Schedule my demo

Give us a call: (800) 961 8205

U.K. Office: +44 (0) 118 403 2020

 Validity Community

Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Agreement (as defined in the applicable Order Form, Master Services Agreement, or other applicable agreement) entered into by Validity and Customer

 

  1. DEFINITIONS

  1. Capitalized terms used but not defined below or in Attachment 1 to this DPA will have the meanings set forth in the Agreement.

  1. ROLES OF THE PARTIES

  1. The parties acknowledge and agree that with regard to the Processing of Personal Data under this DPA, Customer is the “Controller” or “Business” and Validity is the “Processor” or “Service Provider” (in each instance, to the extent applicable in and as defined by Data Protection Law(s)).

  1. DATA PROCESSING AND PROTECTION
  1. Limitations on Validity will Process Personal Data only: (i) in a manner consistent with documented instructions from Customer (including with regard to transfers of Personal Data to a third country), which will include Processing as authorized or permitted under the Agreement(including as specified in Attachment 2 to this DPA); and (ii) as required by applicable Data Protection Law(s), provided that Validity will inform Customer (unless prohibited by such Data Protection Law) of the applicable legal requirement before Processing pursuant to such Data Protection Law.
  2. No Sale or Share of Personal Data. Customer and Validity hereby acknowledge and agree that in no event shall the transfer of Personal Data from Customer to Validity pursuant to the Agreement constitute a sale of Personal Data or transfer of Personal Data for valuable consideration to Validity, and that nothing in the Agreement shall be construed as providing for the sale or transfer of Personal Data for valuable consideration to Validity. Validity will not (and shall ensure its Subprocessors do not) retain, sell, share, use, combine with personal data from another person, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services for which Customer has engaged Validity or as otherwise permitted under applicable Data Protection Law. “Sell”, “sale”, and “share” shall have the meanings given to them in applicable Data Protection Law(s).
  3. Validity will ensure that persons authorized by Validity to Process any Personal Data are subject to appropriate confidentiality obligations.
  4. Validity will implement measures designed to protect Personal Data that meet or exceed applicable requirements under applicable Data Protection Law. These measures include technical and organizational measures, such as the use of firewalls, access control protocols, business continuity measures, penetration tests, and patch management protocols as described here: https://www.validity.com/resources/Information-Security-Controls.pdf.
  5. Disposal of Personal Data. As required by Data Protection Law(s), Validity will delete all Personal Data after the end of the provision of Services (to the extent Personal Data is still in Validity’s possession) unless applicable Data Protection Law requires the storage of such Personal Data by Validity, in which case Validity will only further retain and process such Personal Data for the limited duration and purposes required by such Data Protection Law.
  6. Customer Obligations. Customer is responsible for ensuring its compliance with all necessary transparency and lawfulness requirements under Data Protection Law(s) for the Processing of the Personal Data, including obtaining any necessary consents and authorizations, prior to the earlier of (i) Processing Personal Data in Validity’s Services or (ii) transfer of any Personal Data to Validity. Customer will not cause Validity to Process any Personal Data via the Services that includes any special categories of Personal Data, as defined in Data Protection Law, or any other Personal Data that may be subject to heightened data security obligations, such as data subject to U.S. breach notification obligations or any protected health information.
  1. ASSISTANCE
  1. As required by applicable Data Protection Laws, (i) Validity will notify Customer if (in Validity’s opinion) an instruction given by Customer to Validity violates applicable Data Protection Law; and (ii) Validity will notify Customer if Validity can no longer comply with its obligations under this DPA and, upon said notification and to the extent unauthorized use of Personal Data has occurred, Customer may take reasonable and appropriate steps to stop and remediate said unauthorized use of Customer’s Personal Data.
  2. Data Subject’s Rights Assistance. Taking into account the nature of the Processing and the information available to Validity, Validity will reasonably assist Customer by appropriate technical and organizational measures for the fulfilment of Customer’s obligation to respond to requests for exercising any individual’s privacy or data protection rights provided under applicable Data Protection Law.
  3. Security and Assistance. Taking into account the nature of Processing and the information available to Validity, Validity will reasonably assist Customer in ensuring compliance with its security obligations under applicable Data Protection Law(s).
  4. Personal Data Breach Notice and Assistance. Validity will notify Customer of any Personal Data Breach without undue delay after becoming aware of such Personal Data Breach. Taking into account the nature of Processing and the information available to Validity, Validity will assist Customer in ensuring compliance with Customer’s notification obligations under applicable Data Protection Law in connection with any Personal Data Breach.
  5. Data Protection Impact Assessment Assistance. Taking into account the nature of Processing and the information available to Validity, Validity will assist Customer in ensuring compliance with data protection impact assessment obligations under applicable Data Protection Laws(s).
  1. AUDITS

