THIS DATA PROCESSING ADDENDUM (the "DPA") is by and between ORM TECHNOLOGIES, LLC, a Delaware limited liability company ("ORM") and CUSTOMER ("Customer"). ORM and Customer are referred to in this Agreement individually as a "Party", and collectively as the "Parties". Customer and ORM are parties to one or more commercial agreements (collectively, the "Agreement") and this DPA hereby modifies and amends the Agreement and is effective as of the last date of signature below.
This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data (defined below) is Processed (defined below) by ORM under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with applicable laws, including EU Data Protection Legislation (defined below), and with due respect for the rights and freedoms of individuals whose Personal Data are Processed.
1. Background.
In the course of providing certain Subscription Services ("Services") pursuant to the Agreement, ORM may process Customer Data as a Processor on behalf of Customer. This DPA is designed to ensure that ORM processes Customer Data in accordance with applicable data protection and privacy laws. This DPA will not be valid and legally binding if the signing Customer is not a party to the Agreement.
2. Data Processing Terms.
In providing the Services to Customer pursuant to the Agreement, ORM may Process Personal Data on behalf of Customer. ORM will comply with the provisions in this DPA with respect to its Processing of any Personal Data.
Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement.
For the purposes of this DPA:
(a) "Affiliate(s)" has the same meaning ascribed to it in the Agreement and, if not defined in the Agreement, the term means any legal entity directly or indirectly controlling, controlled by or under common control with a party, where control means the ownership of a majority share of the stock, equity or voting interests of such entity.
(b) "Controller" means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
(c) "Customer" means the non-ORM party to both the Agreement and this DPA that has access to ORM Services.
(d) "Customer Data" means any data, information or material originated by Customer that Customer submits to ORM through its use of Services or provides to ORM in the course of using the Services.
(e) "Data Subject" means the individual to whom Personal Data relates.
(f) "EEA" means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland and Liechtenstein, as well as, for the purposes of this DPA, Switzerland and the United Kingdom.
(g) "EU Data Protection Legislation" means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, including any applicable national implementations thereof, (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("General Data Protection Regulation" or "GDPR"), as amended, replaced or superseded, and (iii) the applicable data protection laws of Switzerland and the United Kingdom.
(h) "ORM" means the ORM entity that is a party to both the Agreement and this DPA, which may be ORM TECHNOLOGIES, LLC and/or any of its affiliates or subsidiaries.
(i) "Personal Data" means any Customer Data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(j) "Privacy Shield" means the EU-US and Swiss-US Privacy Shield self-certification programs operated by the U.S. Department of Commerce.
(k) "Privacy Shield Principles" means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded or replaced).
(l) "Processor" means an entity which Processes Personal Data on behalf of the Controller.
(m) "Process(ing)" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(n) "Supervisory Authority" means an independent public authority which is established by a country or jurisdiction and is charged with supervising the protection of Personal Data.
3. Applicability of DPA.
This DPA shall apply only to the extent Customer is established within the EEA and/or to the extent ORM Processes Personal Data of Data Subjects on behalf of Customer.
4. Roles and Responsibilities.
(a) Parties' Roles. Customer, as Controller, appoints ORM as a Processor to process the Personal Data on Customer's behalf. In some circumstances Customer may be a Processor, in which case Customer appoints ORM as Customer's sub-processor, which shall not change the obligations of either Customer or ORM under this DPA.
(b) Purpose Limitation. ORM shall Process Personal Data for the purposes set forth in the Agreement and only in accordance with the lawful, documented instructions of Customer, except where otherwise required by applicable law.
(c) Training. ORM shall ensure that its relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the Processing, protection and confidentiality of Personal Data.
(d) Compliance. ORM, as Processor, has complied and will continue to comply with all applicable privacy and data protection laws including EU Data Protection Legislation. Customer, as Controller, shall be responsible for ensuring that it has complied with all applicable laws and has the right to transfer Personal Data to ORM for Processing.
5. Security.
(a) Security. ORM shall implement appropriate technical and organizational measures taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk for the rights and freedoms of Data Subjects, designed to ensure a level of security appropriate to the risk.
