This Data Processing Agreement (“DPA”) forms part of the electronic Agreement/Insertion Order (“Agreement”) between ReachStream, Inc. (“Company”) and the Customer for the purchase, access to, and/or licensing of products, services and/or platforms (collectively the “Services”) to reflect the parties’ agreement with regard to the Processing of Personal Data. In the event of a conflict between the terms of the Agreement as it relates to the Processing of Personal Data and this DPA, the DPA shall prevail.
This DPA consists of the following:
Capitalised terms that are not defined in this DPA shall have the meaning set out in the Agreement. References in this DPA to the terms “Controller“, “Processor”, “Data Subject“, “Member State“, “Personal Data“, “Personal Data Breach“, “Processing” and “Supervisory Authority” shall have the meanings ascribed to them under Data Protection Laws.
“Customer Personal Data” means Personal Data provided by Customer to ReachStream.
“Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area (EEA) and their member states, Switzerland, the United Kingdom, and any other applicable data protection law of any country to which the Parties are subject, including but not limited to, the GDPR, UK GDPR and the California Consumer Privacy Act (CCPA).
“Data Subject” means the identified or identifiable person or household to whom Personal Data relates.
“European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
“GDPR” means EU General Data Protection Regulation 2016/679 and the UK GDPR.
“Leads Data” has the meaning provided in the Agreement.
“Subprocessor” means any third party, including without limitation a subcontractor, engaged by ReachStream in connection with the Processing of Personal Data.
This Part 1 of this DPA applies to the processing of Customer Personal Data by ReachStream in the course of providing the Services.
1.1 Customer’s Processing of Personal Data. For the purposes of Part 1 of this DPA, Customer is Controller, ReachStream is Processor. Customer shall, in its use of the Services, be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Customer Personal Data and the instructions it issues to ReachStream.
1.2 ReachStream’s Processing of Personal Data. ReachStream shall process Customer Personal Data only in accordance with Customer’s reasonable and lawful instructions unless otherwise required to do so by applicable law. Customer hereby authorizes and instructs ReachStream and its Subprocessors to:
1.2.1 process Customer Personal Data;
1.2.2 transfer Customer Personal Data to any country or territory subject to Section 10 (International Transfers);
1.2.3 engage any Subprocessors subject to Section 3 (Subprocessors),
as reasonably necessary for the provision of the Services and to comply with ReachStream’s rights and obligations under the Agreement and DPA. Customer warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give such instruction.
1.3 Description of Processing. Schedule 2 to this DPA sets out a description of the processing activities to be undertaken as part of the Agreement and this DPA.
1.4 Confidentiality. To the extent the Personal Data is confidential, ReachStream shall maintain the confidentiality of the Personal Data in accordance with the Agreement and shall require persons authorized to process the Personal Data (including its Subprocessors) to have committed to materially similar obligations of confidentiality.
ReachStream shall in relation to the Customer Personal Data implement reasonably appropriate technical and organizational measures, based on industry standards, to ensure a level of security appropriate to any reasonably foreseeable security risks, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, ReachStream shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
Customer agrees to the continued use of those Subprocessors already engaged by ReachStream as of the date of this Agreement and listed at Schedule 2, Annex III and further generally authorises ReachStream to appoint additional Subprocessors in connection with the provision of the Services, provided that:
Taking into account the nature of the Processing, ReachStream shall assist Customer by implementing appropriate technical and organisational measures, insofar as this is reasonably possible, for the fulfilment of Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws (“Data Subject Request”). To the extent that Customer is unable to independently address a Data Subject Request, then upon Customer’s written request ReachStream shall provide reasonable assistance to Customer to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Customer Personal Data under the Agreement. Customer shall reimburse ReachStream for the commercially reasonable costs arising from this assistance.
5.1 ReachStream shall notify Customer without undue delay upon ReachStream or any Subprocessor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
5.2 ReachStream shall make reasonable efforts to identify the cause of the Personal Data Breach and take those steps necessary and reasonable to remediate the cause of such Personal Data Breach to the extent the remediation is within ReachStream’s reasonable control. The obligations herein shall not apply to incidents caused by Customer.
To the extent Customer does not otherwise have access to the relevant information, and to the extent the information is available to ReachStream, ReachStream shall provide reasonable assistance to Customer with any data protection impact assessments to fulfil Customer’s obligations under GDPR. ReachStream shall provide reasonable assistance to Customer in the co-operation or prior consultation with Supervising Authorities or other competent data privacy authorities, as required under GDPR. In each case this is solely in relation to Customer’s use of Services and the Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to ReachStream.
Following termination of the Services, ReachStream will delete or, upon Customer’s written request, return Customer Personal Data, except to the extent ReachStream is required by applicable law to retain some or all of the Customer Personal Data. The terms of this DPA will continue to apply to that retained Customer Personal Data.
ReachStream shall make available to Customer on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by ReachStream. Any costs or fees incurred by ReachStream related to any audits requested by Customer shall be the sole responsibility of Customer. Customer shall provide ReachStream with a minimum thirty (30) days notice if such audit is required. Such audit shall be at the maximum conducted once per calendar year, except where an additional audit is required by the Data Protection Law, or a Supervisory Authority.
