
DATA PROCESSING ADDENDUM

This Data Processing Addendum (the "Addendum") is incorporated into and forms part of each Covered Agreement between Verito, Inc. ("Verito") and the customer identified in the applicable Covered Agreement ("Customer"). Customer accepts this Addendum by entering into a Covered Agreement, accessing or using Verito's website or Services after this Addendum is made available, or otherwise manifesting assent to the applicable Covered Agreement or Services. Customer may also accept this Addendum through any click-through, electronic, or other acceptance mechanism used in connection with the applicable Covered Agreement or Services.

This Addendum applies to Customer Personal Data that Verito Processes on behalf of Customer in connection with the Services. This Addendum does not apply to data for which Verito acts as a controller, business, or independent party for its own business purposes, including Verito Business Data.

In the event of a conflict between this Addendum and the Covered Agreement, this Addendum controls solely with respect to the Processing of Customer Personal Data. In all other respects, the Covered Agreement remains in full force and effect.

1. Definitions

Affiliate

means, with respect to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with that party.

Applicable Data Protection Laws

means privacy, security, breach-notification, and data-protection laws applicable to Verito's Processing of Customer Personal Data under the Covered Agreement. References in this Addendum to industry guidance, frameworks, or customer compliance obligations are included only to describe the context of the Services and do not, by themselves, expand Verito's legal obligations beyond applicable law and the Covered Agreement.

Covered Agreement

means the agreement, order, statement of work, or online terms governing the applicable Services between Verito and Customer, which may include, as applicable, Verito's website Terms of Use, Cloud Terms of Service, MIT Terms of Service, WISP Services Agreement, an order form, a statement of work, or another written agreement.

Customer Personal Data

means Personal Data that Verito Processes on behalf of Customer in connection with the Services under the Covered Agreement. Customer Personal Data does not include Verito Business Data.

Process or Processing

means any operation performed on Customer Personal Data, whether or not by automated means, including access, collection, recording, organization, storage, use, disclosure, transfer, analysis, retrieval, combination, restriction, deletion, or destruction.

Subprocessor

means a third party engaged by Verito to Process Customer Personal Data on Customer's behalf in connection with the Services.

Verito Business Data

means all information relating to Verito's business and delivery of the Services, including but not limited to (a) Personal Data concerning Customer and its employees or representatives, (b) other data concerning or relating to Customer's account, transaction history, use of the Services and identity verification, and (c) subject to any restrictions under any applicable Data Protection Laws, De-Identified Data. Verito Business Data includes personal data described in Verito's privacy policy when Verito collects or uses that data for its own purposes.

2. Roles and Allocation of Responsibility

2.1. Customer as Controller or Processor

2.1.1

Where Customer is a Controller of Customer Personal Data, Customer: (a) is solely responsible for determining the purposes and means of Processing such Customer Personal Data; (b) represents and warrants that it has all necessary rights, authority, consents, permissions, and other lawful bases to provide the Customer Personal Data to Verito for Processing in connection with the Services; and (c) will comply with its obligations as a Controller under Applicable Data Protection Laws.

2.1.2

Where Customer is a Processor of Customer Personal Data, Customer: (a) is solely responsible for complying with its agreements and other arrangements with the applicable Controller(s) on whose behalf Customer Processes such Customer Personal Data; (b) represents and warrants that it has provided all notices and obtained all rights, authority, consents, permissions, and other approvals necessary to provide the Customer Personal Data to Verito for Processing in connection with the Services; and (c) will comply with its obligations as a Processor under Applicable Data Protection Laws.

2.1.3

Customer expressly acknowledges and agrees that Verito is not responsible for determining which laws, regulations, or industry standards apply to Customer's business, Customer's Processing activities, or Customer's use of the Services. Customer is solely responsible for determining whether the Services, the applicable Covered Agreement, and this Addendum satisfy Customer's business, contractual, compliance, and legal obligations. Customer will ensure that its instructions to Verito regarding the Processing of Customer Personal Data comply with Applicable Data Protection Laws and do not cause Verito to violate Applicable Data Protection Laws.

