This Data Processing Addendum (“DPA”) is made by and between ZoomInfo Technologies LLC and Provider, pursuant to the Agreement entered into between the Parties (including any amendments and attached or referencing service orders, statements of work, attachments, schedules, or exhibits).
This DPA forms part of the Agreement and sets out the terms which apply (i) to the extent that Provider, Provider’s Service Providers, or Provider’s Sub-Processors process ZoomInfo Personal Data on behalf of ZoomInfo in the course of providing services or deliverables in connection with the Agreement, (ii) to the extent that Provider, Provider’s Service Providers, or Provider’s Sub Processors process ZoomInfo Personal Data on behalf of an end client of ZoomInfo in the course of providing services or deliverables in connection with the Agreement, and (iii) to the extent that Provider processes Personal Data as an independent controller in connection with the Agreement. To the extent that (i) or (ii) applies, this DPA contains, in conjunction with the Agreement, the documented instructions for the Processing of ZoomInfo Personal Data as well as the subject-matter, duration, nature, and purpose of the Processing, which shall govern the rights and obligations of the parties in connection with the Processing of Personal Data.
Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement. 1. Definitions
1.1 For the purpose of this DPA (i) “Personal Data” means any information relating to an identified or identifiable natural person; (ii) “Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, address, title, or an online identifier. In the context of the Agreement, (iii)“ZoomInfo Personal Data” means Personal Data that ZoomInfo makes available to Provider or Provider may receive access to in connection with Provider’s provisioning of the Services; (iv) “Provider Personal Data” means Personal Data that Provider makes available to ZoomInfo or that ZoomInfo may receive access to in connection with Provider’s provisioning of the Services; (v) “Services” means the services Provider is providing to ZoomInfo, with the controlling definition thereof being that (if any) included in the Agreement; (vi) “Processing”, “Process”, “Processed” means any operation or set of operations which is performed on ZoomInfo Personal Data, individually or in sets, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (vii) “Affiliate” means a business entity that directly, or through one or more intermediaries, controls or is controlled by or is under common control with a party. One entity is deemed to control the other if it directly or indirectly (a) owns more than fifty percent (50%) of the equity of the other entity or (b) controls more than fifty percent (50%) of the voting rights of the other entity; (viii) “Applicable Law(s)” means all laws applicable to the Processing of ZoomInfo Personal Data, which may include EU Data Protection Laws, other laws of the European Union or any Member State thereof, the United Kingdom Data Protection Act 2018 (as amended from time to time, “UK GDPR”), the CPRA and other Consumer Privacy Laws (as defined in Section 4.1), and the laws of any other country or state to which ZoomInfo or the ZoomInfo Personal Data is subject. For the avoidance of doubt, all terms herein (whether in capital letters or lowercase) not otherwise defined but used in this DPA, shall have the meaning given to them in the Agreement, or if undefined in both documents, shall have the meaning as per the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) (as amended from time to time, “GDPR”).
2. Data Processing
2.1 The parties acknowledge and agree that with regard to the Processing of ZoomInfo Personal Data on behalf of ZoomInfo, ZoomInfo is the Controller and Provider is a Processor, except where ZoomInfo may be a processor of Personal Data on behalf of another controller, which means ZoomInfo is the Processor and Provider is a Sub-Processor.
2.2 The parties acknowledge that in regards to any Personal Data that Provider transfers or causes to be transferred to ZoomInfo that ZoomInfo is an independent Controller and Provider is an independent Controller, not a joint Controller with ZoomInfo. Each party shall comply with its obligations under Applicable Law.
2.3 Any Processing of ZoomInfo Personal Data by Provider under this DPA shall occur only:
2.3.1 on behalf of ZoomInfo;
2.3.2 in accordance with the Agreement; and
2.3.3 for the purpose of fulfillment of ZoomInfo’s written instructions.
2.4 This DPA and the Agreement are ZoomInfo’s complete instructions at the time of signature of this DPA to Provider for the Processing of ZoomInfo Personal Data. However, such instructions may be amended, supplemented, or replaced by ZoomInfo in
written form at any time. If any new instructions from ZoomInfo exceed the scope of this DPA, they shall be considered as ZoomInfo’s request to amend the DPA.
