Data Processing

Needls. was built to help you grow your business. Our ongoing evolution is a function of listening closely to what you have to say and adapting. We view you as a partner rather than a client, providing you with the tools needed to increase sales. Your success is our success!

This Data Processing Addendum (“Addendum”) is by and between the customer
that electronically accepts or otherwise agrees or opts in to this Addendum
(“Customer”) and Needls Inc., a Canadian corporation (“Needls”)
(collectively referred to as the “Parties”), and sets forth the terms and
conditions relating to the privacy, confidentiality and security of
Personal Data (as defined below) associated with services to be rendered by
Needls to Customer.

Whereas, Customer or its employees, agents, consultants or contractors
(collectively, “Customer Personnel”) shall
provide Needls with access to Personal Data in connection with certain
services performed by Needls for or on behalf of Customer pursuant to the
Master Agreement; and

Whereas, Customer requires that Needls preserve and maintain the privacy,
confidentiality and security of such Personal Data.

Now therefore, in consideration of the mutual covenants and agreements in
this Addendum and the Master Agreement and for other good and valuable
consideration, the sufficiency of which is hereby acknowledged, Customer
and Needls agree as follows:

I. Definitions

(A) “Applicable Law” means all applicable
European Union (“EU”) or national laws and regulations relating to the
privacy, confidentiality, security and protection of Personal Data,
including, without limitation: the EU General Data Protection Regulation
2016/679 (“GDPR”), with effect from 25 May 2018, and
EU Member State laws supplementing the GDPR; the EU Directive 2002/58/EC
(“e-Privacy Directive”), as replaced from time to time, and EU Member State
laws implementing the e-Privacy Directive, including laws regulating the
use of cookies and other tracking means as well as unsolicited e-mail
communications.

(B) “Data Controller” means a person who alone
or jointly with others determines the purposes and means of the Processing
of Personal Data.

(C) “Data Processor” means a person who
Processes Personal Data on behalf of the Data Controller.

(D) “Data Security Measures” means technical and
organizational measures that are aimed at ensuring a level of security of
Personal Data that is appropriate to the risk of the Processing, including
protecting Personal Data against accidental or unlawful loss, misuse,
unauthorized access, disclosure, alteration, destruction, and all other
forms of unlawful Processing, including measures to ensure the
confidentiality of Personal Data.

(E) “Data Subject” means an identified or
identifiable natural person to which the Personal Data pertain.

(F) “Instructions” means this Addendum and any
further written agreement or documentation through which the Data
Controller instructs the Data Processor to perform specific Processing of
Personal Data.

(G) “Notification Related Costs” means
Customer’s and its affiliates’ internal and external costs associated with
investigating, addressing and responding to a Personal Data Breach,
including but not limited to: (i) preparation and mailing or other
transmission of any notifications or other communications to customers,
potential customers, clients, employees, agents or others as Customer deems
reasonably appropriate; (ii) establishment of a call center or other
communications procedures in response to such Personal Data Breach (e.g.,
customer service FAQs, talking points and training); (iii) public relations
and other similar crisis management services; (iv) legal, accounting,
consulting and forensic expert fees and expenses associated with the
Customer’s and its affiliates’ investigation of and response to such
Personal Data Breach; and (v) costs for commercially reasonable credit
monitoring, identity protection services or similar services that Customer
determines are advisable under the circumstances.

(H) “Personal Data” means any information
relating to an identified or identifiable natural person Processed by
Needls in accordance with Customer’s Instructions pursuant to this
Addendum; an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as
name, an identification number, location data, an online identifier or to
one or more factors specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that natural person.

(I) “Personal Data Breach” means a breach of security
leading to the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, Personal Data transmitted, stored
or otherwise Processed.

(J) “Process”, “Processed”, or
“Processing” means any operation or set of
operations performed upon Personal Data, whether or not by automated means,
such as collection, recording, organization, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction.

(K) “Sub-Processor” means the entity engaged by
the Data Processor or any further Sub-Processor to Process Personal Data on
behalf and under the authority of the Data Controller.

II. Roles and Responsibilities of the Parties

(A) The Parties acknowledge and agree that Customer is acting as a Data
Controller, and has the sole and exclusive authority to determine the
purposes and means of the Processing of Personal Data Processed under this
Addendum, and Needls is acting as a Data Processor on behalf and under the
Instructions of Customer.

(B) Any Personal Data will at all times be and remain the sole property of
Customer and Needls will not have or obtain any rights therein.

