Intapp Data Processing Addendum
This Data Processing Addendum (“Addendum”) forms part of the Master Software and Services Agreement (the “Agreement”) between: (i) Integration Appliance, Inc. and its Affiliates (collectively, “Intapp”) and (ii) Customer and its Affiliates (collectively, “Customer”).
The terms used in this Addendum shall have the meanings set forth in the Agreement unless otherwise provided. Except as modified below, the terms of the Agreement remain in effect.
In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.
1.1 In this Addendum, the following terms shall have the meanings set out below:
1.1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party, or that is a successor (whether by change of name, dissolution, merger, consolidation, reorganization, sale or other disposition) to any such business entity or its business and assets.
1.1.2 “Applicable Laws” means (a) European Union or Member State laws with respect to any Customer Personal Data in respect of which the Customer is subject to EU Data Protection Laws; (b) the laws of the United States, Canada and Australia.
1.1.3 “Customer Personal Data” means any Personal Data Processed by Intapp on behalf of the Customer pursuant to or in connection with the Agreement.
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of the United States, Canada and Australia.
1.1.5 “EEA” means the European Economic Area.
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as implemented into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
1.1.7 “GDPR” means the EU General Data Protection Regulation 2016/679.
1.1.8 “Restricted Transfer” means a transfer of Customer Personal Data from the Customer to Intapp outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR).
1.1.9 “Services” means, for the purposes of this Addendum, Services (as defined in the Agreement) as well as Support and Cloud Services (as applicable).
1.1.10 “Standard Contractual Clauses” means the contractual clauses set out in Annex 2 found at https://intapp.com/model-clauses/.
1.1.11 “Subprocessor” means any third party (including an Intapp Affiliate) appointed by or on behalf of Intapp to Process Customer Personal Data.
1.2 The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” have the same meaning as in the GDPR.
2. Processing of Customer Personal Data
2.1 This Addendum applies to Intapp’s Processing of Customer Personal Data in the course of Intapp providing Services to the Customer. As such, Intapp is the Processor and the Customer is the Controller.
2.2 Intapp will only Process Customer Personal Data in accordance with the Customer’s documented instructions unless Processing is required by Applicable Laws to which Intapp is subject, in which case Intapp will, to the extent permitted by Applicable Laws, inform the Customer of that legal requirement before Processing the Personal Data.
2.3 The Customer (i) instructs Intapp (and authorises Intapp to instruct each Subprocessor) to Process Customer Personal Data, and in particular, transfer Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Agreement; and (ii) represents and warrants that (a) it is and will at all relevant times remain authorised to give such instructions, and (b) all such instructions comply with Applicable Laws.
2.4 Intapp will promptly notify the Customer if, in Intapp’s reasonable opinion, any instructions violate Applicable Laws.
2.5 Annex 1 to this Addendum sets out certain information regarding Intapp’s Processing of the Customer Personal Data as required by Article 28(3) of the GDPR. Customer may make reasonable amendments to Annex 1 by written notice to Intapp from time to time as Customer reasonably considers necessary to meet those requirements.
3. Intapp Personnel
Intapp will ensure that any Intapp employee, agent or contractor who may have access to the Customer Personal Data is subject to confidentiality undertakings in respect of the Customer Personal Data.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Intapp will implement appropriate technical and organisational measures in respect of Customer Personal Data to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Intapp will take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5.1 Customer authorises Intapp to appoint (and permit each Subprocessor appointed in accordance with this Clause 5 to appoint) Subprocessors in accordance with this Clause 5 and any restrictions in the Agreement.
5.2 Intapp may continue to use those Subprocessors it has engaged as at the date of this Addendum.
5.3 Intapp will post a notice of the appointment of any new Subprocessor, including details of the Processing to be undertaken by the Subprocessor, on its website. Provided that Customer subscribes to notifications from Intapp, Customer will receive notice of such posting. If, within 10 business days of receiving the notice, Customer notifies Intapp in writing of any reasonable objections to the proposed appointment, Intapp will not appoint (or disclose any Customer Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by Customer and Customer has been provided with a reasonable written explanation of the steps taken.