3. CPRA
3.1 To the extent that Provider Processes any ZoomInfo Personal Data relating to individuals who are California residents, Provider shall comply with the requirements of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, Cal. Civ. Code §§ 1798.100 et seq. (the “CPRA”), including any amendments and implementing regulations that become effective on or after the effective date of this DPA, and shall provide the same level of privacy protection as is required by the CPRA. Capitalized terms used but not defined in this Section 3 shall have the same meaning as in the CPRA. For the purposes of the CPRA, the parties agree that Provider is a “Service Provider” in the performance of its obligations, and that ZoomInfo is a “Business,” and that the transfer of ZoomInfo Personal Data to Provider shall not be considered a “Sale” or “Sharing.” To the extent required by the CPRA, Provider shall (a) grant ZoomInfo the right to take reasonable and appropriate steps to help ensure that Provider uses ZoomInfo Personal Data in a manner consistent with ZoomInfo’s obligations under the CPRA; (b) notify ZoomInfo if Provider determines that it can no longer meet its obligations under the CPRA; and (c) grant ZoomInfo the right, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of ZoomInfo Personal Data. To the extent required by the CPRA, ZoomInfo shall inform Provider of any consumer requests made pursuant to the CPRA that they must comply with, and shall provide all information necessary for Provider to comply with such request.
3.2 Provider shall Process ZoomInfo Personal Data only for the “Business Purposes” specified in the Agreement and this DPA. The parties agree that ZoomInfo discloses ZoomInfo Personal Data to Provider only for these limited purposes.
3.3 As a Service Provider, Provider shall not:
3.3.1 Sell or Share ZoomInfo Personal Data;
3.3.2 retain, use, or disclose ZoomInfo Personal Data for any purpose other than for the Business Purposes specified in the Agreement and this DPA, including retaining, using, or disclosing ZoomInfo Personal Data for a commercial purpose other than the Business Purposes specified in the Agreement and this DPA, or as otherwise permitted by the CPRA;
3.3.3 retain, use, or disclose ZoomInfo Personal Data outside of the direct business relationship between Provider and ZoomInfo; or
3.3.4 combine ZoomInfo Personal Data that Provider receives from, or on behalf of, ZoomInfo with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, provided that Provider may combine personal information to perform any Business Purpose as defined in the regulations adopted pursuant to paragraph (10) of subdivision (a) of Cal. Civ. Code § 1798.185, except as provided for in paragraph (6) of subdivision (e) of Cal. Civ. Code § 1798.140 and in regulations adopted by the California Privacy Protection Agency.
4. Other U.S. Data Protection Laws
4.1 To the extent that Provider Processes any ZoomInfo Personal Data relating to individuals who are “Consumers” as that term is defined in the Colorado Privacy Act, Colo. Rev. Stat. §§ 6-1-1301 et seq. (“CPA”), the Connecticut Data Privacy Act, Public Act No. 22-15 (“CTDPA”), the Delaware Personal Data Privacy Act, 6 Del. C. § 12D-101 et seq. (“DPDPA”), the Iowa Consumer Data Protection Act, Iowa Code Ann. §§ 715D.1 to 715D.9 (“ICDPA”), the Montana Consumer Data Privacy Act, Mont. Code Ann. §§ 30-14-2801 to 30- 14-2817 (“MCDPA”), the Nebraska Data Privacy Act, L.B. 1074 (“NDPA”), the New Hampshire Consumer Data Privacy Act, N.H. Rev. Statutes Ann. §§ 507-H:1 to 507-H:12 (“NHDPA”), the New Jersey Consumer Data Privacy Act, N.J. Statutes Ann. 56:8-166.4 to 56:8- 166.19 (“NJDPA”), the Oregon Consumer Privacy Act, ORS 646A.570-646A.589 (“OCPA”), the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code Ann. §§ 541.001 to 541.205 (“TDPSA”), the Utah Consumer Privacy Act, Utah Code Ann. §§ 13-61-101 et seq. (“UCPA”), and the Virginia Consumer Data Protection Act, Va. Code Ann. §§59.1-575 et seq. (“VCDPA”), and any other U.S. state data privacy laws that are enacted subsequent to the effective date of this DPA (collectively, the “Consumer Privacy Laws” or “CPL”), respectively, and upon the respective effective dates of the CPL, Provider shall comply with the CPL’s requirements, including any amendments and implementing regulations that become effective on or after the effective date of this DPA.
