GrowthCode Data Protection Terms & Conditions



Last Modified: March 6, 2024

GROWTHCODE DATA PROCESSING ADDENDUM

Customer and Service Provider have entered into an agreement for the provision by Service Provider to Customer of Services (as may be amended from time to time, the “Agreement”).  This Data Processing Addendum (this “Addendum”) will apply to Service Provider’s Processing of Customer Personal Data in conjunction with such Services.  This Addendum is hereby incorporated into and made a part of the Agreement.  This Addendum will be effective until such time as Service Provider is no longer providing such Services.


  1. Definitions

“Customer” means Customer:

“Controller,” “Processor,” “Data Subject,” “Personal Data,” “Personal Data Breach,” and “Processing” each have the meaning set forth in the EU General Data Protection Regulation 2016/679.


“CCPA” means the California Consumer Privacy Act of 2018 and the Regulations promulgated thereunder.


“Service Provider” means the party listed in Annex 1.


“Data Protection Laws” means all applicable state/regional (including CCPA), national, and international (including the EU) laws, orders, regulations, and regulatory guidance now or in the future relating to information security, privacy and data protection.


“Model Clauses” means the EU Commission Standard Contractual Clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022.


“Services” means the services to be provided by Service Provider for the benefit of Customer that are specified in the Agreement.


“Sub-processor” means a third-party subcontractor engaged by Service Provider which, as part of Service Provider’s role of delivering the Services, will Process Personal Data of Customer.


2. Service Provider’s Obligations.  Service Provider acknowledges that in the course of performing the Services, it may Process Personal Data for Customer or on its behalf.  Service Provider represents and warrants to Customer continuously throughout the term of the Agreement that it will: (a) only Process Personal Data in accordance with the instructions provided by Customer, for the purposes set out in the Agreement and only to the extent necessary to perform the Services and its obligations hereunder, (b) not disclose, distribute, sell (as such term is defined under applicable Data Protection Laws), assign, lease, commercially exploit (or allow to be exploited), or otherwise dispose of or make available any Personal Data to third parties, (c) not copy, modify, or create derivative works of any Personal Data (including, without limitation, aggregated and/or anonymized data) except with Customer’s prior consent or as may be permitted by any applicable law which is incapable of exclusion by contract, (d) implement and maintain organizational, administrative, physical and technical safeguards meeting the highest standards of good industry practice to prevent the unauthorized Processing, destruction or loss of Personal Data in Service Provider’s possession, custody or control, (e) implement and maintain an appropriate network security program that includes encryption of all Personal Data, (f) ensure its compliance with Data Protection Laws, (g) take all reasonable precautions with respect to the employment of and access to Personal Data given to Personnel (defined below) and Sub-Processors, and (h) at Customer’s request at any time during the term, provide Customer with a complete copy of or full access to any and all Personal Data that may be in Service Provider’s possession. Service Provider acknowledges that it is a “Service Provider” of Customer under the CCPA. 


3. Processing Personal Data.  Customer and Service Provider acknowledge and agree that with regard to the Processing of Personal Data in the context of the provision of the Services, Customer and/or its affiliates is/are the Data Controller, Service Provider is a Data Processor and that Service Provider may engage Sub-Processors pursuant to the requirements set forth in Section 5 (Sub-Processors) below. 


All verbal instructions are to be confirmed in writing or by email without undue delay. Service Provider shall inform Customer immediately if it considers that an instruction violates Data Protection Laws or if it is required to Process Personal Data outside the scope of Customer’s instructions.


The nature and purpose of Processing Personal Data by Service Provider is the performance of the Services pursuant to the Agreement. The duration of the Processing shall be for the duration of the Agreement and the rights and obligations under this Addendum shall remain in force after termination of the Agreement until all Personal Data Processed under this Addendum is deleted on the systems of Service Provider and its Sub-Processors. Details about Processing, including the types of Personal Data Processed, the categories of Data Subjects under this Addendum, and the jurisdictions where Processing may occur are set out on Annex 1. 