5.4 With respect to each Subprocessor, Intapp will:
5.4.1 Ensure that the arrangement between Intapp and the Subprocessor is governed by a written contract including terms offering at least the same level of protection for Customer Personal Data as those set out in this Addendum and meet the requirements of article 28(3) of the GDPR; and
5.4.2 If that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between Intapp and the Subprocessor, or before the Subprocessor first Processes Customer Personal Data, procure that it enters into an agreement incorporating the Standard Contractual Clauses with the Customer.
5.5 Intapp will remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of any Subprocessor that cause Intapp to breach any of its obligations under this Addendum.
6. Data Subject Rights
6.1 The Services provide the Customer with a number of means by which the Customer may retrieve, correct, delete or restrict Customer Personal Data. Customer may use these means as technical and organizational measures to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from Data Subjects.
6.2 Intapp will (i) promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and (ii) not respond to that request except as required by Applicable Laws to which Intapp is subject, in which case Intapp will, to the extent permitted by Applicable Laws, inform Customer of that legal requirement before Intapp responds to the request.
7. Personal Data Breach
7.1 Intapp will notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Intapp will cooperate with Customer and take such reasonable commercial steps as requested by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Deletion or Return of Customer Personal Data
8.1 Subject to Clause 8.2, within 90 days of the expiration or termination of the Agreement (the “Termination Date”), Intapp will delete permanently the Customer Personal Data unless the Customer has previously deleted all such Customer Personal Data before the Termination Date.
8.2 Notwithstanding the foregoing, Intapp may retain Customer Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws (and Intapp may retain business contact information for Customer’s staff); provided, however, that Intapp will ensure the confidentiality of all such Customer Personal Data and will ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its retention, and for no other purpose.
9. Data Protection Impact Assessments and Audit Rights
9.1 Intapp will provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of it by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Intapp. The information made available in Clauses 9.2 through 9.4 is provided to assist the Customer in its compliance with those obligations.
9.2 Intapp is certified under ISO 27001 and agrees to maintain an information security program for the Services that complies with the ISO 27001 standards or such other alternative standards as are substantially equivalent to ISO 27001.
9.3 Intapp uses external auditors to verify the adequacy of its security measures. This audit (i) will be performed at least annually; (ii) will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001; and (iii) will be performed by independent third-party security auditors. At the conclusion of the audit the auditor will prepare an audit report (“Report”). Upon the Customer’s request, Intapp will provide Customer with the Report so that Customer can reasonably verify Intapp’s compliance with its obligations under this Addendum. The Report will be deemed Intapp Confidential Information.
9.4 Customer agrees to exercise any right it may have to conduct an audit or inspection, including under the Standard Contractual Clauses if they apply, by instructing Intapp to carry out the audit described in Clause 9.3. If the Standard Contractual Clauses apply, nothing in this Clause 9 varies or modifies the Standard Contractual Clauses nor affects any Supervisory Authority’s or Data Subject’s rights under the Standard Contractual Clauses.
10. Restricted Transfers
10.1 If Intapp does not have, at the time of a Restricted Transfer, certification under the Privacy Shield programme, Intapp will enter into the Standard Contractual Clauses in respect of any Restricted Transfer.
10.2 Intapp will notify the Customer if it ceases to maintain or anticipates the revocation or withdrawal of its Privacy Shield certification.
11. General Terms
11.1 Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:
11.1.1 the Parties agree to submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
11.1.2 this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
11.2 In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses prevail. In the event of inconsistencies between this Addendum and any other agreements between the Parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum prevail.
11.3 This Addendum remains in effect until termination or expiration of the Agreement.
11.4 The liability of each Party under this Addendum is subject to the exclusions and limitations of liability set out in the Agreement.
11.5 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum will remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and this Addendum.
The nature and purpose of the Processing of Customer Personal Data
Intapp provides software and/or services designed to support Customer’s management and execution of its internal business operations.
The types of Customer Personal Data to be Processed
The Personal Data to be Processed by Intapp on behalf of Customer may include, but is not limited to the following categories of Personal Data:
- Names, contact details and other identification information
- Personal information
- Biographical and occupational information
- Employment and HR information
The categories of Data Subjects to whom the Customer Personal Data relates
The Personal Data to be Processed by Intapp on behalf of Customer may relate to, but is not limited to, the following categories of Data Subjects:
- Employees, workers, contractors, agents and volunteers
- Clients, customers and (where applicable) their personnel
The obligations and rights of Customer
The obligations and rights of the Customer are set out in the Agreement and this Addendum.