Vendor Data Protection Addendum
Version 2.0, Published January 25, 2025
Last updated
This Data Protection Addendum (“Addendum”) is entered into between Dispel, LLC & Dispel Global, Inc (“Dispel”) and Vendor (each a “Party” and collectively, the “Parties”). This Addendum supplements and forms part of any existing, current, or future agreement between the Parties (any such agreement being individually or together referred to as the “Agreement”). This Addendum will be in effect as of the effective date of the Agreement (“Effective Date”); provided, however, the relevant obligations apply only to the extent that (i) Personal Data is subject to the Applicable Data Privacy Laws; and (ii) an Applicable Data Privacy Law has taken effect.
In the event of a conflict between this Addendum and the Agreement, the Addendum will control to the extent necessary to resolve the conflict. In the event the Parties use an International Data Transfer Mechanism and there is a conflict between the obligations in that International Data Transfer Mechanism and this Addendum, the International Data Transfer Mechanism will control.
Capitalized terms used but not defined have the meanings given in the Agreement.
“Applicable Data Privacy Laws” means all data protection and privacy laws applicable to the Processing of Personal Data under the Agreement, including, but not limited to, the California Consumer Privacy Act (“CCPA”), as amended from time to time and including any regulations promulgated thereunder.
“Consent” means a Data Subject’s freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
“Controller” means the entity that determines the purposes and means of Processing Personal Data. “Controller” includes equivalent terms in other Applicable Data Privacy Laws, such as the CCPA-defined terms “Business” and “Third Party,” as context requires.
“Data Breach” means “breach of the security of the system,” “security breach,” “breach of security,” “breach of system security,” and other analogous terms referenced in Applicable Data Privacy Laws.
“Data Exporter” means the Party that (1) has a corporate presence or other stable arrangement in a jurisdiction that requires an International Data Transfer Mechanism and (2) transfers Personal Data to, or makes Personal Data available to, the Data Importer.
“Data Importer” means the Party that (1) is located in a jurisdiction that is not the same as Data Exporter’s jurisdiction and (2) receives Personal Data from the Data Exporter or is able to access Personal Data made available by the Data Exporter.
“Data Subject” means an identified or identifiable natural person.
“Personal Data” means information that is linked or linkable, directly or indirectly, to an identified or identifiable natural person. “Personal Data” includes equivalent terms in Applicable Data Privacy Laws, such as the CCPA-defined term “Personal Information,” as context requires.
“Processor” means an entity that Processes Personal Data on behalf of another entity. “Processor” includes equivalent terms in other Applicable Data Privacy Laws, such as the CCPA-defined term “Service Provider,” as context requires.
“Sensitive Data” means the following types and categories of data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status; genetic data; biometric data; neural data; government identification numbers; payment card information; unencrypted identifier or username in combination with a password or other access code that would allow access to an account; precise geolocation information; and information from a known child.
“Standard Contractual Clauses” means the European Union standard contractual clauses for international transfers from the European Economic Area (“EEA”) to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
“Subprocessor” means a Processor engaged by a Party that is itself acting as a Processor.
The following terms have the meanings assigned to them in Applicable Data Privacy Laws: “Business,” “Business Purpose,” “Cross-Context Behavioral Advertising,” “Process” (and its cognates), “Sale” (and its cognates), “Service Provider,” “Share” (and its cognates), and “Third Party.”
The Description of Processing Form describes the purposes of Parties’ Processing, the types or categories of Personal Data involved in the Processing, and the categories of Data Subjects affected by the Processing.
The Description of Processing Form lists the Parties’ statuses under Applicable Data Privacy Laws.
Some jurisdictions require that an entity transferring Personal Data to a recipient in another jurisdiction take extra measures to ensure that the Personal Data has special protections if the law of the recipient’s jurisdiction does not protect Personal Data in a manner equivalent to the transferring entity’s jurisdiction (an “International Data Transfer Mechanism”). Parties will comply with an International Data Transfer Mechanism, including the Standard Contractual Clauses, that may be required by Applicable Data Privacy Laws.
If the International Data Transfer Mechanism on which Parties rely is invalidated or superseded, Parties will work together in good faith to find a suitable alternative.
With respect to Personal Data of Data Subjects located in a jurisdiction that requires an International Data Transfer Mechanism (e.g., the EEA, Switzerland, or the United Kingdom) that Data Exporter transfers to Data Importer, or permits Data Importer to access, the Parties agree that by executing this Addendum they also execute the Standard Contractual Clauses, which will be incorporated by reference and form an integral part of the Agreement. Parties agree that, with respect to the elements of the Standard Contractual Clauses that require Parties’ input, Schedules 1-2 and the Description of Processing Form contain information relevant to the Standard Contractual Clauses and their Annexes. The Parties agree that, for Personal Data of Data Subjects in the United Kingdom, Switzerland, or another country specified in Schedule 2, they adopt the modifications to the Standard Contractual Clauses listed in Schedule 2 to adapt the Standard Contractual Clauses to local law, as applicable.
