Learn about Predictable Revenue’s Data Processing Addendum
This Data Processing Addendum (“Addendum”) is by and between the customer that electronically accepts or otherwise agrees or opts-in to this Addendum (“Customer”), and Predictable Revenue Inc., a Canadian corporation (“Predictable Revenue”) (collectively referred to as the “Parties”), sets forth the terms and conditions relating to the privacy, confidentiality and security of Personal Data (as defined below) associated with services to be rendered by Predictable Revenue to Customer.
Whereas, Customer or its employees, agents, consultants or contractors (collectively, “Customer
Personnel”) shall provide Predictable Revenue with access to Personal Data in connection with certain services performed by Predictable Revenue for or on behalf of Customer pursuant to the Master Agreement; and Whereas, Customer requires that Predictable Revenue preserve and maintain the privacy, confidentiality and security of such Personal Data. Now therefore, in consideration of the mutual covenants and agreements in this Addendum and the Master
Agreement and for other good and valuable consideration, the sufficiency of which is hereby
acknowledged, Customer and Predictable Revenue agree as follows:
I. Definitions
(A) “Applicable Law” means all applicable European Union (“EU”) or national laws and regulations
relating to the privacy, confidentiality, security and protection of Personal Data, including, without
limitation: the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”), with effect
from 25 May 2018, and EU Member State laws supplementing the GDPR; the EU Directive
2002/58/EC (“e-Privacy Directive”), as replaced from time to time, and EU Member State laws
implementing the e-Privacy Directive, including laws regulating the use of cookies and other tracking
means as well as unsolicited e-mail communications.
(B) “Data Controller” means a person who alone or jointly with others determines the purposes and
means of the Processing of Personal Data.
(C) “Data Processor” means a person who Processes Personal Data on behalf of the Data Controller.
(D) “Data Security Measures” means technical and organizational measures that are aimed at ensuring
a level of security of Personal Data that is appropriate to the risk of the Processing, including protecting
Personal Data against accidental or unlawful loss, misuse, unauthorized access, disclosure, alteration,
destruction, and all other forms of unlawful Processing, including measures to ensure the confidentiality of
Personal Data.
(E) “Data Subject” means an identified or identifiable natural person to which the Personal Data pertain.
(F) “Instructions” means this Addendum and any further written agreement or documentation through
which the Data Controller instructs the Data Processor to perform specific Processing of Personal Data
(G) “Notification Related Costs” means Customer’s and its affiliates’ internal and external costs
associated with investigating, addressing and responding to a Personal Data Breach, including but not
limited to: (i) preparation and mailing or other transmission of any notifications or other communications to
customers, potential customers, clients, employees, agents or others as Customer deems reasonably
appropriate; (ii) establishment of a call center or other communications procedures in response to such
Personal Data Breach (e.g., customer service FAQs, talking points and training); (iii) public relations and
other similar crisis management services; (iv) legal, accounting, consulting and forensic expert fees and
expenses associated with the Customer’s and its affiliates’ investigation of and response to such
Personal Data Breach; and (v) costs for commercially reasonable credit monitoring, identity protection
services or similar services that Customer determines are advisable under the circumstances.
(H) “Personal Data” means any information relating to an identified or identifiable natural person
Processed by Predictable Revenue in accordance with Customer’s Instructions pursuant to this
Addendum; an identifiable natural person is one who can be identified, directly or indirectly, in particular
by reference to an identifier such as name, an identification number, location data, an online identifier or
to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person.
(I) “Personal Data Breach” a breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or
otherwise Processed.
(J) “Process”, “Processed”, or“Processing” means any operation or set of operations performed
upon Personal Data, whether or not by automated means, such as collection, recording, organization,
structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(K) “Sub-Processor” means the entity engaged by the Data Processor or any further Sub-Processor to
Process Personal Data on behalf and under the authority of the Data Controller.
II. Roles and Responsibilities of the Parties
(A) The Parties acknowledge and agree that Customer is acting as a Data Controller, and has the sole
and exclusive authority to determine the purposes and means of the Processing of Personal Data
Processed under this Addendum, and Predictable Revenue is acting as a Data Processor on behalf and
under the Instructions of Customer.
(B) Any Personal Data will at all times be and remain the sole property of Customer and Predictable
Revenue will not have or obtain any rights therein.
III. Obligation of the Predictable Revenue
Predictable Revenue agrees and warrants to:
(A) Process Personal Data disclosed to it by Customer only on behalf of and in accordance with the
Instructions of the Data Controller and Annex 1 of this Addendum, unless Predictable Revenue is
otherwise required by Applicable Law, in which case Predictable Revenue shall inform Customer of that
legal requirement before Processing the Personal Data, unless informing the Customer is prohibited by
law on important grounds of public interest. Predictable Revenue shall immediately inform Customer if, in
Predictable Revenue’s opinion, an Instruction provided infringes Applicable Law.
(B) Hold in strict confidence (i) the existence and terms of the Master Agreement (including this
Addendum), and any related agreement, and (ii) any and all Personal Data.
(C) Ensure that any person authorized by Predictable Revenue to Process Personal Data in the context
of the Services is only granted access to Personal Data on a need-to-know basis, is subject to a duly
enforceable contractual or statutory confidentiality obligation, and only processes Personal Data in
accordance with the Instructions of the Data Controller.
(D) Not transfer Personal Data outside the country from which Customer or its Personnel originally
delivered to Predictable Revenue, or from which Predictable Revenue otherwise accessed or obtained
such Personal Data or, if it was originally delivered to a location inside the European Economic Area
(“EEA”) or Switzerland, outside the EEA or Switzerland), for Processing without the explicit written
consent of Customer (where such consent is deemed to have been granted in respect of the jurisdictions
listed in Annex 1). Predictable Revenue shall enter into any written agreements as are necessary (in
Customer’s reasonable determination) to comply with Applicable Law concerning any cross-border
transfer of Personal Data, whether to or from Predictable Revenue.
(E) Inform Customer promptly and without undue delay of any formal requests from Data Subjects
exercising their rights of access, correction or erasure of their Personal Data, their right to restrict or to
object to the Processing as well as their right to data portability, and not respond to such requests, unless
instructed by the Customer in writing to do so. Taking into account the nature of the Processing of
Personal Data, Predictable Revenue shall assist Customer, by appropriate technical and organizational
measures, insofar as possible, in fulfilling Customer’s obligations to respond to a Data Subject’s request
to exercise their rights with respect to their Personal Data.
(F) Notify Customer immediately in writing of any subpoena or other judicial or administrative order by a
government authority or proceeding seeking access to or disclosure of Personal Data. Customer shall
have the right to defend such action in lieu of and on behalf of Predictable Revenue. Customer may, if it
so chooses, seek a protective order. Predictable Revenue shall reasonably cooperate with Customer in
such defense.
(G) Provide reasonable assistance to Customer, at Customer’s cost, in complying with Customer’s
obligations under Applicable Law.
(H) Maintain internal record(s) of Processing activities, copies of which shall be provided to Customer by
Predictable Revenue or to supervisory authorities upon request. Such records must contain at least: (i)
the name and contact details of Predictable Revenue; (ii) the categories of Processing activities carried
out under this Addendum; (iii) information on data transfers to a third country or a third party, where
applicable; and (iv) a general description of the Data Security Measures implemented to protect Personal
Data Processed under this Addendum.
IV. Sub-Processing
(A) Predictable Revenue shall not share, transfer, disclose, make available or otherwise provide access
to any Personal Data to any third party, or contract any of its rights or obligations concerning Personal
Data, unless Customer has authorized Predictable Revenue to do so in writing. Where Predictable
Revenue, with the consent of Customer, provides access to Personal Data to a third party, Predictable
Revenue shall enter into a written agreement with each such third party that imposes obligations on the
third party that provide equivalent protection to those imposed on Predictable Revenue under this
Addendum. Predictable Revenue shall only retain third parties that are capable of appropriately protecting
the privacy, confidentiality and security of the Personal Data.
V. Compliance with Applicable Laws
(A) Each party shall comply with all Applicable Laws.
(B) Each Party shall in good faith negotiate any further data Processing agreement reasonably requested
by Customer for purposes of compliance with the Applicable Law. In case of any conflict between this
Addendum and the Master Agreement, this Addendum shall prevail with regard to the Processing of
Personal Data covered by it.
VI. Data Security
(A) Predictable Revenue shall develop, maintain and implement a comprehensive written information
security program that complies with Applicable Law. Predictable Revenue’s information security program
shall include appropriate administrative, technical, physical, organizational and operational safeguards
and other security measures designed to (i) ensure the security and confidentiality of Personal Data; (ii)
protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (iii)
protect against any Personal Data Breach, including, as appropriate:
a. The pseudonymization and encryption of the Personal Data;
b. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing
systems and services;
c. The ability to restore the availability and access to the Personal Data in a timely manner in the event
of a physical or technical incident; and
d. A process for regularly testing, assessing and evaluating the effectiveness of technical and
organizational measures adopted pursuant to this provision for ensuring the security of the
Processing.
Predictable Revenue shall adopt all reasonable recommendations Customer may make concerning Data
Security Measures, programs and procedures to ensure ongoing compliance with this Addendum
provided, however, that any material changes to Customer’s requirements shall be Processed through
the Change Control Procedures.
(B) Predictable Revenue shall supervise Predictable Revenue personnel to the extent required to
maintain appropriate privacy, confidentiality and security of Personal Data. Predictable Revenue shall
provide training, as appropriate, regarding the privacy, confidentiality and information security
requirements set forth in this Addendum to all Predictable Revenue personnel who have access to
Personal Data.
