partnerstack.com
Open in
urlscan Pro
3.233.126.24
Public Scan
URL:
https://partnerstack.com/legal/data-processing-addendum
Submission: On September 19 via manual from US — Scanned from US
Submission: On September 19 via manual from US — Scanned from US
Form analysis 2 forms found in the DOM
POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/7012252/c4858e85-6110-40dc-a3ac-c0272b1b4bd0
<form id="hsForm_c4858e85-6110-40dc-a3ac-c0272b1b4bd0" method="POST" accept-charset="UTF-8" enctype="multipart/form-data" novalidate=""
action="https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/7012252/c4858e85-6110-40dc-a3ac-c0272b1b4bd0"
class="hs-form-private hsForm_c4858e85-6110-40dc-a3ac-c0272b1b4bd0 hs-form-c4858e85-6110-40dc-a3ac-c0272b1b4bd0 hs-form-c4858e85-6110-40dc-a3ac-c0272b1b4bd0_1730ff89-80ac-42cf-91e6-f31715860d6a hs-form stacked"
target="target_iframe_c4858e85-6110-40dc-a3ac-c0272b1b4bd0" data-instance-id="1730ff89-80ac-42cf-91e6-f31715860d6a" data-form-id="c4858e85-6110-40dc-a3ac-c0272b1b4bd0" data-portal-id="7012252"
data-test-id="hsForm_c4858e85-6110-40dc-a3ac-c0272b1b4bd0">
<fieldset class="form-columns-3">
<div class="hs_utm_source hs-utm_source hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_source-c4858e85-6110-40dc-a3ac-c0272b1b4bd0" class="" placeholder="Enter your UTM Source"
for="utm_source-c4858e85-6110-40dc-a3ac-c0272b1b4bd0"><span>UTM Source</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_source" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_medium hs-utm_medium hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_medium-c4858e85-6110-40dc-a3ac-c0272b1b4bd0" class="" placeholder="Enter your UTM Medium"
for="utm_medium-c4858e85-6110-40dc-a3ac-c0272b1b4bd0"><span>UTM Medium</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_medium" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_content hs-utm_content hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_content-c4858e85-6110-40dc-a3ac-c0272b1b4bd0" class="" placeholder="Enter your UTM Content"
for="utm_content-c4858e85-6110-40dc-a3ac-c0272b1b4bd0"><span>UTM Content</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_content" class="hs-input" type="hidden" value=""></div>
</div>
</fieldset>
<fieldset class="form-columns-2">
<div class="hs_utm_term hs-utm_term hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_term-c4858e85-6110-40dc-a3ac-c0272b1b4bd0" class="" placeholder="Enter your UTM Term"
for="utm_term-c4858e85-6110-40dc-a3ac-c0272b1b4bd0"><span>UTM Term</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_term" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_campaign hs-utm_campaign hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_campaign-c4858e85-6110-40dc-a3ac-c0272b1b4bd0" class="" placeholder="Enter your UTM Campaign"
for="utm_campaign-c4858e85-6110-40dc-a3ac-c0272b1b4bd0"><span>UTM Campaign</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_campaign" class="hs-input" type="hidden" value=""></div>
</div>
</fieldset>
<fieldset class="form-columns-1">
<div class="hs_email hs-email hs-fieldtype-text field hs-form-field"><label id="label-email-c4858e85-6110-40dc-a3ac-c0272b1b4bd0" class="" placeholder="Enter your Email" for="email-c4858e85-6110-40dc-a3ac-c0272b1b4bd0"><span>Email</span><span
class="hs-form-required">*</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="email-c4858e85-6110-40dc-a3ac-c0272b1b4bd0" name="email" required="" placeholder="Enter your email" type="email" class="hs-input" inputmode="email" autocomplete="email" value=""></div>
</div>
</fieldset>
<div class="hs_submit hs-submit">
<div class="hs-field-desc" style="display: none;"></div>
<div class="actions"><input type="submit" class="hs-button primary large" value="Subscribe"></div>
</div><input name="hs_context" type="hidden"
value="{"embedAtTimestamp":"1726785630540","formDefinitionUpdatedAt":"1714679183063","lang":"en","disableCookieSubmission":"true","clonedFromForm":"e0b88d31-9d89-4636-b1f0-79114e2bfd18","renderRawHtml":"true","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36","pageTitle":"DPA","pageUrl":"https://partnerstack.com/legal/data-processing-addendum","isHubSpotCmsGeneratedPage":false,"formTarget":"#hbspt-form-1730ff89-80ac-42cf-91e6-f31715860d6a","rumScriptExecuteTime":1486.4000000953674,"rumTotalRequestTime":2038.5999999046326,"rumTotalRenderTime":2115.300000190735,"rumServiceResponseTime":552.1999998092651,"rumFormRenderTime":76.7000002861023,"connectionType":"4g","firstContentfulPaint":0,"largestContentfulPaint":0,"locale":"en","timestamp":1726785631861,"originalEmbedContext":{"portalId":"7012252","formId":"c4858e85-6110-40dc-a3ac-c0272b1b4bd0","region":"na1","target":"#hbspt-form-1730ff89-80ac-42cf-91e6-f31715860d6a","isBuilder":false,"isTestPage":false,"isPreview":false,"isMobileResponsive":true},"correlationId":"1730ff89-80ac-42cf-91e6-f31715860d6a","renderedFieldsIds":["utm_source","utm_medium","utm_content","utm_term","utm_campaign","email"],"captchaStatus":"NOT_APPLICABLE","emailResubscribeStatus":"NOT_APPLICABLE","isInsideCrossOriginFrame":false,"source":"forms-embed-1.5999","sourceName":"forms-embed","sourceVersion":"1.5999","sourceVersionMajor":"1","sourceVersionMinor":"5999","allPageIds":{},"_debug_embedLogLines":[{"clientTimestamp":1726785630847,"level":"INFO","message":"Retrieved