This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Use (“Terms”) by and between Krembo LLC. dba Growth-X (collectively “Growth-X” or “Company” or “we” or “us” or “our”) and the Customer (as defined under the Terms), and applies to the extent that the Company Processes Personal Data, or has access to Personal Data, in the course of its performance under the Terms.
This DPA forms an integral part of the Terms, and is incorporated therein by reference. Definitions used herein shall have the meaning assigned to them under the Terms.
The parties acknowledge that in relation to Personal Data Processed under the Terms, as between the parties, Customer is the Controller, and Company, in providing the Services is acting as a Processor on behalf of the Customer. For the purpose of the CCPA (and to the extent applicable), Customer is the Business and Company is the Service Provider. Without derogating from the above, it is hereby clarified that in addition to the Company's capacity as a Processor of the Personal Data, Company is also a Controller of certain Personal Data related to the Customer, such as Customer's personnel contact details, etc., and such Personal Data shall be used in accordance with Company's privacy policy available at: https://growth-x.com/.
The Customer acknowledges and agrees that the Company is solely a service provider, and has no contractual relationship or interaction with end users. Hence, in the event required under applicable laws, the Customer shall be responsible to obtain the end users’ consent to the collection and processing of Personal Data through the Services. The Customer will enable end users to opt-out of data collection, as required under applicable laws.
It is hereby agreed that any sharing of Personal Data between the Customer and Company is made solely for fulfilling a Business Purpose and the Company does not receive or process any Personal Data as consideration for the Services. Thus, such collection, processing and sharing of Personal Data shall not be considered as a Sale.
It is agreed that where Company receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by the Company on behalf of Customer, where relevant, the Company will direct the Data Subject or the applicable authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or applicable authority’s request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
The Customer acknowledges that the Company may transfer Personal Data to and otherwise interact with third party data processors for the purpose of providing the Services (“Sub-Processor”). The list of the Company's current Sub-Processors is available in Schedule B attached hereto. The Customer hereby authorizes the Company to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Company shall, where it engages any Sub-Processor, impose, through a legally binding contract between the Company and Sub-Processor, data protection obligations as required under Data Protection Law.
The Company shall use appropriate security measures to protect the availability, confidentiality, and integrity of any Personal Data collected, accessed, used, or transmitted in connection with this DPA and the Terms and to protect such Personal Data from Security Incidents taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The Company will notify the Customer upon becoming aware that an actual Security Incident involving the Personal Data Processed under the Terms in Company's possession or control has occurred. Company's notification of or response to a Security Incident under this Section 9 shall not be construed as an acknowledgment by the Company of any fault or liability with respect to the Security Incident. The Company will, in connection with any Security Incident affecting the Personal Data: (i) take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; and (iii) notify the Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.
The Company shall make available, solely upon prior written notice and no more than once per year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of Personal Data on behalf of Customer (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and confidentiality obligations (including towards third parties). The Company may object to an auditor appointed by the Customer in the event the Company reasonably believes the auditor is not suitably qualified or independent, is a competitor of the Company or is otherwise manifestly unsuitable. In such event, the Customer will appoint a different auditor. The Customer shall bear all expenses related to the Audit and shall avoid causing any damage, injury or disruption to Company's premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to the Company immediately.
The Personal Data Processed by the Company might be transferred and stored in different territories, including the US. Processor shall take such measures as are necessary to ensure the transfer is in compliance with Data Protection Law.
Any claims brought under this DPA will be subject to the terms and conditions of the Terms. In the event of a conflict between the Terms (and any document referred to therein) and this DPA, the provisions of this DPA shall prevail. This DPA supersedes any prior agreements or contracts (whether implied or explicit and whether written or not) between the parties in connection with Processing of Personal Data.
SCHEDULE A
DETAILS OF PROCESSING OF PERSONAL DATA
This Schedule A includes certain details of the Processing of Personal Data as required by Data Protection Law.
Subject matter and duration of the Processing of Personal Data:
Processing shall be carried out in connection with the provision of the Services set forth under the Terms, and until otherwise instructed by the Controller.
The nature and purpose of the Processing of Personal Data:
To provide the Services pursuant to the Terms.
The types/categories of Personal Data Processed:
The types of Personal Data will vary depending on the type of Services and may include: email address, names, place of work and position.
Special categories of data (if appropriate)
NA
The categories of Data Subjects to whom the Personal Data relates:
Business leads on behalf of the Customer.
SCHEDULE B
Sub-Processors
Sub-Processor | Address |
Google LLC | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA |
Intercom Inc. | 55 2nd Street, 4th Floor, San Francisco, CA 94105, USA |
Amazon Web Services, Inc. | 410 Terry Ave North Seattle, WA 98109-5210, USA |
Zapier Inc. | 243 Buena Vista Ave #508, Sunnyvale, CA 94086 |