
SCHEDULE C

DATA PROCESSING ADDENDUM.

EU and UK Data Processing Addendum

This EU and UK Data Processing Addendum (“DPA”) supplements the Software as a Service Agreement (the “Agreement”) between Client (as identified in the applicable Order Form) (“Client”) and Foresight Data, Inc. (“Foresight”). By executing the Agreement or an Order Form that incorporates this DPA, each Party enters into this DPA as of the Effective Date, and Foresight does so on behalf of itself and, where required by Applicable Laws, its Affiliates. Capitalized terms not defined in this DPA have the meanings given in the Agreement. Client’s and Foresight’s legal names, addresses, and contact details are as set forth in the Agreement and/or applicable Order Form and are incorporated by reference into this DPA (including the SCCs/UK Addendum).

  1. Definitions
    1. “Affiliate” means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.
    2. “Applicable Laws” means any applicable laws, rules, and regulations in any relevant jurisdiction applicable to the DPA, the Agreement, or the use or processing of Personal Data, as well as applicable Industry Standards, including those concerning privacy, data protection, confidentiality, information security, availability and integrity, or the handling of Personal Data. Applicable Laws expressly include, as applicable: (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 - 1798.199) (“CCPA”); (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) and the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) (together, collectively, the “GDPR”); (iii) the Swiss Federal Act on Data Protection; (iv) the UK Data Protection Act 2018; and (v) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time. The terms “Data Subject”, “Personal Data”, “Personal Data Breach”, “processing”, “processor”, “controller”, and “supervisory authority” shall have the meanings set forth in the GDPR.
    3. “Authorized Employee” means an employee of Vendor or a Vendor Affiliate who has a need to know or otherwise access Personal Data in order to enable Vendor to perform its obligations under this DPA or the Agreement and who has undergone appropriate background screening and training by Vendor.
    4. “Authorized Person” means an Authorized Employee or Authorized Subcontractor.
    5. “Authorized Subcontractor” means a third-party subcontractor, agent, reseller, or auditor engaged by Vendor, or employee of the same, that has a need to know or otherwise access Client’s Personal Data to enable Vendor to perform its obligations under this DPA or the Agreement, and that has been previously approved by Client in writing to do so, and who is bound in writing by a data processing agreement pursuant to which their duties and obligations to protect Personal Data are in strict accordance with the terms hereof.
    6. “Data Exporter” means Client.
    7. “Data Importer” means Vendor.
    8. “Data Subject Rights” means the rights recognized and granted to Data Subjects with respect to their Personal Data under Applicable Laws, including, when effective, the GDPR (as set forth in Articles 12 through 22 thereof).
    9. “EU SCCs” means standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time), as modified by Section 6.2 of this DPA.
    10. “ex-EEA Transfer” means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
    11. “ex-UK Transfer” means the transfer of Personal Data covered by Chapter V of the UK GDPR, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
    12. “Incident” means a situation whereby Personal Data in either Vendor’s or any Authorized Person’s systems, backups, networks, servers, databases, computers, or other hardware or technical infrastructure, was lost with a low risk of potential harm or damage to Data Subjects.
    13. “Industry Standards” shall mean the then-current industry best data protection and data processing practices relating to the processing of the Personal Data.
    14. “Instruction” means a direction issued by Client to Vendor and/or any Authorized Person, documented either in textual form (including without limitation by e-mail) or by using a software or online tool, regarding the processing of Personal Data.
    15. “Services” shall have the meaning set forth in the Agreement.
    16. “Standard Contractual Clauses” means the EU SCCs and the UK SCCs.
    17. “Suspected Incident” means an interruption in either Vendor’s or any Authorized Person’s systems, backups, networks, servers, databases, computers, or other hardware or technical infrastructure, whether or not connected to the Internet, whereby an Incident is suspected.
    18. “UK SCCs” means the EU SCCs, as amended by the UK Addendum.
    19. “Technical and Organizational Security Measures” means measures taken by Vendor and Authorized Persons aimed at (i) ensuring the confidentiality, security, integrity, and availability of Personal Data, including protecting against an Incident, a Personal Data Breach, or other accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure or access to Personal Data (in particular where processing involves the transmission of Personal Data over a network) and other unlawful forms of processing and/or (ii) assisting and enabling Client to comply with its obligations to respond to requests by Data Subjects to exercise their Data Subject Rights; including, without limitation, the measures described in Exhibit C.
  2. Processing of Data
    1. Vendor agrees to comply with this DPA, at no additional cost to Client, at all times during the term of the Agreement.  Any failure by Vendor to comply with the obligations set forth in this DPA, or any Personal Data Breach, will be considered a material breach of the Agreement, and Client will have the right, without limiting any of the rights or remedies under this DPA or the Agreement, or at law or in equity, to immediately terminate the Agreement for cause.  Vendor acknowledges that Client may be the controller of the Personal Data or may be a processor of the Personal Data on behalf of another controller, in which case Vendor is the sub-processor. 