5. Personnel
5.1 The parties shall:
5.1.1 ensure all employees involved in Processing or transferring of ZoomInfo Personal Data have (1) either committed themselves to confidentiality in writing or have statutory or fiduciary obligations requiring a similar commitment to confidentiality and (2) are authorized and appropriately trained to Process ZoomInfo Personal Data;
5.1.2 ensure the access to ZoomInfo Personal Data is limited to the personnel necessary to execute the party’s obligations
under the Agreement (“Authorized Personnel”); and
5.1.3 appoint a data protection officer, if required by the Applicable Law, and provide his / her contact details on written request to the other party.
6. Technical and Organizational Measures
6.1 Provider shall implement and maintain appropriate technical and organizational measures to provide a level of security appropriate to the particular risks of accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, or access of Personal Data presented by the Processing of ZoomInfo Personal Data. Such measures shall include, at a minimum, (i) limiting access to ZoomInfo Personal Data to Authorized Personnel only; (ii) ensuring that all Authorized Personnel are made aware of the confidential nature of ZoomInfo Personal Data before they may access such data; (iii) securing its physical, technical, and administrative
infrastructure, including all relevant business facilities, data centers, paper files, servers, networks, platforms, databases, cloud computing resources, back-up systems, passwords and credentials, hardware, and mobile devices; (iv) implementing authentication and access controls within all relevant media, applications, networks, operating systems and equipment; (v) encrypting ZoomInfo Personal Data when transmitted over public or wireless networks or where otherwise appropriate; (vi) strictly segregating ZoomInfo Personal Data from information of Provider or its employees or other customers; (vii) maintaining appropriate security and integrity procedures and practices; (viii) maintaining written plans and policies for responding to a Security Breach in compliance with section 9 below; (ix) maintaining and regularly testing processes for restoring the availability and access to ZoomInfo Personal Data in a timely manner in the event of an incident or a suspected incident; (x) regularly testing, assessing, and evaluating the effectiveness of all technical and organizational security measures; and (xi) any other measures necessary to ensure the ongoing confidentiality, integrity, and availability of ZoomInfo Personal Data and the ongoing security and resilience of systems and services used for Processing.
7. Sub-Processors and Data Transfers
7.1 To the extent that such entities process ZoomInfo Personal Data on Provider’s behalf, ZoomInfo hereby consents to the usage as sub-processors of Provider’s respective Affiliates and third-party service providers (“Sub-Processors”) identified in a list found in Annex III. Following the effective date of this DPA, Provider shall not sub-contract any of its Processing activities performed on behalf of ZoomInfo to a Sub-Processor without the prior specific written authorization of ZoomInfo. Provider shall submit the request for specific authorization at least thirty (30) days prior to the engagement of the Sub-Processor, together with the information necessary to enable ZoomInfo to decide on the authorization. In the event that ZoomInfo objects, Provider and ZoomInfo shall negotiate in good faith with a view to achieving a commercially reasonable resolution. If no such resolution is reached within thirty (30) days of the issuance of the objection, ZoomInfo shall be permitted to suspend or terminate the Agreement in accordance with the termination provisions of the Agreement. The Parties shall keep Annex III up to date.
7.2 To the extent that Provider acts as a Processor, Provider shall impose substantially similar data protection obligations on any Sub-Processors (including its Affiliates) as set out in this DPA (in particular providing sufficient guarantees to implement appropriate technical and organizational measures). Provider shall be liable for the acts and omissions of its Sub-Processors to the same extent Provider would be liable if performing the services of each Sub-Processor directly under the terms of this DPA.