Compliance. The Parties will comply with their respective obligations under Applicable Data Privacy Laws, including by providing the same level of privacy protection that is required of Businesses under the CCPA.
Upon request, Vendor will provide reasonably relevant information to Dispel to enable Dispel to fulfill its obligations (if any) to conduct data protection assessments or prior consultations with data protection authorities.
Notification. Vendor will notify Dispel if it determines that it can no longer meet its obligations under Applicable Data Privacy Laws.
If Vendor is a Third Party with regard to Personal Data that is collected, exchanged, or otherwise Processed in connection with the Vendor’s performance of the Agreement (see Description of Processing Form), then:
Vendor acknowledges that Dispel is making Personal Data available to Vendor for the limited and specific purposes described in the Description of Processing Form and Vendor agrees to use such Personal Data only for such purposes and for no other purpose.
Vendor will not Sell or Share Personal Data made available to it by Dispel unless Vendor provides data subjects with notice and the opportunity to opt out of such Sharing or Selling.
Vendor will allow Dispel to take reasonable and appropriate steps to ensure that Vendor is using the Personal Data provided or made available to Vendor by or on behalf of Dispel, or obtained or collected by Vendor in connection with the purposes described in the Description of Processing Form, in a manner consistent with Dispel’s obligations under Applicable Data Privacy Laws.
Vendor will assist Dispel in complying with Data Subjects’ requests to opt out of Processing, in no event later than 15 business days after receiving the request, if Dispel notifies Vendor that it is required to do so under Applicable Data Privacy Laws. Vendor will forward the opt-out request to any other person to whom it has made the Personal Data available.
If Dispel discovers unauthorized use of Personal Data by Vendor, Dispel may, upon notice, take reasonable and appropriate steps to stop and remediate such unauthorized use.
If Vendor is a Controller of Personal Data that is collected, exchanged, or otherwise Processed in connection with the Vendor’s performance of the Agreement (see Description of Processing Form), then:
Vendor acknowledges and agrees that Vendor is independently responsible for compliance and will comply with Applicable Data Privacy Laws (e.g., obligations of Controllers).
Vendor agrees to be responsible for providing notice to Data Subjects as may be required by Applicable Data Privacy Laws and responding to Data Subjects’ requests to exercise their rights under Applicable Data Privacy Laws.
If Vendor receives any type of request or inquiry from a governmental, legislative, judicial, law enforcement, or regulatory authority, or faces an actual or potential claim, inquiry, or complaint in connection with the Parties’ Processing of Personal Data provided to Vendor by or on behalf of Dispel, its affiliates, or their respective end users, or obtained or collected by Vendor in connection with the purposes described in the Description of Processing Form (collectively, an “Inquiry”), then Vendor will notify Dispel without undue delay, but in no event later than ten (10) business days, unless such notification is prohibited by applicable law. Vendor will promptly provide Dispel with information relevant to the Inquiry, including any information relevant to the defense of a claim, to enable Dispel to respond to the Inquiry.
Vendor will have the obligations set forth in this SECTION 9 if it Processes the Personal Data of Data Subjects in its capacity as Dispel’s Processor or Service Provider; for clarity, these obligations do not apply to Vendor in its capacity as an Independent Controller or Third Party.
Scope of Processing
Vendor will Process Personal Data solely for the Business Purposes specified in the Description of Processing Form, to carry out its obligations under the Agreement, and to carry out Dispel’s documented instructions.
Processing any Personal Data outside the scope of the Agreement and this Addendum will require prior written agreement between Vendor and Dispel.
Vendor is prohibited from retaining, using, or disclosing the Personal Data (1) for any purpose other than the Business Purposes specified in the Description of Processing Form, including retaining, using, or disclosing the Personal Data for a commercial purpose other than carrying out Dispel’s instructions, (2) outside of the Parties’ direct business relationship, unless permitted by Applicable Data Privacy Laws, or (3) by combining Personal Data that Vendor receives from, or on behalf of, Dispel with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject, provided that Vendor may combine Personal Data to perform any Business Purposes permitted by Applicable Data Privacy Law.
Vendor will not Sell or Share the Personal Data that it collects or obtains pursuant to the Agreement.
Confidentiality. Vendor will ensure that each person who Processes Personal Data is subject to a duty of confidentiality with respect to such Personal Data.
Compliance.