  1. Upon Customer’s request, Validity will make available to Customer information necessary to demonstrate Validity’s compliance with this DPA, in the form of an ISO 27001/27701certificate, SOC 2 attestation report, or compliance summary report. These materials will be deemed the Confidential Information of Validity under the Agreement. If Customer reasonably believes Validity is in material breach of this DPA or if required by an authority with applicable jurisdiction, then, as a reasonable and appropriate step to ensure that Personal Data use is consistent with the DPA and subject to the terms of this Section 5, Customer may conduct an on-site audit (at its expense) of Validity’s systems and procedures as may be necessary to verify Validity’s compliance with this DPA. Customer will provide no less than thirty days’ advance notice of its request for any such on-site audit and will cooperate in good faith with Validity to schedule any such audit at a mutually agreed upon date and time (such agreement not to be unreasonably withheld by either party). Any such on-site audit must occur during Validity’s normal business hours and be conducted by a nationally recognized independent auditor. The auditor conducting such audit will (and Customer will be responsible for ensuring that the auditor will): (a) comply with reasonable and applicable on-site policies and procedures provided by Validity, (b) sign a standard confidentiality agreement with Validity, and (c) not unreasonably interfere with Validity’s business activities. Customer will provide written communication of any audit findings to Validity, and the results of the audit will be the Confidential Information of Validity. Customer shall reimburse Validity for any time expended to support or facilitate any such on-site audit at Validity’s then-current professional services rates, which Validity will provide to Customer upon request.

  1. SUBPROCESSORS

  1. Customer authorizes Validity to use Subprocessors to Process Personal Data in connection with the provision of Services to Customer. Validity provides information on its Subprocessors at https://www.validity.com/legal/subprocessors/ and Validity will provide Customer with a current list of Subprocessors promptly upon written request to [email protected]. Validity will notify Customer of any intended changes concerning the addition or replacement of its Subprocessors to provide Customer with the opportunity to object to such changes. Customer will not object to any such change unless it has a reasonable belief that such change poses a materially new data protection risk to the Personal Data. Customer will notify Validity in writing of any such objection within ten days of receipt of Validity’s written notice of the change or will waive its right to object. If Customer provides written notice of its objection within such period and Validity determines it cannot accommodate such objection, Validity may terminate the Agreement upon notice to Customer without liability. Validity will impose data protection obligations upon any Subprocessor that are no less protective than those included in this DPA. Validity will remain liable for any acts or omissions of its Subprocessors.

  1. DATA TRANSFERS

  1. Validity may Process the Personal Data in the United States and other jurisdictions where (i) Validity’s offices and (ii) its Subprocessors are located. With regard to transfers of Personal Data from the European Economic Area and/or their member states, Switzerland, and/or the United Kingdom (UK) to a country which does not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws, to the extent such transfers are subject to such Data Protection Laws, such transfer will be made pursuant to the relevant approved transfer mechanism, in the following order of precedence and in accordance with the below terms:

