“Applicable Laws” means any and all governmental laws, rules, directives, regulations or orders that are applicable to a particular Party’s performance under thisDPA, which may include, as applicable, EU Data Protection Law, the California Consumer Privacy Act of 2018, sections 1798.100 through 1798.199 of the CaliforniaCivil Code (“CCPA”), and the Brazilian Federal Law 13,709 (“LGPD”).
“EEA” means the European Economic Area, which constitutes the member states of the European Union (“EU”) and Norway, Iceland and Liechtenstein, as well as for purposes of this DPA, the United Kingdom.
“EU Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to theProcessing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act2018 (the “UK GDPR”).
“Personal Data” means any information relating to an identified or identifiable individual or any other information defined as 'personal data' or 'personal information' under Applicable Laws.
“Security Documentation” means the security documents located at https://Intrro.com/help/categories/security/ as amended from time to time, or as otherwise made available by Intrro;
“Standard Contractual Clauses” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of4 June 2021, available here; and (ii) where the UK GDPR applies, the standard data protection clauses for processors adopted pursuant to or permitted under Article 46 of the UK GDPR(“UK SCCs”); in each case as may be amended, superseded or replaced from time to time;
“Subsidiary” means any entity that directly or indirectly controls, is controlled by, or is under common control of a party. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of a party;
“Sub-Processor” means any person or entity engaged by us (including a Subsidiary)to process Customer Personal Data in the provision of the Services to the Customer.
As used in Sections 2 through Section 11 herein, “Customer Personal Data” shall referto Customer Data comprising Personal Data of Data Subjects located in the EEA andterms such as “Data Subject”, “Processing”, “Controller”, “Processor”, “Personal Data Breach”, and “Supervisory Authority” that are defined in the GDPR.
Other capitalized terms not otherwise defined in this DPA shall have the respective meanings assigned to them in Section 1 above.
An overview of the categories of Data Subjects, types of Customer Personal Databeing Processed and the nature and purpose of the Processing is provided inAppendix 1. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data under EU Data Protection Law and this DPA, Customer isthe Controller and Intrro is the Processor. Each Party will comply with its respectiveobligations under EU Data Protection Law with respect to the Processing of Customer Personal Data.
By entering into this DPA, Customer instructs Intrro to Process Customer Personal Data: (a) to provide the Services in accordance with the features and functionality ofthe Services and related documentation; (b) to enable Customer’s authorizeduser-initiated actions on and through the Services; (c) as set forth in the Agreement and applicable Orders; and (d) as further documented by written instructions given byCustomer. Notwithstanding the foregoing, Intrro will inform Customer promptly if itbecomes aware that Customer’s instructions may violate applicable EU Data Protection Law.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood andseverity for the rights and freedoms of Data Subjects, Intrro shall in relation to Customer Personal Data implement appropriate technical and organizational measuresto ensure a level of security appropriate to that risk (including those outlined in Annex 2of this DPA, (“Security Measures”). In assessing the appropriate level of security, Intrro shall take into account the risks that are presented by Processing Customer Personal Data including, in particular, the risks presented by a Customer Personal DataBreach (as defined in Section 6). Intrro may make such changes to the Security Measures as Intrro deems necessary or appropriate from time to time, including without limitation to comply with applicable law, but no such changes will materially reduce the overall level of protection for Customer Personal Data. Intrro will take appropriate stepsto ensure compliance with the Security Measures by its employees, agents, contract or sand Sub-Processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Customer Personal Data have agreedto appropriate obligations of confidentiality.
If Intrro receives a request from a Data Subject in relation to Customer Personal Data then, to the extent legally permissible, Intrro will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. Customer hereby agrees that Intrro may confirm to a Data Subject that his or her requests relates to Customer. To the extent Customer is unable through its use of the Services to address a particular Data Subject request, Intrro will, upon Customer’s request and taking into account the nature of Customer Personal Data Processed, provide reasonable assistance in addressing the Data Subject request (provided Intrro is legally permitted to do so and that the Data Subject request was made in accordance with EU Data Protection Law). To the extent permitted by Applicable Law, Customer shall be responsible for any costs arising from Intrro’s provision of such assistance.
