This Data Processing Addendum (“DPA”) is entered into between Delta-v and Client pursuant to Delta-v General Services Terms and Conditions (the “Service Terms”). Delta-v may make changes to this DPA from time to time in its sole discretion by updating the DPA terms and conditions at http://www.delta-v.co.za/dpa.

1. DEFINITIONS:
   The definitions and interpretation provisions under the Service Terms and the applicable SOW shall apply to this DPA. In addition, unless the context requires otherwise, the terms “Controller”, “Data Subject”, “Personal Data”, “Processor”, “Processing” and “Supervisory Authority” where used in this DPA shall have the same meaning as in Applicable Data Protection Legislation (and their cognate terms shall be construed accordingly). “Client Personal Data” means Client Data (as defined in the Service Terms) that constitute Personal Data.
2. PROCESSING OF PERSONAL DATA
   1. Processing Territories. This DPA applies to the processing of personal data of data subjects pursuant to the laws of South Africa, the European Union and the United Kingdom only. If Delta-v agrees in a SOW to process personal data on behalf of Client outside these territories, the Parties will enter into separate data processing addendums in respect of each such other territory.
   2. Roles of the Parties. With regard to the Processing of Client Personal Data, Client is the Controller and Delta-v is the Processor. For the sake of clarity, Client Personal Data include prospect data sourced from third party data providers by Delta-v on Client’s behalf.
   3. Processing Activities. If Delta-v has agreed to process Personal Data on behalf of Client under a SOW, the Parties shall annex a Data Processing Schedule to such SOW for the purposes of Applicable Data Protection Legislation. Each Party shall process Personal Data in accordance with Applicable Data Protection Legislation.
      Data Processing Schedule. The Data Processing Schedule to each SOW shall specify the scope, nature and purpose of Processing by Delta-v on behalf of Client under the applicable SOW, the duration of processing, the types of Personal Data, categories of Data Subject and the Processing Territories in respect of which Delta-v will be Processing Personal Data on behalf of Client in the provision of the Services under such SOW.
   4. Disclosure of Personal Data. The Client undertakes (a) to only disclose Personal Data to Delta-v to the extent necessary for Delta-v to carry out the agreed Services under the applicable SOW, and (b) not to send any Personal Data to Delta-v (via email or otherwise) for processing under any circumstances unless expressly agreed by Delta-v. If Delta-v has agreed to process Personal Data on its systems on behalf of Client, such Personal Data shall be disclosed to Delta-v only in the manner specified in the applicable SOW.
   5. NO SENSITIVE PERSONAL DATA. The Client further agrees that it shall under no circumstances disclose Sensitive Personal Data to Delta-v without Delta-v’s prior written consent. If Delta-v consents in writing to the disclosure of Sensitive Personal Data, Client shall disclose such data to Delta-v only within a system owned or controlled by Client, and shall not, under any circumstances, send (for example via email or electronic message) or otherwise disclose Sensitive Personal Data to Delta-v.
   6. Processing Purpose. Delta-v shall treat Client Personal Data as confidential and shall only Process Client Personal Data on behalf of Client for the following purposes: (i) Processing in accordance with the applicable SOW(s); (ii) Processing initiated by Data Subjects in relation to the Services; and (iii) Processing to comply with instructions provided by Client.
   7. Instructions for Processing. Client instructs Delta-v (and authorises Delta-v to instruct each sub-processor) to Process Client Personal Data and, in particular, to transfer Client Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with a SOW. Client warrants and represents that (a) it has the necessary rights, licenses and/or consents to authorise Delta-v and its sub-processors to Process and transfer Client Personal Data it discloses to Delta-v for purposes of providing the Services; and (b) its instructions for the Processing of Client Personal Data shall at all times comply with Applicable Data Protection Legislation and Client’s Privacy Policy.