Vendor will assist Dispel in complying with Data Subjects’ requests to delete and correct Personal Data under Applicable Data Privacy Laws when Dispel forwards such requests that it receives to Vendor, and will make available to Dispel any Personal Data in its possession that Dispel needs to respond to Data Subjects’ requests to access their Personal Data.
Vendor will make available to Dispel, upon Dispel’s reasonable request, all information in its possession necessary to demonstrate Vendor’s compliance with its obligations under Applicable Data Privacy Laws.
Permitted Activities. Notwithstanding the foregoing prohibitions, the Parties agree that Vendor may, and Dispel instructs Vendor to, Process Personal Data for the following activities when necessary to support the Business Purposes specified in the Description of Processing Form: to detect data security incidents; to protect against fraudulent or illegal activity; to effectuate repairs; and to maintain and improve the quality of the services provided for the Business Purposes specified in the Description of Processing Form.
Subprocessors. If Vendor discloses Personal Data to a Subprocessor for a Business Purpose, Vendor and Subprocessor will enter into a written contract that prohibits the Subprocessor from (i) Selling or Sharing Personal Data; or (ii) retaining, using, or disclosing Personal Data for any purpose other than for the specific Business Purpose for which the Personal Data was disclosed. Vendor will require any Subprocessor to comply with applicable obligations under Applicable Data Privacy Laws, including to provide the same level of privacy protection required of Businesses by the CCPA. Vendor must notify Dispel before engaging a new Subprocessor and give Dispel an opportunity to object to the engagement.
Duration of Processing, Deletion and Return of Personal Data. Vendor shall retain Personal Data for a period coterminous with the term of the Agreement. At the expiration or termination of the Agreement, or upon request by Dispel, Vendor will, without undue delay: (1) return all Personal Data to Dispel; or (2) upon request by Dispel, destroy all Personal Data, in each case unless applicable laws expressly require otherwise or the Parties agree otherwise expressly in writing. For any Personal Data that Vendor retains after expiration or termination of the Agreement, Vendor will continue to comply with this Addendum.
Assessment and Remediation.
Dispel may take reasonable and appropriate steps, as provided in Applicable Data Privacy Laws, to ensure Vendor Processes the Personal Data in a manner consistent with Dispel’s obligations under Applicable Data Privacy Laws, including by conducting reasonable assessments or audits, as provided by Applicable Data Privacy Laws. If Dispel and Vendor agree to an assessment by a qualified and independent third party, Vendor agrees to provide a report of such assessment to Dispel upon request.
If Dispel discovers unauthorized use of Personal Data by Vendor or Vendor’s Subprocessors, Dispel may, upon notice, take reasonable and appropriate steps to remediate such unauthorized use.
Vendor will implement appropriate technical and organizational measures to protect Personal Data from a Data Breach and to preserve the security and confidentiality of Personal Data, as set out in Schedule 1.
Upon becoming aware of a Data Breach, Vendor will:
Notify Dispel without delay of the Data Breach, but in any case, no later than 48 hours after becoming aware of or reasonably suspecting the Data Breach;
Promptly investigate or perform required assistance in the investigation of the Data Breach and provide Dispel with detailed information about the Data Breach, including a description of the Data Breach, the approximate number of Data Subjects affected, the Data Breach’s current and foreseeable impact, and the measures Vendor is taking to address the Data Breach and mitigate its effects; and
Promptly take all commercially reasonable steps to mitigate the effects of the Data Breach or assist Dispel in doing so.
Vendor will comply with this SECTION 10 at Vendor’s cost, unless the Data Breach arose from Dispel’s negligent or willful acts.
Vendor must obtain Dispel’s written approval before notifying any governmental entity, individual, the press, or other third party of a Data Breach that affected or reasonably could affect Personal Data that Vendor obtained from, or Processed on behalf of, Dispel. Notwithstanding anything to the contrary in this Addendum, Vendor may notify a third party about a Data Breach affecting Personal Data if it is under a legal obligation to do so, provided that Vendor must: (1) make every effort to give Dispel prior notification, as soon as possible, if it intends to disclose the Data Breach to a third party; and (2) if it is not possible to give Dispel such prior notification, notify Dispel immediately once it becomes possible to give notification. For any disclosure of a Data Breach to a third party, Vendor will, as part of its notification to Dispel, disclose the identity of the third party and a copy of the notification (if the notification to the third party has not been sent, Vendor will provide the draft to Dispel and permit Dispel to offer edits or updates).
Entire agreement. This Addendum is the Parties’ entire agreement on this subject and merges and supersedes all related prior and contemporaneous oral understandings, representations, prior discussions, letters of intent, or preliminary agreements.
No further amendment. Except as modified by this Addendum, the Agreement remains unmodified and in full force and effect.