7.3 For any transfer of ZoomInfo Personal Data from a country inside the European Economic Area, the United Kingdom, or Switzerland to a country outside the European Economic Area, the United Kingdom, or Switzerland, applicable requirements of GDPR must be fulfilled. To the extent that ZoomInfo acts as a Controller and Provider acts as a Processor, ZoomInfo (i) authorizes Provider to store or Process ZoomInfo Personal Data in the United States or any other country in which Provider or its Sub-Processors maintain facilities and (ii) appoints Provider to perform any such transfer of ZoomInfo Personal Data to any such country and to store and Process ZoomInfo Personal Data in order to provide the Services or by documented instructions of ZoomInfo. The parties will conduct all such activity in compliance with the Agreement, this DPA, and Applicable Law.
7.4 If ZoomInfo, acting as Controller, transfers ZoomInfo Personal Data originating from the EEA to Provider, acting as Processor, when the Provider is located in countries outside the EEA that have not received a binding adequacy decision by the European Commission, such transfers shall be made in compliance with applicable data transfer legal requirements and only by documented instructions from ZoomInfo. The parties acknowledge and agree to abide by the obligations set out in the Standard Contractual
Clauses (European Commission Decision 2021/914 of 4 June 2021) (“SCCs“), incorporated herein by reference and as may be amended or replaced from time to time, for any transfers of ZoomInfo Personal Data from within the EEA to outside of the EEA. For the purpose of processing ZoomInfo Personal Data under this DPA and the incorporation of the SCCs where Provider, Provider’s Service Providers, or Provider’s Sub-Processors process ZoomInfo Personal Data on behalf of ZoomInfo in the course of providing services or deliverables in connection with the Agreement:
7.4.1 Module 2 of the SCCs shall be applicable;
7.4.2 Clause 7 of the SCCs will apply;
7.4.3 Clause 9(a) of the SCCs shall be applicable such that Provider shall not sub-contract any of its Processing activities performed on behalf of ZoomInfo to a Sub-Processor without the prior specific written authorization of ZoomInfo. Provider shall submit the request for specific authorization at least thirty (30) days prior to the engagement of the Sub-Processor, together with the information necessary to enable ZoomInfo to decide on the authorization. The list of Sub-Processors already authorized by ZoomInfo can be found in Annex III. The Parties shall keep Annex III up to date;
7.4.4 Under Clause 17 of the SCCs, the Clauses shall be governed by the law of Ireland;
7.4.5 Under Clause 18 of the SCCs, any dispute arising from the Clauses shall be resolved by the courts of Ireland; and 7.4.6 Additional information required to be included as part of the SCCs is provided in Annexes I and II to this DPA.
7.5 If ZoomInfo, acting as Controller, transfers ZoomInfo Personal Data originating from the UK to Provider, acting as Processor, when Provider is located in countries outside the UK that have not received an adequacy regulation by the UK Secretary of State for the Department for Digital, Culture, Media and Sport, then the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”), incorporated herein by reference and as may be amended or replaced from time to time, shall apply in addition to the Standard Contractual Clauses. For the purpose of processing ZoomInfo Personal Data under this DPA and the incorporation of the UK Addendum where Provider, Provider’s Service Providers, or Provider’s Sub-Processors process ZoomInfo Personal Data on behalf of ZoomInfo in the course of providing services or deliverables in connection with the Agreement:
7.5.1 Module 2 of the UK Addendum shall be applicable;
7.5.2 Clause 7 of the UK Addendum will apply;
7.5.3 Clause 9(a) of the SCCs shall be applicable such that Provider shall not sub-contract any of its Processing activities performed on behalf of ZoomInfo to a Sub-Processor without the prior specific written authorization of ZoomInfo. Provider shall submit the request for specific authorization at least thirty (30) days prior to the engagement of the Sub-Processor, together with the information necessary to enable ZoomInfo to decide on the authorization. The list of Sub-Processors already authorized by ZoomInfo can be found in Annex III. The Parties shall keep Annex III up to date; and
