The Future of TCPA Compliance and 1:1 Consent

Learn More

Table of contents

  1. DEFINITIONS
  2. INTERACTION WITH THE EULA
  3. ROLE OF THE PARTIES
  4. OBLIGATIONS OF THE PARTIES
  5. SECURITY
  6. TERM, DELETION AND RETURN
  7. DEIDENTIFIED DATA
  8. GENERAL
  9. SCHEDULE 1 - Details of Processing

Data Protection Addendum to the EULA

This VMS User Data Protection Addendum (“DPA”) forms part of the End-User License Agreement with Lead Intelligence, Inc dba Verisk Marketing Solutions (“VMS”) that incorporates this DPA by reference (“EULA”). References to “User” in this DPA refer to the counterparty to the applicable EULA.

1. DEFINITIONS

Capitalized terms used but not defined within this DPA will have the meaning set forth in the EULA. The following capitalized terms used in this DPA will be defined as follows:

Covered Data” means Personal Data provided by or on behalf of the User to VMS in connection with the VMS Products, and which VMS Processes as a Controller or as a Third Party (as applicable), as further described in Schedule 1;

Data Subject” means a natural person whose Personal Data is Processed.

Deidentified Data” means data created using Covered Data that cannot reasonably be linked to any individual, directly or indirectly.

Security Incident” means an actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Covered Data

Covered Processor Data” means Personal Data provided by or on behalf of Licensee to VMS in connection with the VMS Products, and that, except where Section 5.D applies, VMS Processes as a Processor or as a Service Provider (as applicable). Such Processing is further described in schedule 1.

The terms “Controller”, “Business”, “Processor”, “Service Provider”, “Sale”, “Share”, and “Third Party” have the meanings given to them in the Data Protection Laws.

2. INTERACTION WITH THE EULA

This DPA is incorporated into the EULA. This DPA supersedes (in case of contradictions) the EULA with respect to any Processing of Covered Data.

3. ROLE OF THE PARTIES

The Parties acknowledge and agree that:

  1. the Parties are independent “controllers” or “businesses” with regard to the Covered Data and will independently determine the purposes and means of their processing of such Covered Data;
  2. neither Party acts as a “processor” or “service provider” of the other in its performance of its obligations pursuant to the EULA and this DPA; and
  3. the Parties do not act as “joint controllers” in respect of their processing of Covered Data in connection with the EULA and this DPA.

4. OBLIGATIONS OF THE PARTIES

With respect to its Processing of Covered Data, each Party shall comply with its obligations under, and provide the same level of privacy protection as is required by, the Data Protection Laws. The Parties acknowledge and agree that the Covered Data is provided or made available to VMS solely for the purposes set out in Schedule 1. User may take reasonable steps to ensure that VMS uses Covered Data in a manner consistent with User’s obligations under Data Protection Laws; and upon reasonable advance notice, stop and remediate unauthorized use of Covered Data.

A) User Obligations

User shall: a) share only Personal Data necessary to carry out the purpose for sharing the Personal Data; and b) shall not share any Personal Data that is not relevant to the Purpose; and

B) VMS Obligations

VMS shall:

  1. Notify the User if it receives any Personal Data that is not relevant to the Purpose and shall promptly delete such Personal Data.
  2. Retain the Covered Data for no longer than is necessary for the Purpose.
  3. Implement appropriate measures to delete or anonymize (in accordance with any guidelines or standards required under Data Protection Laws) the Covered Data once it is no longer necessary for the Purpose.
  4. Give effect to Data Subject rights requests under Data Protection Laws applicable to the User’s processing of Covered Data.
  5. Promptly notify the User if VMS determines it can no longer meet its obligations under Data Protection Laws.

C) Data Subject rights requests

User will promptly notify the other if it receives a request from a Data Subject to assert their rights to the deletion, correction, or opt out of Sale of Covered Data. Each Party is independently responsible for responding to inquiries from regulatory authorities under Data Protection Laws with regard to its processing of the Covered Data.

5. SECURITY

VMS will implement and maintain appropriate technical and organisational data protection and security measures designed to ensure security of Covered Data. When assessing the appropriate level of security, VMS shall take into account the nature, scope, context, and purpose of the Processing as well as the risks that are presented by the Processing.

A) Security Incidents

VMS will promptly notify the User in writing after confirming a Security Incident. VMS will take reasonable steps to manage any Security Incident and will send the User information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate the Security Incident, and the status of the investigation.

VMS will reasonably cooperate with the User’s investigation of the Security Incident and the User’s obligations in relation to the Security Incident under Data Protection Laws, including any notification to Data Subjects or regulators.

6. TERM, DELETION AND RETURN

This DPA shall survive so long as, and to the extent that, VMS Processes Covered Data.

7. DEIDENTIFIED DATA

If VMS receives Deidentified Data from or on behalf of User, VMS shall:

  1. take reasonable measures to ensure the information cannot be associated with a Data Subject;
  2. Process the Deidentified Data solely in deidentified form and not attempt to reidentify the information; and
  3. contractually obligate any VMS’s subprocessors of the Deidentified Data to comply with the foregoing requirements and Data Protection Laws.

8. GENERAL

The Parties hereby certify that they understand the requirements in this DPA and will comply with them. The Parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in Data Protection Laws.

SCHEDULE 1

Details of Processing

Table 1: Processing that VMS undertakes as a Third Party or Controller

Categories of Data Subjects

Data Subjects who visit User Platforms; User’s Authorized Users, and User’s Employees, Agents, Advisors, and Freelancers.

Categories of Personal Data

Data Subjects who visit User Platforms

Event Data, including, but not limited to, Contact Information (e.g., name, address, telephone number, email address), IP address, non-precise geolocation, date and time, transaction information (e.g., services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies), and internet or other electronic network activity information (e.g., browsing information and browsing history; search history; website interactions and online interests, such as information about categories of consumer interests derived from online usage; URL information including referrer URLs; and information on a consumer's interaction with a website, application, or advertisement).

User’s Employees, Agents, Advisors, and Freelancers

B2B contact information.

User’s Authorized Users

Usage data.

Special categories of Personal Data

None

Nature and Purposes of the Processing

To provide the VMS Products.