    2. The rights and obligations of the Client with respect to processing are described herein and in the Agreement. The subject matter, nature, purpose, and duration of this processing, as well as the types of Personal Data collected and categories of Data Subjects involved, are described in Exhibit A to this DPA. 
    3. Vendor acknowledges and agrees that it shall only process Personal Data for the limited and specified purposes described in Exhibit A, the terms and conditions set forth in this DPA and in any Instructions, which shall include Client’s rights and obligations regarding onward transfer.
    4. Subject to Section 2.5 of this DPA, Vendor represents and warrants that its processing of Personal Data does and will comply with all Applicable Laws, including with respect to any transmission, transfer, sharing, or otherwise disclosure of Personal Data. 
    5. Client represents and warrants that (a) it has complied, and will continue to comply, with Applicable Laws in its use of the Services and its own processing of Personal Data and (b) it has, and will continue to have, the right to transfer, or provide access to, all Personal Data transferred or otherwise shared with Vendor (or collected by Vendor on Client’s behalf) under the Agreement such that its Processing by Foresight in accordance with the terms of the Agreement and this DPA (and any Instructions) does not and will not infringe, misappropriate or otherwise violate any rights to confidentiality, or any privacy or other rights of any third party or violate any Applicable Laws. Client will ensure that its Instructions comply with Applicable Laws. Client acknowledges that Vendor is neither responsible for determining which laws or regulations are applicable to Client’s business nor whether Vendor’s provision of the Services meets or will meet the requirements of such laws or regulations. Client warrants that Vendor’s processing of Personal Data on behalf of Client, when processed in accordance with the Agreement, this DPA and Client’s Instructions, will not cause Vendor to violate any applicable law or regulation, including Applicable Laws. Vendor will inform Client if it receives notice that its processing of Personal Data under the Agreement and/or per Client’s Instructions violate any applicable law or regulation, including Applicable Laws.
    6.  CCPA Language. Vendor acknowledges and confirms that it does not receive any personal information from Client as consideration for any services or other items provided to Client. Except as expressly set forth in the Agreement, Vendor shall not have, derive or exercise any rights or benefits regarding data provided by Client constituting personal information subject to the CCPA (“Customer Data”). Vendor shall not: (a) use, retain, or disclose Customer Data other than as strictly necessary for Vendor to perform the Services and its obligations under the Agreement and this DPA, (b) use, retain, or disclose Customer Data for any purpose other than the specific business purposes set forth in Exhibit A or outside of the direct business relationship between the parties, including for Vendor’s commercial purposes, (c) disclose, sell, assign, lease or otherwise provide Customer Data to third parties (other than to its affiliates or Authorized Subcontractors) or share any Customer Data for cross-context behavioral advertising, including in any anonymized and/or aggregated formats, or (d) merge or combine Customer Data with other data, modify or commercially exploit any Customer Data including in any anonymized or aggregated formats, except that the Vendor may combine personal information to perform the specific business purpose as set forth in this Addendum. If Vendor is legally required by Applicable Laws to process Customer Data otherwise than as instructed by Client, Vendor will notify Client in writing before such processing occurs, unless the law requiring such processing prohibits Vendor from notifying Client on an important ground of public interest, in which case Vendor will notify Client as soon as that law permits Vendor to do so. Vendor certifies that it understands the restrictions set out in this Section 2.5 and will comply with them. 
       Vendor shall notify Client as soon as practicable in writing if it determines that it cannot meet its obligations under the CCPA. The terms “personal information,” “sale,” “sell,” and “share” for the purposes of this Section 2.5 are as defined in Section 1798.140 of the CCPA.
  3. Security of Personal Data.  
    1. At a minimum, and without limiting the foregoing, Vendor represents and warrants that it shall maintain all Personal Data in strict confidence, which is more than or equal to the degree of care and Technical and Organizational Security Measures that meet or exceed applicable Industry Standards and that ensure a level of security appropriate to the particular risks of accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure or access of Personal Data presented by the processing and the Personal Data (collectively, “Risks”), including (i) limiting access to Personal Data to Authorized Persons only; (ii) ensuring that all Authorized Persons are made aware of the confidential nature of Personal Data before they may access such data; (iii) securing its physical, technical, and administrative infrastructure, including all relevant business facilities, data centers, paper files, servers, networks, platforms, databases, cloud computing resources, back-up systems, passwords and credentials, hardware, and mobile devices; (iv) implementing authentication and access controls within all relevant media, applications, networks, operating systems and equipment; (v) encrypting Personal Data when transmitted over public or wireless networks or where otherwise appropriate in light of the Risks; (vi) strictly segregating Personal Data from information of Vendor or its employees or other customers; (vii) maintaining appropriate personnel security and integrity procedures and practices, as set forth in Section 4; (viii) maintaining written plans and policies for responding to Suspected Incidents, Incidents, and Personal Data Breaches; (ix) maintaining and regularly testing processes for restoring the availability and access to Personal Data in a timely manner in the event of an Incident or Suspected Incident; (x) regularly testing, assessing, and evaluating the effectiveness of all Technical and Organizational Security Measures; and (xi) any other measures necessary to ensure the ongoing confidentiality, integrity, and availability of Personal Data and the ongoing security and resilience of systems and services used for processing.