Vendor shall adhere to Dispel’s Cybersecurity Requirements for Suppliers, found here: https://legal.dispel.com/supplier-policies/supplying-dispel/cyber-security-requirements
Jurisdiction-specific Obligations and Information for International Transfers
Generally. The parties agree that, for any jurisdiction not listed below that requires an International Data Transfer Mechanism, they hereby enter into and agree to be bound by the EEA Standard Contractual Clauses for transfers of personal data from that jurisdiction unless (1) the parties otherwise agree in writing or (2) a jurisdiction promulgates its own International Data Transfer Mechanism, in which case the parties hereby agree to negotiate an update to this DPA to incorporate such International Data Transfer Mechanism.
European Economic Area.
“EEA Standard Contractual Clauses” means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
For transfers from the EEA that are not subject to an adequacy decision or exception, the parties hereby incorporate the EEA Standard Contractual Clauses by reference and, by signing this DPA, also enter into and agree to be bound by the EEA Standard Contractual Clauses. The parties agree to select the following options made available by the EEA Standard Contractual Clauses.
Clause 9, Module 2(a): The parties select Option 2. The time period is 30 days.
Clause 9, Module 3(a): The parties select Option 2. The time period is 30 days.
Clause 11(a): The parties do not select the independent dispute resolution option.
Clause 17: The parties select Option 1. The parties agree that the governing jurisdiction is the Republic of Ireland.
Clause 18: The parties agree that the forum is the Republic of Ireland.
Annex I(A): The statuses of the parties as Controllers or Processors and as Data Exporters or Data Importers are described in Schedule 1.
Annex I(B): The parties agree that Schedule 1 describes the transfer.
Annex I(C): The competent supervisory authority is the Data Protection Commission (Ireland).
Annex II: The parties agree that Schedule 1 describes the technical and organizational measures applicable to the transfer.
Annex III: The parties agree that the Description of Processing Form describes the relevant subprocessors and their roles in processing personal data.
Switzerland. The parties agree to the following modifications to the EEA Standard Contractual Clauses to make them applicable to transfers of personal data from Switzerland.
The parties adopt the GDPR standard for all data transfers from Switzerland.
Clause 13 and Annex I(C): The competent authorities under Clause 13, and in Annex I(C), are the Federal Data Protection and Information Commissioner and, concurrently, the EEA member state authority identified above.
Clause 17: The parties agree that the governing jurisdiction is the Republic of Ireland.
Clause 18: The parties agree that the forum is the Republic of Ireland. The parties agree to interpret the EEA Standard Contractual Clauses so that data subjects in Switzerland are able to sue for their rights in Switzerland in accordance with Clause 18(c).
United Kingdom.
“IDTA” means the International Data Transfer Agreement issued by the UK Information Commissioner’s Office (“ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as modified by the ICO from time to time.
For transfers from the United Kingdom that are not subject to an adequacy decision or exception, the parties hereby incorporate the IDTA by reference and, by signing this DPA, also enter into and agree to be bound by the Mandatory Clauses of the IDTA.
Pursuant to Sections 5.2 and 5.3 of the IDTA, the parties agree that the following information is relevant to Tables 1 – 4 of the IDTA and that by changing the format and content of the Tables neither party intends to reduce the Appropriate Safeguards (as defined in the IDTA).
Table 1: The parties’ details, key contacts, data subject contacts, and signatures are in the signature block of the DPA.
Table 2:
The UK country’s law that governs the IDTA is: England and Wales
The primary place for legal claims to be made by the parties is: England and Wales
The statuses of the Data Exporter and Data Importer are described in Schedule 1.
The Data Importer represents and warrants that the UK GDPR does apply to its processing of personal data under the Agreement.
The relationship among the agreements setting forth data protection terms among the parties, including this Section, the DPA, and the Agreement, is described in Section 1 of the DPA.
The duration that the parties may process personal data is set forth in the DPA.
The IDTA is coterminous with the DPA. Neither party may terminate the IDTA before the DPA ends unless one of the parties breaches the IDTA or the parties agree in writing.
The Data Importer may transfer personal data to another organization or person (who is a different legal entity) if such transfer complies with the IDTA’s applicable Mandatory Clauses.
The parties will review the Security Requirements listed in Table 4, and the supplementary measures described in Schedule 1, to this DPA annually.
Table 3:
The categories of personal data, Sensitive Data, data subjects, and purposes of processing are described in Schedule 1. Such description may only be updated by written agreement of the parties.
Table 4:
The security measures adopted by the parties are described in Schedule 1 of this DPA. Such security measures may only be updated by written agreement of the parties.
The parties agree to adopt the additional technical, organizational, and/or contractual protections that may be required by their transfer impact assessment described in Schedule 1 of this DPA.