3. THIRD PARTY DATA PROVIDERS
   1. Sourced Data. Client instructs Delta-v to source Personal Data of sales prospects on its behalf from third party B2B data providers in accordance with the SOW. Personal Data obtained from any third party data provider by Delta-v on Client’s behalf pursuant to a SOW (“Sourced Data”) (a) constitutes Client Personal Data, and (b) is sourced by Delta-v on Client’s behalf subject to the terms and conditions of such third party (the “Data Provider Terms”). Unless otherwise provided for in the applicable Data Provider Terms, (a) Client and the relevant third party data provider shall each be a Controller of the Sourced Data in its possession, and (b) Sourced Data shall be deemed to be in Client’s possession if it is hosted in a system or environment owned or controlled by Client, its processors and subprocessors (for example, Client’s CRM or sales engagement platform), including Client Personal Data housed in Delta-v’s Salesloft environment on behalf of Client pursuant to a SOW
   2. Third Party Data Providers. Delta-v will source prospect data on Client’s behalf from one or more of third party data providers contracted by either Delta-v or Client, as specified in the SOW. Delta-v may, from time to time, contract with one or more third party data providers in its sole discretion. Delta-v may update its below list of contracted third party data providers from time to time:
      • LinkedIn Corporation
      • Cognism Ltd
      • Zenleads Inc. d/b/a Apollo.io
      • Lusha Systems Inc.
   3. DISCLAIMER. Delta-v makes no representations or warranties of any kind whatsoever, whether express or implied, regarding Sourced Data, or regarding any third party’s platform or services. Delta-v provides Sourced Data to Client on an “as is” and “as available” basis, without warranties of any kind, whether express or implied, other than the warranties explicitly specified herein and then only to the extent so specified, including the warranty of title, merchantability, non-infringement, and fitness for a particular purpose or accuracy. Notwithstanding anything to the contrary in the Service Terms, SOW or this DPA, DELTA-V ACCEPTS NO LIABILITY DAMAGES OR LOSSES ARISING FROM OR ON IN CONNECTION WITH USE OF SOURCED DATA BY OR ON BEHALF OF CLIENT.
4. RIGHTS OF DATA SUBJECTS
   Delta-v shall, to the extent legally permitted, promptly notify Client if Delta-v receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, Delta-v shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to a Data Subject Request under Data Protection Legislation. In addition, to the extent Client, in its use of the Services, does not have the ability to address a Data Subject Request, Delta-v shall upon Client’s request provide commercially reasonable efforts to assist Client in responding to such Data Subject Request, to the extent Delta-v is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Legislation. To the extent legally permitted, Client shall be responsible for any costs arising from Delta-v’s provision of such assistance.
5. DELTA-V PERSONNEL
   1. Confidentiality and reliability. Delta-v shall ensure that Delta-v Personnel engaged in the Processing of Client Personal Data are informed of the confidential nature of the Client Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Delta-v shall take commercially reasonable steps to ensure the reliability of any Delta-v Personnel engaged in the Processing of Client Personal Data.
   2. Limitation of Access. Delta-v shall ensure that Delta-v’s access to Client Personal Data is limited to those Delta-v Personnel performing Services in accordance with a SOW.
   3. Data Protection Officer. To the extent required by applicable Data Protection Legislation, Delta-v has appointed a data protection officer.
6. SUB-PROCESSORS
   1. Google and Salesloft.
      1. Delta-v uses Google Workspace for document management and communication. Client authorises Delta-v to appoint Google Cloud EMEA Limited (“Google”) and its Affiliates as sub-processors (and permits Google and its Affiliates to appoint sub-processors) to process Client Personal Data on Client’s behalf in connection with Delta-v’s Services to Client.
      2. If under the SOW, Delta-v processes Client Personal Data on behalf of Client in a Salesloft account under Delta-v’s agreement with Salesloft Inc. (“Salesloft”), Client authorises Delta-v to appoint Salesloft and its Affiliates (and permits Salesloft and its Affiliates to appoint sub-processors) to process Client Personal Data on Client’s behalf in connection with Delta-v’s Services to Client.