2.2. Verito as Processor or Service Provider

2.2.1

With respect to Customer Personal Data Processed by Verito on behalf of Customer in connection with the Services, the parties acknowledge and agree that, except as otherwise expressly set forth in this Addendum, Verito will act as a Processor, Service Provider, or Contractor, as applicable under Applicable Data Protection Laws, and will Process such Customer Personal Data only: (a) to provide the Services and related support under the applicable Covered Agreement; (b) on Customer's documented instructions as set forth in the Covered Agreement, this Addendum, and any other written instructions mutually agreed by the parties; and (c) as otherwise required by applicable law.

2.2.2

Notwithstanding Section 2.2.1, Verito will act as a Controller, Business, or other analogous independent legal role, and not as Customer's Processor, Service Provider, or Contractor, with respect to Verito Business Data.

2.2.3

Nothing in this Addendum restricts Verito from Processing Verito Business Data for Verito's own legitimate business purposes, provided that Verito Processes such data in accordance with Applicable Data Protection Laws and its applicable privacy notice(s). For the avoidance of doubt, this Addendum does not apply to Verito's Processing of Verito Business Data.

2.3. Affiliates

2.3.1 Customer Affiliates

For purposes of this Addendum, any Customer Personal Data provided to Verito or any Verito affiliate by a Customer affiliate for Processing on behalf of Customer and/or such Customer affiliate in connection with the Services shall be deemed to be Customer Personal Data provided by Customer. Customer represents and warrants that it will take all measures reasonably necessary to ensure its Affiliates comply with Customer's obligations under this Addendum. Customer is responsible for its Affiliates' compliance with this Addendum.

2.3.2 Verito Affiliates

For purposes of this Addendum, any Customer Personal Data received or Processed by a Verito Affiliate in connection with the Services shall be deemed to have been received or Processed by Verito. Verito will take all measures reasonably necessary to ensure its Affiliates comply with Verito's obligations under this Addendum. Verito is responsible for its Affiliates' compliance with this Addendum.

2.4. Scope of Instructions

2.4.1

The applicable Covered Agreement, together with this Addendum, constitutes Customer's complete and final documented instructions to Verito for the Processing of Customer Personal Data, unless the parties otherwise agree in writing.

2.4.2

Verito will not be obligated to follow any instruction that, in Verito's reasonable opinion, would violate Applicable Data Protection Laws or otherwise impose obligations on Verito beyond those set forth in the Covered Agreement and this Addendum. In such event, Verito may notify Customer and suspend compliance with the affected instruction until the parties resolve the issue.

2.5. Data Use Restrictions

Verito will not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Covered Agreement and this Addendum; (c) Process Customer Personal Data outside the direct business relationship between Verito and Customer except as permitted by applicable law; or (d) combine Customer Personal Data with personal data received from another source except as permitted by Applicable Data Protection Laws and reasonably necessary to provide, secure, maintain, or improve the Services.

2.6. De-Identified and Aggregated Data

Nothing in this Addendum prohibits Verito from generating and using de-identified or aggregated information derived from the Services, provided that such information: (a) does not identify Customer, any Customer end user, or any data subject; (b) is not used to re-identify any individual; and (c) is used only for lawful internal analytics, security, service-improvement, benchmarking, and business-operations purposes. Verito will maintain and use reasonable measures designed to ensure the information cannot be associated with an identified or identifiable individual and will not attempt to re-identify it.

3. Confidentiality and Personnel

3.1

Verito will ensure that persons authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations and are granted access only to the extent reasonably necessary to perform their duties in connection with the Services.

3.2

Verito will provide appropriate privacy and security training to relevant personnel consistent with their responsibilities.

4. Security Measures

4.1

Verito will implement and maintain reasonable and appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. The current categories of measures are described in Schedule 2.

4.2

Verito may update its security measures from time to time, provided that Verito does not materially reduce the overall security posture applicable to the Services purchased by Customer.