7.5.4 Additional information required to be included as part of the SCCs is provided in Annexes I and II to this DPA.
7.6 If ZoomInfo, acting as Processor, transfers ZoomInfo Personal Data originating from the EEA to Provider, acting as Sub Processor, when the Provider is located in countries outside the EEA that have not received a binding adequacy decision by the European Commission, such transfers shall be made in compliance with applicable data transfer legal requirements and only by documented instructions from the Controller as communicated by ZoomInfo. The parties acknowledge and agree to abide by the obligations set out in the SCCs for any transfers of ZoomInfo Personal Data from within the EEA to outside of the EEA. For the purpose of processing ZoomInfo Personal Data under this DPA and the incorporation of the SCCs to the extent that Provider, Provider’s Service Providers, or Provider’s Sub-Processors process ZoomInfo Personal Data on behalf of an end client of ZoomInfo in the course of providing services or deliverables in connection with the Agreement:
7.6.1 Module 3 of the SCCs shall be applicable;
7.6.2 Clause 7 of the SCCs will apply;
7.6.3 Except to the extent the agreement between the applicable Controller and ZoomInfo states or requires otherwise, Clause 9(a) of the SCCs shall be applicable such that Provider has the Controller’s and ZoomInfo’s general authorization for the engagement of Sub-Processor(s) from an agreed list as set forth in Section 7.1;
7.6.4 Under Clause 17 of the SCCs, the Clauses shall be governed by the law of Ireland;
7.6.5 Under Clause 18 of the SCCs, any dispute arising from the Clauses shall be resolved by the courts of Ireland; and 7.6.6 Additional information required to be included as part of the SCCs is provided in Annexes I and II to this DPA.
7.7 If ZoomInfo, acting as Processor, transfers ZoomInfo Personal Data originating from the UK to Provider, acting as Sub Processor, when Provider is located in countries outside the UK that have not received an adequacy regulation by the UK Secretary of State for the Department for Digital, Culture, Media and Sport, then the UK Addendum shall apply in addition to the Standard Contractual Clauses. For the purpose of processing ZoomInfo Personal Data under this DPA and the incorporation of the UK Addendum to the extent that Provider, Provider’s Service Providers, or Provider’s Sub-Processors
process ZoomInfo Personal Data on behalf of an end client of ZoomInfo in the course of providing services or deliverables in connection with the Agreement:
7.7.1 Module 3 of the UK Addendum shall be applicable;
7.7.2 Clause 7 of the UK Addendum will apply;
7.7.3 Except to the extent the agreement between the applicable Controller and ZoomInfo states or requires otherwise, Clause 9(a) of the UK Addendum shall be applicable such that Provider has the Controller’s and ZoomInfo’s general authorization for the engagement of Sub-Processor(s) from an agreed list as set forth in Section 7.1; and
7.7.4 Additional information required to be included as part of the SCCs is provided in Annexes I and II to this DPA.
7.8 If Provider transfers Personal Data originating from the EEA to ZoomInfo when ZoomInfo is located in countries outside the EEA that have not received a binding adequacy decision by the European Commission, where Provider and ZoomInfo are acting as independent controllers, such transfers shall be made in compliance with applicable data transfer legal requirements. The parties acknowledge and agree to abide by the obligations set out in the SCCs for any transfers of Personal Data from within the EEA to outside of the EEA. For the purpose of processing Personal Data under this DPA and the incorporation of the SCCs where Provider and ZoomInfo process Personal Data as independent controllers pursuant to the Agreement:
7.8.1 Module 1 of the SCCs shall be applicable;
7.8.2 Clause 7 of the SCCs will apply;
7.8.3 Under Clause 17 of the SCCs, the Clauses shall be governed by the law of Ireland;
7.8.4 Under Clause 18 of the SCCs, any dispute arising from the Clauses shall be resolved by the courts of Ireland; and 7.8.5 Additional information required to be included as part of the SCCs is provided in Annexes I and II to this DPA.