    2. Vendor shall promptly notify Client if Vendor makes a determination that it can no longer meet any of the security measures outlined in Section 3.1 above. Upon such notice, Vendor shall assist Client by taking reasonable and appropriate steps to stop and remediate unauthorized processing. 
    3. Upon Client’s written request, or, upon the termination or expiration of the Agreement for any reason, Vendor shall, and shall ensure that all Authorized Persons, (i) promptly and securely dispose of or return to Client in an encrypted format, at Client’s choice, all copies of Personal Data, including backup or archival copies, and (ii) promptly certify in writing to Client when the measures described in subsection (i) hereof have been completed. Vendor shall, and shall ensure that all Authorized Persons, comply with all Instructions provided by Client with respect to the return or disposal of Personal Data.  Any disposal of Personal Data must ensure that such data is rendered permanently unreadable and unrecoverable by any reasonable means. Vendor and/or Authorized Persons shall be excused from performing the foregoing obligations only if, and solely to the extent that, Applicable Law(s) explicitly prevent them from doing so.
    4. Where and to the extent disposal of Personal Data in accordance with Section 3.3 is explicitly prevented by Applicable Law(s) or technically infeasible, Vendor and/or Authorized Persons, as applicable, shall (i) take measures to block such Personal Data from any further Processing (except to the extent necessary for continued Processing explicitly required by Applicable Law(s)), and (ii) continue to exercise appropriate Technical and Organizational Security Measures to protect such Personal Data until it may be disposed of in accordance with Section 3.3, whereupon Vendor shall (a) promptly and securely dispose of such Personal Data and (b) promptly certify in writing to Client that such disposal is complete.
  4. Authorized Persons 
    1. Client acknowledges and agrees that Vendor may engage the Authorized Subcontractors listed in Exhibit B to this DPA to access and process Personal Data in connection with the Services.  Vendor represents, warrants, and covenants that it has not and will not permit any other third party other than Vendor and its Authorized Employees to Process Personal Data on behalf of Vendor in its provision of Services to Client without the prior written consent of Client. Only upon such prior written consent shall any such third party be considered an Authorized Subcontractor. Vendor shall submit the request for Client’s prior written authorization at least thirty (30) days prior to the engagement of any such third party, together with any information necessary to enable Client to decide on such authorization. Vendor shall promptly send Client a copy of any Authorized Subcontractor agreement relevant to this DPA. 
    2. Vendor shall perform appropriate screening of all Authorized Persons, including without limitation background checks in accordance with Applicable Laws, and shall ensure the reliability and appropriate training of all Authorized Persons.
    3. Vendor represents, warrants, and covenants that it has executed written agreements with each Authorized Subcontractor that bind them to all obligations set forth in this DPA with respect to the Processing of the Personal Data. 
    4. Vendor represents, warrants, and covenants that it has executed confidentiality agreements with each Authorized Person that prevents them from disclosing or otherwise Processing, both during and after their engagement by Vendor, any Personal Data except in accordance with their obligations in connection with the Services.
    5. Vendor shall be fully responsible for the acts and omissions of Authorized Subcontractors and any other of its subcontractors, independent contractors, and other service providers to the same extent that Vendor would itself be liable under this DPA had it conducted such acts or omissions, and shall fully indemnify Client for all losses arising from or related to such acts and omissions.
  5. Suspected Incident, Incident, and Personal Data Breach Notification
    1. Vendor shall notify Client of a Suspected Incident as soon as reasonably practicable, but in any event, not more than forty-eight (48) hours after becoming aware of such Suspected Incident. If such Suspected Incident becomes an Incident or a Personal Data Breach, Vendor shall notify Client pursuant to Section 5.2.
    2. Vendor shall notify Client immediately upon becoming aware of an Incident or a Personal Data Breach and shall, in a written report, provide sufficient information to enable Client to comply with its obligations under Applicable Laws with respect to such Incident or Personal Data Breach, including any obligation to report or notify such Incident or Personal Data Breach to Supervisory Authorities and/or Data Subjects, as applicable. Such report will include (i) a description of the nature of the Incident or Personal Data Breach, (ii) the categories and approximate number of Data Subjects and Personal Data sets affected or alleged to be affected, (iii) the likely consequences of the Incident or Personal Data Breach, and (iv) any measures that have been or may be taken to address and mitigate the Incident or Personal Data Breach. 
    3. As soon as reasonably practicable after providing the report described in Section 5.2, Vendor shall provide Client with a comprehensive report on its initial findings regarding the Incident or Personal Data Breach, and thereafter shall provide regular updates describing subsequent findings with respect to such Incident or Personal Data Breach. As soon as reasonably practicable after Vendor has concluded its examination of the Incident or Personal Data Breach, it shall provide Client with a comprehensive final report regarding the Incident or Personal Data Breach.