      3. Notwithstanding anything to the contrary in the Service Terms, SOW or this DPA, (a) Client acknowledges that processing of Client Personal Data by Google and Salesloft, respectively, is subject to the terms and conditions applicable to the use of their respective platform and services, and that Delta-v has no reasonable control over their processing activities. DELTA-V’S LIABILITY TO CLIENT ARISING FROM THE ACTIONS OR OMISSIONS OF GOOGLE OR SALESLOFT, THEIR AFFILIATES AND/OR THEIR RESPECTIVE SUB-PROCESSORS SHALL BE LIMITED TO THE AMOUNT OF DAMAGES DELTA-V IS ACTUALLY ABLE TO RECOUP FROM GOOGLE OR SALESLOFT (as the case may be) IN RESPECT OF SUCH CLAIM (PURSUANT TO THEIR RESPECTIVE AGREEMENTS WITH DELTA-V, USING COMMERCIALLY REASONABLE ENDEAVOURS).
   2. Appointment of Sub-processors. Client authorises Delta-v to appoint (and permit each Sub-processor appointed in accordance with this section 6.2 to appoint) Sub-processors in accordance with this section 6.2. Subject to section 6.1 (Google and Salesloft), (a) Delta-v may continue to use those Sub-processors already engaged by Delta-v as of the SOW Commencement Date, subject to Delta-v in each case as soon as practicable meeting the obligations set out in this section, and (b) Delta-v has entered or will enter into a written agreement with each Sub-processor containing data protection obligations substantially similar to those in this Agreement with respect to the protection of Client Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor. Delta-v will promptly provide Client with a list of current Sub-processors at Client’s written request from time to time.
   3. Notification of and Object Right to New Sub-processors. Delta-v shall use reasonable endeavours to give Client prior written notice of the appointment of any new Sub-processor, including details of the Processing to be undertaken by the Sub-processor. If, within ten (10) business days of receipt of that notice, Client notifies Delta-v in writing of any objections (on reasonable grounds) to the proposed appointment, Delta-v shall not appoint (or disclose any Client Personal Data to) that proposed Sub-processor until reasonable steps have been taken to address the objections raised by Client and Client has been provided with a reasonable written explanation of the steps taken.
7. SECURITY
   1. Security Measures. Each Party shall maintain reasonable technical and organizational measures appropriate to the nature of the Client Personal Data designed to protect the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration, unauthorized disclosure of, or access to, Client Personal Data), confidentiality and integrity of Client Personal Data.
   2. Client Systems. Client acknowledges and agrees that the bulk of Delta-v’s processing activities will be conducted from within environments (including third party platforms) owned and/or controlled by Client (“Client Systems”). Client shall be responsible for the security of the Client Systems. If Delta-v Processes Client Personal Data in Client Systems, Delta-v shall procure that its Personnel each keeps their username and password (“credentials”) confidential, and shall promptly notify Client if it becomes aware, or reasonably suspects that, any such credentials have been disclosed to an unauthorised person.
   3. Delta-v Systems. If Delta-v Processes Client Personal Data in its systems pursuant to a SOW, Client acknowledges and agrees that the requirements under section 7.1 (Security Measures) above shall be met where Delta-v maintains compliance with its internal information security policies, copies of which will be made available to Client from time to time at Client’s reasonable request. If Client Personal Data is processed in accordance with section 6.1 (Google and Salesloft), Client acknowledges and agrees that the requirements under section 7.1 (Security Measures) shall be met where technical and organizational measures are implemented in accordance with the provisions of Delta-v’s agreement with Google or Salesloft, respectively.
8. CROSS-BORDER TRANSFERS
   1. Transfers to Client Systems. If, pursuant to section 2.10 (Processing Instructions), Delta-v facilitates a transfer of Personal Data from a third party data provider to Clients’ nominated systems (including Client-contracted third party platforms such as Client’s CRM and Client’s sales engagement platform), (a) Client shall be the data importer for purposes of such transfer, and the third party data provider shall be the data exporter, (b) if required under Applicable Data Protection Legislation, Client shall be deemed to have entered into appropriate international transfer agreements with each such third party data provider in accordance with the applicable terms and conditions of such third party data provider, and (c) Client shall be responsible for meeting the obligations of the data importer under the Applicable Data Protection Legislation.
