Last updated: March 19, 2024
This Data Processing Addendum (“DPA”), including its exhibits, is incorporated into the written agreement that Customer has entered into with CaptivateIQ, Inc. (“CaptivateIQ”) governing Customer’s use of the Services. Any terms used in this DPA and not defined will have the meanings given to them in the Agreement.
The parties are entering into this DPA to satisfy applicable Privacy Laws, and each party represents that it will comply with Privacy Laws. CaptivateIQ agrees to comply at all times with the requirements in this DPA with respect to Customer’s Data that Customer and Customer’s employees, customers, agents, or other authorized users provide or make accessible to CaptivateIQ in the course of CaptivateIQ providing the Services, for as long as CaptivateIQ has access to or possession of Customer’s Data. This DPA is in addition to, not in lieu of, any other contractual obligations and applicable legal or regulatory obligations the parties have or have agreed to.
Customer represents and warrants that: (i) Customer has lawfully collected and may lawfully transfer Customer Data to CaptivateIQ for the purposes contemplated by the Agreement; and (ii) CaptivateIQ’s use of Customer Data as contemplated by the Agreement will not violate any applicable laws. CaptivateIQ will access, collect, store, retain, transfer, use, or otherwise process Customer Data solely in accordance with the instructions that are in the Agreement (including as incorporated by reference in the Agreement), in this DPA, or that are otherwise agreed to by the parties in writing, including as to the subject-matter and duration of the processing, the nature and purpose of the processing, and the types and categories of Customer Data.
CaptivateIQ will ensure that any person that it authorizes to process Customer Data will be subject to a duty of confidentiality (whether contractual or statutory).
CaptivateIQ will implement and maintain appropriate technical and organizational measures designed to secure Customer Data as listed in the attached Exhibit A.
If CaptivateIQ becomes aware of a Security Breach, CaptivateIQ will notify Customer without undue delay. Where possible, such notice will include all available details required under Privacy Laws for Customer to comply with Customer’s notification obligations to regulatory authorities or individuals affected by the Security Breach.
To the extent necessary to fulfill CaptivateIQ’s contractual obligations under the Agreement, Customer agrees that CaptivateIQ may subcontract the processing of Customer Data to its affiliates, temporary staff, and Subprocessors. CaptivateIQ agrees to: (i) enter into a written agreement with its Subprocessors that imposes on such Subprocessors data protection requirements for Customer Data that are consistent with this DPA; and (ii) remain responsible to Customer for its Subprocessors’ failure to perform their obligations with respect to the processing of Customer Data. CaptivateIQ will inform Customer of any intended changes concerning the addition or replacement of other Subprocessors by updating its Subprocessor list available at https://www.captivateiq.com/data-subprocessors, and will allow Customer 10 days to object to such change. If Customer has legitimate objections to the appointment of any new Subprocessor related to data protection, CaptivateIQ will work with Customer in good faith to resolve the grounds for the objection.
7.1. Authorization to Transfer Customer Data Across International Borders. Customer agrees that CaptivateIQ may transfer Customer Data across international borders, including from the European Economic Area, Switzerland, or the United Kingdom to the United States.
7.2. EEA, Swiss, and UK SCCs. If Customer Data which originates in the European Economic Area, Switzerland, or the United Kingdom is transferred by Customer to CaptivateIQ in a country that has not been found to provide an adequate level of protection under applicable Privacy Laws, the parties agree that the transfer will be governed by Module Two’s obligations in the SCCs as supplemented by Exhibit B, the terms of which are incorporated herein by reference. Each party’s agreement to the DPA shall be considered a signature to the SCCs to the extent that the SCCs apply hereunder.
8.1. Scope. Without limiting CaptivateIQ’s rights under the Agreement, this DPA or the CCPA, to the extent that CaptivateIQ’s processing of Customer Data is subject to the CCPA, this Section 8 will apply. Customer may disclose or otherwise make available Customer Data to CaptivateIQ for the limited and specific purpose of CaptivateIQ providing the contracted services to Customer in accordance with the Agreement and this DPA.