    4. Vendor and/or any relevant Authorized Subcontractor shall use its reasonable efforts to immediately mitigate and remedy any Incident or Personal Data Breach and prevent any further Personal Data Breach or recurrence thereof, at Vendor’s own expense and in accordance with Applicable Laws.
    5. Neither Vendor nor any Authorized Subcontractor shall publicly disclose any information regarding any Suspected Incident, Incident or Personal Data Breach without Client’s prior written consent, except that Vendor and any relevant Authorized Subcontractor may disclose any Suspected Incident, Incident or Personal Data Breach to (i) its own employees, customers, advisors, agents, or contractors, or (ii) where and to the extent explicitly compelled to do so by Applicable Laws, to applicable Supervisory Authorities and/or Data Subjects without Client’s prior written consent.
    6. Vendor and/or any relevant Authorized Subcontractor shall, at Vendor’s expense, fully cooperate with Client and provide any assistance necessary for Client to comply with any obligations under Applicable Laws with respect to an Incident or Personal Data Breach, including obligations to report or notify an Incident or Personal Data Breach to Supervisory Authorities and/or Data Subjects. Such assistance may include drafting disclosures, press releases and/or other communications for Client with respect to such Incident or Personal Data Breach. 
  6. Transfers of Personal Data
    1. If Vendor transfers Personal Data protected under this DPA to a jurisdiction for which the European Commission has not issued an adequacy decision (each, a “Restricted Transfer”), Vendor represents, warrants, and covenants that  (i) Restricted Transfer by Vendor may only be made to Authorized Persons as approved by Client in accordance with Section 4 of this DPA; (ii) any Restricted Transfer conducted by Vendor or any Authorized Person shall be undertaken in accordance with the appropriate Standard Contractual Clauses entered into in accordance with Applicable Law; and (iii) that each Restricted Transfer will be made after appropriate safeguards have been implemented for the Restricted Transfer of Personal Data in accordance with Applicable Laws.
    2. Ex-EEA Transfers. The parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
      1. Module Two (Controller to Processor) of the EU SCCs;
      2. Module Three (Processor to Subprocessor) of the EU SCCs; and
      3. Module Four (Processor to Controller) of the EU SCCs.
    3. For each module, where applicable, the following applies:
      1. The optional docking clause in Clause 7 does not apply;
      2. In Clause 9, Option 1 (specific prior authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Section 4.1 of this DPA; 
      3. In Clause 11, the optional language does not apply;
      4. All square brackets in Clause 13 are hereby removed; 
      5. In Clause 17 (Option 1), the EU SCCs will be governed by the laws of Ireland;
      6. In Clause 18(b), disputes will be resolved before the courts of Ireland.
      7. Exhibit B to this DPA contains the information required in Annex I of the EU SCCs; 
      8. Exhibit C to this DPA contains the information required in Annex II of the EU SCCs; and 
      9. By entering into this DPA, the parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes. 
    4. Ex-UK Transfers. The parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this DPA by reference, and amended and completed in accordance with the UK Addendum, which is incorporated herein as Exhibit D of this DPA.
    5. Transfers from Switzerland. The parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
      1. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.
      2. The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP. 
      3. Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Section 13 shall be observed. 
      4. The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs. 
    6. Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:
      1. As of the date of this DPA, Vendor has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported, for access to (or for copies of) Client’s Personal Data (“Government Agency Requests”); 
      2. If, after the date of this DPA, Vendor receives any Government Agency Requests, Data Importer shall attempt to redirect the law enforcement or government agency to request that data directly from Data Exporter. As part of this effort, Vendor may provide Data Exporter’s basic contact information to the government agency. If compelled to disclose Client’s Personal Data to a law enforcement or government agency, Vendor shall give Data Exporter reasonable notice of the demand and cooperate to allow Data Exporter to seek a protective order or other appropriate remedy unless Vendor is legally prohibited from doing so. Vendor shall not voluntarily disclose Personal Data to any law enforcement or government agency. Data Exporter and Vendor shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this DPA should be suspended in light of such Government Agency Requests; and
      3. The Data Exporter and Vendor will meet regularly to consider whether:
        1. the protection afforded by the laws of the country of Vendor to data subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be;
        2. additional measures are reasonably necessary to enable the transfer to be compliant with the Applicable Laws; and 
        3. it is still appropriate for Personal Data to be transferred to the relevant Vendor, taking into account all relevant information available to the parties, together with guidance provided by the supervisory authorities. 