7.9 If Provider transfers Personal Data originating from the UK to ZoomInfo when ZoomInfo is located in countries outside the UK that have not received an adequacy regulation by the UK Secretary of State for the Department for Digital, Culture, Media and Sport, where Provider and ZoomInfo are acting as independent controllers, then the UK Addendum shall apply in addition to the Standard Contractual Clauses. For the purpose of processing Personal Data under this DPA and the incorporation of the UK Addendum where Provider and ZoomInfo process Personal Data as independent controllers pursuant to the Agreement:
7.9.1 Module 1 of the UK Addendum shall be applicable;
7.9.2 Clause 7 of the UK Addendum will apply; and
7.9.3 Additional information required to be included as part of the SCCs is provided in Annexes I and II to this DPA.
7.10 In relation to transfers of Personal Data protected by the Swiss Federal Act on Data Protection (“FADP”), the Standard Contractual Clauses in Schedule 1 shall apply with the following modifications: (i) references to “Regulation (EU) 2016/679” and specific articles therein shall be interpreted as references to the FADP and the equivalent articles or sections therein; (ii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” and “Swiss law”; (iii) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection and Information Commissioner” and “competent Swiss courts”; and (iv) the Standard Contractual Clauses shall be governed by the laws of Switzerland. The term “Member State” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland).
8. Requests from Data Subjects
8.1 Provider shall, in accordance with Applicable Laws, promptly notify ZoomInfo if Provider receives a request from a Data Subject to which the ZoomInfo Personal Data relates to exercise his/her rights connected to the Processing under the Agreement and this DPA. Provider shall use appropriate technical and organizational measures to cooperate and assist ZoomInfo in responding to such requests.
9. Security Breach
9.1 Provider shall:
9.1.1 Notify ZoomInfo without undue delay, but no later than five (5) business days, after discovery and confirmation of any actual incident of unauthorized, unlawful, or accidental disclosure, alteration, or loss of or access to any ZoomInfo Personal Data or other breach of this DPA by Provider or any of its staff, Sub-Processors, or any other identified or unidentified third party (a “Security Breach“);
9.1.2 Provide ZoomInfo with reasonable cooperation and legally required assistance in respect of any Security Breach and all relevant information in Provider’s possession concerning the Security Breach, including, but not limited to, the following: (i) the nature of the breach; (ii) the categories and quantities of ZoomInfo Personal Data involved; (iii) the name and contact details for the relevant contact person; (iv) the steps Provider has taken and will take to mitigate and remediate the Security Breach; and (v) any other information that ZoomInfo may request;
9.1.3 Take any necessary and legally required corrective or mitigating actions, pursuant to Applicable Laws and regulations, to remedy or mitigate any Security Breach; and
9.1.4 Not make any announcement or publish or otherwise authorize any broadcast of any notice or information about a Security Breach without notifying ZoomInfo and receiving ZoomInfo’s written consent, unless legally required to do so, in which case Provider shall reasonably endeavor to notify ZoomInfo prior to such announcement, publication, or broadcast.
10. Cooperation
10.1 In case of reporting and notification obligations to competent data protection supervisory authorities and/or affected Data Subjects resulting from Security Breaches, the parties shall, upon request, provide reasonable support and information to the other party to comply with the investigation of any Security Breach and to fulfill any legally required obligations.
10.2 The parties will cooperate to the extent reasonably necessary in connection with their obligations to conduct data protection impact assessments and engage in consultation with supervisory authorities. If a supervisory authority corresponds with one party regarding either party’s Processing of ZoomInfo Personal Data under the Agreement or this DPA, the party receiving the correspondence will promptly notify the other party. The parties will cooperate to the extent reasonably necessary to fulfill their obligations to respond to the supervisory authority’s request. The parties will each bear the respective costs they incur when fulfilling such obligations.
11. Return and Deletion of Personal Data.
11.1 ZoomInfo Personal Data (including any copy of it) shall not be kept longer than is required for the Processing purposes or for providing Services under the Agreement, unless (i) a longer retention period is required for audit, legal, or regulatory purposes or (ii) ZoomInfo instructs Provider in writing to (a) keep certain ZoomInfo Personal Data longer or (b) return certain ZoomInfo Personal Data earlier.