   2. Transfers to Delta-v and its Sub-processors. If Delta-v transfers, or facilitate the transfer of, Client Personal Data to its sub-processors on Client’s behalf pursuant to section 2.10 (Instructions for Processing), Client agrees that Delta-v and its sub-processors may receive, transfer, and process Personal Data outside of the EEA, UK, and Switzerland, including in the United States. Client acknowledges that Salesloft participates in and self-certifies compliance with the Data Privacy Framework (“DPF”). To the extent the DPF is recognized as a valid transfer mechanism under Applicable Data Protection Laws, Client Personal Data transferred to Salesloft will be subject to the DPF Principals (to the extent applicable), for as long as Salesloft is self-certified to the DPF. If the DPF is revoked in the future, held by a court of competent jurisdiction to be invalid, or is otherwise not a legally valid mechanism for transfers of Personal Data to a third country, the parties agree that the EU Standard Contractual Clauses and UK Standard Contractual Clauses, as applicable, shall apply.
9. AUDIT
   1. If Client is required to conduct an audit of Delta-v to comply with Client’s obligations under Applicable Data Protection Legislation, Delta-v shall reasonably cooperate with Client with regard to such audit and shall, on request, provide Client access to those records as are necessary for Client to comply with its obligations under Applicable Data Protection. Audit costs shall be borne by Client, and, unless otherwise required by a Supervisory Authority pursuant to Applicable Data Protection Legislation, such audits shall: (a) be subject to Client giving Delta-v at least 30 days’ prior written notice; (b) last no more than 5 Business Days each; (c) be subject to the confidentiality provisions of the Service Terms; and (d) be limited to no more than once per annum.
   2. Delta-v shall be entitled to a reasonable time to review and retain any audit report and to consult Client and its auditors on the content, prior to the report being submitted to a Supervisory Authority. For the avoidance of doubt, Confidential Information of Delta-v or its sub-processors obtained by Client pursuant to an Audit may not be disclosed to any third party, including, without limitation, any other agents or representatives of Client, except to the extent necessary to assert or enforce any of the Client’s rights under this DPA or is required to be disclosed by Data Protection Legislation, by any Supervisory Authority or by a court or other authority of competent jurisdiction provided that, to the extent it is legally permitted to do so, it gives Delta-v as much notice of this disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this section, it takes into account the reasonable requests of Delta-v in relation to the content of this disclosure.
10. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
    Delta-v maintains security incident management policies and procedures and shall notify Client without undue delay and in line with the timelines required by applicable Data Protection Legislation after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data, transmitted, stored or otherwise Processed by Delta-v or its Sub-processors which results in any actual loss or misuse of Client Personal Data (a “Client Data Incident”). Delta-v shall make reasonable efforts to assist Client to identify the cause of such Client Data Incident and take those steps as Delta-v deems necessary and reasonable in order to remediate the cause of such a Client Data Incident to the extent the remediation is within Delta-v’s reasonable control. Delta-v shall have no liability for costs arising from a Client Data Incident unless caused solely by a breach of Delta-v’s security obligations under section 8 (Security) of this DPA. In the event of a Client Data Incident, Client shall be responsible for notifying Data Subjects and/or Supervisory Authorities, provided that nothing in this section 10 shall prevent Delta-v from making any notification required by Applicable Data Protection Legislation. Before any such notification is made, Client shall consult with and provide Delta-v an opportunity to comment on any notification made in connection with a Client Data Incident.
11. RETURN AND DELETION OF CLIENT PERSONAL DATA
    Delta-v shall, at any time on the request of Client, and in accordance with a process and on terms to be mutually agreed, return all Client Personal Data in its possession to Client and/or at Client’s request delete the same from its systems, so far as is reasonably practicable, and other than any back-up copies which Delta-v, its Affiliates and/or Sub-processors are required to retain for compliance with Applicable Laws or regulatory requirements provided that such copies are kept confidential and secure in accordance with this Agreement.
12. DATA PROTECTION IMPACT ASSESSMENT
    Upon Client’s request, Delta-v shall provide Client with reasonable cooperation and assistance, at Client’s cost, needed to fulfil Client’s obligation under Applicable Data Protection Legislation to carry out a data protection impact assessment related to Client’s use of the Services, to the extent Client does not otherwise have access to the relevant information, and to the extent such information is available to Delta-v. Delta-v shall provide reasonable assistance to Client in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this section of this DPA, to the extent required under the Applicable Data Protection Legislation.