      4. If Applicable Laws require the Data Exporter to execute the Standard Contractual Clauses applicable to a particular transfer of Personal Data to a Vendor as a separate agreement, Vendor shall, on request of the Data Exporter, promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required by the Data Exporter to reflect the applicable appendices and annexes, the details of the transfer and the requirements of the relevant Applicable Laws. 
      5. If either (i) any of the means of legitimizing transfers of Personal Data outside of the EEA or UK set forth in this DPA cease to be valid or (ii) any supervisory authority requires transfers of Personal Data pursuant to those means to be suspended, Vendor agrees, with effect from the date set out in such notice, to amend the means of legitimizing such transfers or to put in place alternative arrangements with Data Exporter in respect of such transfers, as required by Applicable Laws.
  7. Rights of Data Subjects
    1. Vendor shall, to the extent permitted by Applicable Laws and taking into account the nature of the processing hereunder, provide all appropriate assistance to Client to support Client’s response to requests by Data Subjects to exercise Data Subject Rights, including, as applicable, a Data Subject’s right to: (a) confirm whether his or her Personal Data has been or is being Processed; (b) access a copy of all Personal Data of his or hers that has been or is being Processed; (c) rectify or supplement his or her Personal Data; (d) transfer his or her Personal Data to another Client; (e) confirm that his or her Personal Data has been or is being subject to Processing that constitutes automated decision-making; (f) restrict or cease the Processing of his or her Personal Data; and (g) withdraw consent to the Processing of his or her Personal Data held by Vendor. Such assistance shall also include (x) maintaining records sufficient to demonstrate Vendor’s performance of its obligations under Applicable Laws with respect to Data Subject Rights, (y) promptly notifying Client if Vendor or an Authorized Subcontractor receives a request from a Data Subject to exercise a Data Subject Right and refraining from responding to such requests (and ensuring that Authorized Subcontractors refrain from responding to such requests) except upon receipt of, and in accordance with, Instructions from Client, and (z) informing Client in the event that Applicable Laws or any judicial, law enforcement, or Supervisory Authority operate to prevent Vendor (or any Authorized Subcontractor) from performing the obligations described in this Section 7.1.
  8. Audit Rights 
    1. Vendor shall maintain materially complete and accurate records in connection with Vendor’s performance under this DPA, and shall retain such records for a period of three (3) years after the termination or expiration of the Agreement.
    2. Client shall have reasonable access during regular business hours upon reasonable notice to review, audit and copy such records relevant to Vendor’s provision of Services and discharge of obligations under this DPA.  
    3. Client also reserves the right to actively test at reasonable intervals Vendor’s compliance with Client’s security requirements, including without limitation security configuration (e.g., server parameters, security settings and control environment) and network perimeter controls; provided that such tests are not unreasonably disruptive to Vendor’s business. Vendor agrees, at its cost, to make any changes requested by Client to correct inadequacies discovered in such audits or tests.
  9. Indemnity
    1. Vendor shall, at its own expense, protect, defend, indemnify and hold harmless Client and its officers, directors, employees, successors, assigns, distributors, contractors, agents, affiliates and customers, from all claims or actions, damages, liabilities, assessments, losses, costs, and other expenses (including, without limitation, reasonable attorneys’ fees and legal expenses and breach notification expenses) arising out of or resulting from (a) any breach by Vendor of its warranties or representations in this DPA, (b) any acts and omissions of any Authorized Subcontractors with respect to the Processing of any Personal Data; or (c) any Incident or Personal Data Breach attributable to Vendor’s breach of this DPA (collectively, “Claims”).
    2. Client shall provide Vendor with prompt written notice of any Claim. Upon receipt of any such notice, Vendor must immediately take all necessary and appropriate action to protect Client’s interests with regard to any Claims. Client shall provide reasonable cooperation, information, and assistance in connection with any Claim (except that failure to do so shall only excuse Vendor from its obligations to the extent such failure materially prejudiced the defense of the Claim). Vendor shall have sole control and authority to defend, settle or compromise any Claim, provided that Vendor shall not make any settlement that requires a materially adverse act or admission by Client without Client's written consent (such consent not to be unreasonably delayed, conditioned or withheld).  If Vendor provides counsel for the defense of any Claim and Client, in its sole discretion, determines that such counsel is unacceptable or that a conflict of interest exists between Client and such counsel, Client may request Vendor replace the counsel.  If Vendor fails to timely replace counsel, the Vendor agrees that its counsel shall work in good faith with Client’s counsel until the Claim is resolved.
  10. Miscellaneous 
    1.  This DPA may be amended or modified only by a writing signed by both Parties.  Vendor acknowledges and agrees that the Client (whether it is acting as a controller or a processor on behalf of another controller) may disclose this DPA to third parties (including other controllers, data subjects and regulators) for purposes of demonstrating compliance with Applicable Laws.  
    2.  The Parties hereby acknowledge and agree that any remedies arising from any Personal Data Breach or any breach by Vendor or any Authorized Person of the terms of this DPA are not and shall not be subject to any limitation of liability provision that applies to Vendor under the Agreement.
    3.  In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this DPA; and (3) the Agreement.

