%20-200x43.png)
CROSSCHQ, INC.
AND ITS AFFILIATES AND SUBSIDIARIES
Data Processing Agreement "DPA"
(For Customers Subject to GDPR & CCPA)
Last Updated: July 25, 2025
THIS DATA PROCESSING AGREEMENT ("DPA") is entered into by and between Crosschq, Inc., a Delaware corporation located at 145 E. Prospect Avenue, Danville, CA 94526, USA, its affiliates and subsidiaries, including but not limited to Crosschq, Inc. (collectively, "Crosschq"), and the Customer agreeing to the Underlying Agreement(s) (as defined below) ("Customer"). Customer is entering into this Agreement on behalf of itself and its Authorized Affiliates. All references herein to Customer also apply to Customer’s Authorized Affiliates.
WHEREAS, Crosschq and Customer have entered into, and may in the future enter into, one or more agreements that require Crosschq to provide certain Services to Customer (the "Underlying Agreement(s)");
WHEREAS, in providing the Services to Customer pursuant to the Underlying Agreement(s), Crosschq may Process Personal Data on behalf of Customer;
WHEREAS, if and to the extent Crosschq Processes Personal Data on behalf of Customer, the parties may be subject to the GDPR, the CCPA and other applicable "Data Protection Laws and Regulations";
WHEREAS, if and to the extent Crosschq processes Personal Data on behalf of Customer, Customer will be acting in the capacity of Controller (data exporter), and Crosschq will be acting in the capacity of Processor (data importer);
NOW, THEREFORE, in consideration of the foregoing, and in reliance on the mutual agreements contained herein, the parties agree as follows:
1. Definitions.
"Applicable Laws” means GDPR and CCPA and other relevant Data Protection Laws.
“Authorized Persons” means Crosschq’s employees, agents, and contractors that have a need to know or otherwise access User Data to enable Crosschq to provide the Services.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Acts of 2020, and the California Consumer Privacy Act Regulations, Cal Code Regs. Title 11, § 7000 et seq., as may be amended or superseded from time to time, and applicable implementing regulations.
“Controller” means a controller as defined under the GDPR.
“Data Protection Laws” means all applicable international, federal, state, and foreign data protection, privacy and data security laws, as well as applicable regulations and formal directives intended by their nature to have the force of law, including, without limitation, the EU Data Protection Laws, UK Data Protection Laws, and the CCPA, but excluding, without limitation, consent decrees.
“Data Breach” means any loss or unauthorized access, acquisition, theft, destruction, disclosure or use of User Data that occurs while such User Data is in the possession of or under the control of Crosschq.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“EU Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland, applicable to the processing of Personal Data for the services under the Agreement, including (where applicable) the GDPR. “UK Data Protection Laws” shall mean all laws and regulations of the United Kingdom applicable to the processing of Personal Data for the services under the Agreement. EU Data Protection Laws and UK Data Protection Laws may be collectively referred to as International Data Protection Laws.
“GDPR” means the EU General Data Protection Regulation 2016/679, including as implemented or adopted under the laws of the United Kingdom.
“Personal Data” means information relating to an identified or identifiable natural person. An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Process” or “Processing” means any operation or set of operations that are performed upon User Data, whether or not by automatic means, such as collection, accessing, processing, use, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, transmittal, alignment or combination, blocking, erasure, destruction or otherwise used as set out in the applicable Data Protection Laws.
“Processor” means a processor as defined under the GDPR, including any applicable “service provider” as that term is defined under CCPA.
“Services” means Crosschq’s services, solutions and products.
“Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, as currently set out at https:/eur-lex.europa.eu/eli/dec_impl/2021/914/oj as may be amended, superseded, or replaced.
“Sub-Processor” shall mean a Processor engaged by Crosschq to assist it in Processing the User Data in fulfilment of Crosschq’s obligations with regard to the Services.
“Third Party” is any person or entity other than Crosschq and Customer and Customer’s Users.
“User” is a person who is affiliated with Customer and is a User of Crosschq’s Services.
“User Data” means all data relating to a User that is (i) provided to Crosschq by Customer or User or (ii) otherwise obtained, accessed, developed, or produced by Crosschq. User Data may include Personal Data.
2. Data Privacy.
2.1 Roles of the Parties. The Parties shall comply with their obligations under all Data Protection Laws. For purposes of the GDPR, if Customer is the Controller then Crosschq is its Processor; if Customer is a Processor, then Crosschq is its Sub-Processor. For purposes of the CCPA, Crosschq is a Service Provider as that term is defined by the CCPA.
