Vendor DPA

Data Privacy Addendum

This Data Privacy Addendum (“DPA”) sets forth the privacy and data protection obligations applicable to the processing of Personal Data by the vendor (“Vendor”) on behalf of Yipit LLC, d/b/a YipitData or the YipitData affiliate identified in the agreement (“YipitData”), each a “Party” and collectively the “Parties”. This DPA is incorporated by reference into the agreement between YipitData and Vendor (including any other addendum, order form, statement of work, or equivalent, the “Agreement”) and forms part of the Agreement. In the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA will prevail. 

YipitData and Vendor agree as follows:

1. Definitions. For purposes of this DPA:

       a. “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., including its regulations and the amendments made by the California Privacy Rights Act of 2020 (“CCPA”), privacy laws passed by other U.S. states (together with the CCPA, “U.S. State Privacy Laws”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”), and the Swiss Federal Act on Data Protection (“FADP”). For the avoidance of doubt, if Vendor’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.

       b. “Data Subject” means an identified or identifiable natural person about whom Personal Data relates.

       c. “Data Privacy Framework” means, collectively, the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. Data Privacy Framework (“UK Extension”), and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”), the texts of which are located at https://www.dataprivacyframework.gov/s/framework-text.

       d. “EEA” means the European Economic Area, consisting of the member states of the European Union in addition to Iceland, Liechtenstein, and Norway.

       e. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj, and completed as set forth in Section 7 below.

       f. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws, that is Processed in relation to the Agreement.

       g. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

       h. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

       i. “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf).

2. Roles of the Parties; Scope and Purposes of Processing.

       a. This DPA applies to all Personal Data that Vendor Processes pursuant to the Agreement.

       b. Terms in quotations are defined as in applicable Data Privacy Laws. The Parties agree that where YipitData is a data “controller” or “business”, Vendor is its “processor” or “service provider”. Where YipitData is a processor or service provider, Vendor acts as YipitData’s processor (i.e., its subprocessor) or service provider.

       c. Vendor will Process Personal Data solely: (1) to fulfill its obligations to YipitData under the Agreement, including this DPA; (2) on YipitData’s behalf; and (3) in compliance with Data Privacy Laws. Vendor will:

                i. not retain, use, or disclose the Personal Data outside of the direct business relationship between YipitData and Vendor;

                ii. not “sell” or “share” any Personal Data, as such terms are defined in applicable U.S. State Privacy Laws, to any third party;

                iii. not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data without YipitData’s express written permission;

                iv. not attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of YipitData;

                v. comply with any applicable restrictions under Data Privacy Laws on combining the Personal Data with personal data that Vendor receives from, or on behalf of, another person or persons, or that Vendor collects from any interaction between it and any individual;

                vi. provide the same level of protection for the Personal Data as is required under Data Privacy Laws applicable to YipitData;

                vii. not otherwise engage in any Processing of the Personal Data that is prohibited or not permitted by “processors” or “service providers” under Data Privacy Laws; and

                viii. immediately notify YipitData if Vendor determines that (a) it can no longer meet its obligations under this DPA or Data Privacy Laws; or (b) it has breached this DPA, and shall cooperate to remediate such breach; or (c) in Vendor’s opinion, an instruction from YipitData infringes Data Privacy Laws.

       d. YipitData retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including any use of Personal Data not expressly authorized in this DPA.

       e. Vendor certifies that it understands and will comply with its obligations under this DPA, including those in this Section 2.

3. Personal Data Processing Requirements. Vendor will:

       a. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

       b. Assist YipitData in the fulfillment of YipitData’s obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Privacy Laws (such as rights to access or delete Personal Data).

       c. Promptly, and in any event within five (5) days, notify YipitData of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about Vendor’s Processing of Personal Data on YipitData’s behalf, unless prohibited by Data Privacy Laws. If Vendor receives a third-party, Data Subject, or governmental request, Vendor will await written instructions from YipitData on how, if at all, to assist in responding to the request. Vendor will provide YipitData with reasonable cooperation and assistance in relation to any such request. 

       d. Provide reasonable assistance to and cooperation with YipitData for YipitData’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by applicable Data Privacy Laws.

       e. Provide reasonable assistance to and cooperation with YipitData for YipitData’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Vendor under Data Privacy Laws to consult with a regulatory authority in relation to Vendor’s Processing or proposed Processing of Personal Data.