Service Provider shall (a) ensure that Personal Data initially collected within the European Economic Area (“EEA”), the UK and Switzerland will not be Processed outside of the EEA, UK and Switzerland, respectively, and Personal Data collected in any other country (i.e. not within the EEA) will not be Processed outside of that country unless Customer has given its prior written consent and either: (i) Service Provider and Customer and/or relevant affiliates abide by the International Data Transfer Addendum attached hereto as Exhibit C or an alternative data transfer agreement in a similar form to the Model Clauses as may be approved by Customer from time to time at its discretion or (ii) other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Laws, such as approved Binding Corporate Rules for Processors, (b) provide, at Service Provider’s own cost, reasonable cooperation, assistance, and information to Customer in relation to queries, complaints and other correspondence with any data subject or regulatory body (including data subject access requests) and as may reasonably be required to enable Customer to comply with its obligations under applicable Data Protection Laws, and (c) amend, update, supplement, return or delete any Personal Data as soon as reasonably practicable at Customer’s request.  For the purposes of the Model Clauses, the parties agree that (x) Customer will act as the data exporter on Customer’s own behalf and on behalf of any of its affiliates and (y) Service Provider will act on its own behalf and/or on behalf of the relevant affiliates as the data importers.


4. Service Provider Personnel.  Service Provider shall ensure that access to Personal Data is limited to those Service Provider employees and contractors (“Personnel”) and agents who have a need to know or need to access that Personal Data to enable Service Provider to perform its obligations under the Agreement. Service Provider shall ensure that its Personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality obligations no less restrictive than those contained in this Addendum, and that such obligations survive the termination of that person’s engagement with Service Provider. Service Provider has appointed, where required by applicable Data Protection Laws, a data protection officer who meets the requirements under such laws for the performance of his or her duties.  Details about the appointed person shall be included in Annex 2.

5. Sub-Processors.  Service Provider may only appoint a Sub-Processor with Customer’s prior written consent and such Sub-Processor must be bound by the same obligations as the ones to which Service Provider is bound by this Addendum.  The list of approved Sub-Processors can be found on Annex 3 hereto.

6. Security.  Service Provider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate: (a) the pseudonymization and encryption of Personal Data; (b) measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and Services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing; (e) a process and procedures to monitor and log processing systems for unauthorized changes and other evidence the processing environment has been compromised. Service Provider shall document and monitor compliance with these measures. Technical and organizational measures are subject to technical progress and further development and Service Provider may implement alternative adequate measures provided Service Provider shall not decrease the overall security of the Services during the term of the Agreement.  The minimum security measures to be implemented by Service Provider are as follows.