III. Obligation of Needls

Needls agrees and warrants to:

(A) Process Personal Data disclosed to it by Customer only on behalf of and
in accordance with the Instructions of the Data Controller and Annex 1 of
this Addendum, unless Needls is otherwise required by Applicable Law, in
which case Needls shall inform Customer of that legal requirement before
Processing the Personal Data, unless informing the Customer is prohibited
by law on important grounds of public interest. Needls shall immediately
inform Customer if, in Needls’s opinion, an Instruction provided infringes
Applicable Law.

(B) Hold in strict confidence (i) the existence and terms of the Master
Agreement (including this Addendum), and any related agreement, and (ii)
any and all Personal Data.

(C) Ensure that any person authorized by Needls to Process Personal Data in
the context of the Services is only granted access to Personal Data on a
need-to-know basis, is subject to a duly enforceable contractual or
statutory confidentiality obligation, and only processes Personal Data in
accordance with the Instructions of the Data Controller.

(D) Not transfer Personal Data outside the country from which Customer or
its Personnel originally delivered it to Needls, or from which Needls
otherwise accessed or obtained such Personal Data (or, if it was originally
delivered to a location inside the European Economic Area (“EEA”) or
Switzerland, outside the EEA or Switzerland), for Processing without the
explicit written consent of Customer (where such consent is deemed to have
been granted in respect of the jurisdictions listed in Annex 1). Needls
shall enter into any written agreements as are necessary (in Customer’s
reasonable determination) to comply with Applicable Law concerning any
cross-border transfer of Personal Data, whether to or from Needls.

(E) Inform Customer promptly and without undue delay of any formal requests
from Data Subjects exercising their rights of access, correction or erasure
of their Personal Data, their right to restrict or to object to the
Processing as well as their right to data portability, and not respond to
such requests, unless instructed by the Customer in writing to do so.
Taking into account the nature of the Processing of Personal Data, Needls
shall assist Customer, by appropriate technical and organizational
measures, insofar as possible, in fulfilling Customer’s obligations to
respond to a Data Subject’s request to exercise their rights with respect
to their Personal Data.

(F) Notify Customer immediately in writing of any subpoena or other
judicial or administrative order by a government authority or proceeding
seeking access to or disclosure of Personal Data. Customer shall have the
right to defend such action in lieu of and on behalf of Needls. Customer
may, if it so chooses, seek a protective order. Needls shall reasonably
cooperate with Customer in such defence.

(G) Provide reasonable assistance to Customer, at Customer’s cost, in
complying with Customer’s obligations under Applicable Law.

(H) Maintain internal record(s) of Processing activities, copies of which
shall be provided to Customer by Needls or to supervisory authorities upon
request. Such records must contain at least: (i) the name and contact
details of Needls; (ii) the categories of Processing activities carried out
under this Addendum; (iii) information on data transfers to a third country
or a third party, where applicable; and (iv) a general description of the
Data Security Measures implemented to protect Personal Data Processed under
this Addendum.

IV. Sub-Processing

(A) Needls shall not share, transfer, disclose, make available or otherwise
provide access to any Personal Data to any third party, or contract any of
its rights or obligations concerning Personal Data, unless Needls has
entered into a written agreement with each such third party that imposes
obligations on the third party that are the same as those imposed on Needls
under this Addendum. Needls shall only retain third parties that are
capable of appropriately protecting the privacy, confidentiality and
security of the Personal Data. Needls’s current list of Sub-Processors is
set out in Annex 1, and Needls shall update Customer in the event of any
changes to its Sub-Processors.

V. Compliance with Applicable Laws

(A) Each party shall comply with all Applicable Laws.

(B) Needls represents and warrants that no Applicable Law, or legal
requirement, or privacy or information security enforcement action,
investigation, litigation or claim prohibits Needls from fulfilling its
obligations under this Addendum.

VI. Data Security

(A) Needls shall develop, maintain and implement a comprehensive written
information security program that complies with Applicable Law. Needls’s
information security program shall include appropriate administrative,
technical, physical, organizational and operational safeguards and other
security measures designed to (i) ensure the security and confidentiality
of Personal Data; (ii) protect against any anticipated threats or hazards
to the security and integrity of Personal Data; and (iii) protect against
any Personal Data Breach, including, as appropriate:

  1. The pseudonymisation and encryption of the Personal Data;
  2. The ability to ensure the ongoing confidentiality, integrity,
    availability and resilience of Processing systems and services;
  3. The ability to restore the availability and access to the Personal Data
    in a timely manner in the event of a physical or technical incident;
    and
  4. A process for regularly testing, assessing and evaluating the
    effectiveness of technical and organizational measures adopted pursuant
    to this provision for ensuring the security of the Processing.

