Last Updated: October 20, 2023
Data Processing Addendum
This Data Processing Addendum (“DPA”) is a part of Simply-B2B’s Terms & Conditions, and sets forth the parties’ rights and obligations in respect of the processing of the Company in relation to the Simply-B2B Services, to the extent that the same is subject to Applicable Privacy and Data Protection Laws.
If there is any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail. If there is any conflict between the Standard Contractual Clauses and the terms of this DPA, the Standard Contractual Clauses shall prevail.
1.1 “Agreement” means subscription purchase, together with Simply-B2B’s Terms & Conditions, available at https://simply-b2b.com/terms-and-conditions, unless there is a separately negotiated agreement for Simply-B2B Services between you and Simply-B2B, then “Agreement” means that agreement.
1.2 “Applicable Privacy and Data Protection Laws” means collectively all local privacy and data protection laws, rules, and regulations that apply to the parties with regard to the processing of Personal Data in connection with the Agreement, including, only to the extent applicable and when legally effective (including those that come into effect after the “Last Updated” date above): the California Consumer Privacy Act (including as amended by the California Privacy Rights Act of 2020) (“CCPA”); the European Union’s General Data Protection Regulation (“GDPR”); and the United Kingdom’s General Data Protection Regulation (“UK GDPR”).
1.3 “Company,” “you,” and “your” mean the Simply-B2B customer that has entered into the Agreement for Simply-B2B Services.
1.4 “Company User” means a Data Subject for whom the Company initiates and administers a Simply-B2B account, Data Subjects acting on behalf of the Company to administer the Simply-B2B Service, and users of the Linkedin platform (https://linkedin.com), further referred to as “LinkedIn”) whose data is being searched, collected, and structured on Simply-B2B Services.
1.5 “Company User Data” means the Personal Data of Company Users that is submitted to Simply-B2B in connection with the Simply-B2B Services.
1.6 “Controller” means the party that controls the purposes and means of processing, and shall include ‘controller’, ‘business’, and other similar terms under Applicable Privacy and Data Protection Laws.
1.7 “Data Subject” means ‘data subject’, ‘consumer’, or similar terms under Applicable Privacy and Data Protection Laws.
1.8 “Simply-B2B Services” means the Simply-B2B-branded online platform and other services provided by Simply-B2B pursuant to subscription purchase, or other, by Company and that involves the transfer of Company User Data to Simply-B2B.
1.9 “Personal Data” means all ‘personal data’, ‘personal information’, or similar terms under Applicable Privacy and Data Protection Laws.
1.10 “Processor” means a party that processes Personal Data on behalf of another party, and shall include ‘processor’, ‘service provider’, and other similar terms under Applicable Privacy and Data Protection Laws.
1.11 “Sensitive Data” means ‘sensitive personal information’, ‘sensitive data’, ‘special categories of personal data’, and Personal Data similarly classified under Applicable Privacy and Data Protection Laws.
1.12 “Standard Contractual Clauses” means the standard contractual clauses approved pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021, populated in accordance with Section 8 of this DPA. For transfers of Personal Data subject to UK GDPR, the Standard Contractual Clauses also include the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”), populated in accordance with Section 8 of this DPA.
1.13 “Simply-B2B” means, for the purpose of this DPA, Levaro Ltdd, a company registered in England with company registration number 15235673, https://simply-b2b.com/.
1.14 The terms “commercial purpose”, “personal data breach”, “process”, “sell”, “share”, and their cognates shall have the same meaning as under Applicable Privacy and Data Protection Laws.
2.1. To the extent Company User Data is subject to Applicable Privacy and Data Protection Laws, the parties agree that with respect to processing Company User Data in the provision of the Simply-B2B Services, the Company is the Controller, and Simply-B2B is a Processor.
2.2. The Company acknowledges and agrees that notwithstanding Section 2.1, Simply-B2B and its affiliates may collect and process certain data directly from Data Subjects in their capacity as users of other Simply-B2B Services. Though these Data Subjects may also be Company Users, Simply-B2B acts as a Controller for Personal Data collected or submitted outside of the Simply-B2B Services.
