This Data Processing Addendum (“DPA”) is referred to in, and forms an integral part of, SharpSpring Ads’s Terms of Service (the “Terms of Service”) and is effective upon acceptance of the Terms of Service. The terms used in this DPA shall have the meanings set forth herein. Capitalized terms not otherwise defined shall have the meaning given to them in the Terms of Service. Except as modified below, the terms set forth in the Terms of Service shall remain in full force and effect. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set forth below shall be added as a DPA to the Terms of Service.

1. Data Protection.

   1. Definitions:
      • (a) “controller”, “processor”, “data subject”, and “processing”; (and “process”) shall have the meanings given in Applicable Data Protection Law.
      • (b) “Applicable Data Protection Law” shall mean: (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
      • (c) “Personal Data” shall mean any data related to an identified or identifiable individual natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to its physical, physiological, mental, economic, cultural or social identity.
   2. Relationship of the parties: You (the “controller”) appoint SharpSpring Ads as a processor to process the Personal Data described in the Terms of Service and his DPA. Each party shall comply with this DPA and any obligations that apply to it under Applicable Data Protection Law.
   3. Prohibited data: You shall not disclose (and shall not permit any data subject to disclose) any special categories of Personal Data to SharpSpring Ads for processing.
   4. Purpose limitation: SharpSpring Ads shall process the Personal Data as a processor as necessary to perform its obligations under the Terms of Service and/or strictly in accordance with your documented instructions (the “Permitted Purpose”).
   5. International transfers: SharpSpring Ads shall not transfer Personal Data (nor permit Personal Data to be transferred) outside of the European Territories unless it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, to a recipient that participates in the EU-US Privacy Shield certification program, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
   6. Confidentiality of processing: SharpSpring Ads shall ensure that any person that it authorises to process Personal Data (including SharpSpring Ads’s staff, agents and subcontractors) (an “Authorized Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process Personal Data who is not under such a duty of confidentiality.
   7. Security: SharpSpring Ads shall implement appropriate technical and organizational measures to protect the Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Personal Data (a “Security Incident”).
   8. Subcontracting: You consent to SharpSpring Ads engaging third party subprocessors to process Personal Data for the Permitted Purpose provided that: (i) SharpSpring Ads maintains an up-to-date list of its subprocessors to be provided to you upon request, which it shall update with details of any proposed change a reasonable time in advance of appointing or replacing a subprocessor; (ii) SharpSpring Ads imposes data protection terms on any subprocessor it appoints that require it to protect the Personal Data to the standard required by Applicable Data Protection Law and this DPA; and (iii) SharpSpring Ads remains liable for any breach of this provision caused by an act, error or omission of its subprocessor. A list of approved subprocessors is attached with Schedule A. You may object to SharpSpring Ads appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, SharpSpring Ads will either not appoint or replace the subprocessor or, if this is not possible, you may suspend or terminate the Terms of Service (without prejudice to any fees incurred by you prior to suspension or termination) upon 30 days written notice to SharpSpring Ads.
   9. Cooperation and data subjects’ rights: SharpSpring Ads shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to you (at your expense) to enable you to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to SharpSpring Ads, SharpSpring Ads shall promptly inform you providing full details of the same.
   10. Data Protection Impact Assessment: SharpSpring Ads shall provide reasonable cooperation to you (at your expense) in connection with any data protection impact assessment that you may be required to conduct under Applicable Data Protection Law.
   11. Security incidents: Upon becoming aware of a Security Incident, SharpSpring Ads shall inform you without undue delay and shall provide all such timely information and cooperation as you may require in order for you to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. SharpSpring Ads shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep you up-to-date about all developments in connection with the Security Incident.
   12. Deletion or return of Personal Data: Upon termination or expiry of the Terms of Service, SharpSpring Ads shall (at your election) destroy or return to you all Personal Data in its possession or control (including any Personal Data subcontracted to a third party for processing). This requirement shall not apply to the extent that SharpSpring Ads is required by any EU (or any EU Member State) law to retain some or all of the Personal Data, in which event SharpSpring Ads shall isolate and protect the Personal Data from any further processing except to the extent required by such law.
   13. Audit: SharpSpring Ads shall permit you (or your appointed third party auditors) to audit SharpSpring Ads’s compliance with this DPA, and shall make available to you all information, systems and staff reasonably necessary for you (or your third party auditors) to conduct such audit. SharpSpring Ads acknowledges that you (or your third party auditors) may enter its premises for the purposes of conducting this audit, provided that you provide reasonable prior notice of your intention to audit, conduct your audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to SharpSpring Ads’ operations. You will not exercise your audit rights more than once in any 12 calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) you believe a further audit is necessary due to a Security Incident.

1. Data exporter

   You are the data exporter receiving services under the Terms of Service.

2. Data importer

   The data importer is a software as a service internet accessible advertising analytics provider that is providing services under the Terms of Service and aiming to measure, manage and optimize its customers’ advertising budgets and revenues.

3. Data subjects

   The Personal Data transferred concern the following categories of data subjects: (i) internet users accessing the data exporter’s website and/or using the data exporter’s online services; (ii) authorized users of the SharpSpring Ads application; and/or (iii) prospective and existing customers of the data exporter.

