Vantage Circle Data Processing Addendum

(GDPR, Vantage Circle Binding Corporate Rules, Privacy Shield, and Standard Contractual Clauses)

Data Protection Addendum

In the course of providing the Vantage Circle service’s to our customers, Vantage Circle may process personal data on our customer’s behalf where such personal data is subject to EU data protection laws like GDPR. To this end, we offer a data protection addendum (DPA) as provided below. The DPA will only be legally binding and effective if: (1) it is duly signed by new customers ; and (2) you are Vantage Circle customer on the date it is fully executed. Please note that because we have so many customers, we are not able to change this data protection addendum for any particular customer.

1. Definitions

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Agreement” means either the Vantage Circle Terms of Use or Vantage Circle Service Agreement (as applicable) and the related Order Form, which together govern the provision of the Services to Customer.

Customer Data means any Personal Data that Vantage Circle processes on behalf of Customer as a Data Processor in the course of providing Services.

“Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data by Vantage Circle pursuant to the Agreement, including, where applicable, EU Data Protection Law.

“Data Controller” means an entity that determines the purposes and means of the processing of Personal Data.

“Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” means any information relating to an identified or identifiable natural person.

“Processing” has the meaning given to it in the GDPR and “process”, “processes”, and “processed” will be interpreted accordingly.

“Security Incident” means any unauthorised or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Customer Data.

“Services” means any product or service provided by Vantage Circle to Customer pursuant to the Agreement.

“Sub-processor” means any Data Processor engaged by Vantage Circle or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.

2. Processing Of Personal Data

“Roles of the Parties” The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Vantage Circle is the Processor and that Vantage Circle or members of the Vantage Circle Group will engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.

“Customer’s Processing of Personal Data” Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

“Processing of Personal Data” Vantage Circle shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

“Details of the Processing” The subject-matter of Processing of Personal Data by Vantage Circle is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 4 (Details of the Processing) to this DPA.

3. Rights Of Data Subjects

“Data Subject Request” Vantage Circle shall, to the extent legally permitted, promptly notify Customer if Vantage Circle receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Taking into account the nature of the Processing, Vantage Circle shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Vantage Circle shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Vantage Circle is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Vantage Circle’s provision of such assistance.

4. Details of Data Processing

“Types Of Personal Data Processed” The categories of personal data are determined by the customer in its sole discretion and may include, but are not limited to: first and last name; employer, business role, professional title, contact information(eg. email, phone , physical address); business network, business experience, business interests, localisation data and device identification data.

“Special Categories Of Personal Data” Special categories of personal data, if any, are determined by customer in its sole discretion and may include, but are not limited to, information revealing racial/ethnic origin, political, religious or philosophical beliefs, trade union membership or health data.

“Nature of processing operations” Vantage Circle will process personal data as necessary to perform the subscription services pursuant to the agreement. The processing operations performed on the personal data will depend on the scope of customer’s subscription services and customer’s configuration of its vantage circle instance. Such processing operations of personal data as necessary for Vantage Circle to provide the subscription services may include the following: collecting, organise, store, use, transmission, combining, retrieval, consultation, archiving and/or destruction.

5. Subprocessing

“Appointment of Sub-processors” Vantage Circle Affiliates may engage third-party Sub-processors for providing services. The use of Sub-processors is conditioned on the requirements outlined in the agreement.

“Liability” Vantage Circle remains liable for the actions of Sub-processors.

For details on current Sub-processors, refer to Annex 2

Annex 1: Description of Processing of Client Personal Data

This Annex 1 includes details of the processing of Client Personal Data as required by Article 28(3) GDPR.

  • Subject Matter and Duration of Processing:

    The subject matter and duration of the processing of Client Personal Data are in line with the terms of the service agreement.

  • Nature and Purpose of Processing:

    The nature and purpose of processing include due diligence and background verification.

  • Categories of Data Subjects:

    Employees and contractors of clients.

  • Types of Personal Data Processed:

    First and last name, employer, business role, contact information, business network, localisation data, and device identification data.

  • Special Categories of Data:

    None.

  • Processing Operations:

    Personal data will be processed for the purpose of providing services to the Client as described in the agreement.

Annex 2: List of Authorized Sub-processors

This Annex 2 lists the Sub-processors authorized to process Client Personal Data on behalf of Vantage Circle. This list may be updated from time to time.

Subprocessor Location Service Provided Type of Data Processed
Digital Ocean United States Cloud Infrastructure Hosting and Storage
Mandrill United States Email Service Provider Email Communication Data
HubSpot United States CRM Services Contact and Engagement Data

6. Security

“Controls for the Protection of Customer Data” Vantage Circle shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth in the Security, Privacy and Architecture Documentation. Vantage Circle regularly monitors compliance with these measures. Vantage Circle will not materially decrease the overall security of the Services during a subscription term.

“Third-Party Certifications and Audits”Vantage Circle has obtained the third-party certifications and audits set forth in the Security, Privacy and Architecture Documentation. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Vantage Circle shall make available to Customer that is not a competitor of Vantage Circle (or Customer’s independent, third-party auditor that is not a competitor of Vantage Circle) a copy of Vantage Circle’s then most recent third-party audits or certifications, as applicable.

7. Customer Data Incident Management And Notification

Vantage Circle maintains security incident management policies and procedures specified in the Security, Privacy and Architecture Documentation and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Vantage Circle or its Sub-processors of which Vantage Circle becomes aware (a “Customer Data Incident”). Vantage Circle shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps as Vantage Circle deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within Vantage Circle’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.

8. Return And Deletion Of Customer Data

Vantage Circle shall return or delete Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Security, Privacy and Architecture Documentation.

(a) Vantage Circle Services. Prior to the termination of the Agreement, Vantage Circle will process stored Customer Content for the Permitted Purposes until Customer elects to delete such Customer Content via the Services and Customer agrees that it is solely responsible for deleting Customer Content via the Services, upon termination of the Agreement, Vantage Circle will (i) provide Customer thirty (30) days after the termination effective date to obtain a copy of any stored Customer Content via the Services.

Upon termination of the Agreement, Vantage Circle will (i) at Customer’s election, delete or return to Customer the Customer Content (including copies) stored within any services and application programming interfaces branded as Vantage Circle.

Vantage Circle will process Customer Account Data as long as required (a) to provide the Services to Customer; (b) for Vantage Circle’s legitimate business needs; or (c) by applicable law or regulation. Customer Account Data will be stored in accordance with the Vantage Circle Privacy Notice.Vantage Circle will anonymize or delete Customer Usage Data when Vantage Circle no longer requires it for the purposes.

9. Who is responsible for this policy?

As our data protection officer (DPO), Anjan Pathak has overall responsibility for the day-to-day implementation of this policy. You should contact the DPO for further information about this policy if necessary.

DPO contact details: anjan.pathak@vantagecircle.com