pageContext values which may be overriden by the embed context: {\"pageTitle\":\"DPA\",\"pageUrl\":\"https://partnerstack.com/legal/data-processing-addendum\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36\",\"isHubSpotCmsGeneratedPage\":false}"},{"clientTimestamp":1726785630849,"level":"INFO","message":"Retrieved countryCode property from normalized embed definition response: \"US\""}]}"><iframe
name="target_iframe_c4858e85-6110-40dc-a3ac-c0272b1b4bd0" style="display: none;"></iframe>
</form>/search
<form action="/search" id="search-field-popup" class="site-search-bar w-form"><input class="search-field-popup w-input" maxlength="256" name="query" placeholder="Search for something..." type="search" id="search" required=""><input type="submit"
class="site-search-button w-button" value="Search"></form>Text Content
PartnerStack Network Connect App for HubSpot has launched. Learn more -> For Vendors PLATFORM FEATURES One platform to power your partner ecosystem Watch a 5-minute demo Learn how PartnerStack can scale your SaaS business: Recruit Attract high-quality, great-fit partners Activate Enable partners with best-in-class resources Track Monitor every partner-sourced lead Commission Incentivize partners with rewards and commissions Optimize Improve performance with reports and insights Book a demoPricing Platform features -> Platform FeaturesPricingBook a demo For Partners & Publishers Resources RESOURCES ECOSYSTEM RESOURCES IN YOUR BACK POCKET Perfect your partnerships with our curated collection of resources designed for growth All resources Research Lab Access data-driven reports and trends Customers Learn why our customers love us Guides Find the answers you need from experts Partner Playbook Explore proven plays by our customers Articles Discover industry best practices and tips Glossary Decode buzzwords and learn the industry lingo GET FREE ECOSYSTEM ADVICE Sign up for our newsletter to enjoy premium partnerships and ecosystem content you can’t get anywhere else. UTM Source UTM Medium UTM Content UTM Term UTM Campaign Email* PartnerStack ResourcesResearch LabGuidesGlossaryCustomersArticles About Us Login Get started <- Back to PartnerStack's Legal Hub DATA PROCESSING ADDENDUM How we process Personal Data on your behalf in connection with providing services or use of the PartnerStack Platform. You can sign this Data Processing Addendum here. DATA PROCESSING ADDENDUM 1. PARTIES AND BACKGROUND a. CUSTOMER as named in the relevant order form, exhibit, attachment, addendum or other agreement (the “Customer”); and PARTNERSTACK INC., a corporation incorporated under the laws of Delaware, having its registered office at 1000 Brickell Avenue Suite #715 (PMB-315) Miami, FL 33131 (“PartnerStack”) (each a “Party” and together the “Parties”) entered into a services agreement as dated in the relevant order form, exhibit, attachment, addendum or other agreement (the “Agreement”). This Data Processing Addendum forms part of the Agreement and shall be effective as of the effective date of the Agreement and shall continue in effect until PartnerStack deletes or returns Customer Personal Data as set forth herein. b. To the extent that PartnerStack processes Customer Personal Data (as defined below) on behalf of Customer or its affiliates in connection with providing the Services, the Parties have agreed that it shall do so under the terms of this Data Processing Addendum (“DPA”). c. In the event of any conflict between this DPA and the Agreement, the DPA shall control with respect to any processing of Customer Personal Data. 2. ROLES OF THE PARTIES a. The Parties acknowledge and agree that: i. for the purposes of the GDPR, Customer is the Data Controller and PartnerStack is the Data Processor; and ii. for the purposes of the CCPA, PartnerStack is a Service Provider to Customer. 