This Data Processing Agreement (“DPA”) forms part of the agreement between Lead Forensics and Customer for the purchase of services from Lead Forensics (the “Agreement”). It is entered into in accordance with Applicable Data Protection Laws (as defined below, “DP Laws”). While providing Services to the Customer under the Agreement, Lead Forensics may process Personal Data on behalf of the Customer.
In the event of a contradiction between this DPA and the provisions of related Agreements between the Parties, when this DPA is agreed upon or entered into thereafter, this DPA shall prevail.
The parties agree to comply with the provisions of this DPA regarding Personal Data processed under the Agreement. By signing the Agreement, the Customer enters the terms of this DPA on behalf of itself and its affiliates if and to the extent Lead Forensics processes Personal Data for such affiliates.
To receive notifications of updates, please click here https://www.leadforensics.com/dpa-update-notification/ or check these pages periodically.
1. Introduction
1.1 This DPA sets out the provisions concerning Personal Data and the Service that will apply between the parties. For the purposes of DP Laws, Lead Forensics shall always be a Data Processor, and the Customer shall be a Data Controller.
2. Definitions
2.1 The terms in this DPA shall have the following meanings:
a. “Agreement” refers to the contract between the parties in relation to the Service.
b. “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “Processing” shall each have the meanings ascribed to them under the DP laws.
c. “DP Laws” means, to the extent applicable, the data protection or privacy laws of the relevant country in which the Services are being performed, which shall (where applicable) include, without limitation, the Health Insurance Portability and Accountability Act (“HIPAA”), the Gramm-Leach-Bliley Act of 1999 (“GLBA”), the California Consumer Privacy Act of 2018 (“CCPA”), the Virginia Consumer Data Protection Act (from and after January 1, 2023) (the “VCDPA”), the Colorado Privacy Act (from and after July 1, 2023) (the “CoPA”), all other comprehensive state data privacy laws in effect, the Washington My Health My Data Act (as effective) and similar state laws governing consumer health data, the European Union General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), Canada’s Personal Data Protection and Electronic Documents Act (“PIPEDA”), all state and local laws requiring notice of breaches involving Personal Data, and any and all orders, rules and regulations promulgated under any of the foregoing, all as the same have been amended and may be amended in the future.
d. “Services” as defined in the Agreement.
e. “Sub-Processors” means approved sub-processors appointed by Lead Forensics to process Personal Data as part of the Services. Click this link to request access to the list of sub-processors used as part of the service: https://www.leadforensics.com/sub-processor-data-access-request/
3. Instruction to Process
3.1 Lead Forensics will only use Personal Data in accordance with the Customer’s instructions (which will be deemed an affirmative instruction if prior notification is provided and objection is not received) to perform the Services in accordance with the Agreement, except to the extent Lead Forensics is required by DP Laws to process or share that Personal Data. In this case, Lead Forensics shall inform the Customer of that requirement unless the law prohibits this on important grounds of public interest.
3.2 Notwithstanding any other provision in this DPA, Lead Forensics may process Personal Data and Customer Data for analysis as part of the Service, including creating, compiling, and producing aggregated data sets and/or statistics to assist Customers’ reporting, provided that such aggregated datasets and statistics will not enable any living individual to be identified.
3.3 If the Customer is based in a country that does not have an adequacy decision with the US and is contracting with Lead Forensics, Inc., an international safeguard mechanism will be required for the transfer of personal data. The Customer will need to contact [email protected].
4. Personal Data
4.1 Lead Forensics will only use Personal Data per the Customer’s instructions (per clause 3.1) to perform the Services in accordance with the Agreement.
4.2 Notwithstanding any other provision in this DPA, Lead Forensics may process Personal Data and Customer Data for analysis as part of the Service, including creating, compiling, and producing aggregated data sets and/or statistics to assist Customers’ reporting, provided that such aggregated datasets and statistics will not enable any living individual to be identified.