The Controller acknowledges and agrees that:(a) subsidiaries of the Processor may be used as Sub-Processors; and(b) the Processor and its Subsidiaries respectively may engage Sub Processors in connection with the provision of the Services. As a condition to permitting a Sub-Processor to Process Customer Personal Data, Intrro or will enter into a written agreement with the Sub-Processor containing data protection obligations no less protective than those in this DPA with respect to Customer Personal Data. Subject to this Section 7, Intrro reserves the right to engage and substitute Sub-Processors as it deems appropriate, but shall:(a) remain responsible to Customer for the provision of the Services and (b) be liable for the actions and omissions of its Sub-Processors undertaken in connection with Intrro’s performance of this DPA to the same extent Intrro would be liable if performing the Services directly. Intrro’s current list of Sub-Processors is available at https://Intrro.com/help/data-subprocessors/.During the term of this DPA, the Intrro shall provide the Customer with at least 14 days notification, via email (or in-application notice), of any changes new Sub- Processor(s)who may process Customer Personal Data before authorizing any new or replacementSub-Processor(s) to process Customer Personal Data in connection with the provision of the Services. If the Customer objects to a new or replacement Sub-Processor within14 days of such notice, and Intrro is unable to take corrective steps to exclude suchSub-Processor, then the either party may terminate the Agreement with respect to those Services which cannot be provided by the Intrro without the use of the new or replacement Sub- Processor. Intrro will refund the Customer any prepaid fees covering the remainder of the Term of the Agreement following the effective date of termination with respect to such terminated Services. If the Customer does not provide a timely objection notice with respect to a new Sub-Processor, Customer will be deemed tohave authorized Intrro to use of the Sub-Processor and to have waived its right to object. Intrro may use a new or replacement Sub- Processor while the objection procedures under this Section 7 are in process.
The Controller acknowledges and agrees that:
(a) subsidiaries of the Processor may be used as Sub-Processors; and
(b) the Processor and its Subsidiaries respectively may engage Sub Processors in connection with the provision of the Services.
As a condition to permitting a Sub-Processor to Process Customer Personal Data, Intrro or will enter into a written agreement with the Sub-Processor containing data protection obligations no less protective than those in this DPA with respect to Customer Personal Data. Subject to this Section 7, Intrro reserves the right to engage and substitute Sub-Processors as it deems appropriate, but shall:(a) remain responsible to Customer for the provision of the Services and (b) be liable for the actions and omissions of its Sub-Processors undertaken in connection with Intrro’s performance of this DPA to the same extent Intrro would be liable if performing the Services directly.
Intrro’s current list of Sub-Processors is available here.
During the term of this DPA, the Intrro shall provide the Customer with at least 14 days notification, via email (or in-application notice), of any changes new Sub- Processor(s)who may process Customer Personal Data before authorizing any new or replacementSub-Processor(s) to process Customer Personal Data in connection with the provision of the Services. If the Customer objects to a new or replacement Sub-Processor within14 days of such notice, and Intrro is unable to take corrective steps to exclude suchSub-Processor, then the either party may terminate the Agreement with respect to those Services which cannot be provided by the Intrro without the use of the new or replacement Sub- Processor. Intrro will refund the Customer any prepaid fees cover ingthe remainder of the Term of the Agreement following the effective date of termination with respect to such terminated Services. If the Customer does not provide a timely objection notice with respect to a new Sub-Processor, Customer will be deemed to have authorized Intrro to use of the Sub-Processor and to have waived its right to object. Intrro may use a new or replacement Sub- Processor while the objection procedures under this Section 7 are in process.
Where required by EU Data Protection Law, Intrro will allow Customer (directly or through a third-party auditor subject to written confidentiality obligations) to conductan audit of Intrro’s procedures relevant to the protection of Customer Personal Data to verify Intrro’s compliance with its obligations under this DPA. In such case, any audit conducted under this DPA shall consist of examination of the most recent reports, certificates and/or extracts prepared by an independent auditor bound by confidentiality provisions similar to those set out in the Agreement. In the event that provision of the same is not sufficient under EU Data Protection Law, the Customer may at its own expense conduct a more extensive audit which will be:
(a) limited in scope to matters specific to the Customer and agreed in advance with the Intrro;
(b) carried out during EU business hours and upon reasonable notice which shall be not less than 4 weeks unless an identifiable material issue has arisen; and
(c) conducted in a way which does not interfere with the Intrro’s day-to-daybusiness;
(d) undertaken no more than once in any 12-month period, except where required by a competent Supervisory Authority or where an audit is required due to a Customer Personal Data Breach.
To that end and before the commencement of any such audit, Customer and Intrro shall mutually agree upon the audit’s participants, schedule and scope, which shall in no event permit Customer or its third-party auditor to access the Services’ hosting sites, underlying systems or infrastructure. Representatives of Customer performing an audit shall protect the confidentiality of all information obtained through such audits in accordance with the Agreement, may be required to execute an enhanced mutually agree able nondisclosure agreement and shall abide by Intrro’s security policies while on Intrro’s premises. Upon completion of an audit, Customer agrees to promptly furnish to Intrro any written audit report or, if no written report is prepared, to promptly notify Intrro of any non-compliance discovered during the course of the audit. Customer shall reimburse Intrro for its time expended in connection with an audit at Intrro’sthen-current professional service rates, which shall be made available to Customer upon request and shall be reasonable taking into account the time and effort required by Intrro.