  1. Encryption.  Service Provider shall use strong encryption methodologies to protect Personal Data transferred over public networks, and shall implement whole disk encryption for all Personal Data at rest.  Service Provider will fully document and comply with Service Provider’s key management procedures for crypto keys used for the encryption of Personal Data.
  2. Storage.  Service Provider shall retain all Personal Data in a physically and logically secure environment to protect from unauthorized access, modification, theft, misuse and destruction.  Service Provider shall utilize platforms to host Personal Data that are configured to conform to industry standard security requirements and will only use hardened platforms that are continuously monitored for unauthorized changes.   
  3. Antivirus; Firewall.  Service Provider shall utilize antivirus programs that are capable of detecting, removing, and protecting against all known types of malicious or unauthorized software, with antivirus signature updates at least every twelve (12) hours.  Service Provider will implement firewalls designed to ensure that all outbound traffic to Customer systems is restricted to only what is necessary to ensure the proper functioning of the Services.  All other unnecessary ports and services will be blocked by firewall rules at Service Provider’s network.
  4. Vulnerability Management.
  5. Updates and Patches.  With regard to the handling of Personal Data, Service Provider shall establish and maintain mechanisms for vulnerability and patch management that are designed to evaluate application, system, and network device vulnerabilities and apply Service Provider-supplied security fixes and patches in a timely manner, taking a risk-based approach to prioritizing critical patches.
  6. Data Loss Prevention.  Service Provider shall maintain a "data loss prevention" (DLP) or "extrusion prevention" solution to protect Personal Data, and shall integrate the results of that activity with its program for audit logging and intrusion detection as described below.
  7. Audit Logging; Intrusion Detection.  Service Provider shall collect and retain audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events, complying with applicable policies and regulations.  Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools shall be implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents.  Physical and logical user access to audit logs shall be restricted to authorized Personnel.
  8. Information Risk Assessment.  On an annual basis, Service Provider shall cooperate with Customer, at Customer's discretion, to perform formal risk assessments to determine the likelihood and impact of potential privacy and security risks to Personal Data.  Service Provider shall conduct the audit annually in accordance with all applicable local laws, regulations and requirements for credit card and privacy (including without limitation PCI DSS) as well as industry common standards for information security. An audit report shall be provided to Customer within three (3) months of the completion of every year’s Services by Service Provider to Customer.
  9. Physical Security.  Where Service Provider is Processing Personal Data, such Personal Data shall be housed in secure areas, physically protected from unauthorized access, with appropriate environmental and perimeter controls.  The facilities shall be physically protected from unauthorized access, damage, theft and interference. 
  10. Disaster Recovery Management.  Service Provider shall provide documentation of its formal and secure disaster recovery plan, meeting good industry standards and redacted for proprietary and confidential information.  Service Provider shall share evidence with Customer that Service Provider conducts regular testing of that plan on at least an annual basis, which impacts any Customer systems and Personal Data governed by the Agreement.


7. Personal Data Breach Notification.  Service Provider shall:  (i) provide Customer with the name and contact information for an employee of Service Provider who shall serve as Customer’s primary security contact and shall be available to assist Customer twenty-four (24) hours per day, seven (7) days per week as a contact in resolving obligations associated with a Personal Data Breach; and (ii) notify Customer of a Personal Data Breach as soon as practicable, but no later than twenty-four (24) hours after Service Provider becomes aware of it; and

  1. Immediately following Service Provider’s notification to Customer of a Personal Data Breach, the parties shall coordinate with each other to investigate the Personal Data Breach.  Service Provider agrees to fully cooperate with Customer in Customer’s handling of the matter, including, without limitation:  (i) assisting with any investigation; and (ii) making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards or as otherwise required by Customer.
  2. Service Provider shall promptly use best efforts to remedy any Personal Data Breach and prevent any further Personal Data Breach at Service Provider’s expense in accordance with applicable privacy rights, laws, regulations and standards.  Service Provider shall reimburse Customer for actual reasonable costs incurred by Customer in responding to, and mitigating damages caused by, any Personal Data Breach, including all costs of notice and remediation pursuant to Section 7(d).
  3. Service Provider agrees that it shall not inform any third party of any Personal Data Breach without first notifying Customer, other than to inform a complainant that the matter has been forwarded to Customer’s legal counsel.  Further, Service Provider agrees that it shall reasonably cooperate with Customer to jointly determine:  (i) whether notice of the Personal Data Breach is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise; and (ii) the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation.
  4. Service Provider agrees to fully cooperate at its own expense with Customer in any litigation or other formal action deemed necessary by Customer to protect its rights relating to the use, disclosure, protection, and maintenance of Personal Information.
  5. In the event of any Personal Data Breach, Service Provider shall promptly use best efforts to prevent a recurrence of any such Personal Data Breach.

8. Data Subjects’ Rights.  Service Provider shall promptly notify Customer if it receives a request from a Data Subject for information, access to, correction, amendment, deletion, erasure, portability, restriction of Processing of that person’s Personal Data. Service Provider shall not respond to any such Data Subject request without first notifying and obtaining Customer’s prior written consent, except to confirm that the request relates to Customer. Upon request by Customer, Service Provider shall assist Customer to fulfill the rights of the Data Subjects and respond to such Data Subjects requests.


