Data Processing Agreement (DPA)

Last revised: October 17, 2023

This Data Processing Agreement including its Attachments (“DPA”) between either (i) Top Producer Software Inc. if Customer is located in the United States of America, or (ii) Top Producer Software Corp. if the Customer is located in Canada (“Vendor”) and the entity that receives any Vendor Products from Vendor (the “Customer”) pursuant to a written or electronic agreement which governs the provision of those Vendor Products (the “Agreement”) shall apply to the extent that (i) Vendor Processes Personal Data on behalf of the Customer, and (ii) either the Agreement expressly incorporates this DPA by reference or the parties sign this DPA.   

 

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon the earlier of signature or its incorporation into the Agreement, which incorporation may be specified in the Agreement or an executed amendment to the Agreement. In case of any conflict or inconsistency between the terms of the Agreement and this DPA, this DPA shall take precedence over the terms of the Agreement to the extent of such conflict or inconsistency. 

 

The term of this DPA shall follow the Term of the Agreement. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement. 

 

  1. Definitions 

 

“California Personal Information” means Personal Data that is subject to the CCPA. 

 

“Canadian Privacy Laws” means the data protection laws applicable in Canada and/or its provinces, in each case as hereinafter amended, superseded, or replaced, including:

(i) The Personal Information Protection and Electronic Documents Act of 2000 (“PIPEDA”);

(ii) In Quebec: the Act to Modernize Legislative Provisions As Regards the Protection of Personal Information, also known as Law 25 (formerly known as Bill 64), and the Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1, which is amended thereby (collectively “Law 25”);

(iii) In Alberta: the Personal Information Protection Act [of Alberta] (“PIPA Alberta”); and

(iv) In British Columbia: the Personal Information Protection Act [of British Columbia] (“PIPA BC”).

 

“Consumer,” “Business,” “Sell” and “Service Provider” shall have the meanings given to them in the CCPA.  

 

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Protection Laws” means all applicable legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation US Privacy Laws and Canadian Privacy Laws; in each case to the extent applicable and as amended, repealed, consolidated or replaced from time to time.

 

“Data Subject” means the individual to whom Personal Data relates.

“Instructions” means the written, documented instructions issued by Customer to Vendor and directing the same to perform a specific or general action with regard to Personal Data.

 

“Permitted Affiliates” means any of Customer’s Affiliates (as defined under the Agreement):

(i) That are permitted to use the Products pursuant to the Agreement, but have not signed their own separate agreement with Vendor;

(ii) For whom Vendor Processes Personal Data; and

(iii) That are subject to Data Protection Laws.

 

“Personal Data” means any information provided by or collected on behalf of Customer relating to an identified or identifiable individual where such information is protected under applicable Data Protection Laws as personal data, personal information, personally identifiable information, or any equivalent thereof.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Vendor and/or its Sub-Processors in connection with the provision of the Products. “Personal Data Breach” shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

“Products” means the goods and services provided by Vendor to Customer under the Agreement.

“Sub-Processor” means any third party engaged by Vendor to carry out specific Processing activities in accordance with the Instructions and subject to further limitations set forth in this DPA.

“Third Country” means, for the Processing of Personal Data that is subject to the GDPR, UK GDPR, or FADP, a country that is not a member of the EEA, United Kingdom, or Switzerland, respectively, and not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws).

 

“US Privacy Laws” means the data protection laws applicable in the United States of America and/or its states, in each case as hereinafter amended, superseded, or replaced, including:

(i) In California: the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (the “CCPA”);

(ii) In Colorado: the Colorado Privacy Act (the “CoPA”);

(iii) In Connecticut: the Connecticut Personal Data Privacy and Online Monitoring Act (the “CPDP”);

(iv) In Utah: the Utah Consumer Privacy Act, which goes into effect on December 31, 2023 (the “UCPA”); and

(v) In Virginia: the Virginia Consumer Data Protection Act (the “VCDPA”).

 

  2. Roles of the Parties

a. Under the CCPA. With respect to California Personal Information, the parties acknowledge and agree that Customer is a Business and Vendor is a Service Provider, unless and only to the extent that Attachment 1, Section A identifies any purposes for which Vendor Processes Personal Data as a ‘third party’ as that term is defined under the CCPA (“CCPA Third Party”), in which case Vendor is a CCPA Third Party.

b. Under US Privacy Laws, except the CCPA. With respect to Personal Data that is Processed under this DPA and governed by US Privacy Laws except the CCPA, the parties acknowledge and agree that Vendor is a Processor and Customer is either (i) a Controller, or (ii) a Processor acting on behalf of a Controller that is not a party to the Agreement or this DPA.

c. Under Canadian Privacy Laws. With respect to Personal Data that is Processed under this DPA and governed by Canadian Privacy Laws, the parties acknowledge and agree that (i) Vendor Processes Personal Data on behalf of Customer and assumes the obligations under applicable Canadian Privacy Laws that apply to that role, and (ii) Customer, through its Instructions to Vendor, determines the purposes and means of the Processing of Personal Data and assumes the obligations under applicable Canadian Privacy Laws that apply to that role.