4.3

Any service-specific security commitments expressly stated in the Covered Agreement or an applicable order or statement of work will control over general descriptions in Schedule 2 to the extent of any inconsistency.

5. Security Incident Notification

5.1

Verito will notify Customer without undue delay after confirming a Security Incident involving Customer Personal Data. Where a specific notification deadline is required by Applicable Data Protection Laws for Verito's role, Verito will use commercially reasonable efforts to provide notice within that required period.

5.2

To the extent known and reasonably available at the time of notice, Verito's notice will describe the nature of the Security Incident, the categories of Customer Personal Data affected, the measures taken or proposed to address the incident, and the contact details for further information. Verito may provide information in phases as it becomes available.

5.3

Verito will take commercially reasonable steps to contain, investigate, mitigate, and remediate the Security Incident and will reasonably cooperate with Customer in connection with Customer's legally required notifications and response obligations, at Customer's reasonable expense to the extent such assistance exceeds Verito's standard incident-response obligations.

6. Assistance With Data Subject Requests and Impact Assessments

6.1

Taking into account the nature of the Processing and the functionality of the Services, Verito will provide commercially reasonable assistance to Customer in responding to requests by data subjects to exercise rights under Applicable Data Protection Laws, to the extent Customer cannot reasonably fulfill the request through the Services or its own systems.

6.2

At Customer's reasonable expense, Verito will provide commercially reasonable information and assistance reasonably requested by Customer in connection with data protection impact assessments, risk assessments, or consultations with regulators to the extent required by Applicable Data Protection Laws and directly related to Verito's Processing of Customer Personal Data.

7. Government Requests and Legal Process

7.1

Unless prohibited by applicable law, Verito will promptly notify Customer if Verito receives a subpoena, court order, civil investigative demand, warrant, or other compulsory legal request seeking Customer Personal Data.

7.2

Verito may disclose Customer Personal Data as required by applicable law. Unless prohibited by law, Verito will provide Customer a reasonable opportunity to seek a protective order or other appropriate remedy. At Customer's reasonable expense, Verito will provide commercially reasonable cooperation in any effort by Customer to challenge or limit the disclosure.

8. Subprocessors

8.1

Customer authorizes Verito to engage Subprocessors to Process Customer Personal Data in connection with the Services. Verito will enter into a written agreement with each Subprocessor that imposes data-protection obligations materially consistent with the nature of the Services and no less protective of Customer Personal Data than the obligations imposed on Verito under this Addendum, taking into account the nature of the Services provided by the Subprocessor.

8.2

Verito will remain responsible for the acts and omissions of its Subprocessors to the extent required by applicable law and the Covered Agreement.

8.3

Verito will maintain an up-to-date Subprocessor list in Schedule 3 or at the URL identified in Schedule 3. For a new Subprocessor that will materially affect the Processing of Customer Personal Data, Verito will provide prior notice by updating the list or by direct notice. If Customer reasonably objects on data-protection grounds within fifteen (15) days after notice, the parties will work in good faith to address the objection. If the parties cannot resolve the objection within a reasonable period, Customer may terminate the affected Services on written notice, without penalty other than payment for Services provided through the effective date of termination.

9. Cross-Border Transfers

To the extent Verito transfers Customer Personal Data across borders in a manner that requires a transfer mechanism under Applicable Data Protection Laws, Verito will implement an appropriate transfer mechanism, which may include the EU Standard Contractual Clauses, the UK Addendum, an adequacy decision, or another lawful transfer mechanism. Upon Customer's reasonable request, the parties will execute any supplementary transfer terms reasonably necessary to document the applicable transfer mechanism for the Services.

10. Audits and Compliance Information

10.1

Upon reasonable written request, Verito will make available information reasonably necessary to demonstrate compliance with this Addendum, including then-current certifications, audit summaries, or security questionnaires customarily made available to customers, subject to confidentiality obligations.