Exhibit A

Details of Processing

Foresight and Customer agree that Customer’s Personal and Firm Information shall be Processed in accordance with the terms of the Agreement, together with any amendments agreed from time to time between parties in writing.

Categories of Data

The categories of Customer’s End Users’ Personal Data that Vendor will Process under this Agreement are (please specify):

  • Personal details, including any information that identifies the data subject and their personal characteristics, including: name, email address 
  • End users' role at the Customer organization

The categories of Customer’s Firm Data that Vendor will Process under this Agreement are (please specify):

  • Assets under management (AUM)
  • Number of employees
  • Investment transaction details, including positions in companies, the size of positions in companies, projected returns on company investments
  • Notes and insights recorded by end users about prospective and active investments
  • Prospective deal pipeline
  • Cap table data
  • Legal terms and documents associated with transactions

The categories of Customer’s Portfolio Company Data

  • Cap table data
  • Financial statement data, including cash on hand, revenue, revenue projections, profit margin
  • Employee count
  • Board presentations and materials
  • KPIs 
  • Legal terms and documents associated with transactions

The categories of Customer’s Third-Party Data 

  • People data, including work history, contact email addresses, educational history
  • Company data, including firmographic data and investment history
  • Alternative data, including website traffic, app download activity, and social engagement

Processing Activities

The Personal Information Processed under this Agreement will be subject to the following basic Processing activities:

  • Receiving data, including collection, accessing, retrieval, recording, and data entry
  • Holding data, including storage, organization, and structuring
  • Using data, including analyzing, visualizing, testing, automated decision making and profiling
  • Updating data, including correcting, deduping, and unifying
  • Protecting data, including restricting, encrypting, and security testing

Nature and Purpose of Processing: Vendor will process Client’s Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this Addendum, and in accordance with Client’s instructions as set forth in this Addendum.

Duration of Processing: Vendor will process Client’s Personal Data only during the term of the Agreement.

Categories of Data Subjects: Client end-users/investors AND/OR Client employees 

Sensitive Data or Special Categories of Data: None

Exhibit B

The following includes the information required by Annex I and Annex III of the EU SCCs, and Table 1, Annex 1A, and Annex 1B of the UK Addendum. 

1. The Parties 

Data exporter(s): (as applicable)

Name: Client, as identified in the Order Form (the “Data Exporter”)

Address: As set forth in the Order Form

Contact person’s name, position and contact details: As set forth in the Order Form

Data protection officer (if applicable): As set forth in the Order Form; otherwise “Not applicable.”

EU/UK representative (if applicable): As set forth in the Order Form; otherwise “Not applicable.”

Activities relevant to the data transferred under these Clauses: Provision and receipt of the Services under the Agreement

By executing the Agreement/Order Form, Data Exporter is deemed to have executed these Clauses as of the Effective Date.

Role (controller/processor): As specified in Section 2 of this Addendum (or the Order Form, if stated there).

Data importer(s):

Name: Foresight, Inc. (the “Data Importer”)

Address: As set forth in the Agreement/Order Form

Contact person and contact details: As set forth in the Agreement/Order Form

Data protection officer (if applicable): As set forth in the Agreement/Order Form; otherwise “Not applicable.”

EU/UK representative (if applicable): As set forth in the Agreement/Order Form; otherwise “Not applicable.”

Activities relevant to the data transferred under these Clauses: Provision of the Services under the Agreement

Signature and date: By executing the Agreement/Order Form, Data Importer is deemed to have executed these Clauses as of the Effective Date.

Role (controller/processor): As specified in Section 2 of this Addendum.

2. Description of the Transfer

Document management & closing workflows: See Exhibit A of the Addendum
Categories of Personal Data: See Exhibit A of the Addendum
Special Category Personal Data (if applicable): See Exhibit A of the Addendum
Nature of the Processing: See Exhibit A of the Addendum
Purposes of Processing: See Exhibit A of the Addendum
Duration of Processing and Retention (or the criteria to determine such period): See Exhibit A of the Addendum
Frequency of the transfer: As necessary to perform the Services and other obligations as provided in the Agreement or Addendum.
Recipients of Personal Data Transferred to the Data Importer: See Section 4 below.

3. Competent Supervisory Authority 

The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13.

4. List of Authorized Subcontractors 

Name of Authorized Subcontractor: Launch Darkly
Address: 1999 Harrison St Suite 1100, Oakland, CA 94612
Description of processing: Launch Darkly holds and uses the Client username to manage the features released to certain users as an additional layer of access control on a per-user basis. This is controlled by username, but does not include any additional PII.
Country in which subprocessing will take place: USA

Name of Authorized Subcontractor: Pendo.io, Inc.
Address: 301 Hillsborough St Ste 1900, Raleigh, NC 27603-4274
Description of processing: Pendo.io holds and uses the Client username to identify usage of the Foresight Materials. This is based on username, but does not include any additional PII.
Country in which subprocessing will take place: USA

Name of Authorized Subcontractor: Frontegg
Address: Moshe Aviv Tower, Ramat Gan, Israel
Description of processing: Frontegg holds and uses the Client username to support access control to the Foresight Materials. This is based on username, but does not include any additional PII.
Country in which subprocessing will take place: USA

Name of Authorized Subcontractor: Sentry
Address: 45 Fremont Street, 8th Floor, San Francisco, CA 94105
Description of processing: Sentry holds and uses the Client username to provide audit logs of software errors within the Foresight Materials. This is based on username, but does not include any additional PII.
Country in which subprocessing will take place: USA