2.3. The parties agree and acknowledge that the subject matter and details of processing are set out in Annex I.
3. Terms of Processing by
3.1. Simply-B2B agrees that it will:
3.1.1. Process Company User Data only (a) for the provision of the Simply-B2B Services to Company according to the written instructions set forth in the Agreement or as otherwise instructed by Company, and (b) as permitted as a Processor under Applicable Privacy and Data Protection Laws (collectively, the “Agreed Purposes”);
3.1.2. Ensure that anyone acting on its behalf will process Company User Data according to the provisions of this DPA and applicable data protection regulations, and is bound by an appropriate obligation of confidentiality;
3.1.3. Notify the Company if Simply-B2B becomes aware of any circumstance that would prevent it from fulfilling the Company’s instructions under this DPA;
3.1.4. Notify the Company if Simply-B2B becomes aware that any applicable law or regulation prevents it from fulfilling the instructions received from the Company and its obligations under this DPA;
3.1.5. Notify the Company within the time period required by Applicable Privacy and Data Protection Laws if it determines it can no longer meet its obligations under Applicable Privacy and Data Protection Laws and allow the Company to take reasonable and appropriate steps to stop and remediate unauthorized processing of Company User Data;
3.1.6. Upon the Company’s request, provide information to reasonably enable the Company to conduct and document data protection assessments; and
3.1.7. To the extent required under Applicable Privacy and Data Protection Laws, not more than once annually, allow and cooperate with reasonable assessments by the Company or its designated assessor, to conduct an assessment of Simply-B2B’s technical and organizational measures in support of the obligations under Applicable Privacy and Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments, and subject to reasonable access and confidentiality restrictions. If Simply-B2B engages its own assessor, it shall provide a summary report to the Company upon request, which shall satisfy Simply-B2B’s obligations under this Section 3.1.7.
3.2. Subject to Section 3.1.1., Simply-B2B will not:
3.2.1. Sell or share the Company User Data;
3.2.2. Retain, use, or disclose the Company User Data for any purpose other than the Agreed Purposes;
3.2.3. Retain, use, or disclose the Company User Data outside of the direct business relationship between the Company and Simply-B2B; or
3.2.4. Combine Company User Data with Personal Data Simply-B2B receives from other customers.
4. Terms of Processing by Company
4.1. The company agrees that it will:
4.1.1. Collect, use, and process Company User Data in accordance with Applicable Privacy and Data Protection Laws, including obtaining any necessary consents, licenses, and approvals;
4.1.2. Have sole responsibility for the accuracy, quality, and legality of Company User Data and the means by which it was obtained; and
4.1.3. Not submit to Simply-B2B or otherwise cause Simply-B2B to Process any Sensitive Data. Without limiting Sections 4.1.1. and 4.1.2., The company acknowledges that Simply-B2B will not assess the contents of Company User Data to identify information subject to any specific legal requirements.
5. Security & Compliance
5.1. Simply-B2B shall implement reasonable technical, organizational and security measures to protect the privacy and security of the Company User Data.
5.2. Simply-B2B shall assist the Company, within reasonable timetables, by the appropriate measures and as reasonably possible (considering the nature of the processing and the information available to), in complying with its obligations under Articles 32 to 36 of the GDPR.
5.3. Any storage and/or transfer of Company User Data by the Company to any third party or platform other than Simply-B2B shall be at the sole risk and responsibility of the Company.
5.4. If Simply-B2B becomes aware of any personal data breach affecting Company User Data, Simply-B2B will, without undue delay, provide notification to the Company in accordance with applicable regulations. Simply-B2B’s notification of a personal data breach will not be deemed as an acknowledgment by Simply-B2B of any fault or liability with respect to such an incident. In the event of a personal data breach, the Company shall be obligated to take the measures required under applicable laws in connection with its Company User Data. Where requested, Simply-B2B will assist the Company with communicating with regulators regarding the personal data breach.
5.5. Upon reasonable written request, Simply-B2B will make available to the Company information necessary to demonstrate compliance with its obligations under this DPA and applicable law.
6.1. Simply-B2B is hereby generally authorized by Company to engage any sub-processor, provided that Simply-B2B shall (i) ensure in each case that the sub-processor is bound by data protection obligations that are substantially the same as, and in any event no less onerous than those contained in this DPA; and (ii) subject to the terms of the Agreement (including but not limited to any limitations on liability agreed therein), remain fully liable to Company for the performance of that sub-processor’s obligations. For a list of current sub-processors, see Annex III.