Intrro will provide Customer with reasonable cooperation, information and assistance as needed to fulfill Customer’s obligation under EU Data Protection Law, including as needed to carry out a data protection impact assessment related to Customer’s use of the Services (in each case to the extent Customer does not otherwise have access to the relevant information, and such information is in Intrro’s control). Without limiting the foregoing, Intrro shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section to the extent required by EU Data Protection Law.
Customer may delete Customer Personal Data using the functionality provided by the Services. For certain deletions, a recovery feature is offered by Intrro to enable recovery from accidental deletions for up to 30 days. This recovery period may be overridden by Intrro upon request by Customer. After any recovery period, Intrro will permanently delete the Customer Personal Data from the live systems. On termination of any applicable Order, the Customer has the option to request the return or deletion of Customer Personal Data. This request must be made within 30 days of termination. Intrro will make the data available for download by the Customer using functionality provided by the Services in a machine-readable format. Thereafter the Intrro will permanently delete the Customer Personal Data from the live systems in any event. Following permanent deletion of Customer Personal Data from the live systems, partial data resides on the Intrro’s archival and backup systems for a period of up to 14 days.
Subject to the terms and conditions of the Agreement and EU Data Protection Law,Intrro currently makes available the Standard Contractual Clauses as a transfer mechanism. The Standard Contractual Clauses apply to any transfer of CustomerPersonal Data under this DPA from the EEA to a country which is not deemed tohave Adequacy (to the extent such transfers are subject to EU Data Protection Law).The Standard Contractual Clauses and the terms of this Section 11 apply to the legalentity that executed the Standard Contractual Clauses as “data exporter” and its Participating Affiliates, all of which shall be deemed “data exporters.” For the purposes of the EU SCCs:
(i) the module two (controller to processor) terms shall apply to the extent Customer is a Controller of Customer Personal Data and the module three (processor to processor) terms shall apply to the extent Customer is a Processor of the Customer Personal Data;
(ii) Clause 9, Option 2 of the applicable module of the EU SCCs shall apply and Intrro may engage Sub-Processors as described in Section 7 of this DPA;
(iii) in Clause 11, the optional language shall be deleted;
(iv) the audits described in Clauses 8.3 and 8.9 of the applicable module of the EU SCCs shall be carried out as set out in and subject to the requirements of Section 8 of this DPA;
(v) pursuant to Clauses8.5 and 16(d), upon termination of this DPA, Customer Personal Data will be returned and/or destroyed in accordance with Section 11 of this DPA;
(vi) in Clause17, Option 1 shall apply and the EU SCCs shall be governed by Irish law;
(vii) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(viii) the Annexes of the EU SCCs shall be populated with the information set out in the Annexes to this Addendum. For the purposes of the UK SCCs:
(ix) the Appendices or Annexes of the UK SCCs shall be populated with the relevant information set out in the Annexes to this Addendum; and
(x) the UK SCCs shall be governed by the laws of and disputes shall be resolved before the courts of England and Wales. If and to the extent the Standard Contractual Clauses conflict with any provision of this Add end um regarding the transfer of Customer Personal Data from Customer to Intrro, the Standard Contractual Clauses shall prevail to the extent of such conflict.
As used in this Section 12, “Commercial Purpose”, “Consumer”, “Persona lInformation”, “Sell”, and “Service Provider” have the meanings assigned to them in the CCPA.
If Customer Data comprises Personal Data subject to the CCPA (“CCPA Covered Data”), Intrro is the Service Provider and, consistent with the requirements of the CCPA, shall not (a) Sell the CCPA Covered Data or (b) retain, use or disclose the CCPA Covered Data: (i) for any purpose, including any Commercial Purpose, other than for the specific purpose of providing and supporting the Services or (ii) outside of the Parties’ direct business relationship. Intrro certifies that it understands these restrictions and will comply with them. Customer acknowledges nothing in this Paragraph removes or lessens Customer’s obligations with respect to Personal Data under the Agreement or this DPA.
Customer will be responsible for responding to Consumer requests in relation to CCPA Covered Data (each, a “Consumer Request”). If Intrro receives a Consumer Request then, to the extent legally permissible, Intrro will advise the Consumer to submit the Consumer Request to Customer, and Customer agrees that Intrro may confirm to a Consumer that the Consumer Request relates to Customer. To the extent Customer is unable through its use of the Services to address a particular Consumer Request, Intrro will, upon Customer’s request and taking into account the nature of the CCPA Covered Data, provide reasonable assistance in addressing the Consumer Request(provided Intrro is legally permitted to do so and that Customer has verified the request in accordance with the CCPA).