3. DETAILS OF DATA PROCESSING a. The details of data processing (such as subject matter, nature and purpose of the processing, categories of Personal Data and data subjects) are described in the Agreement and in Appendix 1. b. PartnerStack will only process Customer Personal Data according to the instructions of Customer and in accordance with applicable law. The Agreement and this DPA constitute Customer's instructions for PartnerStack’s processing of Customer Personal Data. c. In using the PartnerStack Platform, Customer represents and warrant that they: (i) will at all times comply with all applicable laws (including all applicable privacy laws); and (ii) have obtained all required rights, authorizations, consents and permissions for all information, material, or content that they enter into the Platform including any information about identifiable individuals (“Personal Information"). If Customer has collected Personal Information from another site and are sharing it on the Platform, Customer represents that they have disclosed that fact in a publicly facing and appropriate privacy policy. d. If PartnerStack believes Customer’s instructions are not compliant with applicable law or outside the scope of the Agreement or the DPA, PartnerStack will promptly inform Customer thereof, unless prohibited by applicable law (without prejudice to the SCCs) and will not further process Customer Personal Data until the issue is resolved. e. PartnerStack may anonymize Customer Personal Data through a reliable state of the art anonymization procedure and may use such anonymized data for its own business purposes, including for research, development of new products and services, and security purposes. 4. SUB-PROCESSORS a. PartnerStack may utilize Sub-processors to process Customer Personal Data subject to Section 4 (b). PartnerStack’s current Sub-processors are identified as of the Effective Date. b. PartnerStack shall (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data than PartnerStack’s obligations under this DPA to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA. c. Should PartnerStack elect to engage another Sub-processor (including any addition or replacement of any Sub-processors), it shall provide Customer with at least thirty (30) days' notice. Customer may object to the new Sub-processor by providing PartnerStack with written notice of the objection within ten (10) days after PartnerStack has provided notice to Customer of such proposed change (an "Objection"). With an Objection, Customer and PartnerStack will work together in good faith to resolve the Objection. If the parties cannot resolve the Objection within a reasonable time, either party may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to the other party. During any such Objection period, PartnerStack may suspend the affected portion of the Services. If Customer does not object during the period set forth above, it shall be deemed to have consented to the use of the new Sub-processor. 5. DATA SUBJECT REQUESTS a. Customer shall have sole responsibility to respond to requests by any Data Subject related to their rights in relation to Customer Personal Data (“Data Subject Request”). b. If PartnerStack receives a Data Subject Request, it will forward it to Customer without undue delay and may advise the individual to submit their request directly to Customer. c. PartnerStack will (taking into account the nature of the processing of Customer Personal Data) provide Customer with reasonable assistance as necessary and at Customer’s expense to allow Customer to fulfil its obligation to respond to Data Subject Requests, including if applicable, Customer’s obligation to respond to requests to exercising the rights set out in the GDPR or CCPA. 6. SECURITY AND AUDITS a. Taking into account the state of the art, the implementation costs as well as the nature, scope, context and purposes of processing, PartnerStack will implement and maintain appropriate technical and organizational measures designed to ensure security of Customer Personal Data, including, without limitation, protection against unauthorized or unlawful processing, unauthorized or unlawful disclosure of, access to and/or alteration of Customer Personal Data and against accidental loss, destruction, or damage of or to Customer Personal Data. b. PartnerStack will ensure that its personnel who are authorized to access Customer Personal Data are subject to appropriate confidentiality obligations. c. PartnerStack will implement and maintain the measures set out in Annex II. PartnerStack may periodically update or modify the security measures set out in Annex II. d. Upon thirty (30) days’ notice and at Customer’s expense, Customer or its independent third-party auditor reasonably acceptable to PartnerStack may audit PartnerStack’s compliance with its obligations under this DPA up to once per year unless more frequent audits are required by a competent data authority or following a Security Incident. All such audits must be conducted during regular business hours and may not unreasonably interfere with PartnerStack business activities. e. Customer will promptly notify PartnerStack of any non-compliance discovered by an audit and provide PartnerStack any audit reports generated in connection with any audit, unless prohibited by applicable law or otherwise instructed by a regulatory or governmental authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. f. PartnerStack shall audit its Sub-processors on a regular basis and will, upon Customer’s request, confirm their compliance with data protection law and the obligations set upon Sub-processors according to the data processing agreement concluded with them. 7. SECURITY INCIDENTS a. PartnerStack shall notify the Customer without undue delay after becoming aware of any incident where the security of Customer Personal Data has been compromised or is likely to have been compromised (a “Security Incident”). PartnerStack will investigate the Security Incident and provide the Customer with such co-operation and assistance as may be reasonably required to comply with any notification or reporting obligations which may apply in respect of any such personal data breach. 