objection that the Records provided are not sufficient to demonstrate Tremendous’s compliance with this DPA, Client may, as reasonably necessary: (i) request additional information from Tremendous in writing, and Tremendous will respond to such written requests in within a reasonable period of time (“Written Requests”); and (ii) only where Tremendous's responses to such Written Requests do not provide the necessary level of information required by Client, request access to Tremendous premises, systems and staff, upon twenty one (21) days prior written notice to Tremendous (an “Inspection”) subject to the parties having mutually agreed upon (a) the scope, timing, and duration of the Inspection, (b) the use of an auditor to conduct the Inspection, (c) the Inspection being carried out only during regular business hours, with minimal disruption to Tremendous business operations, and (d) all costs associated with the Inspection being borne by Client. Inspections will be permitted no more than once annually, except in the event of a Security Incident.
De-Identified Data. Tremendous may aggregate, anonymize, or de-identify Personal Data and process such data (“De-Identified Data”) for its own purposes and in compliance with applicable law. To the extent Tremendous receives De-Identified Data from Client under the Agreement, Tremendous shall: (i) take commercially reasonable measures to ensure that the De-Identified Data cannot be associated with an identified or identifiable individual; (ii) maintain and use the De-Identified Data only in a de-identified fashion; and (iii) not attempt to re-identify the De-Identified Data.
Return or Destruction of Personal Data. Except to the extent required otherwise by Data Protection Laws, Tremendous will, at the choice of Client and upon Client’s written request return to Client and/or securely destroy all Personal Data, unless Data Protection Laws or financial regulations require Tremendous to retain Personal Data.
Survival; Amendments. The provisions of this DPA survive the termination or expiration of the Agreement for so long as Tremendous or its Subprocessors Process Personal Data. Tremendous may amend this DPA in order to comply with Data Protection Laws and will notify Client of such changes. By continuing to use the Services after the DPA has been updated, Client is deemed to have agreed to the updated DPA.
Exhibit A
ANNEX I TO THE EU SCCS
A. LIST OF PARTIES
Data exporter(s):
Name: Client, as identified in the Agreement.
Address: As provided in the Agreement.
Contact person’s name, position, and contact details: As provided in the Agreement.
Activities relevant to the data transferred under these Clauses: The data exporter receives the data importer’s Services pursuant to their underlying Agreement.
Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these EU SCCs by both parties.
Role: Controller or Processor, as relevant.
Data importer(s):
Name: Tremendous, as identified in the Agreement.
Address: As provided in the Agreement.
Contact person’s name, position, and contact details: As provided in the Agreement.
Activities relevant to the data transferred under these Clauses: The data importer provides the Service to the data exporter pursuant to their underlying Agreement.
Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these EU SCCs by both parties.
Role: Processor or Subprocessor, as applicable.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: The categories of data subjects whose personal data is transferred are determined solely by the data exporter. In the normal course of the data importer's Service, the categories of data subjects might include (but are not limited to): the data exporter’s personnel, customers, service providers, business partners, affiliates and other end users.
Categories of personal data transferred: The categories of personal data transferred are determined solely by the data exporter. In the normal course of the data importer's Service, the categories of personal data transferred include physical address, telephone number, and name of recipient.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous for the duration of the Agreement.
Nature of the processing: The data importer’s Processing activities shall be limited to those discussed in the Agreement and the DPA.
Purpose(s) of the data transfer and further processing: The purpose of the transfer to and further Processing of Personal Data by the data importer is for the data importer to provide the Services to the data exporter as set forth in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for the period of time necessary for the data importer to provide the Services to the data exporter under the Agreement and/or in accordance with applicable legal requirements.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above to the extent that Personal Data is provided to Subprocessors for purposes of providing the Services.
C. COMPETENT SUPERVISORY AUTHORITY
To the extent legally permitted, the competent supervisory authority is the Irish Data Protection Commission.
Exhibit B
TREMENDOUS DATA SECURITY MEASURES
Tremendous maintains an information security program that includes specific security requirements for its personnel and all Subprocessors or agents who have access to Personal Data (“Data Personnel”) that cover the following areas:
Information Security Policies and Standards. Tremendous will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date.
Physical Security. Tremendous will maintain commercially reasonable security systems at all Tremendous sites at which an information system that uses or stores Personal Data is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
Organizational Security. Tremendous will maintain information security policies and procedures addressing acceptable data use standards and incident response protocols.
Network Security. Tremendous maintains commercially reasonable information security policies and procedures addressing network security.
Access Control. Tremendous agrees that: (1) only authorized Tremendous staff can grant, modify, or revoke access to an information system that Processes Personal Data; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.
Virus and Malware Controls. Tremendous protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.
Personnel. Tremendous has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
Business Continuity. Tremendous implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis.