LeadsNavi Data Processing Addendum

This data processing addendum ("DPA") supplements and forms part of the LeadsNavi Terms of Service as updated from time to time between the Subscriber and LeadsNavi Pte. Ltd. (the "Terms of Service"). This DPA is between the Subscriber as defined in the Terms of Service ("Subscriber") and LeadsNavi Pte. Ltd (referred to as "LeadsNavi" as set out in the Terms of Service). The Subscriber and LeadsNavi shall each be a "Party" and together the "Parties". In the event of conflict between the terms of the Terms of Service and this DPA, this DPA shall take priority in respect of Personal Data Processing.

  1. DEFINITIONS AND INTERPRETATION

    1.1. Unless otherwise defined herein, the following definitions apply:

    "Applicable Data Protection Laws" means EU GDPR, UK GDPR and, to the extent applicable, the data protection or privacy laws of any other country (including all law and regulations implementing or made under them, any amendment or re-enactment of them and any judicial or administrative interpretation of any of them);

    "EU GDPR" means EU General Data Protection Regulation 2016/679, as may be amended from time to time;

    "EU SCCs" has the meaning given to it in section 2.1 of Schedule 1 of this DPA;

    "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"); and an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

    "Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction ("Process" and "Processed" shall be construed accordingly);

    "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject to an adequacy regulation made by the UK government pursuant to Section 17A of the United Kingdom Data Protection Act 2018;

    "Security Incident" means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise processed by LeadsNavi under this DPA;

    "Services" has the meaning given to it in the Terms of Service;

    "Subscriber Personal Data" means any Personal Data Processed by LeadsNavi on behalf of the Subscriber pursuant to, or in connection with, the Terms of Service as supplemented by this DPA, save that Subscriber Personal Data does not include information relating to the Subscriber's LeadsNavi account information such as information relating to its personnel or representatives, account related communications and/or billing related information;

    "UK GDPR" has the meaning given to it in Section 3(10) (as supplemented by Section 205(4)) of the United Kingdom Data Protection Act 2018, as may be amended or superseded from time to time.

    1.2. References to "controller" and "processor" shall have the meaning given to them under the UK GDPR and/or EU GDPR (as applicable).

  2. DETAILS OF PROCESSING

    2.1. Scope & Role. The Parties agree that in the context of the Services provided by LeadsNavi to the Subscriber, LeadsNavi acts as processor to the Subscriber and, that the Subscriber may either be a controller or processor in the context of its activities. This DPA applies to LeadsNavi's Processing of Subscriber Personal Data.

    2.2. Purpose and nature of processing. The purpose of the Processing under this DPA is to maintain and provide the Services subscribed for or otherwise initiated by the Subscriber pursuant to the Terms of Service.

    2.3. Categories of data subjects. Categories of data subjects could include Subscriber's existing or prospective customers, suppliers and users.

    2.4. Categories of personal data. Categories of Personal Data processed pursuant to this DPA include email addresses and phone numbers.

    2.5. Duration. The duration of the Processing under this DPA is determined by the Subscriber in accordance with the Terms of Service.

  3. DATA PROCESSING OBLIGATIONS

    3.1. Compliance with Laws. Each Party agrees that it shall comply with all laws and regulations applicable to it and binding on it in the performance of this DPA including all Applicable Data Protection Laws. In particular, the Subscriber shall ensure that any customer (or similar) lists containing Personal Data, are up to date, comply with relevant legal requirements and reflect any opt-out or other rights exercised by data subjects.

    3.2. Subscriber Instructions. The Parties agree that the Terms of Service as supplemented by this DPA (including instructions via configuration tools and APIs available through the Services) constitute the Subscriber's instructions regarding Processing of Subscriber Personal Data. LeadsNavi will Process Subscriber Personal Data only in accordance with the Subscriber's instructions and any additional instructions not contemplated by this section 3.2 will require prior written agreement between the Parties including agreement on any additional fees payable. Where required by Applicable Data Protection Laws, LeadsNavi will notify the Subscriber if, in its opinion, it reasonably believes that an instruction could infringe Applicable Data Protection Laws, however, taking into account the nature of the Services, the Subscriber agrees that LeadsNavi is unlikely to be able to reasonably determine whether the Subscriber's instructions infringe Applicable Data Protection Laws and/or any other applicable laws.

    3.3. Confidentiality Obligations. LeadsNavi shall take reasonable steps, including with respect to its personnel, to help ensure the confidentiality, data protection and security of the Subscriber Personal Data.

    3.4. Subscriber Obligations

    The Subscriber shall ensure that throughout the duration of its use of the Services it:

    1. has a valid legal basis for the Processing;
    2. complies with all required notices, consents, permissions and rights of data subjects as required under Applicable Data Protection Laws; and
    3. shall not provide or otherwise make available to LeadsNavi any Subscriber Personal Data that contains sensitive personal data or Special Category Personal Data (as defined in UK GDPR).

    3.5. Security

    Taking into account the state of the art, the costs of implementing and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity of the rights and freedoms of natural persons, LeadsNavi shall, in relation to the Subscriber Personal Data, implement appropriate technical and organisational measures to help ensure a level of security appropriate to the risk of Processing.

    3.6. Sub-Processing

    3.6.1. Subscriber provides general authorisation to LeadsNavi's use of sub-Processors to provide Processing activities in relation to Subscriber Personal Data. Information on LeadsNavi's Sub-Processors is available at LeadsNavi Sub-processors

    3.6.2. In relation to any sub-Processors LeadsNavi shall:

    1. impose equivalent data protection obligations on the sub-Processor that protect the Subscriber Personal Data, in substance, to the same standard provided by this DPA; and
    2. remain fully liable for any breach of this DPA that is caused by an act, error or omission of the sub-Processor to the extent that LeadsNavi would be liable under this DPA if it were performing such Processing itself directly.

    3.7. Data Subject Rights

    3.7.1. Taking into account the nature of the Processing and the Services provided by LeadsNavi, and unless Applicable Data Protection Laws require otherwise, the Parties agree that where a data subject exercises their data privacy rights under Applicable Data Protection Laws:

    1. LeadsNavi shall notify the Subscriber if it receives a request from a data subject as soon as reasonably practicable and direct the data subject to submit the request to the Subscriber; and
    2. the Subscriber will be responsible for responding to any such request.

    3.8. Third Party and Public Authority Access Requests

    3.8.1. Unless prohibited from doing so under applicable law, LeadsNavi will notify the Subscriber if it:

    1. receives any legally binding requests from a public authority, including judicial authorities; or
    2. becomes aware of any direct access by public authorities or unauthorised third parties to Subscriber Personal Data and the details of any such access.

    3.9. Security Incident

    3.9.1. LeadsNavi shall notify the Subscriber without undue delay upon becoming aware of a Security Incident in relation to the Subscriber Personal Data. Such notification or responses to Security Incident shall not be construed as an acknowledgement of fault or liability by LeadsNavi with respect to the Security Incident.

    3.9.2. Where appropriate, LeadsNavi will provide the Subscriber with reasonable information relating to the Security Incident to allow the Subscriber to comply with its obligations under Applicable Data Protection Laws.

    3.9.3. Where the Subscriber notifies a data protection or other supervisory authority of a Security Incident and such notice directly or indirectly refers to or otherwise identifies LeadsNavi, the Subscriber shall:

    1. promptly notify LeadsNavi in advance and in writing; and
    2. in good faith consult with LeadsNavi on the content of the notification including any references to LeadsNavi (taking on board any reasonable corrections of clarifications provided by LeadsNavi that relate to LeadsNavi's involvement in the Security Incident).

    3.10. Deletion or return of Subscriber Personal Data

    If so requested by the Subscriber, LeadsNavi shall return or delete (or procure the return or deletion of) all copies of the Subscriber Personal Data unless any applicable laws require that copies are kept.

    3.11. Restricted Transfers

    To the extent that the transfer of Personal Data from the Subscriber to LeadsNavi is a Restricted Transfer, the Parties agree that the relevant sections of Schedule 1 of this DPA shall apply.

    3.12. Assistance

    3.12.1. Taking into account (i) the nature of the Services provided, (ii) the Processing undertaken by LeadsNavi and (iii) the information available to LeadsNavi, LeadsNavi shall:

    1. provide the Subscriber with reasonable assistance to help the Subscriber comply with its obligations under Applicable Data Protection Laws (where applicable); and
    2. make available to the Subscriber information necessary to demonstrate compliance with this DPA and cooperate with reasonable audit requests provided that such audits are (i) conducted in line with internationally recognised standards and by qualified auditors, (ii) subject to a reasonable scope (determined by LeadsNavi), (iii) subject to reasonable advance notice (iv) subject to confidentiality terms in form and substance acceptable to LeadsNavi, (v) conducted within reasonable business hours during which relevant LeadsNavi personnel are available and with minimal disruption to LeadsNavi's business, (vi) conducted in accordance with LeadsNavi's security and other relevant policies, (vii) do not impact the security, confidentiality, integrity or availability of the Services to other LeadsNavi subscribers and (viii) conducted no more than once per calendar year.

    3.12.2. The Parties agree that LeadsNavi shall be entitled to recover reasonable costs and expenses incurred in connection with complying with sections 3.12.1.1 and/or 3.12.1.2 (as applicable) and such costs and expenses will be payable by the Subscriber to LeadsNavi within 30 days of receipt of LeadsNavi's invoice.

SCHEDULE 1

TRANSFER PROVISIONS

  1. UK RESTRICTED TRANSFERS

    1.1. In this section 1, "UK Addendum" means the International Data Transfer Addendum (version B.1.0) to the EU SCCs issued by the United Kingdom's Information Commissioner and laid before the Parliament in accordance with s119A of the Data Protection Act 2018, in force 21 March 2022.

    1.2. LeadsNavi shall comply with the Importer's obligations, and the Subscriber shall comply with the Exporter's obligations, set out in the UK Addendum, which is hereby incorporated into and forms part of this DPA. The execution of this DPA as part of the Terms of Service, shall be deemed to be treated as executing the UK Addendum.