8. DELETION AND RETURN a. PartnerStack shall, within 45 days of the date of termination or expiry of the Agreement, (a) if requested to do so by Customer within that period, return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by Customer to PartnerStack; and (b) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data processed by PartnerStack or any Sub-processors unless EU law or the laws of an EU Member State require storage of the personal data. 9. IMPACT ASSESSMENTS a. PartnerStack will (taking into account the nature of the Processing and the information available to PartnerStack) reasonably assist Customer at Customer’s expense in complying with its obligations under Articles 35 and 36 of the GDPR, by (a) making available documentation describing relevant aspects of PartnerStack’s information security program and the security measures applied in connection therewith and (b) providing the other information contained in the Agreement, including this DPA. 10. DATA TRANSFERS a. PartnerStack and its sub-processors may process personal data outside the EEA in one or more countries that have not received an adequacy decision as required by GDPR. The transfer of personal data from the Customer to PartnerStack in these circumstances shall be governed by the Standard Contractual Clauses, which are hereby incorporated into this DPA. For the purpose of the Standard Contractual Clauses: i. The data exporter is the Customer; ii. The data importer is PartnerStack; b. For the purpose of Annex I to the Appendix to the Standard Contractual Clauses, the (A) list of parties, (B) description of the transfer, and (C) competent supervisory authority. are as set out or referenced in Annex I to this DPA; c. For the purpose of Annex II to the Appendix to the Standard Contractual Clauses, the technical and organisational measures implemented by PartnerStack are set out or referenced in Annex II to this DPA; d. For the purpose of Annex III to the Appendix to the Standard Contractual Clauses, the list of sub-processors is set forth in Section 4(a) of this DPA; and 11. CUSTOMER PERSONAL DATA SUBJECT TO UK AND SWISS DATA PROTECTION LAWS a. To the extent that the processing of Customer Personal Data is subject to UK or Swiss data protection laws, the UK Addendum and/or Swiss Addendum (as applicable) set out in Schedule 1 shall apply. 12. CUSTOMER PERSONAL DATA SUBJECT TO THE CCPA a. To the extent that the processing of Customer Personal Data is subject to the CCPA, PartnerStack: (a) acknowledges that Personal Information is disclosed by Customer only for limited and specified purposes described in the Agreement, pursuant to which PartnerStack will provide Customer with its services; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps to help to ensure that PartnerStack’s use of Personal Information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by PartnerStack that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information. b. The Parties intend that PartnerStack be a Service Provider with respect to its processing of Customer Personal Data. PartnerStack shall not (a) Sell or Share Personal Information; (b) retain, use or disclose any Personal Information for any purpose other than for the Business Purposes specified in the Agreement, including retaining, using or disclosing Personal Information for a Commercial Purpose other than the Business Purpose specified in the Agreement, or as otherwise permitted by CCPA; (c) retain, use or disclose Personal Information outside of the direct business relationship between PartnerStack and Customer; or (d) except as permitted by the CCPA, combine Personal Information received pursuant to the Agreement with Personal Information (i) received from or on behalf of another person; or (ii) collected from PartnerStack’s own interaction with any Consumer to whom such Personal Information pertains. PartnerStack certifies that it understands the obligations under this Section and will comply with them. c. Compliance with Section 4 of the DPA shall satisfy PartnerStack ’s obligation under the CCPA to give notice of Subprocessor engagements. d. The Parties acknowledge and agree that (a) PartnerStack ’s access to Personal Information is not part of the consideration exchanged by the parties in respect of the Agreement; and (b) Customer’s instructions documented in the DPA are integral to PartnerStack ’s provision of the Services and the business relationship between the Parties. 