Needls shall adopt all reasonable recommendations Customer may make
concerning Data Security Measures, programs and procedures to ensure
ongoing compliance with this Addendum provided, however, that any material
changes to Customer’s requirements shall be Processed through the Change
Control Procedures.

(B) Needls shall supervise Needls personnel to the extent required to
maintain appropriate privacy, confidentiality and security of Personal
Data. Needls shall provide training, as appropriate, regarding the privacy,
confidentiality and information security requirements set forth in this
Addendum to all Needls personnel who have access to Personal Data.

(C) Promptly upon the expiration or earlier termination of the Master
Agreement, or such earlier time as Customer requests, Needls shall return
to Customer or its designee, or at Customer’s request, securely destroy or
render unreadable or undecipherable if return is not reasonably feasible or
desirable to Customer (which decision shall be based solely on Customer’s
written statement), each and every original and copy in every media of all
Personal Data in Needls’s, its affiliates’ or their respective
subcontractors’ possession, custody or control. Promptly following any
return or alternate action taken to comply with this Clause VI(C), Needls
shall provide to Customer a completed certificate certifying that such
return or alternate action occurred. In the event applicable law does not
permit Needls to comply with the delivery or destruction of the Personal
Data, Needls warrants that it shall ensure the confidentiality of the
Personal Data and that it shall not use or disclose any Personal Data after
termination of this Addendum.

VII. Data Breach Notification

(A) Needls shall promptly inform Customer in writing of any Personal Data
Breach of which Needls becomes aware. The notification to Customer shall
include pertinent available information regarding such Personal Data
Breach, including information on:

  1. The nature of the Personal Data Breach including where possible, the
    categories and approximate number of affected Data Subjects and the
    categories and approximate number of affected Personal Data records;
    and
  2. The measures taken or proposed to be taken to address the Personal Data
    Breach, including, where appropriate, measures to mitigate its possible
    adverse effects.

Needls shall promptly take all necessary and advisable corrective actions,
and shall cooperate fully with Customer in all reasonable and lawful
efforts to prevent, mitigate or rectify such Breach. Needls shall provide
such assistance as required to enable Customer to satisfy Customer’s
obligation to notify the relevant supervisory authority and Data Subjects
of a personal data breach under Articles 33 and 34 of the GDPR. The content
of any filings, communications, notices, press releases or reports related
to any Personal Data Breach must be approved by Customer prior to any
publication or communication thereof.

VIII. Audit

Needls shall on written request (but not more than once per year, other
than in the event of a breach) make available to Customer all information
necessary to demonstrate compliance with the obligations set forth in this
Addendum and, at the Customer’s expense, allow for and contribute to
audits, including inspections, conducted by Customer or another auditor
mandated by Customer. Upon prior written request by Customer (provided that
it shall be not more than once per year other than in the event of a
breach), Needls agrees to cooperate and, within reasonable time, provide
Customer with: (a) audit reports and all information necessary to
demonstrate Needls’s compliance with the obligations laid down in this
Addendum; and (b) confirmation that the audit has not revealed any material
vulnerability in Needls’s systems, or to the extent that any such
vulnerability was detected, that Needls has fully remedied such
vulnerability. Needls’s failure to comply with this obligation shall
entitle Customer to suspend the Processing of Personal Data Processed by
Needls, and to terminate any further Processing of Personal Data, this
Addendum and/or the Master Agreement, if doing so is required to comply
with Applicable Law.

IX. Governing Law

To the extent required by Applicable Law, this Addendum shall be governed
by the law of Ontario, Canada. In all other cases, this
Addendum shall be governed by the laws of the jurisdiction specified in the
Agreement.

ANNEX 1: SCOPE OF THE DATA PROCESSING

This Annex forms part of the Data Processing Addendum between Customer and
Needls.


The Processing of Personal Data concerns the following categories of
Data Subjects:

  1. Customer users


The Processing concerns the following categories of Personal Data:

  1. Customer users login information and usage within the Needls platform


The Processing concerns the following categories of Sensitive Data
(Sensitive Data means Personal Data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade-union
membership, genetic data, biometric data, data concerning health, sex
life or sexual orientation):

  1. None


The Processing concerns the following categories of data Processing
activities (i.e., purposes of Processing):

  1. Processing of Customer user login information and usage of the Needls
    platform solely to provide the Needls services.

Needls uses the following Sub-Processors:

  1. AWS
  2. Recurly
  3. BaseCRM
  4. Stripe
  5. SendGrid
  6. ActiveCampaign
  7. Intercom


Needls may transfer and process personal information to and in the
following jurisdictions outside of the EU:

Canada, United States, Australia