4. Categories of data

   Personal Data transferred include the following: (i) Order ID; (ii) Product ID; (iii) Currency Code; (iv) Product Category; (v) Product Unit Price; (vi) Conversion Type; (vii) User agent; (viii) Referring application; and (ix) Onsite behavior (page clicks).
   For SharpSpring Ads application users, Personal Data transferred may include the following: (i) Email address; (ii) first and last name; (iii) phone number; (iv) employment mailing address; (v) credit card information; and (vi) banking details.

5. Special categories of data (if appropriate)

   Personal Data transferred concern the following special categories of data: None.

6. Processing operations

   The following processing operations apply as below:
   The data importer collects data via the SharpSpring Ads tracking pixel (cookie). This cookie is placed on the data importer’s websites by the data importer for the collection of data. These data are stored and processed by the data exporter at its data centers which are located in Dublin Ireland, California USA, Virginia USA, and Singapore. The Personal Data processed by the data importer may also be shared with certain Advertising Exchanges on the data importer’s behalf to bid on advertising properties on the Internet. The data importer uses the following entities as subprocessors under the Terms of Service:

   • Salesforce Incorporated – https://www.salesforce.com/company/privacy/full_privacy/
   • Marketo Inc. – https://documents.marketo.com/legal/privacy/
   • Amazon Webservices – https://aws.amazon.com/privacy/
   • Google – https://gsuite.google.com/security/ & https://policies.google.com/privacy?hl=en
   • Mixpanel – https://mixpanel.com/legal/privacy-policy/
   • Intercom – https://www.intercom.com/terms-and-policies
   • Mailgun – https://www.mailgun.com/gdpr
   • MongoHQ – https://www.mongodb.com/cloud/compliance
   • OpenRedis – https://openredis.com/privacy
   • Heroku – https://www.heroku.com/policy/security

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

1. Unauthorized persons are prevented from gaining access to the data processing systems with which the transferred data are processed or used (physical access control):
   1. SharpSpring Ads requires its co-location facility partners to restrict physical access to those with prior authorization and picture identification. SharpSpring Ads’ data center is co-located in an SSAE No. 16 audited Tier IV Gold facility. Only individuals authorized by SharpSpring Ads can access SharpSpring Ads’ equipment. SharpSping Ads requires its providers to enforce verification of SharpSpring Ads service requests; providers may not attempt to gain any sort of access to SharpSpring Ads’ systems without written instructions from SharpSpring Ads. Beyond this, no external physical connections to SharpSpring Ads systems are allowed including keyboards, displays and network monitoring systems.
2. Data processing systems are prevented from being used without authorization (logical access control):
   1. Data processing systems are prevented from being used without authorization. Administrative access to SharpSpring Ads’ servers are restricted to trained and authorized members of the data
      importer’s staff. Administrative access to theSharpSpring Ads application are strictly controlled by the data importer to authorized individuals on a need-to-know basis. Remote administrative access is only available via cryptographically secure connections.
   2. The data importer uses a strong password policy and two-factor authentication for access to all corporate computing assets. Remote access to the data importer’s corporate networks are via secure VPN. The data importer stores all data behind its firewalls and employs advanced alerting systems to detect unauthorized access. All access attempts are logged for the data importer’s applications and corporate systems.
3. Persons entitled to use a personal data processing system can gain access only to such data as they are entitled to accessing in accordance with their access rights, and, in the course of processing or use and after storage, personal data cannot be read, copied, modified or deleted without authorization (data access control):
   1. The data importer uses a role-based provisioning process when providing access to the SharpSpring Ads applications and its third party customer relationship management software (the “CRM”). Only individuals with a “need-to-know” basis are provided access to customer data in the SharpSpring Ads applications and the CRM.
   2. The data importer maintains a strict back-ground check process for all staff and a tightly controlled termination process for revoking access. User provisioning for corporate systems are reviewed twice annually. The data importer’s customers control the user provisioning for their users in the SharpSpring Ads applications.
4. Personal data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged (transmission control):
   1. Personal data cannot be read, copied, modified, or removed without authorization during electronic transmission, transportation, or storage. All personal data in the SharpSpring Adse applications is protected behind secure firewalls and all access to the data storage is logged in the SharpSpring Ads applications and in the server logs. SharpSpring Ads uses alerting software to provide alerts for any unauthorized access. Login credentials to the SharpSpring Ads application are hashed in storage and encrypted in transmission.
5. It is possible to check and establish whether and by whom personal data have been entered into, modified in, or removed from data processing systems (input control):
   1. It is possible to retroactively examine and establish whether and by whom personal data have been process, accessed, or modified. The SharpSpring Ads applications and CRM systems contain robust logging features which identify when data are access, modified, or deleted. The data importer and its customers review these logs regularly.
6. Personal data processed on the basis of commissioned processing are processed strictly in accordance with the instructions of the data controller (job control):
   1. The data importer only processes personal data based on the instructions of the data exporter as described in the applicable services agreement between the parties.
7. Personal data are protected against accidental destruction or loss (availability control):
   1. The data importer maintains appropriate and regular back-up procedures daily to prevent accidental destruction of loss of personal data. Data are backed up at regular intervals throughout the day and every complete data back-up are performed every 24 hours.