LeadRocks Data Processing Agreement

to the LeadRocks Terms of Use and Privacy Policy entered into between LeadRocks and the Client. This Data Processing Agreement (the “DPA”) is an integral part of the foregoing documents and incorporated therein by reference.

GENERAL

The Vendor shall process the Client’s Personal Data as described below. The Vendor shall process the Client’s Personal Data as a data Processor acting on behalf of the Client as the Controller of such Personal Data.

The Client hereby instructs the Vendor to process the Client’s Personal Data only for the limited purposes of providing the Vendor’s Services to the Client. Under no circumstances shall the Vendor process any of the Client’s Personal Data for its own purposes, thereby becoming a data controller of such personal data itself.

The Vendor shall reasonably assist the Client in responding to requests to exercise Data Subject rights under applicable laws, including EU Data Protection Laws. The Vendor shall: (i) Promptly notify the Client if it receives a request from a Data Subject under EU Data Protection Laws in respect of the Client’s Personal Data; and (ii) Ensure that it does not respond to that request except on the documented instructions of the Client or as strictly required by applicable laws to which the Vendor is subject.

Upon expiration or termination of the provision of the Vendor’s Services, the Vendor shall promptly delete or return all copies of the Client’s Personal Data, at the Client’s choice, except as required to be retained in accordance with applicable law. Upon the Client’s prior written request, the Vendor Chief Privacy Officer or equivalent shall provide written certification to the Client that it has fully complied with this section.

DESCRIPTION OF PROCESSING

Categories of data subjects whose personal data is processed: business professionals requested by the Client. 

Categories of personal data (the “Personal Data”): the Business and Shared Data as defined in the Privacy Policy. No special categories will be processed.

Nature of the processing: recording, storage, consultation, use, disclosure by transmission and erasure.

Purpose(s) of the data processing and further processing: the provision of LeadRocks’s services.

The period for which the Personal data will be retained: the period of the Agreement (as specified in the Terms). LeadRocks shall be entitled to maintain the personal data following the termination of the main agreement for statistical and/or financial purposes provided that LeadRocks maintains such personal data on an aggregated basis or otherwise after having removed all personally identifiable attributes from such personal data.

The Client may only use the LeadRocks Service to process personal data pursuant to a recognized and applicable lawful basis under the GDPR. The Customer shall provide LeadRocks only with instructions that are lawful under the GDPR and would not cause LeadRocks to breach the GDPR.

TECHNICAL AND ORGANISATIONAL MEASURES LEADROCKS FOLLOWS

Security Policies and Procedures. LeadRocks maintains and implements security policies and procedures designed to ensure employees and contractors Process Personal Data in accordance with this DPA.

Intrusion Prevention. LeadRocks ensures that its security infrastructure is consistent with leading industry standards for virus protection, firewalls and intrusion prevention technologies to prevent any unauthorized access to or compromise of LeadRocks’s network, systems, servers and applications.

Security Awareness Training. LeadRocks implements and maintains security awareness training regarding the handling and securing of confidential information and sensitive information such as Personal Data consistent with applicable law.

Physical Access Controls. LeadRocks has established limits on physical access to information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to data centers and offices is limited to authorized individuals.

Logical Access Controls. LeadRocks ensures proper user authentication for all employees and contractors with access to Personal Data, including, without limitation, by assigning each employee/contractor unique access credentials for access to any system on which Personal Data Processed by LeadRocks in accordance with this DPA can be accessed and prohibiting employees/contractors from sharing such access credentials. LeadRocks restricts and tracks access to Personal Data Processed by LeadRocks in accordance with this DPA to only those employees/contractors whose access is necessary to perform the services. LeadRocks implements and maintains logging and monitoring technology to help detect and prevent unauthorized access attempts to networks and production systems. LeadRocks conducts periodic reviews of changes affecting systems’ handling of authentication, authorization, and auditing, and privileged access to production systems. LeadRocks shall ensure that upon termination of any employee/contractor, the terminated employee’s access to any Personal Data Processed by LeadRocks in accordance with this DPA on LeadRocks’s systems will be immediately revoked.

Environmental Access Controls. LeadRocks implements and maintains appropriate and reasonable environmental controls for data centers, such as air temperature and humidity controls, and appropriate protections against power failures.

Disaster Recovery and Back-up Controls. LeadRocks maintains: (i) periodic backups of production file systems and databases according to a defined schedule; and (ii) a formal disaster recovery plan for the production data center and conducts regular testing on the effectiveness of such plan.

Business Continuity and Cyber Incident Response Plan. LeadRocks maintains business continuity and incident response plans to manage and minimize the effects of unplanned events (cyber, physical, or natural) (“Incident Response Plans”) that include procedures to be followed in the event of an actual or potential security breach or business interruption and which have a stated goal of resumption of routine services within thirty-six (36) hours of such an event. The Incident Response Plans shall require record keeping of root cause analysis and remediation efforts.

Storage and Transmission Security. LeadRocks secures the transmission of all Personal Data Processed by LeadRocks in accordance with this DPA and encrypts such data while in motion consistent with industry standards and at a minimum of 256-bit encryption.

Internal Audits. LeadRocks regularly conducts internal security audits and shall contract annually for external security assessments and penetration tests of LeadRocks systems including, without limitation, cloud architecture, business processes and procedures, access controls and encryption measures.

Risk Identification and Assessment. LeadRocks implements and maintains a risk assessment program to help identify foreseeable internal and external risks to its information resources and to determine if existing controls, policies, and procedures are adequate.

Vendor and Services Providers. Prior to engaging new third-party contractors, service providers or vendors who will have access to Personal Data Processed by LeadRocks in accordance with this DPA (collectively, “Vendors”), LeadRocks shall conduct a risk assessment on such Vendor’s data security practices.

Change and Configuration Management. LeadRocks implements and maintains policies and procedures for managing changes to production systems, applications, and databases, including without limitation, processes for documenting testing and approval of changes into production, security patching, and authentication.