9. Assistance and Cooperation with Compliance.  Service Provider shall: (a) maintain a record in writing of all categories of Processing carried out on behalf of Customer and make such records available to Customer upon request from Customer or a relevant data protection authority (“Data Protection Authority”); (b) provide any information required by Customer to document compliance with Data Protection Laws and compliance with Service Provider’s obligations as set out in this Addendum and its Annexes; (c) inform Customer without undue delay of (i) any Processing of Personal Data outside the scope of this Addendum and its Annexes and of any violations of Data Protection Laws, in particular disruptions, suspected breaches of data protection or other impairments or changes to the collection, processing or use of Personal Data by Service Provider or any Sub-Processor or individuals employed by Service Provider or any Sub-Processors and (ii) any control actions or measures taken by a Data Protection Authority or any other authority with respect to the Processing of Personal Data and make every effort to support Customer insofar as Customer is subject to an inspection by a Data Protection Authority, an administrative or criminal procedure or claim by a Data Subject or by a third party or any other claim in connection with the Processing by Service Provider; and (d) assist Customer with the execution of any data protection impact assessment and with consultation of the relevant Data Protection Authority where legally required. 


10. Audit Rights.  To the extent the Services under this Addendum or the Agreement entail Service Provider’s Processing of Personal Data on Customer’s behalf, Customer has the right to inspect Service Provider’s respective systems and facilities at any time to ensure compliance with this Addendum and its Annexes, and applicable Data Protection Laws. Before the commencement of any such audit, Customer and Service Provider shall mutually agree in good faith upon the scope, timing, and duration of the audit. Customer is entitled to conduct the audit either by an authorized representative, including its data protection officer, where relevant, or through third parties that it instructs. Customer shall notify Service Provider with information regarding any non-compliance discovered during the course of an audit.  Service Provider shall also grant the above audit rights to any competent Data Protection Authority.

  1. Equitable Relief.  Service Provider acknowledges that any breach of its covenants or obligations set forth in this Addendum may cause Customer irreparable harm for which monetary damages would not be adequate compensation and agrees that, in the event of such breach or threatened breach, Customer is entitled to seek equitable relief, including a restraining order, injunctive relief, specific performance and any other relief that may be available from any court, without the necessity of posting a bond, in addition to any other remedy to which Customer may be entitled at law or in equity.  Such remedies shall not be deemed to be exclusive but shall be in addition to all other remedies available at law or in equity, subject to any express exclusions or limitations in the Agreement to the contrary.
  2. Material Breach.  Service Provider’s failure to comply with any of the provisions of this Addendum is a material breach of the Agreement.  In such event, Customer may terminate the Agreement effective immediately upon written notice to the Service Provider without further liability or obligation to Customer and Service Provider shall refund to Customer the pro rata portion of any unused fees paid by Customer under the Agreement.
  3. Indemnification.  Service Provider hereby agrees to indemnify, defend and hold harmless Customer and its affiliates, and any of their respective officers, directors, employees, representatives, and agents (“Customer Indemnitees”) from and against any and all claims, causes of action, liabilities, damages, losses, costs and expenses (including reasonable attorneys' fees and legal costs, which shall be reimbursed as incurred) arising from, relating to or based on any actual or alleged breach of Service Provider’s representations, warranties or covenants contained in this Addendum or any actual or alleged negligence or willful misconduct.  The indemnification obligations set forth in this Section 13 of this Addendum is not subject to any limitation of liability or similar provisions in the Agreement.
  4. Conflict.  Notwithstanding anything to the contrary in the Agreement, in the event and to the extent that the terms of this Addendum conflict with any of the terms of the Agreement, this Addendum supersedes the Agreement. In the event of any conflict or inconsistency between the body of this Addendum and the Model Clauses in Annex 4, the Model Clauses shall prevail.


EXHIBIT C: INTERNATIONAL DATA TRANSFER ADDENDUM


This International Data Transfer Addendum (the “Addendum”) to the Data Processing Agreement (the “Engagement”) is entered into by and between Customer and Service Provider.