  1. pursuant to the Data Privacy Framework, provided that Validity remains certified under such and the Data Privacy Framework remains a lawful transfer mechanism; then
  2. if the mechanism in 7(a) is not available, to the extent that any transfer of Personal Data is subject to the GDPR (“Data Transfer”), the parties will conduct such Data Transfer in accordance with this Section 7(b). Any Data Transfer will be conducted pursuant to the EU SCCs (which will be deemed executed by the parties as of the Effective Date of this DPA), and the following terms will apply:
    1. Terms of Module 2 (Controller to Processor) of the EU SCCs apply to the extent Customer is a Controller and
      Validity is a Processor of the Personal Data;
    2. Terms of Module 3 (Processor to Processor) of the EU SCCs apply to the extent Customer is a Processor and Validity
      is a Subprocessor of the Personal Data;
    3. Any audits authorized under the EU SCCs will be conducted pursuant to Section 5 (Audits) of this DPA;
    4. The Docking Clause at Clause 7 of the EU SCCs shall apply;
    5. In relation to Clause 9 of the EU SCCs, Option 2: General Written Authorisation is selected; the process and time
      period for the addition or replacement of Subprocessors is described in Section 6 (Subprocessors) of this DPA;
    6. The optional clause at Clause 11 of the EU SCCs shall not apply;
    7. In relation to Clause 13 and Annex I. C of the EU SCCs, Customer shall maintain accurate records of the applicable
      Member State(s) and competent supervisory authority/ies;
    8. In relation to Clause 17 (Option 1 is selected) and Clause 18 of the EU SCCs, the Member State for purposes of
      governing law and jurisdiction shall be Ireland;
    9. Customer will be referred to as the “Data Exporter” and Validity will be referred to as the “Data Importer” in
      Annex I. A of the EU SCCs with relevant Customer name and address details from this DPA and Customer’s Agreement;
    10. Details in Attachment 2 (Scope of Processing) of this DPA will be used to complete Annex I. B of the EU SCCs;
    11. Section 3(d) (Security) of this DPA will be used to complete Annex II of the EU SCCs.
  3. if the mechanism in 7(a) is not available, to the extent that any transfer of Personal Data is subject to applicable UK Data Protection Laws, the relevant Module(s) of the EU SCCs (as set out in Section 7(b) above) as amended by the UK SCC Addendum will govern such transfers.  For purposes of the UK SCC Addendum (which will be deemed executed by the parties as of the Effective Date of this DPA), the following terms will apply:
    1. For the purposes of Table 1 of the UK SCC Addendum:
      1. Customer will be referred to as the “Data Exporter” and Validity will be referred to as the “Data Importer” in such clauses including relevant Customer name and address details from this DPA and the Agreement; and
      2. The key contacts for the parties are specified in the Agreement.
    2. For the purposes of Table 2 of the UK SCC Addendum, Modules 2 and 3 of the EU SCCs shall apply, including the Appendix information and clauses or optional clauses of the EU SCCs brought into effect for the purposes of this Addendum, as outlined in relevant sections under 7(b) above.
    3. For the purposes of Table 3 of the UK SCC Addendum:
      1. The details about the parties as identified in the Agreement will be used to populate Annex 1.A of the UK SCC Addendum;
      2. Details in Attachment 2 (Scope of Processing) of this DPA will be used to complete the transfer details in Annex I.B of the UK SCC Addendum;
      3. Section 3(d) (Security) of this DPA will be used to complete Annex II of the UK SCC Addendum; and
      4. The general list of Subprocessors is available in Section 6 (Subprocessors) and will be used to complete Annex III of the UK SCC Addendum.
    4. For the purposes of Table 4 of the UK SCC Addendum either party (Data Exporter, Data Importer) will be permitted to end the UK SCC Addendum as set out in section 19 of the UK SCC Addendum.
  4. if the mechanism in 7(a) is not available, to the extent that any transfer of Personal Data is subject to the FADP, the parties agree that the EU SCCs will extend and apply in accordance with the following adaptations:
    1. The FDPIC will be the competent supervisory authority in Annex I.C under Clause 13 of the EU SCCs, insofar as the
      data transfer is governed by the FADP;
    2. The applicable law for contractual claims and place of jurisdiction for actions between the parties under Clauses 17 and 18 of the EU SCCs shall be as set forth in the EU SCCs, provided that that the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 c.
  1. MISCELLANEOUS
  1. The terms of this DPA will control to the extent there is any conflict between this DPA and the Agreement. Except as amended and modified by this DPA, the terms and provisions of the Agreement remain unchanged and in full force and effect.
  2. BY CLICKING I ACCEPT AND THEREBY ACCEPTING THESE TERMS (ONLY IF APPLICABLE), YOU WARRANT THAT YOU HAVE AUTHORITY TO SIGN AND EXECUTE THIS AGREEMENT ON BEHALF OF THE CUSTOMER WITH RESPECT TO THE MATTERS CONTAINED HEREIN.