2.2 Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws, including any applicable requirement to provide notice to Data Subjects of the use of Crosschq as Processor (including where the Customer is a Processor, by ensuring that the ultimate Controller does so). For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted-out from sales or other disclosures of Personal Data, to the extent applicable under Data Protection Laws.
2.3 Crosschq’ s Processing of Personal Data. Crosschq shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Underlying Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Underlying Agreement. For the avoidance of doubt, Crosschq shall comply with all applicable provisions of, and is prohibited from selling or sharing Personal Data in contravention of the requirements of, the CCPA.
2.4 Details of the Processing. The subject-matter of Processing of Personal Data by Crosschq is the performance of the Services pursuant to the Underlying Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 2 (Description of Processing/Transfer) to this DPA.
2.5 Data Minimization and Sensitive Personal Data. Customer and Users should provide Crosschq only with Personal Data that is requested by Crosschq on behalf of Customer or that is otherwise necessary for Crosschq to provide the Services. Crosschq is not responsible for any other Personal Data. Customer represents and warrants that it has obtained all consents from any Users to provide their Personal Data to Crosschq. Customer and Users are advised not to provide Crosschq with Sensitive Personal Data (as defined under “Applicable Laws”).
3. Sub-Processors. Crosschq may engage Sub-Processors in connection with the provision of the Services, provided, however, that Crosschq may not provide a Sub-Processor with access to Personal Data unless the Sub-Processor has: (i) a business need to know / access the relevant Personal Data, as necessary for the purposes of the Services; (ii) signed a written obligation of confidentiality or are under professional obligations of confidentiality; and (iii) implemented technical, operational, physical, and organization safeguards to protect Personal Data against accidental or unlawful destruction or alteration and unauthorized disclosure or access. Crosschq shall be responsible for the acts and omissions of its Sub-Processors for breaches of Crosschq’s obligations in relation to the Processing of Personal Data as though they were the acts or omissions of Crosschq. Crosschq shall give Customer written electronic notice of the appointment of any new Sub-Processor through the Service and also found at https://www.crosschq.com/legal/subprocessors or such other URL provided to Customer. If, within thirty (30) days of receipt of that notice, Customer notifies Crosschq in writing of any reasonable objection to the proposed appointment on data protection grounds, the Parties shall negotiate in good faith a mutually acceptable alternative. If no such alternative is agreed within sixty (60) days of the objection, Customer will have the right to terminate the applicable Underlying Agreement to the extent it relates to services which require use of the proposed Sub-Processor.
4. Data Subject Rights; Cooperation. Crosschq shall use commercially reasonable efforts to cooperate and assist with a Data Subject’s exercise of his/her rights under applicable Data Protection Laws with respect to Personal Data Processed by Crosschq, including, without limitation, the right to be forgotten, the right to data portability, and the right to access data under the Applicable Laws. Upon Customer’s request, Crosschq shall provide Customer with reasonable assistance needed to fulfill Customer’s obligation under Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Crosschq.
5. Return or Destruction of User Data. Upon the written request of a Data Subject, Crosschq will return Personal Data to the Data Subject in a commonly readable format or securely delete Personal Data as soon as reasonably practicable. However, if Crosschq is required by law to retain Personal Data or if Personal Data is stored in a manner such that it cannot readily be returned or destroyed then Crosschq will continue to protect such Personal Data in accordance with this DPA and limit any use to the purposes of such retention.
6. Data Security.
6.1 Security Program Requirements. Crosschq will maintain a security program that contains administrative, technical, and physical safeguards appropriate to the complexity, nature, and scope of its activities. Crosschq’s security program shall be designed to protect the security and confidentiality of Personal Data against unlawful or accidental access to, or unauthorized processing, disclosure, destruction, damage or loss of Personal Data. At a minimum, Crosschq’s security program shall include: (a) limiting access of Personal Data to Authorized Persons; (b) implementing network, application, database, and platform security; (c) means for securing information transmission, storage, and disposal within Crosschq’s possession or control; (d) means for encrypting Personal Data stored on media within Crosschq’s possession or control by using modern acceptable cyphers and key lengths, including backup media; (e) means for encrypting Personal Data transmitted by Crosschq over public or wireless networks by using modern acceptable cyphers and key lengths; and (f) means for keeping firewalls, routers, servers, personal computers, and all other resources current with appropriate security-specific system patches.