If Customer Data comprises Personal Data subject to the LGPD (“LGPD Covered Data”), then Customer Personal Data, as the term is used in Sections 2 through 10 ofthis DPA above, shall be deemed to include LGPD Covered Data.
Without limiting its responsibilities under the Agreement, Customer is solely responsible for: (a) Account Data, Customer Credentials (including activities conducted with login credentials), and Customer Data, subject to Intrro’s Processing obligations under the Agreement and this DPA; (b) providing any notices required by Applicable Laws to, and receiving any required consents and authorizations required by Applicable Laws from, persons whose Personal Data may be included in Account Data, Customer Credentials, and Customer Data; and(c) ensuring no Personal Data relating to criminal convictions and offenses (GDPRArticle 10) are submitted for Processing by the Services. Further, no provision of this DPA includes the right to, and Customer shall not, directly or indirectly, enable any person or entity other than its authorized users to access and use the Services or use(or permit others to use) the Services other than as described in the applicable Order, the Agreement and this DPA, or for any unlawful purpose.
Each Party’s (and each of its Affiliate’s) liability taken together in the aggregate, arising out of or related to this DPA, including without limitation under the StandardContractual Clauses, whether in contract, tort, or under any other theory of liability, issubject to the limitation of liability provisions of the Agreement, except to the extentsuch liability cannot be limited under Applicable Law.
Unless earlier terminated as provided herein, this DPA shall terminate automatically together with termination or expiry of the Agreement
This DPA may be executed in counterparts, each of which shall be deemed anoriginal, but all of which together shall be deemed to be one and the sameagreement. Delivery of an executed counterpart of a signature page to this DPA byfax or by email of a scanned copy, or execution and delivery through an electronic signature service (such as Panda Doc), shall be effective as delivery of an original executed counterpart of this DPA.
Individuals about whom data is uploaded to the Services by (or at the direction of) the data exporter or by its authorized users, Subsidiaries, and other participants whom the data exporter has granted the right to access the Services in accordance with the provisions of the Agreement.
The Personal Data transferred may include but is not limited to the following categories of data:
Any data uploaded to the Services by (or at the direction of)the data exporter or by its authorized users, Subsidiaries and other participants whom the data exporter has granted the right to access the Services in accordance with the provisions of the Agreement.
Special categories of data, if any, may be uploaded to the Services, by (or at the direction of) the data exporter or by its authorized users, Subsidiaries and other participants whom the data exporter has granted the right to access the Services in accordance with the provisions of the Agreement, in compliance with Applicable Law, and may include:
At data exporter’s discretion in using the Services, during
Customer Personal Data transferred will be processed in accordance with the Agreement and any Order, and may be subject to the following basic processing activities:
(a) Customer Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Agreement and the data exporter’s instructions. The data importer processes Personal Data only on behalf of the data exporter. Processing operations include, but are not limited to the provision of the Services– this operation relates to all aspects of Personal Data processed.
(b) Technical support, issue diagnosis and error correction to ensure the efficient and proper running of the system sand to identify, analyze and resolve technical issues both generally in the provision of the Services and specifically in answer to a data exporter query. This operation may relate to all aspects of Personal Data processed but will be limited to metadata where possible.
(c) URL scanning for the purposes of the provision of targeted threat protection and similar service which maybe provided under the Agreement. This operation relates to attachments and links in emails and will relate to any Personal Data within those attachments or links which could include all categories of Personal Data.
(d) Disclosures in accordance with the Agreement, as compelled by Applicable Law.
Personal Data is processed for the purposes of providing the Services in accordance with the Agreement and any applicable Order.
Personal Data will be retained until termination or expiry of the Agreement, in accordance with Section 10 of this DPA.
Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2)without however having to appoint a representative pursuant to Article 27(2) of Regulation(EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located shall act as competent supervisory authority.
Data importer has implemented and will maintain the technical and organizational security measures identified in the Security Documentation, which is posted to: https://Intrro.com/help/categories/security/.
These security measures are applicable to Customer Personal Data processed in the Services.
The data exporter has authorized the use of the Sub-Processors identified in Section 7 of the DPA.
Can my organization request to modify the DPA?
We are unable to accept modifications to our DPA.
Have you adopted the new Standard Contractual Clauses?
Yes. In light of the new Standard Contractual Clauses adopted and approved by the European Commission, we have updated out DPA to incorporate the SCCs. You can learn more at New SCCs & the GDPR.
Contact our support team with any specific requests on questions, and you can expect us to reach back to you within 24 hours!