4.3 The processing particulars are set out in Appendix A of this DPA.
4.4 The duration of the Personal Data processing shall be the term of this DPA.
5. Security of Processing
5.1 Technical and Organisational Measures
5.1.1 Lead Forensics shall implement and maintain technical and organisational measures in the context of processing Personal Data to ensure a level of security appropriate to the risk. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to the data (Personal Data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
5.1.2 The Customer shall review the Technical and Organisational Measures (Appendix B). The Technical and Organisational Measures provided are subject to review and further development. The supplier may implement a revised version without reducing the security level. It shall provide the Customer with an updated copy as soon as reasonably practicable.
5.2 Access and Confidentiality
5.2.1 Lead Forensics shall ensure that the personnel with access to Customer data for the performance of the Service are limited in number, and that such personnel are subject to contractual terms of confidentiality.
5.3 Personal Data Breach
5.3.1 Lead Forensics shall notify the Customer without undue delay and, in any event, within 48 hours upon becoming aware of a Personal Data Breach impacting the Customer’s Personal Data.
5.3.2 Lead Forensics shall assist the Customer in notifying the Personal Data Breach to the competent supervisory authority/ies unless DP laws do not require such notification.
6. Sub-Processors
6.1 Lead Forensics may continue to use any sub-processors already engaged by Lead Forensics as part of the Services prior to the effective date of this DPA.
6.2 Lead Forensics shall publish the details of any new or alternative sub-processor, which shall be deemed notice to the customer. If, within 14 working days of the date of such notice:
6.3 The Customer notifies Lead Forensics in writing of any reasonable objections to the appointment or change of such sub-processor, the parties will work in good faith to address the concerns. If the Customer objects, Lead Forensics will consider remedial steps within a reasonable timeframe, which may include no longer using the sub-processor or restricting its use for the Customer’s Personal Data.
6.4 In the absence of such objection, the update shall be considered approved.
6.5 When Lead Forensics engages a sub-processor to process personal data, Lead Forensics will:
6.6 Remain liable to the Customer for the performance of the sub-processor in accordance with this DPA.
6.7 Have a contract with the sub-processor that offers substantially the same level of protection for Personal Data as those set out in this DPA.
7. Assistance to the Customer
7.1 Lead Forensics shall inform the Customer if, in its opinion, the Customer’s instructions could infringe DP laws.
7.2 Insofar as the Customer is subject to an inspection by a competent supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a data subject or by a third party or any other claim in connection with the personal data processed by the Supplier, the Supplier shall make every reasonable effort to support the Customer.
7.3 Data Subject Rights
7.3.1 Lead Forensics will promptly notify the Customer of any request it has received from a data subject. Lead Forensics will not respond to the request itself unless authorised to do so.
7.4 Lead Forensics shall assist the Customer in fulfilling its obligations to respond to the data subject’s requests to exercise their rights, taking into account the nature of the processing.
7.5 Data Protection Impact Assessment
7.5.1 Lead Forensics will provide reasonable assistance to the Customer concerning any data protection impact assessments required under Articles 35 or 36 of EU/UK GDPR or equivalent DP Laws, taking into account the nature of the data processing.
7.6 Audit Rights
7.6.1 Lead Forensics shall allow the Customer to audit compliance with its obligations under this DPA upon giving reasonable written notice. The Customer shall bear the costs of such an audit. If the Customer mandates a third party to conduct the audit on its behalf, the third-party auditor shall agree to comply with a Non-Disclosure Agreement issued by Lead Forensics.
7.6.2 An audit may only be carried out concerning the Customer’s Personal Data processed by Lead Forensics as defined in Appendix A and as relevant to the Customer’s processing activities.
8. General Obligations on the Customer
8.1 The Customer agrees to comply with DP Laws concerning its obligations as a Data Controller of the Personal Data (Appendix A).