11.2 The return or destruction of any data storage medium provided by ZoomInfo to Provider shall be conducted without undue delay (i) after Processing is complete or termination / expiration of the Agreement or (ii) earlier, by written request of ZoomInfo. Upon ZoomInfo’s request, Provider shall provide written confirmation of the destruction of ZoomInfo Personal Data.
12. Audits
12.1 Upon request, Provider will make available to ZoomInfo all relevant information necessary, and allow for and contribute to audits, including inspections, conducted by ZoomInfo, or another auditor who is not a competitor, to demonstrate compliance hereunder. If ZoomInfo requires Provider to submit to audits or inspections that are necessary to demonstrate compliance, ZoomInfo will provide Provider with written notice at least ten (10) days in advance of such audit or inspection. Such written notice will specify the things, people, places, or documents to be made available. ZoomInfo will make reasonable efforts to cooperate with Provider to schedule audits or inspections at times that are convenient to Provider during usual business hours and without disturbance to Provider’s operations and personnel. Each party shall be responsible for its respective costs incurred in relation to audits or inspections.
13. Miscellaneous.
13.1 Without prejudice to any other obligations under this DPA or the Agreement, the parties will secure ZoomInfo Personal Data (i) with at least reasonable care and skill; and (ii) in accordance with good industry practice and Applicable Laws and regulations.
13.2 The term of this DPA corresponds to the term of the Agreement and any subsequent agreements referencing it between the parties. Provisions which by their nature are intended to survive termination or expiration of this DPA, will continue and survive any termination or expiration of this DPA.
13.3 Notwithstanding anything to the contrary in the Agreement, in the event of a conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail with respect to data privacy and security matters.
13.4 The effective date of this DPA is the date of ZoomInfo’s countersignature to the Agreement or upon one party’s transfer of Personal Data to the other, whichever occurs first. The DPA will continue in effect until the Agreement and any subsequent agreements referencing it between the parties have terminated or been expired.
ANNEX I
A. LIST OF PARTIES
To the extent that ZoomInfo is a Controller and Provider is a Processor:
Data exporter(s):
Name: ZoomInfo Technologies LLC
Address: 805 Broadway, Suite 800, Vancouver WA 98660 USA
Contact person’s name, position and contact details: James Henry, Associate General Counsel, legal@zoominfo.com Activities relevant to the data transferred under these Clauses: The provision of the Services contemplated in the Agreement. Role (controller/processor): Controller
Data importer(s):
Name: Entity identified as Provider in the Agreement
Address: As set forth in the Agreement, or as otherwise provided to ZoomInfo in writing.
Contact person’s name, position and contact details: As set forth in the Agreement for Notices, or as otherwise provided to ZoomInfo in writing.
Activities relevant to the data transferred under these Clauses: The provision of the Services contemplated in the Agreement. Role (controller/processor): Processor
To the extent that ZoomInfo is a Processor and Provider is a Sub-Processor:
Data exporter(s):
Name: ZoomInfo Technologies LLC
Address: 805 Broadway, Suite 800, Vancouver WA 98660 USA
Contact person’s name, position and contact details: James Henry, Associate General Counsel, legal@zoominfo.com Activities relevant to the data transferred under these Clauses: The provision of the Services contemplated in the Agreement. Role (controller/processor): Processor
Data importer(s):
Name: Entity identified as Provider in the Agreement
Address: As set forth in the Agreement, or as otherwise provided to ZoomInfo in writing.
Contact person’s name, position and contact details: As set forth in the Agreement for Notices, or as otherwise provided to ZoomInfo in writing.
Activities relevant to the data transferred under these Clauses: The provision of the Services contemplated in the Agreement. Role (controller/processor): Processor
To the extent that the parties are Independent Controllers:
Data exporter(s):
Name: ZoomInfo Technologies LLC
Address: 805 Broadway, Suite 800, Vancouver WA 98660 USA
Contact person’s name, position and contact details: James Henry, Associate General Counsel, legal@zoominfo.com
Activities relevant to the data transferred under these Clauses: The provision of the Services or deliverables contemplated in the Agreement.