8.2. CaptivateIQ Responsibilities. CaptivateIQ will: (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection with respect to Customer Data as required under the CCPA; (iii) notify Customer if it can no longer meet its obligations under the CCPA; (iv) not “sell” or “share” (as such terms are defined by the CCPA) Customer Data; (v) not retain, use, or disclose Customer Data for any purpose (including any commercial purpose) other than to provide the contracted services under the Agreement or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Customer Data outside of the direct business relationship between Customer and CaptivateIQ; and (vii) unless otherwise permitted by the CCPA, not combine Customer Data with Personal Data that CaptivateIQ (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction.
8.3. Customer Responsibilities. Customer may: (i) take reasonable and appropriate steps agreed upon by the parties to help ensure that CaptivateIQ processes Customer Data in a manner consistent with Customer’s CCPA obligations; and (ii) upon notice to CaptivateIQ, take reasonable and appropriate steps agreed upon by the parties to stop and remediate unauthorized processing of Customer Data by CaptivateIQ. Customer agrees that Subprocessors may further engage service providers to assist in processing Customer Data.
CaptivateIQ will provide all assistance reasonably requested by Customer to enable Customer to respond to, comply with, or otherwise resolve any data protection requests, questions or complaints received from any individuals, data protection authority, law enforcement or other regulatory body. In the event that any communication relating to Customer Data is received directly by CaptivateIQ, CaptivateIQ will promptly inform Customer and will not respond to such communication unless required by law or expressly authorized by Customer. CaptivateIQ will provide reasonable and timely information and assistance as Customer may require in order to conduct a data protection assessment or data protection impact assessment and, if necessary, consult with any relevant data protection authority, as required under applicable Privacy Laws. Customer will be responsible for any non-negligible costs incurred by CaptivateIQ under this section.
CaptivateIQ will provide Customer with all such information as may be reasonably requested by Customer from time to time with regard to CaptivateIQ’s compliance with this DPA, and will allow for audits or assessments conducted by Customer, or another auditor mandated by Customer, by completing a data protection questionnaire of reasonable length not more than once annually. To the extent Customer is able to demonstrate that CaptivateIQ’s questionnaire responses do not provide sufficient information to demonstrate compliance with this DPA, Customer may conduct follow up interviews with CaptivateIQ’s personnel as needed.
Upon any termination or expiration of the Agreement and Customer’s instruction, or at any time upon Customer’s request, CaptivateIQ will immediately cease to process Customer Data and will promptly return or destroy Customer Data (excluding any back-up or archival copies which will be deleted in accordance with CaptivateIQ’s data retention schedule) in CaptivateIQ’s possession or control in accordance with the Agreement. Upon request, CaptivateIQ will confirm to Customer in writing that all Customer Data has been destroyed. The requirements in this paragraph do not apply to the extent that CaptivateIQ is required by applicable laws, including Privacy Laws, to retain some or all of Customer Data, in which event CaptivateIQ will isolate and protect Customer Data from any further processing except to the extent required by such laws.
12.1. Nature and Purpose of the Processing. The purpose of the processing of Customer Data is the performance of the contracted services in accordance with the Agreement.
12.2. Types of Customer Data Processed. Customer Data that is processed pursuant to the Agreement.
12.3. Duration. The processing will continue until the expiration or termination of the Agreement.
13.1. Ordering of Agreements. Where there is a conflict between this DPA and the Agreement, the provisions of this DPA will govern with respect to the subject matters herein.
14.1. CCPA means the California Consumer Privacy Act of 2018 (as amended by the CPRA).
14.2. CPRA means the California Privacy Rights Act.
14.3. Customer Content means any content, materials, software, data, formulas (meaning configurations or business logic), or other information that Customer or its Authorized Users provide to CaptivateIQ through the Services.
14.4. Customer Data means any Personal Data included in Customer Content processed by CaptivateIQ on Customer’s behalf under the Agreement.