8.2 The Customer shall be responsible for ensuring that any notification is provided to Data Subjects, that any required consent is obtained, and that there is a lawful basis, in accordance with DP laws, for the Personal Data that Lead Forensics is instructed to process.
8.3 Lawful Jurisdiction
8.4 The laws of England and Wales shall govern this DPA.
8.5 A Data Subject may bring legal proceedings against Lead Forensics or the Customer before the courts of the Member State in which they have their habitual residence.
8.6 Lead Forensics and the Customer submit to the jurisdiction of such courts.
9. Commencement and Termination
9.1 This DPA shall become effective in alignment with the Customer Agreement and in accordance with the updates published at https://www.leadforensics.com/dpa-update-notification/
9.2 Personal Data, as defined by Appendix A, is deleted from the Services as described in the Agreement within thirty (30) days of confirmation that the contract has been terminated.
9.3 Lead Forensics retains backup data via Sub-Processors, as described in 7.3, for 2 (two) years unless the Customer submits a written request or DP Laws require storage of the Personal Data.
9.4 The Customer shall retrieve (via the self-serve options in the Service) all required data within thirty (30) days of confirmation that the contract has been terminated.
9.5 This DPA shall be considered terminated when the Customer’s Personal Data has been deleted per Lead Forensics’ retention policy or upon the Customer’s written request (whichever is first).
APPENDIX A (Personal Data)
Click this link to request access to the details of the personal data processed as part of the service: https://www.leadforensics.com/sub-processor-data-access-request/
APPENDIX B (Technical and Organisational Measures)
1. Overview
1.1 To ensure the security of personal data, we have implemented a risk-based approach to our technical and organisational measures in accordance with the principles of integrity, availability, and confidentiality.
1.2 Lead Forensics runs an ISO 27001-accredited information security management system.
2. The Lead Forensics Product
2.1 Lead Forensics offers a SaaS solution that identifies website visitors and provides actionable leads within a business-to-business environment.
3. Information Security Management System (ISMS) Framework
3.1 Lead Forensics runs an ISMS that implements a risk-based approach to information security. It selects appropriate security controls and processes based on a risk assessment that is regularly reviewed and updated.
3.2 ISO 27001 is the international standard that provides the specification for a best-practice ISMS and covers compliance requirements. The Lead Forensics ISMS is certified to ISO27001 by independent UKAS-accredited auditors.
4. Access to ISMS Documentation
4.1 We can freely share our ISO27001 Statement of Applicability and Information Security Policy with customers, prospective customers, and other relevant parties. Once the requesting party has agreed to an NDA, detailed policies, external audit reports, and technical procedures can be shared as part of a due diligence procedure.
4.2 The details of our risk assessment and some technical design details and procedures are confidential and unable to be shared. In these cases, we will share the policies that define the security standards that Lead Forensics will adhere to, even if we cannot reveal the technical details.
4.3 Security documentation requests should be emailed to [email protected]
5. Physical Security
5.1 Locked doors on all entrances/exits (e.g., electronic locks, physical locks).
5.2 Access control systems (biometric security, access card security).
5.3 24/7 reception/security personnel.
5.4 CCTV systems.
5.5 Additional physical security measures to protect IT equipment (partitioned server room, fireproof safe, etc.).
5.6 Secure disposal bins for confidential paper waste (shredded on-site).
5.7 Certified waste disposal for electronic waste.
5.8 Control of access to IT Systems and physical environments.
5.9 Access permission to physical IT areas restricted to staff with authority.
5.10 Multi-factor authentication is required for all remote access to systems.
5.11 IT security systems have individual user logins and unique usernames.
5.12 We require the use of strong/complex passwords.
5.13 We encrypt all data in transit on public networks.
5.14 We use encryption at rest for our application data wherever we process data using cloud-hosted services. Our on-premise databases are not encrypted at rest, but they have other mitigating controls to ensure the physical security of our data.
