Perch Insights Data Processing Addendum

This Data Processing Addendum (“Addendum” or “DPA”) is effective concurrent with the commencement date  (“Addendum Effective Date”) of any sales order, statement of work or similar commercial contract (“SOW”)  between  Perch Insights, Inc. (“Perch Insights” or “Service Provider”) and the party that executes the SOW (“Company”), and forms part of the Perch Insights Terms of Service, which are found at the following link (“Agreement”). 

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.



The parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.


  1. Definitions.


    1. EU/UK Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time.
    2. Standard Contractual Clauses” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).
    3. Company Personal Data” means information that is processed by Service Provider, or collected by Service Provider, on behalf of Company which identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular identified or identifiable person or household.
    4. Process” means any operation or set of operations that are performed on Company Personal Data.
    5. Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either Company or Service Provider respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
    6. Applicable Laws” or “Applicable Data Protection Laws” means any privacy or security law that applies to Company Personal Data.
    7. Subprocessor” means any Processor (including any third party and any Service Provider Affiliate) appointed by Service Provider to Process Company Personal Data.
    8. Processor” means any entity that performs the Processing of Company personal data. For the purposes of this Agreement and Addendum, Service Provider and any authorized subcontractors are Processors.
    9. Regulator” refers to any government agency responsible for enforcing the Applicable Laws
    10. CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any implementing regulations thereto that become effective on or after the effective date of this DPA;
    11. Data Subject” means any identifiable individual or household included, or previously included, within the Company Personal Data.
    12. Personal Data Breach” means the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Company Personal Data transmitted, stored or otherwise processed. Should any other definition of “breach,” “data breach,” or “personal data breach” that appears in any Applicable Law be broader in scope than the definition provided here, the definition in said law shall control.
    13. Capitalized terms used in this DPA shall have the same meaning given to them under Applicable Data Protection Laws, unless a different meaning is specified herein. In regards to the CCPA, terms used in the applicable provisions of the DPA where the CCPA is the applicable law shall be replaced as follows: “Personal Data” shall mean “Personal Information”; “Controller” shall mean “Business”; “Processor” shall mean “Service Provider”; and “Data Subject” shall mean “Consumer”.

  2. Authorization to Process Data.
    1. Service Provider may Process Company Personal Data as per the terms of the Agreement and this Addendum.
    2. Service Provider shall not Process Company Personal Data for any purpose other than those specified in the Agreement, this Addendum, or Company’s documented instructions. Service Provider shall promptly inform the Company if, in its opinion, any processing instruction infringes upon any Applicable Law.
    3. The Company, as Controller, remains solely responsible for the lawfulness of the Company Personal Data, the Company Processing and its documented instructions, especially with regard to principles and obligations related to legal grounds of the Company Processing and information of Data Subjects under Applicable Data Protection Laws. Company remains solely responsible for the performance of its obligations under Applicable Laws and under any other laws or regulations that may apply to its activities.

  3. Confidentiality. Service Provider shall take reasonable steps to ensure the confidentiality of Company Personal Data by any employee, agent or contractor that has access to the Company Personal Data. Among other things, Service Provider will limit access to those individuals who need to access Company Personal Data and will contractually require all individuals that have access to Company Personal Data to keep such data confidential.

  4. Security.
    1. Service Provider Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Service Provider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. At a minimum, the Service Provider shall put in place and maintain the technical and organizational measures as set out in Schedule 2. Company is reputed to have approved of these measures in Schedule 2 as of the date of entering this Addendum.

  5. Data Subject Rights.
    1. Service Provider shall provide all reasonable and timely assistance to enable Company to respond to: (i) any request from an individual to exercise any of its rights under Applicable Data Protection Laws; and (ii) any other correspondence received from a regulator or public authority in connection with the processing of Company Personal Data. In the event that any such communication is made directly to Service Provider, Service Provider shall promptly inform Company providing full details of the same; shall not respond to the communication unless specifically required by law or authorized by Company; and shall promptly provide the information or services necessary for Company to respond to access, deletion or change requests in relation to Company Personal Data. The Service Provider shall comply with Company’s documented instructions regarding implementation of a Data Subject’s request, e.g. instructions aimed at correction or erasure of certain Company Personal Data, to the extent the Service Provider is in capacity, has the rights necessary to perform the requested operations on the concerned Company Personal Data, and is required to by Applicable Laws.
    2. For the avoidance of doubt, Company is responsible for verifying the identity and authenticity of the aforementioned requests and Service Provider shall comply with such requests unless Company Personal Data must be retained to comply with applicable laws or is no longer available on Service Providers’ Systems.