6.2. Simply-B2B shall notify the Company of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Company the opportunity to object to such changes. Notice will be provided by email to the email address(es) submitted by the Company. If the Company objects to any sub-processing by Simply-B2B, the Company should immediately discontinue its use of the Simply-B2B Services.
7. Individual Rights Requests
7.1. To the extent required under Applicable Privacy and Data Protection Laws, Simply-B2B will take appropriate measures to assist the Company in complying with its obligations under Applicable Privacy and Data Protection Laws in responding to Data Subject rights requests.
7.2. Simply-B2B will notify the Company when it receives a Data Subject rights request for erasure or access to information directed toward Company User Data. The company shall provide direction to Simply-B2B regarding whether to fulfill such requests.
8. International Transfers
8.1. Standard Contractual Clauses
8.1.1. Company understands and agrees that Simply-B2B operates the Simply-B2B Service primarily from the United States and as such, Company User Data will be transferred from Company’s location and/or the applicable Data Subject’s location to Simply-B2B in the United States. Simply-B2B will ensure such transfers are made in compliance with Applicable Privacy and Data Protection Law, including by relying on the Standard Contractual Clauses (Module 2: Transfer Controller to Processor), which are hereby incorporated into this DPA, and which are deemed to be completed, populated and incorporated as follows:
- Clause 7: the optional clause is included;
- Clause 11(a): the optional clause is disregarded;
- Clause 13(a): For the competent supervisory authority, insert the Information Commissioner’s Office of UK;
- Clause 17: the governing law shall be that of the England and Wales; and
- Clause 18: any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the England and Wales.
8.1.2. Company and Simply-B2B agree that subscription purchase will constitute and have effect as signature of Annex IA and Annex II of the Standard Contractual Clauses in relation to any transfers falling within Section 8.1.1. that are required in relation to the Simply-B2B Services, and which are set out in a relevant, fully and appropriately populated version Annex I, Annex II and Annex III (below) to the Standard Contractual Clauses together (where applicable) with the UK Addendum.
8.2. Supplementary Measures. If Simply-B2B receives an order from any third party for compelled disclosure of Personal Data that has been transferred using the Standard Contractual Clauses, Simply-B2B will:
8.2.1. Use every reasonable effort to redirect the third party to request the data directly from Company;
8.2.2. Promptly notify the Company, unless prohibited by law;
8.2.3. Request a reasonable extension of time from the third party to allow the Company to evaluate the request; and
8.2.4. Use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies or conflicts with the laws of the EU, Switzerland, UK or applicable EU member state law.
If, after exhausting these steps, Simply-B2B remains compelled to disclose Personal Data to a third party, Simply-B2B will disclose only the minimum necessary to satisfy the request.
8.3 Transfers from the UK. In relation to Personal Data that is protected by the UK GDPR, the UK Addendum will apply, completed as follows:
8.3.1. The EU SCCs shall also apply to transfers of such Personal Data, subject to sub-section below;
8.3.2. Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above in Section 8.1.1 of this Addendum, and the option “neither party” shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the date of this Addendum.
9. Term and Termination
9.1. This DPA shall be in effect for as long as Company uses any of the Simply-B2B Services, provided however, that where Simply-B2B is obligated, according to the terms of this DPA or any Simply-B2B’s Terms & Conditions, to retain Company User Data following the termination or expiration of the Simply-B2B Services, this DPA shall continue to be in effect for as long as Simply-B2B holds such data.
9.2. Upon termination or expiration of the Agreement, and unless Simply-B2B has a lawful basis to retain such Company User Data under Simply-B2B’s Terms & Conditions, any agreement or applicable law, Simply-B2B shall enable Company, through its admin account, to delete the Company User Data. If Company does not take any action to delete, Simply-B2B will delete it when retention is no longer necessary for the purposes for which it was collected or required to be retained under applicable law.
9.3. Simply-B2B shall have the right to amend and/or adjust any of the terms of this DPA as may be required from time-to-time, in order to comply with any applicable laws or regulations.
9.4. Any questions regarding this DPA or requests from Company to support the fulfilment of Data Subject rights requests should be addressed to support@Simply-B2B.com. Simply-B2B will attempt to resolve any complaints regarding the use of Company User Data in accordance with this DPA and Simply-B2B’s Terms & Conditions.