(b) Confidentiality of Processing. ORM shall ensure that any person authorized to Process Personal Data shall be subject to a duty of confidentiality that shall survive the termination of their employment and/or contractual relationship.
(c) Security Incidents. Upon becoming aware of a Security Incident, ORM shall notify Customer without undue delay, within no more than seventy-two (72) hours, and shall provide timely information to enable Customer to fulfil any data breach reporting obligations. ORM will take steps to immediately identify and remediate the cause of such Security Incident.
6. Sub-processing.
(a) Sub-processors. Customer agrees that ORM may engage ORM Affiliates and third party sub-processors (collectively, "Sub-processors") to Process Personal Data on ORM's behalf. ORM will provide a Sub-processor List upon written request and shall impose data protection terms that protect Personal Data to the same standard as this DPA.
(b) Changes to Sub-processors. ORM may, by giving no less than thirty (30) days' notice, add or make changes to Sub-processors. Customer may object within fourteen (14) calendar days on reasonable grounds. If the objection cannot be resolved within 30 days, either party may terminate the Agreement.
(c) Emergency Replacement. ORM may replace a Sub-processor if the need is urgent and beyond ORM's reasonable control, with notification as soon as reasonably practicable.
7. Cooperation.
(a) Data Subjects' Rights. ORM shall provide commercially reasonable assistance to enable Customer to respond to Data Subject requests for access, correction, restriction, objection, erasure or data portability under EU Data Protection Legislation.
(b) Supervisory Authorities. ORM shall notify Customer without undue delay if a Supervisory Authority or law enforcement authority makes any inquiry or request for disclosure regarding Personal Data.
(c) Data Protection Impact Assessments. ORM shall, to the extent required by EU Data Protection Legislation, provide Customer with reasonable assistance with data protection impact assessments and prior consultations with Supervisory Authorities.
8. Security Reports and Audits.
Any provision of security attestation or audit reports (such as SOC 2, Type II, or equivalent) shall take place in accordance with Customer's rights under the Agreement. ORM shall provide a copy of its most current security report upon written request. ORM shall allow Customer to conduct an on-site audit of procedures relevant to the protection of Personal Data, subject to confidentiality provisions, with ORM reserving the right to charge a reasonable fee.
9. Deletion or Return of Customer Data.
Upon termination or expiration of the Agreement, ORM shall delete or make available to Customer for retrieval all relevant Personal Data (including copies) in ORM's possession, save to the extent ORM is required by applicable law to retain some or all of the Personal Data.
10. Privacy Shield.
(a) During the term, ORM shall either certify under the Privacy Shield or comply with the protection requirements and principles of the Privacy Shield.
(b) ORM shall promptly notify Customer if it ceases to be certified under or compliant with the Privacy Shield.
(c) ORM shall impose on Sub-processors data protection terms that protect Personal Data to the same standard as the Privacy Shield Principles.
(d) ORM will facilitate reasonable steps to ensure Personal Data is Processed consistently with Privacy Shield obligations.
11. Standard Contractual Clauses.
(a) The Standard Contractual Clauses are set forth in Exhibit 1.
(b) The term "data importer" means ORM.
(c) The term "data exporter" means Customer and its Affiliates.
(d) Clause 5(f) will be satisfied by compliance with Section 8 of this DPA.
(e) Clause 5(h) will be satisfied by compliance with Section 6 of this DPA.
12. Miscellaneous.
(a) Except as amended by this DPA, the Agreement will remain in full force and effect.
(b) If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
(c) Any claims brought forth under this DPA shall be subject to the terms and conditions of the Agreement.
(d) Customer may terminate this DPA and the Standard Contractual Clauses at Customer's discretion upon ORM's receipt of written notice of termination.
ACCEPTED AND AGREED TO:
CUSTOMER
By:___________________________
Name:________________________
Title:_________________________
Date:_________________________
ORM TECHNOLOGIES, LLC
By:___________________________
Name:________________________
Title:_________________________
Date:_________________________