 

  3. Customer Responsibilities

 

a. Compliance with Laws. With respect to the Personal Data that Vendor collects from or on behalf of Customer, Customer shall be responsible for complying with all its obligations under applicable Data Protection Laws and shall inform Vendor without undue delay if it is not able to comply with its responsibilities under this sub-section (a) or applicable Data Protection Laws.  In particular but without prejudice to the generality of the foregoing, Customer acknowledges and agrees that it shall be solely responsible for:  

 

(i) the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data;  

 

(ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes);  

 

(iii) ensuring it has the right to transfer, or provide access to, the Personal Data to Vendor for Processing in accordance with the terms of the Agreement (including this DPA); 

 

(iv) ensuring that its Instructions to Vendor regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and  

 

(v) complying with all laws (including Data Protection Laws) applicable to any content created, sent or managed through the Products, including those relating to obtaining consents (where required) to send communications, the content of the communications, and its communication deployment practices.  

 

b.  Instructions. The parties agree that the following constitutes Customer’s complete and final Instructions to Vendor in relation to the Processing of Personal Data: (i) the terms of the Agreement and this DPA, including the Attachments hereto, (ii) direction from Customer through its use of the Products in accordance with the Agreement, and (iii) this general authorization by Customer which hereby permits Vendor to use Personal Data for any business operations incident to providing the Products to Customer.  Additional instructions outside the scope of the Instructions must be agreed to according to the process for amending the Agreement or this DPA, where applicable. 

 

c. Security. Customer is responsible for independently determining whether the data security provided for in the Products adequately meets its obligations under applicable Data Protection Laws. Customer is also responsible for its secure use of the Products, including protecting account access to the Products and the security of Personal Data in transit to and from the Products (including the secure backup or encryption of any such Personal Data).

 

  4. Vendor Obligations

 

a. Compliance with Instructions. Vendor shall only Process Personal Data for the purposes described in this DPA, including Attachment 1, or as otherwise agreed within the scope of Customer’s lawful Instructions, except where and to the extent otherwise required by applicable law. Vendor is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer’s industry that are not generally applicable to Vendor. 

 

b. Conflict of Laws. If Vendor becomes aware that it can no longer meet its obligations under the applicable Data Protection Laws or Process Personal Data in accordance with Customer’s Instructions due to a legal requirement under any applicable law, Vendor will: 

 

(i) promptly notify Customer of that legal requirement to the extent permitted by the applicable law; and  

 

(ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Customer issues new Instructions with which Vendor is able to comply. If this provision is invoked, Vendor will not be liable to Customer under the Agreement for any failure to provide the applicable Products until such time as Customer issues new lawful Instructions with regard to the Processing. 

 

c. Technical and Organizational Measures. Vendor shall implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Attachment 2 (Technical and Organizational Measures) of this DPA. Notwithstanding any provision to the contrary, Vendor may modify or update the contents of Attachment 2 at its discretion provided that such modification or update does not result in a material degradation in the technical and organizational measures set forth therein.  

 

d. Confidentiality. Vendor shall ensure that any personnel whom Vendor authorizes to Process Personal Data on its behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data. 

 

e. Personal Data Breaches. In the event that Vendor becomes aware of any Personal Data Breach, Vendor will notify Customer without undue delay, and in any case within any time period set forth in applicable Data Protection Laws. Vendor shall provide Customer with timely information relating to the Personal Data Breach as it becomes known.  At Customer’s request, Vendor will promptly provide Customer with such reasonable assistance as necessary to enable Customer to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Customer is required to do so under Data Protection Laws. 

 

f. Deletion or Return of Personal Data. Vendor will delete or return all Personal Data (including copies thereof) Processed pursuant to this DPA on termination or expiration of the Products in accordance with the procedures and timeframes set out in the Agreement, save that this requirement shall not apply to the extent Vendor is required by applicable law to retain some or all of the Personal Data, or to Personal Data that Vendor has archived on back-up systems, which data Vendor shall securely isolate and protect from any further Processing and delete in accordance with its deletion practices. 

 

g. Aggregate, Deidentified, and Anonymized Data. Vendor may aggregate, deidentify, or anonymize Personal Data so it no longer meets the Personal Data definition under applicable Data Protection Laws, and may use such aggregated, deidentified, or anonymized data for its own research and development purposes or for any other purpose that is not prohibited under applicable Data Protection Laws. Vendor shall take reasonable measures to ensure that the data cannot be associated with a Data Subject and shall not attempt to re-identify the data. Vendor shall contractually obligate any recipients of the data to comply with the requirements of this Section 4(g).