    1.3. For the purposes of the UK Addendum and where the Subscriber is acting as a controller and LeadsNavi is acting as a processor, module two (controller to processor) of the EU SCCs is in operation and:

    • Clause 7 (Docking clause) shall not apply;
    • Clause 9(a) requires prior authorisation with 30 days' notice;
    • the optional provisions in Clause 11(a) shall not apply; and
    • either Party may terminate the UK Addendum pursuant to Section 19.

    1.4. In the event that the Subscriber is acting as a processor and LeadsNavi is acting as a sub-processor, for the purposes of the UK Addendum, module three (processor to processor) of the EU SCCs is in operation and:

    • Clause 7 (Docking clause) shall not apply;
    • Clause 9(a) requires prior authorisation with 30 days' notice;
    • the optional provisions in Clause 11(a) shall not apply; and
    • either Party may terminate the UK Addendum pursuant to Section 19.

    1.5. The relevant boxes and information in Tables one to three of such incorporated UK Addendum shall be deemed completed accordingly as set out in Schedule 2 of this DPA.

  2. EU RESTRICTED TRANSFERS

    2.1. In this section 2, "EU SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

    2.2. LeadsNavi shall comply with the Importer's obligations, and the Subscriber shall comply with the Exporter's obligations, set out in the EU SCCs, which is hereby incorporated into and forms part of this DPA. The execution of this DPA as part of the Terms of Service shall be deemed to be treated as executing the EU SCCs.

    2.3. For the purposes of the EU SCCs and where the Subscriber is acting as a controller and LeadsNavi is acting as a processor, module two (controller to processor) of the EU SCCs is in operation and:

    • Clause 7 (Docking clause) shall not apply;
    • Clause 9(a) requires prior authorisation with 30 days' notice;
    • the optional provisions in Clause 11(a) shall not apply;
    • for the purposes of Clause 13(a) of the EU SCCs, all square brackets are removed and all text therein is retained;
    • for the purposes of Clause 17, the governing law shall be Ireland;
    • for the purposes of Clause 18(b), the relevant courts shall be those of Ireland; and
    • either Party may terminate the EU SCCs pursuant to Clause 19 of such EU SCCs.

    2.4. For the purposes of the EU SCCs and where the Subscriber is acting as a processor and LeadsNavi is acting as a sub-processor, module three (processor to processor) of the EU SCCs is in operation and:

    • Clause 7 (Docking clause) shall not apply;
    • Clause 9(a) requires prior authorisation with 30 days' notice;
    • the optional provisions in Clause 11(a) shall not apply;
    • for the purposes of Clause 13(a) of the EU SCCs, all square brackets are removed and all text therein is retained;
    • for the purposes of Clause 17, the governing law shall be Ireland;
    • for the purposes of Clause 18(b), the relevant courts shall be those of Ireland; and
    • either Party may terminate the EU SCCs pursuant to Clause 19 of such EU SCCs.

    2.5. The relevant boxes and information in Tables one to three of such incorporated EU SCCs shall be deemed completed accordingly as set out in Schedule 2 of this DPA.

SCHEDULE 2

DETAILS OF TRANSFERS

Importer Full Legal Name, Main Address and Official Registration No (for Annex 1A) LeadsNavi Pte. Ltd
8 Kaki Bukit Avenue 4, #08-32, Premier @ Kaki Bukit, Singapore (415875)
Official registration number - 202439191E
Importer Full name, job title and contact details (including email) of the key contact (for Annex 1A) Contact details specified in the DPA or Terms of Service.
Exporter Full Legal Name, Main Address and Official Registration No (for Annex 1A) The Subscriber as set out in the Terms of Service or otherwise associated with the Subscriber's account.
Exporter Full name, job title and contact details (including email) of the key contact (for Annex 1A) The contact details associated with the Subscriber's account.
Start Date (for UK Addendum) The date of this DPA.
Descriptions of Transfers for Annex 1B Categories of data subjects – see section 2.3 of this DPA.
Categories of personal data – see section 2.4 of this DPA.
Sensitive personal data and safeguards applicable – N/A.
Frequency of transfer – continuous
Nature of processing – see section 2.2 of this DPA.
Purposes of transfer and further processing – see section 2.2 of this DPA.
Period for which personal data will be retained – see section 2.5 of this DPA.
For transfers to sub-processors – subject matter, nature and duration of processing – the details set out in section 2 of this DPA would be applicable.
Competent Supervisory Authority For EU SCCs only – Ireland
Annex II – Technical and Organisational Measures Governance: organizational management and staff responsible for implementing, maintaining and overseeing security program.
Data security measures to help ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services including things like access management controls, encryption and threat detection.
Ongoing monitoring of security posture and appropriate reporting to senior management.
Logical access controls designed to limit access based on need to know and least privilege.
Protection measures for data in transit and storage.
Physical security of facilities and data centres.
Event logging in relation to access and system activity.
Incident management procedures designed to allow LeadsNavi to investigate and respond to security incidents.
Training and awareness to promote a culture of security and privacy including principles such as data minimization.
Annex III – Sub-processors See section 3.6.1 of this DPA.