  1. For purposes of the EU General Data Protection Regulation 2016/679 (“GDPR”), the GDPR as implemented under UK law by virtue of Section 3 of the UK’s European Union (Withdrawal) and the UK Data Protection Act of 2018 (“UK GDPR”), and Switzerland’s Federal Act on Data Protection of 19 June 1992 (“FADP”), each party is a “controller” of any “personal data” (as those terms are defined by the GDPR, UK GDPR, and FADP) in question hereunder.  Each party is responsible for its own compliance with GDPR, UK GDPR, and FADP where it applies to the “processing” of “personal data” (as those terms are defined by the GDPR, UK GDPR, and FADP) hereunder.
  2. UK Data Transfers. For transfers of personal data from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022 is agreed to and incorporated by reference, but, as permitted by clause 17 of such addendum, the parties agree to change the format of the information set out in Part 1 of the addendum such that:
  3. For the purposes of Table 1, Customer shall be the “importer” and Service Provider shall be the “exporter,” with the applicable details the same as identified in the Engagement.
  4. For the purposes of Table 2, (A) the EU SCCs shall apply, (B) Module 1 will apply to the personal data transferred to a third country; (C) in Clause 7, the optional docking clause will not apply; (D) in Clause 11, the optional language will not apply; (E) in Clause 17, Option 1 will apply, and, the EU SCCs will be governed by the laws of the UK for personal data transferred out of the UK; (F) in Clause 18(b), disputes will be resolved before the courts of the UK for personal data transferred out of the UK.
  5. For purposes of Table 3, Annex IA and Annex IB will be deemed completed with the information set forth in Schedule 1 of this Exhibit and Annex II will be deemed completed with the information set forth in Schedule 2 of this Exhibit. 
  6. For purposes of Table 4, neither party may terminate this Addendum when the Approved Addendum changes.
  7. EEA and Switzerland Data Transfers. In relation to personal data that is protected by the GDPR, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 (“EU SCCs”) will apply as follows: (A) Customer will be the "data importer" and Service Provider will be the "data exporter"; (B) Module One will apply to the personal data of both parties; (C) in Clause 7, the optional docking clause will not apply; (D) in Clause 11, the optional language will not apply; (E) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law for personal data transferred out of the European Economic Area or Swiss law for personal data transferred out of Switzerland; (F) in Clause 18(b), disputes will be resolved before the courts of Ireland for personal data transferred out of the European Economic Area or Switzerland for personal data transferred out of Switzerland; (H) Annex I will be deemed completed with the information set out in Schedule 1 of this Addendum; and (I) Annex II will be deemed completed with the information set out in Schedule 2 of this Addendum. For purposes of any transfers of personal data also subject to FADP, (i) the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of bringing legal proceedings to enforce their rights in their place of habitual residence in accordance with Clause 18(c) and (ii) the clauses also protect the data of legal entities until the entry into force of the revised FADP.



SCHEDULE I


A. LIST OF PARTIES

The Parties as identified in the Engagement.


B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: end users who come onto Customer’s website

Categories of personal data transferred: Common

Sensitive data transferred: no

The frequency of the transfer: continuous and daily basis

Nature of the processing: Allowing marketing activities

Purpose(s) of the data transfer and further processing

The period for which the personal data will be retained: no data retention

For transfers to (sub-) processors


C. COMPETENT SUPERVISORY AUTHORITY

Identified competent supervisory authority in accordance with Clause 13: Irish supervisory authority for personal data transferred out of the European Economic Area, Swiss supervisory authority for personal data transferred out of Switzerland, and UK supervisory authority for personal data transferred out of the UK.



SCHEDULE 2

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA


Customer takes technical and organizational security measures appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, presented by the processing. These measures include asset management processes, access controls, physical security controls, security training, and incident response processes. Any person acting under the authority of Customer, including a processor, must not process the data except on instructions from Customer.



Your Comments and Concerns
This website is operated by GrowthCode, LLC., 47 East 88th Street, 8B New York, NY 10128. All other feedback, comments, requests for technical support and other communications relating to the Website should be directed to: privacy@GrowthCode.io.