 

h. Demonstration of Compliance. Vendor shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws and shall allow for and contribute to audits, including inspections by Customer, in order to assess compliance with this DPA and applicable Data Protection Laws. Customer acknowledges and agrees that it shall exercise its audit and inspection rights under this DPA by instructing Vendor to supply, on a confidential basis, (i) a summary copy of an independently validated report of its security programs (e.g. SOC 2, Type II Report), along with copies of any related policies and other documentation, or its hosting provider’s security programs and related policies and documentation if Vendor does not host the Personal Data itself, or (ii) if Vendor does not have such a report, written responses to all reasonable requests for information made by Customer necessary to confirm Vendor’s compliance with this DPA, along with copies of any related policies and other documentation. Customer shall not exercise this right to audit and inspect more than once per calendar year.

 

i. Vendor Assistance to Customer. To the extent required by applicable Data Protection Laws, Vendor shall assist Customer with Customer’s obligations under those applicable Data Protection Laws. Such assistance may be provided through Product functionality, in which case Customer agrees to utilize such functionality before asking Vendor for further assistance.

 

  5. Data Subject Requests

As part of Vendor’s obligation under Section 4(i) (Vendor Assistance to Customer) above, where required by applicable Data Protection Laws, Vendor will assist Customer with Customer’s obligation to respond to requests from data protection authorities and Data Subjects that seek to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”). All Data Subject Requests must provide sufficient information to verify the identity of the Data Subject. Customer shall reimburse Vendor for any commercially reasonable costs that arise from any such assistance that is in addition to that which Vendor normally provides to its customers.

 

If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Vendor, Vendor will, to the extent that Vendor can identify Customer as the source of the Personal Data in question through its standard due diligence processes, promptly inform Customer of such Data Subject Request and will advise the Data Subject to submit their request to Customer. Customer shall otherwise be solely responsible for responding to any Data Subject Requests and all other communications with Data Subjects that relate to their Personal Data. 

 

  6. Data Protection Assessments

 

To the extent required by applicable law, Vendor will provide reasonable assistance to Customer to enable Customer to conduct and document data protection assessments, provided that the required information is reasonably available to Vendor, and Customer does not otherwise have access to the required information. 

 

  7. Sub-Processors

 

Customer agrees that Vendor may engage Sub-Processors to Process Personal Data on Customer’s behalf.  

 

Where Vendor engages Sub-Processors, Vendor will execute a written agreement with any Sub-Processor that imposes data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA and that requires the Sub-Processor to meet the obligations of the Vendor with respect to the Personal Data, to the extent applicable to the nature of the services provided by such Sub-Processors. Vendor will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Vendor to breach any of its obligations under this DPA. 

 

For those Customers that provide Personal Data of Data Subjects who are subject to CoPA, Customer has the right to object to the use of any particular Sub-Processor, in which case Customer may request a list of Vendor’s Sub-Processors. 

 

  8. International Processing

 

Customer acknowledges and agrees that Vendor may Process Personal Data on a global basis as necessary to provide the Products in accordance with the Agreement. Vendor shall ensure such transfers are made in compliance with the requirements of applicable Data Protection Laws. 

 

  9. Additional Provisions for California Personal Information

 

a. Scope. This Section 9 (Additional Provisions for California Personal Information) shall apply only with respect to California Personal Information. In the event that the terms and conditions in this Section 9 conflict with those in the other sections of this DPA, the terms and conditions in this Section 9 shall take precedence. 

 

b. Responsibilities as a Service Provider. The parties agree that when Vendor is acting as a Service Provider (see Section 2(a)) Vendor will process California Personal Information strictly for the limited purposes set forth in Attachment 1 of this DPA and as otherwise permitted by the CCPA, including the permitted purposes set forth in the ‘business purpose’ definition in Section 1798.140(e) (the “Business Purposes”).  

 

(i) As Service Provider, Vendor shall not: 

  

(A) combine the California Personal Information that the Vendor receives from, or on behalf of, the Customer with California Personal Information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a consumer, provided that the Vendor may combine California Personal Information to perform any Business Purposes permitted under the CCPA, and may also aggregate, deidentify, or anonymize California Personal Information so it no longer meets the California Personal Information definition, and may use such aggregated, deidentified, or anonymized data for its own research and development purposes or for any other purpose that is not prohibited under the CCPA;  

 

(B) sell or share California Personal Information (as defined in the CCPA);  

 

(C) retain, use, or disclose California Personal Information for any purpose, including any commercial purpose, other than for the Business Purposes or as otherwise permitted by the CCPA; or  

 

(D) retain, use, or disclose California Personal Information outside of the direct business relationship between Customer and Vendor, unless permitted by the CCPA. 