9.1 ReachStream may, in connection with the provision of the Services, or in the normal course of business, make international transfers of Personal Data from the European Union, the EEA and/or their member states (“EU Data”), Switzerland (“Swiss Data”) and the United Kingdom (“UK Data”) to its Subprocessors. When making such transfers, ReachStream shall ensure appropriate protection is in place to safeguard the Personal Data transferred under or in connection with the Agreement and this DPA.
9.2 Where the provision of Services involves the international transfer of EU Data, the Parties agree to the Standard Contractual Clauses as approved by the European Commission under Decision 2021/914 of 4 June 2021 (“New EU SCC”), which shall be automatically incorporated by reference and form an integral part of this DPA. The EU SCCs shall apply completed as follows:
9.2.1 Module Two (Section 2.1.1.) and/or Three (Section 2.1.2.) will apply;
9.2.2 in Clause 7, the optional docking clause will apply;
9.2.3 in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes is identified in Section 3 above;
9.2.4 in Clause 11, the optional language will not apply;
9.2.5 in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish Law
9.2.6 in Clause 18(b), disputes shall be resolved before the courts of Ireland;
9.2.7 Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 2, Annex I-A of this DPA; and
9.2.8 Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2, Annex II of this DPA.
9.3 Where the provision of Services involves the international transfer of UK Data, the Parties agree to the template Addendum B.1.0, International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (the “UK IDT Addendum”), shall amend the SCCs in respect of such transfers and Part 1 of the UK IDT Addendum shall be completed as follows:
9.3.1 Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and ReachStream as importer.
9.3.2 Table 2. The “Addendum EU SCCs” are the modules and clauses of the SCCs selected in relation to a particular transfer in accordance with Section 9.2 above.
9.3.3 Table 3. The “Appendix Information” is as set out in Schedule 2, Annex I-A of this DPA.
9.3.4 Table 4. The exporter may end the UK IDT Addendum in accordance with its Section 19.
9.4 Where the provision of Services involves the international transfer of Swiss Data subject to the Federal Act on Data Protection (“FADP”), the Parties agree to the EU SCC, which shall be automatically incorporated to this DPA in accordance with section 9.2 and with applicable references replaced with the Swiss equivalent.
This Part 2 of this DPA applies to the processing of Leads Data by Customer in the course of receiving the Services.
10.1 Customer acknowledges and agrees to its obligations as an independent Controller of Leads Data that it receives from ReachStream.
11.1 Customer that is located in a Third Country may, in connection with using the Services or in the normal course of business, be a recipient of EU Data, Swiss Data or UK Data. Where international transfer of EU Data occurs, the Parties agree to enter into the EU SCC which shall be automatically incorporated by reference and form an integral part of this DPA. The EU SCCs shall apply completed as follows:
11.1.1 Module One will apply;
11.1.2 in Clause 7, the optional docking clause will apply;
11.1.3 in Clause 11, the optional language will not apply;
11.1.4 in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
11.1.5 in Clause 18(b), disputes shall be resolved before the courts of Ireland;
11.1.6 Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 2, Annex I-B of this DPA; and
11.1.7 Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2, Annex II of this DPA.
11.2 Where the provision of Services involves the international transfer of UK Data, the Parties agree to the UK IDT Addendum which shall amend the SCCs in respect of such transfers and Part 1 of the UK IDT Addendum shall be completed as follows:
11.2.1 Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are ReachStream as exporter and Customer as importer.
11.2.2 Table 2. The “Addendum EU SCCs” are the modules and clauses of the SCCs selected in relation to a particular transfer in accordance with Section 11.1 above.
11.2.3 Table 3. The “Appendix Information” is as set out in Schedule 2, Annex I-B of this DPA.
11.2.4 Table 4. The exporter may end the UK IDT Addendum in accordance with its Section 19.
11.3 Where the provision of Services involves the international transfer of Swiss Data subject to the FADP, the Parties agree to the EU SCC, which shall be automatically incorporated to this DPA in accordance with section 11.1 and with applicable references replaced with the Swiss equivalent.
12.1 Changes in Data Protection Laws. If any variation is required to this DPA as a result of a change in Data Protection Law, then either Party may provide written notice to the other Party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this DPA to address such changes with a view to agreeing and implementing those variations as soon as is reasonably practicable.
12.2 Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
12.3 Liability. For the avoidance of doubt and to the extent permitted by Data Protection Laws, each party’s liability and remedies under this DPA are subject to the aggregate liability limitations and damages exclusions set forth in the MSA.
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
See documentation in ReachStream’s in below link:
https://www.reachstream.com/wp-content/uploads/2025/02/RS-Information-Systems-Security-Policy.pdf
LIST OF SUB-PROCESSORS
The controller has authorized the use of the following sub-processors:
Name of Other Processor: Description of Processing: Location of Other Processors
AWS: Database Program: USA
AWS: Web Services Backup Storage: USA
ZohoDesk – Support Ticketing: USA
