DATA PROCESSING ADDENDUM

This Controller to Controller Data Processing Addendum (the “Controller to Controller DPA”) forms part of the applicable agreement or Terms of Service between 6Sense Insights, Inc. or an Affiliate of 6Sense Insights, Inc. (collectively, “6sense”) and the other party to the Terms of Service (“You”), where 6sense is providing EU Contact Data (as defined in the Terms of Service and restated below for ease of reference).

1. Independent Controllers. Each Party is a Controller of the EU Contact Data it provides to the other Party under the Agreement and solely responsible for its own processing of the EU Contact Data.

2. International Transfers. To the extent that EU Contact Data is transferred under this Agreement from the European Economic Area, Switzerland, or the United Kingdom to a country that has not received an adequacy decision from the European Commission, and to the extent such transfers are subject to applicable data protection law, the parties agree that the following transfer mechanism will apply to any transfers of EU Contact Data under this Agreement:

(1) In relation to transfers of Personal Data protected by the EU GDPR and transferred in accordance with this Agreement the EU SCCs shall apply, completed as follows:

i. Module One will apply;
ii. in Clause 7, the optional docking clause will apply;
iv. in Clause 11, the optional language will not apply;
v. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
vi. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
vii. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this Agreement, as applicable; and
viii. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Agreement.

(2)  In relation to transfers of EU Contact Data protected by the UK GDPR, the EU SCCs will also apply in accordance with paragraph (1) above, with the following modifications:

(i) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the UK GDPR; references to specific Articles of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK GDPR;
(ii) references to “EU”, “Union” and “Member State law” are all replaced with “UK”; Clause 13(a) and Part C of Annex I of the EU SCCs are not used; references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Information Commissioner and the courts of England and Wales; and
(iii) Clause 17 of the EU SCCs is replaced to state that “The Clauses are governed by the laws of England and Wales” and Clause 18 of the EU SCCs is replaced to state “Any dispute arising from these Clauses shall be resolved by the courts in England. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts,” unless the EU SCCs, implemented as described above, cannot be used to lawfully transfer such Personal Data in compliance with the UK GDPR in which case the UK SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK SCCs shall be populated using the information contained in Annexes I and II of this DPA (as applicable); and if neither the EU SCCs nor the UK SCCs applies, then the parties shall cooperate in good faith to implement appropriate safeguards for transfers of such Personal Data as required to permitted by the UK Data Protection Laws without undue delay;

(3) In relation to transfers of EU Contact Data protected by the Swiss DPA, the EU SCCs will also apply in accordance with paragraph (1) above, with the following modifications:

(i) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;
(ii) references to “EU,” “Union,” “Member State,” and “Member State law,” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and
(iii) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland,  unless the EU SCCs, implemented as described above, cannot be used to lawfully transfer such  Personal Data in compliance with the Swiss DPA in which case the Swiss SCCS shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the Swiss SCCs shall be populated using the information contained in Annexes I and II to this Agreement (as applicable);

(4) It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement, the Standard Contractual Clauses shall prevail to the extent of such conflict;

(5) If Company adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses or other applicable standard adopted pursuant to Applicable Data Protection Laws) for the transfer of Personal Data not described in this Agreement (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this Agreement (but only to the extent such Alternative Transfer Mechanism complies with applicable data protection law and extends to the territories to which Personal Data is transferred).

1. “EU Contact Data” means business contact information that contains Personal Data (defined below) of individuals that are subject to the European Data Protection Law (defined below).

2. “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3 “European Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) in respect of the United Kingdom the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); and (iii) the Swiss Federal Data Protection Act (“Swiss GDPR”); and collectively the above are referred to hereunder as the “GDPR.” 

ANNEX I 

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

1. Name: 6Sense Insights, Inc. or its applicable Affiliate – Exporter of EU Contact

   
   Data within Results Data

   Address: 450 Mission Street, Suite 201, San Francisco, CA 94105

Contact details: [email protected]

Activities relevant to the data transferred under these Clauses: As described in the Agreement.

Role (controller/processor): Controller

2. Name: You – Exporter of EU Contact Data within Input Data

Contact details: Email address as provided when registering for the Services.

Activities relevant to the data transferred under these Clauses: As described in the Agreement.

Role (controller/processor): Controller

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

1. Name: You – Importer of EU Contact Data within Results Data

Contact details: Email address as provided when registering for the Services.

Activities relevant to the data transferred under these Clauses: As described in the Agreement.

Role (controller/processor): Controller

2. Name: 6sense – Importer of EU Contact Data within Input Data

Address: 450 Mission Street, Suite 201, San Francisco, CA 94105

Contact details:[email protected]

Activities relevant to the data transferred under these Clauses: As described in the Agreement.

Role (controller/processor): Controller

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Business contacts

Categories of personal data transferred

Categories of personal data transferred may include:

• Name
• Email
• Company Name
• Company Business Address(es)
• Business Phone Numbers (corporate, direct dial, mobile)
• Job Title/Job Role
• Education
• Employment-Related Information
• Social Media Profile(s)

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions(including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous

 Nature of the processing

As set out in the Agreement.

Purpose(s) of the data transfer and further processing

As set out in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

During the term of the Agreement and as specified in the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

N/A

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The competent supervisory authority in accordance with the Clause 13 of the 2021 Standard Contractual Clauses is the Republic of Ireland unless Customer is established in the European Union or has appointed a representative pursuant to Article 27(1) of the GDPR; with respect to the processing of Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioners Office (the “ICO”). 

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Each party will implement and maintain a comprehensive written information security program designed to protect Personal Data from unauthorized access, use, modification, disclosure or destruction.  Without limiting the generality of the foregoing, 6sense, as part of its information security program, will:

• limit access to Personal Data to the minimum number of persons who require such access in order to perform its obligations under the Agreement

• provide appropriate training to any persons who process Personal Data

• use multi-factor authentication for access to any systems storing Personal Data
• use reputable services and/or tools to continuously monitor for malicious or unauthorized behavio