10.2

Customer may conduct one audit in any twelve-month period, and additional audits only if required by Applicable Data Protection Laws, a regulator with jurisdiction over Customer, or following a confirmed Security Incident materially affecting Customer Personal Data. Audits must be conducted during normal business hours, with at least thirty (30) days' prior written notice, in a manner that does not unreasonably disrupt Verito's operations, and subject to Verito's security, confidentiality, and access policies.

10.3

Verito may satisfy audit requests through third-party reports, certifications, summaries, and responses to reasonable questionnaires where those materials address the subject matter of the request. Customer will bear its own audit costs and Verito's reasonable internal costs for audit support, unless an audit demonstrates a material breach of this Addendum by Verito.

11. Sector-Specific and Compliance-Support Provisions

11.1

To the extent Customer Personal Data includes information subject to the FTC Safeguards Rule, GLBA, IRS Publication 4557-related customer security expectations, or similar sector-specific regimes applicable to Customer, Verito will maintain safeguards reasonably designed to support Customer's compliance obligations for the Services purchased.

11.2

Unless the Covered Agreement expressly states otherwise, Verito does not act as Customer's Qualified Individual, compliance certifier, or legal advisor, and Customer remains responsible for its own written information security program, incident notifications, internal policies, and overall legal compliance.

11.3

Any references in sales, marketing, or service descriptions to frameworks, standards, guidance, or compliance support describe the nature of the Services and not an independent warranty of legal compliance.

12. Retrieval and Deletion

Upon expiration or termination of the Covered Agreement, Customer may retrieve Customer Personal Data during the retrieval period stated in the Covered Agreement. If the Covered Agreement does not specify a retrieval period, Customer will have thirty (30) days after the effective date of termination to retrieve Customer Personal Data using the functionality of the Services or with Verito's commercially reasonable assistance at Customer's expense. After the retrieval period, Verito may delete Customer Personal Data, subject to backup-retention cycles, legal retention requirements, and residual copies retained in the ordinary course of disaster recovery / archival systems.

13. Liability

The parties' liability arising out of or relating to this Addendum will be subject to the liability limitations, exclusions, disclaimers, and indemnification provisions set forth in the Covered Agreement, except to the extent prohibited by Applicable Data Protection Laws.

14. Governing Law; Venue; Dispute Resolution

This Addendum is governed by, and any dispute arising out of or relating to this Addendum will be resolved pursuant to, the governing-law, venue, arbitration, forum-selection, and dispute-resolution provisions of the applicable Covered Agreement, unless Applicable Data Protection Laws require otherwise.

15. General

15.1. Incorporation; Acceptance; Term

This Addendum is incorporated into and forms part of each Covered Agreement and remains in effect for so long as Verito Processes Customer Personal Data under the applicable Covered Agreement. Customer accepts this Addendum by entering into a Covered Agreement, accessing or using the website or Services after this Addendum is made available, or otherwise manifesting assent to the applicable Covered Agreement or Services.

15.2. Relationship of the Parties; No Third-Party Beneficiaries

The parties are independent contractors and not agents, partners, or joint venturers. This Addendum does not create any third-party beneficiary rights, except to the extent non-waivable rights arise under Applicable Data Protection Laws.

15.3. Notices

Notices, requests, consents, objections, and approvals under this Addendum must be in writing and may be delivered in the manner specified in the applicable Covered Agreement. If the Covered Agreement does not specify a notice procedure, notices under this Addendum may be given by email to the primary business contact associated with the Covered Agreement and will be deemed given upon delivery.

15.4. Entire Agreement; Order of Precedence; Interpretation

This Addendum, together with the applicable Covered Agreement, states the parties' entire agreement regarding the Processing of Customer Personal Data and supersedes prior or contemporaneous agreements on that subject matter. Headings are for convenience only. The words "including," "include," and similar terms are to be construed without limitation. In the event of a conflict between this Addendum and the Covered Agreement, this Addendum controls solely with respect to the Processing of Customer Personal Data.

15.5. Force Majeure

Except for Customer's obligation to pay fees owed under the Covered Agreement, neither party will be liable for delay or failure to perform obligations under this Addendum to the extent caused by a Force Majeure event, provided that the affected party uses commercially reasonable efforts to mitigate the effects of the event.