13. DEFINITIONS Capitalized terms used but not defined within this DPA shall have the meaning set forth in the Agreement. The following capitalized terms used in this DPA shall be defined as follows: a. “Affiliate" means an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a Party and is a beneficiary of the Agreement. b. "Approved Addendum" means the template Addendum issued by the UK Information Commissioner and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses; c. "CCPA" means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any implementing regulations thereto that become effective on or after the Effective Date of this DPA; d. "Customer Personal Data" means the Personal Data processed by PartnerStack on behalf of Customer in connection with the provision of the Services; e. "EEA" means the European Economic Area; f. "GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR" as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 or, where applicable, the equivalent provision under Swiss data protection law; g. "Mandatory Clauses" means Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the UK Information Commissioner and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses; h. "Member State" means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein; i. "Personal Data" means any information relating to an identified or identifiable individual or device, or is otherwise "personal data," "personal information," "personally identifiable information" and similar terms, and such terms shall have the same meaning as defined by applicable data protection laws. j. "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Customer Personal Data. k. "Standard Contractual Clauses" or “SCCs” means Module Two (controller to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914; and l. "Sub-processor" means PartnerStack Affiliates and third-party processors appointed by PartnerStack to process Customer Personal Data. m. “UK” means the United Kingdom of Great Britain and Northern Ireland. The terms "controller", "processor", "data subject", "process", and "supervisory authority" shall have the same meaning as set out in the GDPR. The terms “sell” and “service provider” shall have the same meaning as set out in the CCPA. ANNEX I A. LIST OF PARTIES MODULE TWO: TRANSFER CONTROLLER TO PROCESSOR Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union Name: As contained in the relevant order form, exhibit, attachment, addendum or other agreement. Address: As contained in the relevant order form, exhibit, attachment, addendum or other agreement. Contact person’s name, position and contact details: As contained in the relevant order form, exhibit, attachment, addendum or other agreement. Activities relevant to the data transferred under these Clauses: As per Agreement Role (controller/processor): Controller Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection Name: PartnerStack Inc. Address: 1000 Brickell Avenue Suite #715 (PMB-315) Miami, FL 33131 Data protection officer: privacy@partnerstack.com Activities relevant to the data transferred under these Clauses: As per Agreement Role (controller/processor): Processor B. DESCRIPTION OF TRANSFER MODULE TWO: TRANSFER CONTROLLER TO PROCESSOR Categories of data subjects whose personal data is transferred • Customer’s employees, contractors, agents, and/or representatives • Customer’s customers and affiliates, and their employees, contractors, agents, representatives, and customers (some of which may be end users of Customer’s software products and services) Categories of personal data transferred • Demographic data: first name, last name, e-mail, IP address, postal address, phone number; may include data of birth. There is also data generated when users view products of a customer • Contact data: Personal/work email address; Personal/work telephone number; Work postal address • Digital Identifiers: IP Address, MAC Address Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. • Not Applicable The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). • Continuous basis Nature of the processing • The scope and nature of the processing is the provision of services by PartnerStack to Customer as set forth in the Agreement. Purpose(s) of the data transfer and further processing • The purpose of the data transfer and further processing is to enable PartnerStack to fulfil its obligations to Customer under the Agreement. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period • 7 Years since last used. For transfers to (sub) processors, also specify subject matter, nature and duration of the processing, see list of subprocessors Duration of the Processing: Continues until service is terminated with Sub-processors C. COMPETENT SUPERVISORY AUTHORITY MODULE TWO: TRANSFER CONTROLLER TO PROCESSOR Identify the competent supervisory authority/ies in accordance with Clause 13 ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. Measures of pseudonymisation and encryption of personal data • All data at rest is encrypted • Personally identifiable information is used on a principles of least privilege and need to know basis • Analytics data is always anonymized through aggregation and identifiers removed Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services • Holistic Information Security Management System that scopes in all the critical processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident • Business Continuity and Disaster Recovery Plan • Annual testing of BC and DR plans Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing • Annual audits (SOC 2) • Annual penetration testing done by a third-party Measures for user identification and authorisation • All access requires unique identification and/or logging to ensure auditability and accountability Measures for the protection of data during transmission • Data in transit is encrypted Measures for the protection of data during storage • Data at rest is encrypted Measures for ensuring physical security of locations at which personal data are processed • Usage of subservice providers that meet the high level of physical security of locations that hold critical data Measures for ensuring events logging • Dedicated Engineering infrastructure team is responsible for this Measures for ensuring system configuration, including default configuration • Dedicated Engineering infrastructure team is responsible for this Measures for internal IT and IT security governance and management • Information Security Management System implemented in accordance with ISO27001 and AICPA Trust Services Principles guideline Measures for certification/assurance of processes and products • PartnerStack platform is SOC 2 Type 2 compliant Measures for ensuring data minimisation • Annual risk assessment identifies and assesses risks pertaining to privacy, which includes data minimisation Measures for ensuring data quality • Engineering quality reviews and standard development practices • Data engineering team dedicated to help ensuring data quality Measures for ensuring limited data retention • Data retention policies are set at the data storage layer Measures for ensuring accountability • Audit logging enabled at all critical layers of the system and platform Measures for allowing data portability and ensuring erasure • Defined processes and tooling implemented for data portability and erasure scripts created by the Engineering team and supported by the Technical Support team For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter • Dedicated vendor risk management program to help ensure (sub-)processors are able to meet the security standards set by our organization which includes requirements such as: o Security certification programs (e.g. ISO27001, SOC 2, etc) o Demonstration of a security management system/program o Data Protection Agreements o Other risk assessments as deemed necessary APPENDIX 1 – DETAILS OF DATA PROCESSING Subject matter, nature and purpose of the processing Subject matter of processing: personal data, as defined under applicable data protection laws. Nature of Processing: the scope, nature and purpose of the processing is the provision of services by PartnerStack to Customer as set forth in the Agreement. Duration Duration of the Agreement Categories of data subjects Customer’s employees, contractors, agents, and/or representatives. Customer’s customers and affiliates, and their employees, contractors, agents, representatives, and customers (some of which may be end users of Customer’s software products and services). TYPES OF PERSONAL DATA I.E. ANY INFORMATION RELATING TO AN IDENTIFIED OR IDENTIFIABLE PERSON. Demographic Data Includes, but is not limited to, first name, last name, e-mail, IP address, postal address, phone number; may include data of birth. There is also data generated when users view products of a customer Contact Details Personal/work email address Personal/work telephone number Work postal address Digital Identifiers IP Address, MAC Address Special Categories of Data Not Applicable Other N/A SCHEDULE 1 UK AND SWISS ADDENDUM 1. UK ADDENDUM With respect to any transfers of Customer Personal Data falling within the scope of the UK GDPR from Customer (as data exporter) to PartnerStack (as data importer): a. Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the UK Information Commissioner and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses shall form part of this DPA, and the Standard Contractual Clauses shall be read and interpreted in light of the provisions of the Mandatory Clauses; b. PartnerStack (as data importer) may end this DPA, to the extent the Mandatory Clauses apply, in accordance with clause 19 of the Mandatory Clauses; c. Neither the Standard Contractual Clauses nor the DPA shall be interpreted in a way that conflicts with rights and obligations provided for in any laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018 (together, the "UK Data Protection Laws"); and d. The Standard Contractual Clauses are deemed to be amended to the extent necessary so they operate: i. for transfers made by Customer to PartnerStack , to the extent that UK Data Protection Laws apply to the Customer’s processing when making that transfer; and ii. to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR; 2. SWISS ADDENDUM As stipulated in Section 11 of the DPA, this Swiss Addendum shall apply to any processing of Customer Personal Data subject to Swiss data protection law or to both Swiss data protection law and the GDPR. a. Interpretation of this Addendum Where this Addendum uses terms that are defined in the Standard Contractual Clauses as further specified in this DPA, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings: This Addendum This Addendum to the Clauses Clauses The Standard Contractual Clauses as further specified in Schedule 1 of this DPA Swiss Data Protection Laws The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time. This Addendum shall be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be. This Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into. B. HIERARCHY In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail. C. INCORPORATION OF THE CLAUSES i. In relation to any processing of personal data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA including as further specified in Schedule 1 of this DPA to the extent necessary so they operate: 1. for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s processing when making that transfer; and 2. to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be. ii. To the extent that any processing of personal data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in Schedule 1 of this DPA and as required by clause 2.1 of this Swiss Addendum, include (without limitation): 1. References to the "Clauses" or the "SCCs" means this Swiss Addendum as it amends the SCCs. 2. Clause 6 Description of the transfer(s) is replaced with: "The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer." 3. References to "Regulation (EU) 2016/679" or "that Regulation" or "“GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s) of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws extent applicable. 4. References to Regulation (EU) 2018/1725 are removed. 5. References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland". 6. Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the Federal Data Protection and Information Commissioner (the “FDPIC”) insofar as the transfers are governed by Swiss Data Protection Laws; 7. Clause 17 is replaced to state: These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws. 8. Clause 18 is replaced to state: Any dispute arising from these Clauses relating to Swiss Data Protection Laws shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts. Until the entry into force of the revised Swiss Data Protection Laws, the Clauses shall also protect personal data of legal entities and legal entities shall receive the same protection under the Clauses as natural persons. iii. To the extent that any processing of personal data is subject to both Swiss Data Protection Laws and the GDPR, the DPA including the Clauses as further specified in Schedule 1 of this DPA will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by clauses 2.1 and 2.3 of this Swiss Addendum, with the sole exception that Clause 17 of the SCCs shall not be replaced as stipulated under clause 2.3(b)(vii) of this Swiss Addendum. iv. Customer warrants that it and/or Customer Affiliates have made any notifications to the FDPIC which are required under Swiss Data Protection Laws. GET STARTED WITH PARTNERSTACK CONNECT. EARN. GROW. Build powerful B2B partnerships that fuel growth and drive revenue. Vendors EMPOWER YOUR PARTNERS. ACCELERATE GROWTH. Manage relationships and grow your ecosystem with top-notch partners. Book a demo See how it works PARTNERS & PUBLISHERS EARN MORE WITH THE BEST B2B SAAS BRANDS Partner with top software brands and start earning commissions. Join the network Learn more GENERAL * Marketplace * Company * Hiring * Resources * Legal * Help center PRODUCT * Book a demo * Pricing * New releasesIntegrations * Docs * Status MORE * Our partner program * * Partner directory * Partner playbook * Partnerships glossary Success! Thank you for subscribing. OK PartnerStack uses cookies to improve your experience on our site. By continuing to browse, you are agreeing to our use of cookies. View our privacy policy for more information. DenyAccept Cancel Try partner recruitment or ecosystems × ×