14.5. Personal Data has the meaning assigned to the terms “personal information” or “personal data” under applicable Privacy Laws.
14.6. Privacy Laws means applicable state, federal, and international data protection and privacy laws and regulations to which Customer Data or the Services is subject, which may include but are not limited to, the EU General Data Protection Regulation 2016/679, the CCPA, the CPRA, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act.
14.7. SCCs or Standard Contractual Clauses means the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
14.8. Security Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access of Customer Data.
14.9. Subprocessors means the third party entities to which CaptivateIQ may subcontract the processing of Customer Data. A current list of CaptivateIQ’s Subprocessors can be found at: https://www.captivateiq.com/data-subprocessors.
This Exhibit A forms part of the DPA. Capitalized terms not defined herein will have the meaning set forth in the DPA.
CaptivateIQ provides a software solution for commission management and is committed to achieving and maintaining the trust of its customers. CaptivateIQ takes trust very seriously and has systems and procedures in place which are designed to protect access to customer accounts and Customer Data (as defined in this DPA). These technical and organizational measures provide an overview of CaptivateIQ’s data security practices and procedures regarding the Services. Some of the security controls for the Services that are described in this Exhibit A are implemented in connection with reputable security service providers and the security controls of other trusted service providers. CaptivateIQ has built programs and mechanisms to align with industry standards on security and privacy. A detailed list of the security and privacy controls is described in our SOC2 Type II audit report with mappings to ISO 27001, NIST 800-53 (Moderate level), HITRUST CSF, HIPAA, and GDPR security requirements; this report is available upon request to valid customers.
The Services are built on Amazon Web Services (“AWS”). CaptivateIQ has implemented industry standard security practices for AWS and continues to advance practices to help ensure the confidentiality, integrity and availability of data that CaptivateIQ’s customers provide to CaptivateIQ through the Services (the “Customer Data”). Information about security and privacy-related audits and certifications received by AWS, including information on its ISO 27001 certification and Service Organization Control (SOC) reports, is available on the AWS Compliance Programs Website. More information about AWS’ compliance program can be found on the AWS Compliance Website and in this section of the Amazon Web Services: Risk and Compliance Whitepaper. Details on AWS’ security program can be found on the AWS Cloud Security Website and in this Introduction to AWS Security Whitepaper.
The Services are hosted on AWS and delivered via a trusted Content Delivery Network (CDN). CaptivateIQ leverages the security controls provided by these platforms, including Web Application Firewall, DDoS mitigation, and security assessments at the web and DNS (Domain Name System) layers, to help protect against various kinds of application attacks. Services, protocols, and ports of CaptivateIQ’s systems are restricted to only those required to run the Services.
CaptivateIQ performs frequent vulnerability scans of its systems. The discovery of any security issue is logged in a vulnerability management process and remediated as deemed appropriate based on a risk assessment of the vulnerability.
Logs from all systems which provide services to CaptivateIQ’s Services platform are sent to a centralized logging service to enable security reviews and analysis for security events, such as intrusions and threats. Alerts are correlated and enhanced with threat intelligence from the industry.
CaptivateIQ reviews logs for security and performance-related events. CaptivateIQ continuously monitors the Services for unauthorized intrusions and other malicious activities leveraging industry-standard tools. All events and incidents are closed out upon completed review.
Procedures and processes are in place to perform forensic analysis of a Security Breach if it were to occur. Breach notification to impacted customers is within 72 hours of CaptivateIQ becoming aware of a Security Breach (or sooner if feasible for CaptivateIQ).
Access management controls are enforced to prevent unauthorized access to Customer Data. Two-factor authentication (2FA) is enabled for all accounts with access to CaptivateIQ's internal systems (collectively, “CaptivateIQ Internal Systems”). Below are additional controls in place:
Access to CaptivateIQ Internal Systems is automatically revoked based on inactivity after a defined timeframe to reduce risk exposure and enforce the policy of least privilege access. In addition, frequent reviews are completed to help ensure that access is aligned with CaptivateIQ’s least privilege access policy.