Role (controller/processor): Controller
Data importer(s):
Name: Entity identified as Provider in the Agreement
Address: As set forth in the Agreement, or as otherwise provided to ZoomInfo in writing.
Contact person’s name, position and contact details: As set forth in the Agreement for Notices, or as otherwise provided to ZoomInfo in writing.
Activities relevant to the data transferred under these Clauses: The provision of the Services or deliverables contemplated in the Agreement.
Role (controller/processor): Controller
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
To the extent that ZoomInfo is a Controller and Provider is a Processor: Individuals, including employees, agents, contractors, and collaborators of ZoomInfo or its customers; end users of ZoomInfo’s or its customers’ services; and other individuals associated or potentially associated with business organizations, whose personal data ZoomInfo makes available to Provider for processing in connection with the provision of services as set forth in the Agreement.
To the extent that ZoomInfo is a Processor and Provider is a Sub-Processor: Individuals whose personal data ZoomInfo, on behalf of an end client, makes available to Provider for processing in connection with the provision of services as set forth in the Agreement.
To the extent that ZoomInfo and Provider are Independent Controllers: Individuals located in the EEA, UK, or other locations subject to Applicable Laws and associated or potentially associated with business organizations, whose personal data Provider transfers to ZoomInfo pursuant to the Agreement.
Categories of personal data transferred:
To the extent that ZoomInfo is a Controller and Provider is a Processor: Any ZoomInfo Personal Data that is Processed by Provider as directed by ZoomInfo pursuant to the Agreement and this DPA, which may include business contact information, device information, and other types of Personal Data.
To the extent that ZoomInfo is a Processor and Provider is a Sub-Processor: Any ZoomInfo Personal Data that is Processed by Provider pursuant to the Agreement and this DPA and as ultimately directed by an end client of ZoomInfo, which may include business contact information, device information, and other types of Personal Data.
To the extent that ZoomInfo and Provider are Independent Controllers: Any Personal Data that Provider transfers to ZoomInfo pursuant to the Agreement and this DPA, which may include business contact information, device information, and other types of Personal Data.
Sensitive data transferred:
No sensitive data transferred. Safeguards outlined in DPA and Annex II.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
On a continuous basis as needed to provide the Services to ZoomInfo for the term of the Agreement. Nature and Purpose of the processing:
Personal Data transferred in accordance with the Agreement and this DPA for the sole and limited purpose of processing such Personal Data to provide the Service during the term of the Agreement and as compelled by applicable laws.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Subject to Section 12 of the DPA, Provider will retain ZoomInfo Personal Data for as long as required for the provision of the Services and Deliverables contemplated by the Agreement, unless (i) a longer retention period is required for audit, legal, or regulatory purposes or (ii) ZoomInfo instructs Provider in writing to (a) keep certain ZoomInfo Personal Data longer or (b) return certain ZoomInfo Personal Data earlier.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
For the duration of the Agreement or as indicated in documented instructions from ZoomInfo, unless otherwise agreed upon in writing or required by applicable law.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
Ireland’s Data Protection Commission
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Without prejudice to the requirements of section 7 of this DPA, to the extent that Provider is acting as a Processor or Sub-Processor, Provider shall establish and maintain industry standard security measures that meet or exceed the security standards and certifications ZoomInfo employs as further described here: https://www.zoominfo.com/about-zoominfo/security-overview. Provider shall be able to adequately demonstrate its compliance with these obligations to ZoomInfo upon request.
To the extent that ZoomInfo is acting as the data controller, ZoomInfo will abide by the security standards and certifications listed here: https://www.zoominfo.com/about-zoominfo/security-overview.
ANNEX III
LIST OF SUB-PROCESSORS
Provider will provide ZoomInfo with a list of subprocessors within 5 days of signing the Agreement. In the event Provider does not provide such a list to ZoomInfo, no subprocessors will be permitted.