  1. Attachment 1: Definitions

    For purposes of this DPA, the following terms will have the meanings ascribed below:

    “Business” and “Service Provider” shall have the meaning as defined under applicable Data Protection Law, including CPRA.

    “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

    “Data Protection Law” means any data protection law to the extent it applies to Validity in connection with its Processing of Personal Data and includes the GDPR, Member State laws implementing the GDPR, UK Data Protection Laws, the FADP, and U.S. Data Protection Laws.

    “Data Privacy Framework” (“DPF”) means the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. Data Privacy Framework (“UK Extension to the EU-U.S. DPF”), and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) (each as applicable) self-certification program(s) operated by the US Department of Commerce.

    “EU SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, found at ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

    “FADP” the Swiss Federal Act on Data Protection of 25 September 2020 and its ordinances, i.e., the Ordinance on Data Protection (ODP) and the Ordinance on Data Protection Certification, all of which came into force on September 1st, 2023 , as amended.

    “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.

    “GDPR” means (a) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

    “Personal Data” means the Customer Data Processed by Validity on behalf of Customer in connection with the Services that consists of “personal data” or “personal information” (or analogous variations of such terms) under applicable Data Protection Law, as further described under Attachment 2.

    “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

    “Process” or “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    “Processor” means the entity which processes personal data on behalf of the Controller.

    “Subprocessor” means (i) Validity, when Validity is processing Personal Data on behalf of the Customer and where Customer is itself a Processor of such Personal Data, or (ii) any third-party Processor engaged by Validity to process Personal Data in order to provide the Services to Customer.

    “UK Data Protection Laws” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK including the UK GDPR and the Data Protection Act 2018.

    “UK GDPR” means as defined in section 3 of the Data Protection Act 2018.

    “UK SCC Addendum” means the template addendum B.1.0 issued by the UK Information Commissioner and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 thereof, found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

    “U.S. Data Protection laws” means all applicable and as enacted data protection laws in the United States including the California Consumer Privacy Act as amended (“CCPA”), the California Privacy Rights Act (“CPRA”).

Attachment 2: Scope of Processing

Subject-Matter of Processing

Validity Processes Personal Data in connection with the subject matter specified under the Agreement (including the Order Form).

Nature and Purpose of Processing (i.e., Processing operations)

Validity’s Processing operations depend on the Services and settings that Customer utilizes, as further detailed on the Order Form and within Customer’s Service settings. For example, some Services involve data cleansing (create, read, update, and delete operations), while others help Customer improve the effectiveness of email campaigns (validate or test).

Types of Personal Data

Depending on the Services that the Customer has purchased, the following types of Personal Data may be relevant:

  • Contact information such as email addresses, phone numbers (U.S./Canada only), and postal addresses (U.S. only), as determined by the Customer.
  • Activity information associated with email campaigns (collected via pixels or similar tracking technology), including IP address, event, mail provider, and email address, as determined and configured by the Customer.
  • Service end-user’s first and last name, business email address, IP address, and company name.

Categories of Data Subjects

Depending on the Services that the Customer has contracted, the following types of Categories of Data Subjects may be relevant:

  • Individuals that Customer wishes to communicate with, as determined by Customer.
  • Service end-users who will log in to Validity’s web-based SaaS to interact with the service, as determined by the Customer.
  • Individuals who sign up for any services via the Validity websites.

Special Categories of Data

None (as outlined under Section 3(f) of this Agreement).

Data exporter (if applicable)

Customer, as defined in the Agreement.

Data importer (if applicable)

Validity, as defined in the Agreement.

The Frequency of the Transfer(s)

The transfer of Personal Data takes place on a continuous and/or on-off basis in accordance with the Agreement and the selected Services by the Customer.

Duration

Validity will Process Personal Data for the duration of the Agreement and pursuant to Section 3 of this DPA, unless otherwise agreed upon in writing.

Last Updated: March 2024