The Services are hosted in production data centers that have physical, operational, and environmental security controls in place. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, and are also supported by on-site back-up generators in the event of a power failure. Physical access to the production data centers is limited to authorized personnel subject to multi-factor authentication measures and to approved third parties escorted by authorized personnel. The facilities are also monitored by on-premises security guards and protected by additional physical security measures such as surveillance and intrusion detection systems.
All Customer Data entered into the Services, up to the last committed transaction, is automatically replicated on a near real-time basis at the database layer and is backed up regularly on secure, encrypted, and redundant storage.
The CaptivateIQ Services platform currently has business continuity and disaster recovery plans with the following target recovery objectives:
CaptivateIQ maintains reserved instances in different regions as a backup for the failure of the primary region.
In addition, CaptivateIQ’s hosting provider (i) utilizes disaster recovery facilities that are geographically diverse from its primary data centers, along with required hardware, software, and Internet connectivity, in the event production facilities at the primary data centers were to be rendered unavailable, and (ii) has disaster recovery plans in place that are tested at least annually to validate the ability to failover a production instance from the primary data center to a secondary data center utilizing developed operational and disaster recovery procedures and documentation. CaptivateIQ also performs regular tests of its own business continuity and disaster recovery plans.
CaptivateIQ uses software and other industry-standard measures to limit the risk of exposure to software viruses, malware and other known indicators of compromise.
Customer Data in transit is encrypted using TLS 1.2 or higher. Customer Data is encrypted at rest with AES-256, block-level storage encryption. Keys are managed by AWS Key Management Service, and individual volume keys are stable for the lifetime of the volume. All backup files are stored in an encrypted S3 bucket in the US region.
Customer Data of a CaptivateIQ customer will be deleted within 60 days following (i) termination of the Agreement with such customer for any reason, and (ii) CaptivateIQ’s receipt of such customer’s written request that their Customer Data be deleted. This process is subject to applicable legal requirements and CaptivateIQ’s right to retain certain Customer Data as permitted under applicable laws. When CaptivateIQ deletes Customer Data, such Customer Data is securely deleted in AWS; AWS decommissions media using techniques detailed in NIST 800-88 (Guidelines for Media Sanitization).
CaptivateIQ has policies and mechanisms to enable developers to identify security issues (security bugs, third party vulnerabilities, misconfigurations, etc.) in the development process. The tools utilized complete automated scans on each change and provide CaptivateIQ with information and guidance on how to remediate the issues before deployment. In addition, all changes are peer reviewed for alignment with defined secure software development practices.
CaptivateIQ infrastructure is built using infrastructure as code frameworks to automate the build and scale of the production workload. All code is scanned and reviewed for security and performance impacts before deployment.
CaptivateIQ user endpoints are managed to follow industry standards on security. In addition, policies and technical mechanisms are in place to restrict access to Customer Data from only CaptivateIQ managed endpoints.
CaptivateIQ has enabled continuous monitoring tools to assess the security of its systems and services on a real-time basis and identify possible issues. Any identified issue is reviewed and remediated as deemed appropriate based on the severity of the issue.
CaptivateIQ completes annual audits against SOC1 and SOC2 security requirements; audit reports are available upon request to valid customers. The SOC2 Trust criteria cover the following areas:
CaptivateIQ maintains a bug bounty program to allow for security reviews of its application and infrastructure by top security researchers, with the objective to identify security bugs or misconfiguration leading to material impact on CaptivateIQ’s security controls.
This Exhibit B forms part of the DPA and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Exhibit B have the meanings given to them in the DPA.
The parties agree that the following terms will supplement the Standard Contractual Clauses:
The parties agree that: (i) a new Clause 1(e) is added to the Standard Contractual Clauses which will read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities will be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which will read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must notify data exporter of any new subprocessors in accordance with Section 6 of the DPA; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).
Annex I to the Standard Contractual Clauses will read as follows:
A. List of Parties
Data Exporter: Customer.
Data Importer: CaptivateIQ.