5.15 Multi-factor authentication layers on internal applications.
5.16 Automatic locking of IT terminals and devices after periods of inactivity, with passwords required to re-access.
5.17 Password databases are subject to strong encryption/hashing.
5.18 Audits of security procedures are conducted annually, as a minimum.
5.19 Specialised training for employees.
6. Protect Personal Data Against Cyber-Attack
6.1 Multi-factor authentication for all remote access to systems.
6.2 Firewalls maintained with a least-access rulebase.
6.3 Hardware Asset Register maintained.
6.4 Software/Firmware records maintained.
6.5 Regular Software Security Update Processes and Procedures.
6.6 All Cloud Management Platforms require MFA Authentication.
6.7 Anti-Virus/Anti-Malware installed on systems.
6.8 Data backups encrypted with private keys.
6.9 Regular Backup restore testing.
6.10 All offsite backups are stored encrypted in offline archives.
6.11 Annual 3rd Party Penetration Testing.
6.12 Monthly internal Penetration Testing.
6.13 All laptops encrypted.
7. Processors and the Supply Chain
7.1 We conduct due diligence on any prospective processor or supplier processing data. We require them to commit to commercial and Data Processing Agreements (where personal data is processed) that meet the necessary regulatory conditions. We conduct an annual audit to review our supply chain.
8. Storage Limitation
8.1 We have backup retention implemented with automatic lifecycle policies (archive and expiry).
8.2 We review the retention periods for personal data at least annually and apply the storage limitation principles to our data deletion/retention policy.
9. Detecting Security Events
9.1 Advanced Threat Analytics actively deployed.
9.2 Automated security event alarms.
9.3 User risky sign-in detection and alerting.
10. Detecting Security Events
10.1 Centralised, non-editable logging systems.
11. Minimising Impact
11.1 Availability Management Policy.
11.2 Resilient IT Services with Minimised Single Points of Failure.
11.3 Role-based access control on a least-privilege basis.
12. Encryption
12.1 Data at rest. We use encryption at rest for our application data whenever we process data using cloud-hosted services. Our on-premise databases are not encrypted at rest, but they have other mitigating controls to ensure the physical security of data.
12.2 Data in transit. All data is encrypted in transit over public networks. We regularly review and update the encryption standards to stay aligned with current best practices.
13. Response and Recovery Planning
13.1 We have implemented Incident Management processes and procedures, including pre-approved incident response plans for:
- Ransomware
- A security incident triggering a personal data breach
- Denial of service
13.2 Business Continuity Processes (BCP) and Procedures are in place and are reviewed annually.
14. Data by Design and Default
14.1 We consider appropriate data protection principles and the integration of the necessary safeguards into conceptual product and process innovation to meet the requirements of the Regulation and the rights of data subjects.
15. Data Controller and Data Processor Workflows and Agreements
15.1 We design our technical and procedural workflows to align with our responsibilities for personal data, and we document them in a ROPA (Record of Processing Activities).
15.2 Binding agreements appropriate to the personal data being shared or processed are required between data controllers and data processors.
15.3 We regularly review the technical and organisational workflows and controls in place and have a formal annual audit.
16. Training and Awareness
16.1 All new employees complete IT security training.
16.2 All new employees are required to complete Data Compliance training.
16.3 Existing employees receive periodic IT security training.
16.4 Hybrid/home workers must comply with IT/HR policies.
16.5 Data Compliance is tasked with developing a culture of data protection awareness.
17. Committed to Improvement
17.1 We are committed to reviewing our processes, policies, and documentation as follows:
- ISMS system with regular process reviews and audits
- Incident Review Processes to identify improvement opportunities
- Companywide annual audit conducted by Data Compliance
- External auditors conduct quarterly audits
18. Certification
18.1 ISO 27001 Certification.
18.2 PCI DSS Certification.
18.3 Registered with the ICO.
v1.2B | Last modified August 2024