4. Data Security. Vendor will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in the Security Addendum referenced in the Vendor Addendum.

5. Security Breach. Vendor will notify YipitData promptly, and in any event within forty-eight hours, of any Security Breach. Vendor will comply with the Security Breach-related obligations directly applicable to it under Data Privacy Laws and will assist YipitData in YipitData’s compliance with its Security Breach-related obligations, including without limitation by:

       a. At Vendor’s own expense, taking steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and

       b. Providing YipitData with the following information, to the extent known:

                i. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;

                ii. The likely consequences of the Security Breach; and

                iii. Measures taken or proposed to be taken by Vendor to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.

6. Subcontractors.

       a. YipitData acknowledges and agrees that Vendor may use Vendor affiliates and other subcontractors to Process Personal Data in accordance with the provisions within this DPA and Data Privacy Laws. Where Vendor sub-contracts any of its rights or obligations concerning Personal Data, including to any affiliate, Vendor will: (i) take steps to select and retain subcontractors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Privacy Laws; and (ii) require that each subcontractor complies with obligations that are no less restrictive than those imposed on Vendor under this DPA.

       b. To the extent Vendor Processes Personal Data subject to applicable Data Privacy Laws in the European Economic Area, Switzerland, or the United Kingdom, Vendor agrees to provide to YipitData a complete and accurate list of its current subprocessors by submitting the list to privacy@yipitdata.com within thirty (30) days of accepting this DPA or upon YipitData’s request, and YipitData hereby consents to Vendor’s use of such subprocessors. Vendor will maintain an up-to-date list of its subprocessors, and it will provide YipitData with reasonable notice of any new subprocessor added to the list prior to transferring Personal Data to such new subprocessor. In the event YipitData objects to a new subprocessor, Vendor will not transfer Personal Data to the new subprocessor and will use reasonable efforts to make available to YipitData a change in the services or recommend a commercially reasonable change to YipitData’s use of the services to avoid Processing of Personal Data by the objected-to subprocessor without unreasonably burdening YipitData. YipitData may, in its sole discretion, terminate the Agreement at any time and by providing written notice to Vendor in the event that it objects to a subprocessor and Vendor is unable to change the services to satisfy YipitData.

       c. Vendor will provide copies of the subprocessor agreements that must be sent to YipitData pursuant to Clause 9(c) of the EU SCCs upon YipitData’s request. Vendor may have all commercial information, or clauses unrelated to the EU SCCs or their equivalent, removed or redacted before providing to YipitData.

7. Data Transfers.

       a. Vendor will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Privacy Laws. Where Vendor engages in an onward transfer of Personal Data, Vendor shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.

       b. If Vendor is duly certified under the Data Privacy Framework, it may receive Personal Data regarding EEA, UK, and/or Swiss Data Subjects pursuant to the Data Privacy Framework in lieu of another transfer mechanism, subject to the following provisions.

                i. If Vendor is certified under the EU-U.S. DPF, it may receive Personal Data regarding EEA Data Subjects pursuant to such certification instead of pursuant to the EU SCCs.

                ii. If Vendor is certified under the UK Extension, it may receive Personal Data regarding UK Data Subjects pursuant to such certification instead of the UK SCCs.

                iii. If Vendor is certified under the Swiss-U.S. DPF, it may receive Personal Data regarding Swiss Data Subjects pursuant to such certification instead of Section 7(e) below, but not until such time as Switzerland recognizes the adequacy of the Swiss-U.S. DPF and all other necessary processes take place in order for the Swiss-U.S. DPF to be an independently sufficient transfer mechanism. 