  6. CCPA Personal Information Processing


    1. Instructions for CCPA Personal Information Processing. Service Provider shall not retain, use or disclose CCPA Personal Information for any purpose other than for the specific purpose of providing the Services, or as otherwise permitted by the CCPA. Service Provider acknowledges and agrees that it shall not retain, use or disclose CCPA Personal Information for a commercial purpose other than providing the Services. Processing CCPA Personal Information outside the scope of this DPA or the Agreement will require prior written agreement between Company and the Service Provider on additional instructions for Processing. In no event will the Service Provider sell (as defined in the CCPA, “Sell” or its cognate, “Sale”) any Company Personal Data to another business or third party without the prior written consent of Company.
    2. Required consents and notices. Where required by Applicable laws, Company will ensure that it has obtained/will obtain all necessary consents, and has given/will give all necessary notices, for the Processing of CCPA Personal Information by the Service Provider in accordance with the Agreement.

  7. Personal Data Breach.
    1. Service Provider shall cooperate with, assist and notify Company without undue delay upon Service Provider or any Subprocessor becoming aware of a Personal Data Breach potentially affecting Company Personal Data, and will provide Company with sufficient information to allow Company to meet any obligations to report or inform Data Subjects or relevant Regulators of the Personal Data Breach.

  8. Deletion or return of Company Personal Data.
    1. Service Provider shall promptly upon Company’s request or in any event within 60 calendar days of the effective date of termination of the Agreement: (a) return a copy of all Company Personal Data to Company by secure file transfer in such format as notified by Company to Service Provider; or (b) irrevocably delete and procure the irrevocable deletion of all other copies of Company Personal Data Processed by Service Provider or any Subprocessor.
    2. Notwithstanding Section 9.1 of this Addendum, Service Provider may retain Company Personal Data to comply with applicable law, regulation, and industry standards and best practices. Notwithstanding, Service Provider shall ensure the confidentiality of all such Company Personal Data in accordance with this DPA and the Agreement and shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified under the Agreement.

  9. Relevant Records and Audit Rights.
    1. Upon Company’s request, Service Provider shall promptly make available to Company all information reasonably necessary to demonstrate compliance with this Addendum. Notwithstanding the foregoing, Company may, in its sole discretion, accept Service Providers’ SOC2 or ISO 27001 report in lieu of conducting an audit.

  10. Subprocessing. The Service Provider may engage another processor (Subprocessor) to conduct specific processing activities. In this case, the Service Provider shall inform the Company, in writing beforehand, of any intended changes concerning the addition or replacement of other processors. This information must clearly indicate which processing activities are being subcontracted out, the name and contact details of the Subprocessor and the dates of the subcontract. The Company has a minimum timeframe of fifteen (15) days from the date on which it receives said information to object thereto. Such Subprocessing is only possible where the Company has not objected thereto within the agreed timeframe.

  11. International Data Transfer. Insofar as the Agreement involves the transfer of Company Personal Data from a jurisdiction where the Applicable Law requires that additional steps, or safeguards, be imposed before the data can be transferred to a second jurisdiction, Service Provider agrees to cooperate with Company to take appropriate steps to comply with Applicable Law. The Service Provider agrees to comply, where applicable, with Standard Contractual Clauses (EU SCCs and/or UK SCCs). In the event of any conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses shall control and supersede. The parties hereby acknowledge and agree that Company Personal Data relating to individuals in the European Economic Area, the United Kingdom, and Switzerland is processed by a cloud services provider like Amazon Web Services.