B. Description of the Transfer:
Categories of data subjects whose personal data is transferred: Customer’s employees, agents, advisors, and contractors who are natural persons, and users authorized by Customer to use the Services.
Categories of personal data transferred: Customer may submit Customer Data to the Services, the extent of which is determined and controlled by Customer in Customer’s sole discretion, and which may include, but is not limited to the following categories of Customer Data: Names and contact details, e-mail, job title, unit/department, location, supervisor(s) and subordinate(s), employee identification number, employment status and type, compensation information, including bonus and sales commission eligibility, quotas, commission rates and on target earnings, objectives, coaching and job performance information.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: To CaptivateIQ’s knowledge, no sensitive data is transferred.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Customer Data is transferred on account of Customer uploading or providing such data to the Services.
Nature of the processing: The Services.
Purpose(s) of the data transfer and further processing: The Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: CaptivateIQ will retain Customer Data in accordance with the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter, nature, and duration as identified above.
C. Competent Supervisory Authority: The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.
D. Additional Data Transfer Impact Assessment Questions:
Will data importer process any personal data under the Clauses about a non-United States person that is “foreign intelligence information” as defined by 50 U.S.C. § 1801(e)?
Not to CaptivateIQ’s knowledge.
Is data importer subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where personal data is stored or accessed from that would interfere with data importer fulfilling its obligations under the Clauses? For example, FISA Section 702. If yes, please list these laws:
As of the effective date of the DPA, no court has found CaptivateIQ to be eligible to receive process issued under the laws contemplated by this question, including FISA Section 702, and no such court action is pending.
Has data importer ever received a request from public authorities for information pursuant to the laws contemplated by the question above? If yes, please explain:
No.
Has data importer ever received a request from public authorities for personal data of individuals located in European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain:
No.
E. Data Transfer Impact Assessment Outcome: Taking into account the information and obligations set forth in the DPA and, as may be the case for a party, such party’s independent research, to the parties’ knowledge, Customer Data originating in the European Economic Area, Switzerland, and/or the United Kingdom that is transferred pursuant to the Clauses to a country that has not been found to provide an adequate level of protection under applicable data protection laws is afforded a level of protection that is essentially equivalent to that guaranteed by applicable data protection laws.
F. Clarifying Terms: The parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Clauses will be provided upon Customer’s written request; (ii) the measures CaptivateIQ is required to take under Clause 8.6(c) of the Clauses will only cover CaptivateIQ’s impacted systems; (iii) the audit described in Clause 8.9 of the Clauses will be carried out in accordance with Section 10 of the DPA; (iv) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses; (v) unless otherwise stated by CaptivateIQ, Customer will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Clauses; and (vi) the information required under Clause 15.1(c) of the Clauses will be provided upon Customer’s written request.
Annex II of the Standard Contractual Clauses will read as follows:
CaptivateIQ will implement and maintain technical and organizational measures designed to protect Customer Data in accordance with the DPA.
Pursuant to Clause 10(b), CaptivateIQ will provide Customer assistance with data subject requests in accordance with the DPA.
A new Annex III will be added to the Standard Contractual Clauses and will read as follows:
The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.
Table 1: The start date in Table 1 is the effective date of the DPA. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.
Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the DPA.
Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.
Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.
General Guidance
Defined as General questions about functional use of the CaptivateIQ Services.
Basic Support
Premier Support - if Purchased
Systems Impaired
Defined as the CaptivateIQ Services not functioning and causing mission-critical business operations to be non-operational.
Basic Support
Premier Support - if Purchased
Commission Plan Configuration
Defined as Commission Plan implementation questions related to the CaptivateIQ Services.
Basic Support
Premier Support - if Purchased
Issue Type: Severity 1
Critical Business Impact
Action Plan
Criteria
Issue Type: Severity 2
Significant Business Impact
Action Plan
Criteria
Issue Type: Severity 3
Moderate Business Impact
Action Plan
Criteria
Issue Type: Severity 4
Minimal Impact
Action Plan
Criteria