                iv. To receive Personal Data pursuant to the Data Privacy Framework instead of the EU SCCs, UK SCCs, and/or Section 7(e) below (as applicable), Vendor must have an active, current Data Privacy Framework certification, as evidenced by its listing on the U.S. Department of Commerce’s Data Privacy Framework List of “Active” participants (located at https://www.dataprivacyframework.gov/s/participant-search), that authorizes Vendor to receive non-HR Personal Data under the Data Privacy Framework.

                v. Vendor represents and warrants that it will comply with all of its obligations under the Data Privacy Framework regarding Personal Data transferred thereunder and will provide YipitData with all information reasonably necessary to demonstrate such compliance upon YipitData’s reasonable request. Vendor will notify YipitData immediately if Vendor determines that it can no longer comply with its Data Privacy Framework obligations.

                vi. If YipitData becomes aware that Vendor is in violation of its obligations under the Data Privacy Framework, YipitData may, in its sole discretion, suspend transfers of affected Personal Data until the violation is resolved to YipitData’s satisfaction; transfer the affected Personal Data pursuant to the EU SCCs, UK SCCs, or Section 7(e) below (as applicable); or terminate this DPA and the Agreement without penalty.

                vii. If Vendor’s Data Privacy Framework certification becomes inactive during the term of the Agreement for any reason not including Vendor’s violation of the Data Privacy Framework or Data Privacy Law, the Parties may agree to conduct transfers of Personal Data regarding EEA, UK, and/or Swiss Data Subjects (as applicable) for the remainder of the term pursuant to the EU SCCs, UK SCCs, or Section 7(e) below (as applicable); provided that any such agreement must be in writing.

       c. To the extent legally required, by entering into this DPA, YipitData and Vendor are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Section 7(e) below) will be deemed completed as follows: 

                i. Module 2 of the EU SCCs applies to transfers of Personal Data from YipitData (as a controller) to Vendor (as a processor) and Module 3 of the EU SCCs applies to transfers of Personal Data from YipitData (as a processor) to Vendor (as a sub-processor);

                ii. Clause 7 of Modules 2 and 3 (the optional docking clause) is not included;

                iii. Under Clause 9 of Modules 2 and 3 (Use of sub-processors), the Parties select Option 2 (General written authorization). Vendor will provide YipitData the initial list of sub-processors, and Vendor shall propose an update to that list at least 10 business days in advance of any intended additions or replacements of sub-processors in accordance with Section 6(b) of this DPA;

                iv. Under Clause 11 of Modules 2 and 3 (Redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;

                v. Under Clause 17 of Modules 2 and 3 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the law of Ireland;

                vi. Under Clause 18 of Modules 2 and 3 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;

                vii. Annex I(A) and I(B) of Modules 2 and 3 (List of Parties) is completed as set forth in Exhibit A of this DPA;

                viii. Under Annex I(C) of Modules 2 and 3 (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.

                ix. Annex II of Modules 2 and 3 (Technical and organizational measures) is completed with the Security Addendum referenced in the Vendor Addendum; and

                x. Annex III of Modules 2 and 3 (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9.

       d. To the extent legally required, by entering into this DPA, the Parties are deemed to be signing the UK SCCs, which form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. The Tables within UK SCCs are deemed completed as follows:

                i. Table 1: The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, and the Key Contact shall be the contacts set forth in the Agreement.

                ii. Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties and completed in Section 7(c) of this DPA.

                iii. Table 3: Annexes I and II are set forth in Exhibit A and the Security Addendum referenced in the Vendor Addendum. Annex III is inapplicable.

                iv. Table 4: YipitData may end this DPA as set out in Section 19 of the UK SCCs.

                v. By entering into this DPA, the Parties are deemed to be signing the UK SCCs.

       e. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(c) of this DPA, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).