  12. General Terms. Any obligation imposed on Service Provider under this Addendum in relation to the Processing of Personal Data shall survive any termination or expiration of this Addendum. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either: (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. Company and Service Provider expressly recognize and agree that this Addendum includes provisions addressed in other portions of the Agreement. Company and Service Provider hereby agree that the terms and conditions set out herein shall be added as an Addendum to the Agreement. This Addendum and the other portions of the Agreement shall be read together and construed, to the extent possible, to be in concert with each other. In respect of any conflict between the Agreement and this Addendum, the provisions which provide the greatest protection of the Company Personal Data shall prevail; provided, however, that in no event shall this Addendum be deemed to eliminate, limit, or otherwise diminish Service Provider’s obligations or commitments to Company under portions of the Agreement.

Schedule 1

Schedule 2

  1. Service Provider represents and warrants that it maintains internal policies and procedures, and ensures that its Subprocessors also maintain internal policies and procedures, which are designed to: (a) secure any Company Personal Data Processed by Service Provider against any Security Incident; (b) identify reasonably foreseeable and internal risks to security and unauthorized access to any Company Personal Data; and (c) minimize security risks, including through risk assessment and regular testing. In the event of a conflict between the provisions of this Schedule 1 and a provision of the DPA, the provision that is more stringent will control.


  2. Service Provider agrees that it will implement and maintain (for so long as Service Provider continues to Process any Company Personal Data) comprehensive control measures in accordance with current industry security standards (e.g. CIS top 20, NIST or ISO), including, without limitation:
    1. Inventory and Control of Hardware Assets – Actively manage (inventory, track, and correct) hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
    2. Inventory and Control of Software Assets – Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
    3. Continuous Vulnerability Management – Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
    4. Controlled Use of Administrative Privileges – Actively manage the processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
    5. Physical and logical access control measures – At a minimum, timely removal of users in case of termination and/or reassignment, provisioning of users based on business need and regularly reviewed for appropriateness.
    6. Operations management and network security measures – At a minimum, hardening, change control, segregation of duties, separation of development and production environments, technical architecture management, virus protection, media controls, information in transit, data integrity, encryption, audit logs, time synchronization, and network segregation.
    7. Maintenance, Monitoring and Analysis of Audit Logs – Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
    8. Email and Web Browser Protections – Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
    9. Limitation and Control of Network Ports, Protocols, and Services – Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.
    10. Data Recovery Capabilities – Actively manage the processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
    11. Business continuity programs – Develop and continuously review a recovery plan, sufficient to ensure Service Provider can continue to function through an operational interruption and continue to provide services to Company within a reasonable period after any disaster.
    12. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches – Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
    13. Boundary Defense – Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.
    14. Data Protection – Actively manage the processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
    15. Controlled Access Based on the Need to Know – Actively manage the processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
    16. Account Monitoring and Control – Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.
    17. Implement a Security Awareness and Training Program – For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
    18. Application Software Security – Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
    19. Incident Response and Management – Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.
    20. Penetration Tests and Red Team Exercises – Test the overall strength of an organization’s defense (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.
    21. Access to Sensitive Data – At a minimum, ensuring employees and independent contractors are qualified to Process Company Personal Data, have received proper role based training that is renewed at least annually, access such Company Personal Data only on a need-to-know basis, and are required to comply with Service Provider’s obligations under this DPA; Users with access to sensitive data have background checks conducted.
    22. Personnel controls – Develop and continuously review documented procedures to ensure data is encrypted in transition, at rest, backed up routinely, monitored for successful completion, validated, and retained in accordance with applicable laws and the requirements of this DPA.

  3. Service Provider will, and will also procure that its Subprocessors will, conduct periodic reviews (no less than annually) to: (a) evaluate the security of its network and associated services as well as the adequacy of its information security program as measured against current industry security standards, Service Provider’s policies and procedures, and all applicable information security requirements in the DPA and/or Agreement; and (b) determine whether additional or different security measures are required (i) for Service Provider’s continued compliance with the foregoing, and (ii) respond to new security risks or findings generated by the periodic reviews.