6.2 Regular Reviews. Crosschq shall ensure that its security measures are regularly reviewed and revised to address evolving threats and vulnerabilities. Crosschq shall maintain an audit program to help ensure adherence with the obligations set forth in this DPA.
6.3 Audit Rights. Customer may contact Crosschq to request an audit of Crosschq’ s Processing activities covered by this DPA (“Audit”). An Audit may be conducted by Customer either itself or through a Third-Party auditor selected by Customer when:
(i) the information available from “Third-Party certifications and audits” is not sufficient to demonstrate compliance with the obligations set out in this DPA and its Schedules;
(ii) Customer has received a notice from Crosschq of a Data Breach; or
(iii) such an Audit is required by Data Protection Laws or by Customer’s competent supervisory authority.
Any such Audits will be limited to no more than once per year, and shall only be of applicable Personal Data Processing and storage facilities operated by Crosschq or any of Crosschq’ s Affiliates where Customer’s Personal Data is processed. Customer acknowledges that Crosschq operates a multi-tenant cloud environment. Accordingly, Crosschq shall have the right to reasonably adapt the scope of any such Audit to avoid or mitigate risks with respect to, and including, service levels, availability, and confidentiality of other Crosschq customers’ information.
7. Data Breach Procedures.
7.1 Notification. Crosschq shall notify Customer and any affected User of any Data Breach as soon as practicable and without undue delay after becoming aware of it. Such notification shall at a minimum: (i) describe the nature of the Data Breach, the categories and numbers of Users concerned, and the categories and numbers of Personal Data records concerned; (ii) communicate the name and contact details of Crosschq's data protection officer or other relevant contact from whom more information may be obtained; and (iii) describe the measures taken or proposed to be taken to address the Data Breach.
7.2 Remedial Actions. In the event of a Data Breach for which Crosschq is responsible, Crosschq will use commercially reasonable efforts to: (a) remedy the Data Breach condition, investigate, document, restore the Services, and undertake legally required response activities; (b) provide regular status reports to Customer on Data Breach response activities; (c) assist Customer with the coordination of media, law enforcement, or other Data Breach notifications; and (d) assist and cooperate with Customer in its Data Breach response efforts.
8. Cross-Border Transfers.
8.1 Location. Crosschq systems and Crosschq’s Processing of User Data will occur within the following jurisdictions: United States of America and Ireland (the “Processing Jurisdictions”). Crosschq will not transfer any User Data outside of the Processing Jurisdictions except as directed by or with the consent of Customer and/or User. To the extent that Crosschq is a recipient of Personal Data protected by the GDPR, Crosschq agrees to abide by and Process such Personal Data in compliance with the Standard Contractual Clauses, which are incorporated into this Addendum by Exhibit A, to enable the lawful transfer of EU Personal Data.
8.2 Sub-Processors. Before providing User Data of a European or UK citizen (for purposes of this DPA, “European” shall include the European Union, the European Economic Area and Switzerland, and “UK” shall refer to the United Kingdom) to Sub-Processors, Crosschq will use commercially reasonable efforts to ensure that the Sub-Processors will enter into a Data Protection Agreement which incorporates the Standard Contractual Clauses.
9. Other Obligations. Any indemnification and/or limitation of liability obligations of the parties are as set forth in the Underlying Agreement(s).
Schedule 1 – Transfer Mechanisms for European Data Transfers
1. STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS
For the purposes of the European Union Controller to Processor Transfer Clauses (hereinafter, “EU C-to-P Transfer Clauses”) and the European Union Processor to Processor Transfer Clauses (hereinafter, “EU P-to-P Transfer Clauses”), Customer is the data exporter and Crosschq is the data importer and the Parties agree to the following. If and to the extent an Authorized Affiliate relies on the EU C-to-P Transfer Clauses or the EU P-to-P Transfer Clauses for the transfer of Personal Data, any references to “Customer” in this Schedule, include such Authorized Affiliate. Where this section 1 does not explicitly mention EU C-to-P Transfer Clauses or EU P-to-P Transfer Clauses it applies to both of them.
1.1 Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Appendix to the Standard Contractual Clauses are set out in Schedule 2.
1.2 Docking clause. The option under clause 7 shall not apply.
1.3 Instructions. This DPA and the Underlying Agreement are Customer’s complete and final documented instructions at the time of signature of the Underlying Agreement to Crosschq for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Underlying Agreement. For the purposes of clause 8.1(a), the instructions by Customer to Process Personal Data are set out in section 2.3 of this DPA and include onward transfers to a third party located outside Europe for the purpose of the performance of the Services.