8. Additional Safeguards for the Transfer and Processing of Personal Data from the EEA, Switzerland, and the United Kingdom. To the extent that Vendor (x) is located in a jurisdiction other than the United States that has not been deemed “adequate” by the European Commission and (y) Processes Personal Data of Data Subjects located in or subject to the applicable Data Privacy Laws in the European Economic Area, Switzerland, or the United Kingdom, Vendor agrees to the following safeguards (“Additional Safeguards”) to protect such data to an equivalent level as applicable Data Privacy Laws:

       a. Vendor uses encryption for data both in transit and at rest.

       b. Vendor shall use all available legal mechanisms to challenge any demands for access to Personal Data by Public Authorities (as such term is understood under the GDPR and EU SCCs) that it receives, as well as any non-disclosure provisions attached thereto.

       c. Vendor will notify YipitData if Vendor can no longer comply with the Model Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply. 

9. Audits. Vendor will make available to YipitData all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by YipitData or another auditor mandated by YipitData, provided that, except in the case of a Security Breach, for which there is no frequency limitation, such audit shall occur not more than once every six (6) calendar months, upon reasonable prior written notice, and to the extent Vendor’s personnel are required to cooperate therewith, only during Vendor’s normal business hours.

10. Return or Destruction of Personal Data. Except to the extent required otherwise by Data Privacy Laws, Vendor will, at the choice of YipitData, return to YipitData and/or securely destroy all Personal Data upon (a) written request of YipitData or (b) termination of the Agreement. Except to the extent prohibited by Data Privacy Laws, Vendor will inform YipitData if it is not able to return or delete the Personal Data.

11. Indemnification and Limitation of Liability. To the extent permitted by Data Privacy Laws, the Parties will indemnify each other and their liability will be limited as provided in the Agreement.

12. Survival. The provisions of this DPA survive the termination or expiration of the Agreement for so long as Vendor or its subcontractors Process the Personal Data. 

 

Exhibit A

ANNEX I TO THE EU SCCS

A. LIST OF PARTIES

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Data exporter(s):

Name: The data exporter is YipitData.

Activities relevant to the data transferred under these SCCs: The data exporter is a user of the data importer’s Services pursuant to their underlying Agreement. The data exporter acts as a controller with respect to its own personal data. To the extent permitted by the Agreement, the exporter also is permitted to use the contracted Services as a processor on behalf of third parties.

Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these SCCs by both parties.

Data importer(s):

Name: The data importer is Vendor.

Activities relevant to the data transferred under these SCCs: The data importer is the provider of Services to the data exporter and its customers pursuant to their underlying Agreement. The data importer acts as the data exporter’s processor. 

Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these SCCs by both parties.

B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Categories of data subjects whose personal data is transferred may include, but are not limited to the following: 

  • Employees and contractors of YipitData, job applicants, employees or contact persons of YipitData’s customers, business partners, vendors and other business partners, website visitors and individuals who otherwise interact with YipitData.

Categories of personal data transferred may include, but are not limited to the following: 

  • Identifiers, such as first and last name, business contact information (e.g., company name, title, email, phone, physical address), and personal contact information (e.g., email, cell phone)
  • Online activity information, including connection data such as IP address, device identifiers, network logs, and usage metadata
  • Commercial information, such as records of products or services purchased or other transactional and payment data
  • Account and authentication data (e.g., login credentials, account identifiers, profile information)
  • HR-related data (for employees, contractors, and job applicants)
  • Any other personal data that Company may process or transfer in connection with the operation of its business and provision of services.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): 

Continuous for the duration of the Agreement.

Nature of the processing: 

Data importer’s Processing activities shall be limited to those discussed in the Agreement and the DPA.

Purpose(s) of the data transfer and further processing: 

The objective of the transfer and further processing of personal data by Vendor is to provide services to YipitData.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: 

Personal data will be retained for the period of time necessary to provide the Services to YipitData under the Agreement, the DPA, and/or in accordance with applicable legal requirements.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: 

Same as above to the extent such information is provided to subprocessors for purposes of providing the Services.

C. COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

See Section 7(c)(viii) of the DPA.

Last Updated September 2025