Name of Authorized Subcontractor: Quantifai, Inc. dba Metaplane
Address: 20 Child St, Cambridge, MA 02141
Description of processing: Metaplane holds and uses the Client username to detect data incidents, provide impact diagnosis and usage analytics. This is based on username, but does not include any additional PII.
Country in which subprocessing will take place: USA

Name of Authorized Subcontractor: Secoda Technologies Ltd.
Address: 170 Sudbury Street, Toronto, ON M6J 0A9
Description of processing: Secoda holds and uses the Client username to catalog data and create data lineage. This is based on username, but does not include any additional PII.
Country in which subprocessing will take place: USA

Name of Authorized Subcontractor: OneSchema AI, Inc.
Address: 466 Geary Street Suite 100, San Francisco, CA 94102
Description of processing: OneSchema detects and corrects errors in CSV data. OneSchema does not hold or use any additional PII.
Country in which subprocessing will take place: USA

Name of Authorized Subcontractor: Viascari Pte. Ltd. (FullSuite)
Address: 101 Upper Cross St. #05-16 People’s Park Centre, Singapore 058357
Description of processing: FullSuite reads and extracts data from legal documents associated with financing transactions and documents associated with the financial performance of portfolio companies. FullSuite enters them into the Foresight Materials.
Country in which subprocessing will take place: Philippines, Singapore

Exhibit C

Description of the Technical and Organisational Security Measures implemented by the Data Importer

The following includes the information required by Annex II of the EU SCCs and Appendix II of the UK Addendum. 

Measures of encryption of personal data 

All data is encrypted while in transit and while at rest.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services

Foresight maintains formal access control, data privacy, and business continuity programs in order to provide for the confidentiality, integrity, and availability of its customers. 

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Foresight maintains a formal business continuity program that includes failover capability.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing

Foresight undergoes annual SOC 2 Type 2 evaluations to assess the quality and effectiveness of Foresight’s controls.

Measures for user identification and authorization

Foresight centrally manages internal users of enterprise applications through an identity service provider (“IdP”). The IdP is managed by the IT and Security Teams, with access provisioned in accordance with RBAC, least privilege, and “need to know”.

Measures for the protection of data during transmission

Data is encrypted in transit using TLS 1.2, HTTPS, or commensurate protocol.

Measures for the protection of data during storage

Data is encrypted while at rest using AES-256 encryption.

Measures for ensuring physical security of locations at which personal data are Processed

Foresight’s platform operates on major cloud service providers whose datacenters are strictly governed and audited on a regular basis.

Measures for ensuring events logging

The Foresight platform logs events relevant to the security and operational efficacy of the services.

Measures for ensuring system configuration, including default configuration

Foresight monitors and technically enforces secure configuration standards relevant to the development and operation of the Foresight platform.

Measures for internal IT and IT security governance and management

Foresight maintains formal access and governance programs to effectively monitor and govern its information security programs. 

Measures for certification/assurance of processes and products

Foresight maintains an active SOC 2 Type 2 certification.

Measures for ensuring data minimization

Foresight collects and processes data in accordance with Customer’s instructions and as agreed to in the terms of this agreement.

Measures for ensuring data quality

Foresight collects and processes data from Customers and Third-Party Providers and performs data cleansing and enrichment and allows Customers to flag data anomalies.

Measures for ensuring limited data retention

Foresight collects and processes data in accordance with Customer’s instructions and as agreed to in the terms of this agreement.

Measures for ensuring accountability

Foresight maintains a formal security program with defined roles and responsibilities relevant to the security, privacy, and operational effectiveness of the Foresight System.

Measures for allowing data portability and ensuring erasure

Foresight maintains formal data-subject-request (“DSR”) procedures to notify Customer of DSR requests and completes tasks relevant to DSR requests at the instruction of the Customer.

Exhibit D

UK Addendum 

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

Part 1: Tables

Table 1: Parties

Start Date: This UK Addendum shall have the same effective date as the DPA
The Parties: Exporter | Importer
Parties’ Details: Client | Vendor
Key Contact: See Exhibit B of this DPA | See Exhibit B of this DPA

Table 2: Selected SCCs, Modules and Selected Clauses

EU SCCs
The version of the Approved EU SCCs which this UK Addendum is appended to, as defined in the DPA and completed by Sections 6.2 and 6.3 of the DPA.