1.4 Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Crosschq to Customer upon Customer’s written request.
1.5 Security of Processing. For the purposes of clause 8.6(a), Customer is solely responsible for making an independent determination as to whether the technical and organizational measures set forth in Crosschq’s security documentation meet Customer’s requirements and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by Crosschq provide a level of security appropriate to the risk with respect to its Personal Data. For the purposes of clause 8.6(c), personal data breaches will be handled in accordance with this DPA.
1.6 Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with this DPA.
1.7 General authorization for use of Sub-processors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), Crosschq has Customer’s general authorization to engage Sub-processors in accordance with this DPA. Crosschq shall make available to Customer the current list of Sub-processors. Where Crosschq enters into the EU P-to-P Transfer Clauses with a Sub-processor in connection with the provision of the Services, Customer hereby grants Crosschq authority to provide a general authorization on Controller’s behalf for the engagement of sub-processors by Sub-processors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such sub-processors.
1.8 Notification of New Sub-processors and Objection Right for new Sub-processors. Pursuant to clause 9(a), Customer acknowledges and expressly agrees that Crosschq may engage new Sub-processors as described in section 3 of this DPA. Crosschq shall inform Customer of any changes to Sub-processors following the procedure provided in this DPA. A list of such Sub-processors is included at Exhibit A, attached hereto and made a part hereof.
1.9 Complaints – Redress. For the purposes of clause 11, and subject to this DPA, Crosschq shall inform Data Subjects on its website of a contact point authorized to handle complaints. Crosschq shall inform Customer if it receives a complaint by, or dispute from, a Data Subject with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Customer. Crosschq shall not otherwise have any obligation to handle the request (unless otherwise agreed with Customer). The option under clause 11 shall not apply.
1.10 Liability. Crosschq’ s liability under clause 12(b) shall be limited by the Underlying Agreements and also limited to any damage caused by its Processing where Crosschq has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Customer, as specified in Article 82 GDPR.
1.11 Supervision. Clause 13 shall apply as follows:
1.11.1 Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
1.11.2 Where Customer is established in the United Kingdom or falls within the territorial scope of application of the Data Protection Laws and Regulations of the United Kingdom (“UK Data Protection Laws and Regulations”), the Information Commissioner’s Office (“ICO”) shall act as competent supervisory authority.
1.11.3 Where Customer is established in Switzerland or falls within territorial scope of application of the Data Protection Laws and Regulations of Switzerland (“Swiss Data Protection Laws and Regulations”), The Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.
1.12 Notification of Government Access Requests. For the purposes of clause 15(1)(a), Crosschq shall notify Customer (only) and not the Data Subject(s) in case of government access request. Customer shall be solely responsible for promptly notifying the Data Subject as necessary.
1.13 Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the governing law section of the Underlying Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (i) the laws of Ireland; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of England and Wales.
1.14 Choice of Forum and Jurisdiction. The courts under clause 18 shall be those designated in the venue section of the Underlying Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either (i) Ireland; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the courts of England and Wales shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.
1.15 Appendix. The Appendix shall be completed as follows:
● The contents of section 1 of Schedule 2 shall form Annex I.A to the Standard Contractual Clauses.
● The contents of section 2 to 5 of Schedule 2 shall form Annex I.B. to the Standard Contractual Clauses.
● The contents of section 6 of Schedule 2 shall form Annex II to the Standard Contractual Clauses.
1.16 Data Exports from the United Kingdom under the Standard Contractual Clauses. For data transfers governed by UK Data Protection Laws, the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses (“Approved Addendum”) shall apply. The information required for Tables 1 to 3 of Part One of Approved Addendum is set out in Schedule 2 of this DPA (as applicable). For the purposes of Table 4 of Part One of the Approved Addendum, neither party may end the Approved Addendum when it changes. In such case, the Parties shall assess whether international transfers of Personal Data are still needed and shall agree, as the case may be, on the appropriate legal mechanism to ensure transfers in accordance with all applicable laws.