 

(ii) As a Service Provider, Vendor shall: 

 

(A) comply with all applicable obligations imposed by the CCPA; 

 

(B) provide the same level of privacy protection as is required by the Customer under the CCPA; 

 

(C) implement reasonable security procedures and practices appropriate to the nature of the California Personal Information received to protect the California Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure; 

 

(D) promptly comply with any Customer request or instruction requiring the Vendor to provide, amend, transfer, or delete California Personal Information, or to stop, mitigate, or remedy any unauthorized processing; 

 

(E) provide the Customer with reasonable and appropriate steps to (1) stop and remediate unauthorized use of California Personal Information and (2) ensure that the Vendor uses the California Personal Information in a manner consistent with the Customer’s obligations under the CCPA; and 

 

(F) notify Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates to either party’s compliance with the CCPA; specifically, the Vendor must notify the Customer within seven (7) business days if it receives a verifiable consumer request under the CCPA.

 

c. Responsibilities as a CCPA Third Party. The parties agree that when Vendor is acting as a CCPA Third Party (see Section 2(a)) Vendor will process California Personal Information strictly for the limited purposes set forth in Attachment 1 of this DPA, including any Business Purposes and any CCPA Third Party purposes as identified therein, and as otherwise permitted by the CCPA (the “CCPA Third Party Purposes”).

(i) As a CCPA Third Party, Vendor shall:

(A) Only use the California Personal Information for the CCPA Third Party Purposes;

(B) Comply with all applicable obligations imposed by the CCPA;

(C) Provide the same level of privacy protection as is required by the Customer under the CCPA;

(D) Implement reasonable security procedures and practices appropriate to the nature of the California Personal Information received to protect the California Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure;

(E) Permit the Customer to take reasonable and appropriate steps to (1) stop and remediate unauthorized use of California Personal Information and (2) ensure that the Vendor uses the California Personal Information in a manner consistent with the Customer’s obligations under the CCPA; and

(F) Notify Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates to either party’s compliance with the CCPA, including any request to opt out of the sale or sharing of Personal Data; specifically, the Vendor must notify the Customer within seven (7) business days if it receives a verifiable consumer request under the CCPA.

 

d. Certification. Vendor certifies that it understands and will comply with the restrictions set out in Section 9(b) (Responsibilities as a Service Provider) and Section 9(c) (Responsibilities as a CCPA Third Party).  

 

  10. General Provisions

a. Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to Section 4(a) (Compliance with Instructions) or Section 4(c) (Technical and Organizational Measures), Vendor reserves the right to make any updates and changes to this DPA or list of Sub-Processors, and any such modifications become effective thirty (30) days after the date that Vendor either (1) notifies Customer that the updated DPA or list of Sub-Processors has been posted to a particular URL, or (2) where applicable pursuant to CoPA, distributes the updated DPA or list of Sub-Processors to any known point-of-contact for Customer. Customer is responsible for reviewing and becoming familiar with the updated DPA or list of Sub-Processors. If, prior to the effective date of the updated DPA or list of Sub-Processors, Customer notifies Vendor of its objection to any modification of the DPA or list of Sub-Processors, then Vendor shall either (i) negotiate with Customer in good faith to resolve any such objection, or (ii) upon thirty (30) days’ notice to Customer, terminate the DPA and any portion of the Agreement that governs Products which are dependent upon its execution. If Vendor exercises its right to terminate pursuant to the terms of this Section, Customer shall be entitled to a pro-rata refund of any Fees already paid by Customer for the affected Products, calculated from the effective date of any such termination.

 

b. Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected. 

 

c. Limitation of Liability. Each party’s liability, and where applicable, each of Customer’s Affiliates’ liability, taken in aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, shall be subject to the limitations and exclusions of liability set out in the Agreement. In no event shall either party’s liability be limited with respect to any individual Data Subject’s data protection rights under this DPA or otherwise.

 

d. Governing Law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws. 

 

  11. Parties to this DPA

 

a. Permitted Affiliates. Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Permitted Affiliates, thereby establishing a separate DPA between Vendor and each such Permitted Affiliate. Each Permitted Affiliate agrees to be bound by the obligations under this DPA. For the purposes of this DPA only, the term “Customer” shall include Customer and such Permitted Affiliates. 

 

b. Authorization. The legal entity entering into this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates. 

 

c. Remedies. Except where applicable Data Protection Laws require a Permitted Affiliate to exercise a right or seek any remedy under this DPA against Vendor directly by itself, the parties agree that: (i) solely the Customer entity that is the contracting party to the Agreement shall exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer entity that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Customer entity that is the contracting entity is responsible for coordinating all communication with Vendor under the DPA and shall be entitled to make and receive any communication related to this DPA on behalf of its Permitted Affiliates.