9.5. In the event of inconsistency with the terms of this DPA and any other agreement between the parties, the terms of this DPA shall prevail.
Annex I: Details of the Processing
A. List of Parties
|Data Exporter is the Company identified in the associated Agreement.
|128 City Road, London EC1V 2NX
|Contact person’s name, position and contact details:
|_, CEO, email@example.com
|Activities relevant to the data transferred under these Clauses:
|In accordance with the Simply-B2Bs’s Terms & Conditions, associated Agreement agreed upon between Data Exporter and Data Importer.
|Signature and date:
|The parties agree that subscription purchase constitutes signature of this Annex I. The date is according to the date of purchase.
B. Description of Transfer
|The subject matter of the data processing under this DPA is Company User Data.
|The data subjects are Company Users.
|Nature of the processing:
|Simply-B2B processes Company User Data to provide the Simply-B2B Services, including the provision of streamline services for marketing on the LinkedIn social network, which requires the processing of personal data of LinkedIn registered users by the Processor on behalf of the Controller
|The duration of the processing is equal to the duration of Company’s use of the Simply-B2B Services and associated agreement.
C. Purpose of processing and Personal data categories
|Category of personal data
|To allow Controller to prepare and conduct LinkedIn marketing activities
|Profile photo, name, occupation, company, url, inbox messages, date and time of the message
|To allow Controller to find people from its LinkedIn connections
|Profile link, profile picture, full name, status (contact / new contact / ex-contact / connection sent) type of connection (1st / 2nd / 3rd / group connections), occupation, tags, connected since, campaign assigned, filter words from profile
|To allow Controller to automate interactions with LinkedIn contacts
|Inbox messages, connection status (contact / new contact / connect requested), message status (email required / no interaction / awaiting reply / replied) name of message recipient, date and time when the message was sent
|To allow Controller to find people on LinkedIn
|Profile picture, name, occupation, company, url, post engagement, post author
|To allow Controller to track the status of its connection requests on LinkedIn
|Profile picture, name, occupation, tags, actions
|To allow Controller to sort its LinkedIn connections
|Name, campaign affiliation, tags, actions to be done
|To allow Controller to integrate third-party tools
|LinkedIn Controller data from and a third-party tool: name, event, campaign, tags, target url, history, time delta, test
|To allow Controller to import its LinkedIn contacts and blacklists to Processor’s platform
|Contact id, first name, last name, profile link, job title, company name, email, phone, address, image link, tags, contact status, conversation status, object urn, public identifier, profile link public identifier, message thread link, invited at, connected at
|To allow Controller to analyse whether a LinkedIn contact responded to its message positively
|Conversation status (success / failure)
|To allow Controller to export LinkedIn publicly available data found via Processor’s platform
|First Name, Last Name, Campaign Name, Profile Url, Occupation, Current Company, Email, Phone, Country, Website, Twitter, Business Email, Last Step Execution, Status, Lead Tags, Lead Conversation, Is Connection Accepted Detected
|To allow the Controller to analyse the efficiency of its social/marketing activities on LinkedIn
|Day-by-day (periodical) statistics, total statistics, communication statistics, campaign statistics, task statistics based on personal data listed above
D. Competent Supervisory Authority
UK’s Information Commissioner’s Office
Annex II: Technical and Organizational Measures to Ensure the Security of the Data
Simply-B2B maintains internal Information Security and Privacy Policies. These policies include standards for information security management as required by the EU’s General Data Protection Regulation (GDPR) and other privacy or data security laws, regulations, or standards. The following spotlight controls demonstrate Simply-B2B’s information security framework:
- Monitoring of API endpoints;
- Limitation and management of access rights to personal data;
- SSH protocol for accessing LinkedIn login data;
- Database encryption at-rest;
- VPN for accessing servers;
- Secure (https://) connection;
- Compliance with password protection and management, access control policies;
- Usage of antivirus software and firewalls;
- Employees are aware of and trained on their respective data protection responsibilities;
- Regular back-ups of the data processed.
Annex III: Sub-Processors
The Controller has provided a general authorization for use of sub-processors per Section 6.1 of the DPA. The Sub-processors currently engaged by Processor and authorized by Controller are:
|Amazon Web Services, Inc
|Cloud infrastructure hosting and data warehouse provider