1.17 Data Exports from Switzerland under the Standard Contractual Clauses. For data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity. However, in respect of any data transfer(s) originating from Switzerland, the approved EU SCCs shall be modified in accordance with the statement of the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) of 27 August 2021 (available at:https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2021/Paper%20SCC%20def.en%2024082021.pdf.download.pdf/Paper%20SCC%20def.en%2024082021.pdf ). In particular: the FDPIC shall be the competent supervisory authority insofar as the data transfer is governed by the Swiss Federal Act on Data Protection (“FADP”) with parallel supervision together with the EU competent supervisory authority (Clause 13); the law of the EU country specified by the Clauses shall be the governing law (Clause 17); the courts of the EU country as specified by the Clauses shall be the choice of forum (Clause 18), but this shall not exclude individuals in Switzerland from the possibility of bringing a claim in their place of habitual residence in Switzerland, in accordance with Clause 18(c). The parties agree to adjust the protection of the Personal Data upon entry into force of the revised FADP.
1.18 Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
2. ADDITIONAL TERMS FOR THE EU P-TO-P TRANSFER CLAUSES
For the purposes of the EU P-to-P Transfer Clauses (only), the Parties agree the following.
2.1 Instructions and notifications. For the purposes of clause 8.1(a), Customer hereby informs Crosschq that it acts as Processor under the instructions of the relevant Controller in respect of Personal Data. Customer warrants that its Processing instructions as set out in the Underlying Agreement and this DPA, including its authorizations to Crosschq for the appointment of Sub-processors in accordance with this DPA, have been authorized by the relevant Controller. Customer shall be solely responsible for forwarding any notifications received from Crosschq to the relevant Controller where appropriate.
2.2 Security of Processing. For the purposes of clause 8.6(c) and (d), Crosschq shall provide notification of a personal data breach concerning Personal Data Processed by Crosschq to Customer.
2.3 Documentation and Compliance. For the purposes of clause 8.9, all inquiries from the relevant Controller shall be provided to Crosschq by Customer. If Crosschq receives an inquiry directly from a Controller, it shall forward the inquiry to Customer and Customer shall be solely responsible for responding to any such inquiry from the relevant Controller where appropriate.
2.4 Data Subject Rights. For the purposes of clause 10 and subject to section 3 of this DPA, Crosschq shall notify Customer about any request it has received directly from a Data Subject without obligation to handle it (unless otherwise agreed) but shall not notify the relevant Controller. Customer shall be solely responsible for cooperating with the relevant Controller in fulfilling the relevant obligations to respond to any such request.
Schedule 2 – Description of Processing/Transfer
This Schedule forms part of the Clauses.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
1. List Of Parties
Data exporter
The data exporter is the entity identified as “Customer” in the DPA.
Data importer
The data importer is the entity identified as “Crosschq” in the DPA.
Subject matter and duration of the processing of Customer Personal Data
The subject matter, nature, purpose and duration of the processing of the Customer Personal Data are set out in the Underlying Agreements and as may be further stated below or elsewhere in this Addendum.
2. Data Subjects
The Customer Personal Data transferred to processor is determined and controlled by Customer in its sole discretion.
3. Categories Of Data
The personal data transferred to or accessed by Processor includes all relevant information required to deliver requested services under the Agreement, is determined and controlled by Customer in its sole discretion and may include:
● Personal details such as first and last name, title, position, employer, email address, telephone number and physical address, ID data, professional life data, education data, personal life data, demographic data such as race, gender, disability status and/or veteran status
● Authentication credentials to use part of the services, such as username, IP address, PC name etc.
● Activities performed by Controller personnel, its agents, contractors or affiliates as users of the performed Services
● Any other category of data agreed upon between the Parties in an Underlying Agreement and as otherwise necessary to carry out the services contemplated by the Underlying Agreements
4. Special Categories Of Data (if appropriate)
The Customer Personal Data may concern the following special categories of data:
● Sensitive categories of information may include demographic data, including but not limited to race, gender, ethnicity, disability status, and veteran status.
5. Processing Operations
Personal Data will be Processed for the purpose of and to the extent necessary for the performance of the Services requested from Customer under the Underlying Agreement only, and will be subject to the basic Processing activities set out in the Agreement for the performance of Services.
6. Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Data importer has implemented appropriate technical and organizational security measures to ensure a level of security appropriate to the risks that are presented by the processing and the nature of the Personal Data to be protected which shall be at least equivalent to those described in the Addendum. Processor will also adhere to the procedures and requirements set forth in its Privacy Policy set forth at https://www.crosschq.com/legal/privacy-policy
EXHIBIT A
CROSSCHQ SUB-PROCESSORS
A current list of Crosschq Sub-processors can be found at: https://www.crosschq.com/legal/subprocessors