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in:

Annex 1A: List of Parties: As per Table 1 above
Annex 1B: Description of Transfer: See Exhibit B of this DPA
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: See Exhibit C of this DPA
Annex III: List of Sub-processors (Modules 2 and 3 only): See Exhibit B of this DPA

Table 4: Ending this UK Addendum when the Approved UK Addendum Changes 

Ending this UK Addendum when the Approved UK Addendum changes: Importer | Exporter | Neither Party

Entering into this UK Addendum:

  1. Each party agrees to be bound by the terms and conditions set out in this UK Addendum, in exchange for the other party also agreeing to be bound by this UK Addendum.
  2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making ex-UK Transfers, the Parties may enter into this UK Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this UK Addendum. Entering into this UK Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this UK Addendum

  1. Where this UK Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
“UK Addendum” means this International Data Transfer Addendum incorporating the EU SCCs, attached to the DPA as Exhibit D.
“EU SCCs” means the version(s) of the Approved EU SCCs which this UK Addendum is appended to, as set out in Table 2, including the Appendix Information.
“Appendix Information” shall be as set out in Table 3.
“Appropriate Safeguards” means the standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making an ex-UK Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
“Approved UK Addendum” means the template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as may be revised under Section 18 of the UK Addendum.
“Approved EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
“ICO” means the Information Commissioner of the United Kingdom.
“ex-UK Transfer” shall have the same definition as set forth in the DPA.
“UK” means the United Kingdom of Great Britain and Northern Ireland.
“UK Data Protection Laws” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
“UK GDPR” shall have the definition set forth in the DPA.
  2. The UK Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
  3. If the provisions included in the UK Addendum amend the Approved EU SCCs in any way which is not permitted under the Approved EU SCCs or the Approved UK Addendum, such amendment(s) will not be incorporated in the UK Addendum and the equivalent provision of the Approved EU SCCs will take their place.
  4. If there is any inconsistency or conflict between UK Data Protection Laws and the UK Addendum, UK Data Protection Laws apply.
  5. If the meaning of the UK Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
  6. Any references to legislation (or specific provisions of legislation) mean that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after the UK Addendum has been entered into.

Hierarchy

  1. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for ex-UK Transfers, the hierarchy in Section 10 below will prevail.
  2. Where there is any inconsistency or conflict between the Approved UK Addendum and the EU SCCs (as applicable), the Approved UK Addendum overrides the EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved UK Addendum. 
  3. Where this UK Addendum incorporates EU SCCs which have been entered into to protect ex-EU Transfers subject to the GDPR, then the parties acknowledge that nothing in the UK Addendum impacts those EU SCCs. 

Incorporation and Changes to the EU SCCs:

  1. This UK Addendum incorporates the EU SCCs which are amended to the extent necessary so that:
     1. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
     2. Sections 9 to 11 above override Clause 5 (Hierarchy) of the EU SCCs; and
     3. the UK Addendum (including the EU SCCs incorporated into it) is (1) governed by the laws of Scotland and Northern Ireland and (2) any dispute arising from it is resolved by the courts of Scotland and Northern Ireland.
  2. Unless the parties have agreed alternative amendments which meet the requirements of Section 12 of this UK Addendum, the provisions of Section 15 of this UK Addendum will apply.
  3. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 of this UK Addendum may be made.
  4. The following amendments to the EU SCCs (for the purpose of Section 12 of this UK Addendum) are made:
     1. References to the “Clauses” means this UK Addendum, incorporating the EU SCCs;
     2. In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
     3. Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
     4. Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
     5. Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
     6. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
     7. References to Regulation (EU) 2018/1725 are removed;
     8. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
     9. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module One is replaced with “Clause 11(c)(i)”;
     10. Clause 13(a) and Part C of Annex I are not used;
     11. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
     12. In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
     13. Clause 17 is replaced with: “These Clauses are governed by the laws of Scotland and Northern Ireland.”;
     14. Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of Scotland and Northern Ireland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The parties agree to submit themselves to the jurisdiction of such courts.”; and
     15. The footnotes to the Approved EU SCCs do not form part of the UK Addendum, except for footnotes 8, 9, 10 and 11.

Amendments to the UK Addendum

  1. The parties may agree to change Clauses 17 and/or 18 of the EU SCCs to refer to the laws and/or courts of Scotland and Northern Ireland.
  2. If the parties wish to change the format of the information included in Part 1: Tables of the Approved UK Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
  3. From time to time, the ICO may issue a revised Approved UK Addendum which:
     1. makes reasonable and proportionate changes to the Approved UK Addendum, including correcting errors in the Approved UK Addendum; and/or
     2. reflects changes to UK Data Protection Laws;

     The revised Approved UK Addendum will specify the start date from which the changes to the Approved UK Addendum are effective and whether the parties need to review this UK Addendum including the Appendix Information. This UK Addendum is automatically amended as set out in the revised Approved UK Addendum from the start date specified.

  4. If the ICO issues a revised Approved UK Addendum under Section 18 of this UK Addendum, and a party will as a direct result of the changes in the Approved UK Addendum have a substantial, disproportionate and demonstrable increase in:
     1. its direct costs of performing its obligations under the UK Addendum; and/or
     2. its risk under the UK Addendum,

     and in either case it has first taken reasonable steps to reduce those costs or risks so that they are not substantial and disproportionate, then that party may end this UK Addendum at the end of a reasonable notice period, by providing written notice for that period to the other party before the start date of the revised Approved UK Addendum.

  5. The parties do not need the consent of any third party to make changes to this UK Addendum, but any changes must be made in accordance with its terms.