15.6. Survival

Sections 1, 2.2.3, 2.5, 2.6, 3, 5, 7, 10, 12, 13, 14, and 15 will survive expiration or termination of this Addendum for so long as applicable by their nature.

15.7. Amendments; Updates

Verito may amend this Addendum from time to time by posting an updated version at the URL referenced in the applicable Covered Agreement or otherwise making the updated Addendum available through the website or Services. Unless a different effective date is stated, an amendment becomes effective upon posting; provided, however, that material amendments that materially adversely affect Customer's rights under this Addendum will not apply to Customer until the earlier of (a) Customer's continued use of the Services after the effective date of the amendment, (b) Customer's entry into a new order, renewal, statement of work, or other Covered Agreement after the amendment is posted, or (c) as otherwise permitted by the applicable Covered Agreement or Applicable Data Protection Laws. Verito may update Schedules 2 and 3 in accordance with this Addendum.

15.8. Waivers and Severability

Any waiver must be in writing and signed by the waiving party's authorized representative, and no waiver will be implied from conduct. If any provision of this Addendum is held invalid, illegal, or unenforceable, that provision will be limited to the minimum extent necessary so that the remaining provisions remain in full force and effect.

Schedule 1 - Details of Processing

Element | Description
Subject matter | Processing of Customer Personal Data in connection with the Services described in the Covered Agreement.
Duration | For the term of the Covered Agreement, plus applicable retrieval, backup-retention, and deletion periods described herein.
Nature and purpose | Hosting, storage, backup, support, monitoring, infrastructure management, endpoint management, remote support, ticketing, security administration, disaster recovery, and related managed or professional services purchased by Customer.
Categories of data subjects | Customer personnel, Customer clients, Customer end users, business contacts, vendors, and other individuals whose personal data Customer submits to the Services.
Categories of personal data | Contact data, account data, business records, usage and device data, support records, financial and tax-related information, government identifiers, and other personal data Customer chooses to place into the Services.
Sensitive data | Only to the extent Customer submits sensitive personal data to the Services and the Services are designed to support such data. The scope and sensitivity of such data are determined by Customer.

Schedule 2 - Categories of Security Measures

Category | Description
Governance | Security policies, role-based responsibilities, incident-response procedures, and personnel training appropriate to the Services.
Access control | Authentication controls, role-based access, least-privilege principles, logging, and periodic access review practices appropriate to the Services.
Encryption and transmission protection | Encryption of data in transit and encryption or other protective controls for data at rest where appropriate to the Services and Verito's environment.
Infrastructure and endpoint security | Hardening, vulnerability management, patching, monitoring, endpoint or workload protections, malware defense, and backup controls appropriate to the Services, including but not limited to SOC 2 compliant data center facilities, and facilities that use controlled access, environmental protections (fire suppression, climate control, power redundancy).
Resilience and recovery | Backup, restoration, and business-continuity or disaster-recovery measures appropriate to the Services.
Vendor management | Risk-based review and contractual controls for relevant Subprocessors and service providers.
Testing and assessment | Periodic assessment of technical and organizational controls through risk assessments, internal reviews, questionnaires, or third-party evaluations as appropriate to the Services.

Schedule 3 - Subprocessors

Sub-processor | Purpose | Data Processed | Location
HubSpot | CRM and marketing automation | Contact data, account data | United States
Apollo.io | Contact data enrichment and verification | Contact data | United States
Microsoft (Azure/365) | Cloud infrastructure, productivity tools | Client Data (infrastructure level) | United States
Summit Hosting | Physical hosting infrastructure | Client Data (physical access only) | United States
Kaseya (Datto RMM) | Remote monitoring and management | Technical data, device data | United States
Veeam - VeritSpace / Kaseya (Datto Endpoint Backup) - VeritGuard | Backup storage and disaster recovery | Client Data (encrypted) | United States
CrowdStrike - VeritSpace / Kaseya (Datto AV/EDR) | Endpoint detection and response | Security event data, device data | United States