(C) Promptly upon the expiration or earlier termination of the Master Agreement, or such earlier time as
Customer requests, Predictable Revenue shall return to Customer or its designee, or at Customer’s
request, securely destroy or render unreadable or undecipherable if return is not reasonably feasible or
desirable to Customer (which decision shall be based solely on Customer’s written statement), each and
every original and copy in every media of all Personal Data in Predictable Revenue’s, its affiliates’ or their
respective subcontractors’ possession, custody or control. Promptly following any return or alternate
action taken to comply with this Clause VI(C), Predictable Revenue shall provide to Customer a
completed certificate certifying that such return or alternate action occurred. In the event applicable law
does not permit Predictable Revenue to comply with the delivery or destruction of the Personal Data,
Predictable Revenue warrants that it shall ensure the confidentiality of the Personal Data and that it shall
not use or disclose any Personal Data after termination of this Addendum.
VII. Data Breach Notification
(A) Predictable Revenue shall immediately inform Customer in writing of any Personal Data Breach of
which Predictable Revenue becomes aware, but in no case longer than twenty four (24) hours after it
becomes aware of the Personal Data Breach. The notification to Customer shall include all available
information regarding such Personal Data Breach, including information on:
a. The nature of the Personal Data Breach including where possible, the categories and approximate
number of affected Data Subjects and the categories and approximate number of affected Personal
Data records;
b. The likely consequences of the Personal Data Breach; and
c. The measures taken or proposed to be taken to address the Personal Data Breach, including, where
appropriate, measures to mitigate its possible adverse effects.
Predictable Revenue shall promptly take all necessary and advisable corrective actions, and shall
cooperate fully with Customer in all reasonable and lawful efforts to prevent, mitigate or rectify such
Breach. Predictable Revenue shall provide such assistance as required to enable Customer to satisfy
Customer’s obligation to notify the relevant supervisory authority and Data Subjects of a personal data
breach under Articles 33 and 34 of the GDPR. The content of any filings, communications, notices, press
releases or reports related to any Personal Data Breach must be approved by Customer prior to any
publication or communication thereof. Predictable Revenue shall be responsible for the costs and
expenses associated with the performance of its obligations described in this paragraph, unless the
Personal Data Breach is caused by the acts or omissions of Customer or its affiliates.
(B) In the event of a Personal Data Breach involving Personal Data in Predictable Revenue’s
possession, custody or control or for which Predictable Revenue is otherwise responsible, Predictable
Revenue shall reimburse Customer on demand for all commercially reasonable Notification Related Costs
incurred by Customer arising out of or in connection with any such Personal Data Breach.
VIII. Audit
Predictable Revenue shall on written request (but not more than once per year, other than in the event of
a breach) make available to Customer all information necessary to demonstrate compliance with the
obligations set forth in this Addendum and, at the Customer’s expense, allow for and contribute to audits,
including inspections, conducted by Customer or another auditor mandated by Customer. Upon prior
written request by Customer (provided that it shall be not more than once per year other than in the event
of a breach), Predictable Revenue agrees to cooperate and, within reasonable time, provide Customer
with: (a) audit reports and all information necessary to demonstrate Predictable Revenue’s compliance
with the obligations laid down in this Addendum; and (b) confirmation that the audit has not revealed any
material vulnerability in Predictable Revenue’s systems, or to the extent that any such vulnerability was
detected, that Predictable Revenue has fully remedied such vulnerability. Predictable Revenue’s failure to
comply with this obligation shall entitle Customer to suspend the Processing of Personal Data Processed
by Predictable Revenue, and to terminate any further Processing of Personal Data, this Addendum and/or
the Master Agreement, if doing so is required to comply with Applicable Law.
IX. Governing Law
To the extent required by Applicable Law, this Addendum shall be governed by the law ofBritish
Columbia, Canada. In all other cases, this Addendum shall be governed by the laws of the jurisdiction
specified in the Agreement.
ANNEX 1: SCOPE OF THE DATA PROCESSING
SCOPE OF THE DATA PROCESSING
This Annex forms part of the Data Processing Addendum between Customer and Predictable Revenue.
The Processing of Personal Data concerns the following categories of Data Subjects:
1. Customer’s users
2. Customer’s potential sales targets
3. Customer’s validated or rejected sales targets
The Processing concerns the following categories of Personal Data:
1. Customer users login information and usage within the Predictable Revenue platform
2. Customer’s sales targets contact information, email address, contact history and progress along sales
cycle
The Processing concerns the following categories of Sensitive Data:
Sensitive Data means Personal Data revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health, sex
life or sexual orientation.
None
The Processing concerns the following categories of data Processing activities (i.e., purposes
of Processing):
1. Purpose of processing Customer user login to the Predictable Revenue platform is solely to provide
the Predictable Revenue services.
2. Processing of sales targets personal information is to use the Services to target those individuals for
sales on behalf of Customer
Predictable Revenue uses the following Sub-Processors:
AWS
NylasPredictable Revenue may transfer and process personal information to and in the following
jurisdictions outside of the EU:
Canada, United States