Data Processing Addendum

1. Background

1. ZenLeads Inc. (d/b/a Apollo.io) ("Apollo", "we", "our" or "us") entered into an Order Form and an agreement (the "Agreement") with the entity or organization named in the Agreement (“Customer", “you”, “your”, or “yours”) for the provision of our Services to you.
2. This Data Processing Addendum (the "DPA") between you and Apollo (each a "Party" and collectively the "Parties") is incorporated into and shall form part of the Agreement. Signatures of assent of the Parties to the Agreement will be deemed signature to, and acceptance and agreement of, this DPA and the Standard Contractual Clauses incorporated hereto.
3. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
4. Sections 4 through 6 apply solely where and to the extent Apollo is a Processor of Customer Personal Data. These Sections do not apply to the extent Apollo is a Controller of Personal Data, as described in Section 3.2.

2. Definitions

1. Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in the Agreement, and the following capitalized terms used in this DPA shall be defined as follows:
   
   
   1. "Controller" has the meaning given under the applicable Data Protection Laws that employ that term in designating between “processors” and “controllers” of personal data. Where applicable, “Controller” shall also have the same meaning as “Business” for the purposes of the CCPA.
   2. "Customer Personal Data" means Personal Data included in the Submitted Data that we Process on your behalf in connection with our provision of the Services. (For the avoidance of doubt, Customer Personal Data does not include any Personal Data as to which we act as a Controller.)
   3. "Data Privacy Framework" means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.
   4. “Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework; as may be amended, superseded, or replaced.
   5. "Data Protection Laws" means, solely where and to the extent applicable to the Processing of Customer Personal Data under the Agreement, any applicable national or state implementing legislation regarding privacy, data protection, or data security (including, where applicable and without limitation: the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act of 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018 (the “UK GDPR”), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CCPA”)), inclusive of any U.S. state law that draws a distinction between a data “controller” and a data “processor,” and, in each case as amended, replaced or superseded from time to time and together with implementing regulations.
   6. "Data Subject" has the meaning given under the applicable Data Protection Law(s), and shall also mean a “consumer” for purposes of Data Protection Laws using that term.
   7. "European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
   8. “Instructions” means your instructions to us to process the Customer Personal Data as provided under the Agreement, this DPA, through your use of the features and functionality of the Services or as otherwise mutually agreed by authorized signatories of both parties in writing.
   9. "Personal Data” has the meaning given under the applicable Data Protection Laws, and, where applicable, shall include information that is “Personal Information” for the purposes of the CCPA.
   10. "Processing" has the meaning given under the applicable Data Protection Laws, and "Process" and its cognates will be interpreted accordingly.
   11. "Processor" has the meaning given under the applicable Data Protection Laws that employ that term in designating between “processors” and “controllers” of Personal Data. Where applicable, “Processor” shall also have the same meaning as “Service Provider” for the purposes of the CCPA.
   12. "Security Incident" means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Data in Apollo’s possession or otherwise under Apollo’s control.
   13. "Standard Contractual Clauses" means either or both of the following, as the context requires, along with any successor clauses thereto:
       
       
       1. The “EU SCCs”, meaning the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (located http://data.europa.eu/eli/dec_impl/2021/914/oj.) and completed as set forth herein.
       2. The “UK SCCs”, meaning the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-DPA.pdf) and completed as set forth herein.
   14. "Subprocessor" means any Processor engaged by us who agrees to receive from us Customer Personal Data.
   15. "Supervisory Authority" shall mean the data protection supervisory authority (including any cognate terms) as defined under the applicable Data Protection Laws.
   16. “Third Party” has the meaning given in the CCPA.

3. Data Processing

1. When We Act as a Processor. To the extent that we Process Customer Personal Data solely to provide you with Services, such as to Process your Customer Personal Data in order to (i) match it to and provide you with Output Data, (ii) provide emailing, prospecting, recording, meeting, calendar or other similar Services to you, or (iii) provide enhanced Services with artificial intelligence capabilities, we are acting as a Processor and you are acting as a Controller. When we act as a Processor, we will only Process Customer Personal Data in accordance with your Instructions, and we will notify you in the unlikely event that Data Protection Law requires us to process Customer Personal Data other than pursuant to the Instructions (unless prohibited from doing so by applicable law). As a Processor, to the extent required by Data Protection Laws, we:
   
   
   1. acknowledge that Customer Personal Data is disclosed only for the limited and specified business purposes set forth under the Agreement (“Business Purposes”) and will not retain, use, or disclose Customer Personal Data outside of the direct business relationship between you and us, or for any purpose (including any commercial purpose) other than the Business Purposes or as otherwise permitted by Data Protection Law;
   2. will not “sell” any Customer Personal Data “share” Customer Personal Data or Process any Customer Personal Data for purposes of targeted advertising, as such terms are defined in Data Protection Laws;
   3. will comply with any applicable restrictions under the CCPA on combining Customer Personal Data with other data; and
   4. will provide the same level of protection for the Customer Personal Data subject to the CCPA as is required of Customer under the CCPA and comply with all applicable provisions of the CCPA. We will notify you in the event we determine that we can no longer comply with our obligations under the CCPA.
2. When We Each Act as Controllers. We are each independent Controllers, and (for CCPA purposes), each a Business as to Personal Data included in Output Data and Account Information when such Output Data or Account Information, as the case may be, is in our respective possession. For the avoidance of doubt, this means that Apollo is an independent Controller of all Personal Data in its Contributor Database, including Personal Data that has been enriched and/or verified by Submitted Data or otherwise contributed by you as set forth in Section 6(b)(iii) of the Agreement. You are an independent Controller when you provide such Personal Data to us. For the avoidance of doubt, Apollo is also the Controller of any Personal Data included in the Service Metadata.
3. Required Notices and Consents. You shall have sole responsibility and liability for the means by which you acquire Customer Personal Data and provide such data to us. In particular, where required by Data Protection Laws, you will ensure that you have provided/will provide all necessary notices and have obtained/will obtain all necessary consents for the Processing of Customer Personal Data as contemplated in the Agreement.

4. Subprocessors

1. Authorized Subprocessors. You agree that we may use the Subprocessors listed at https://trust.apollo.io/ to Process Customer Personal Data.
2. Adding New Subprocessors. We shall notify you of any changes concerning the addition of a new Subprocessor at least thirty (30) days before the new Subprocessor commences its Processing of Customer Personal Data (the “Notice”). We will provide Notice by either (a) posting such Subprocessors at the following webpage: https://www.apollo.io/company/privacy-center or https://trust.apollo.io/, or (b) sending an email to the last known email address we have on file. If you object to a new Subprocessor on reasonable grounds related to the protection of Customer Personal Data, then without prejudice to any right to terminate the Agreement, the Parties shall attempt to negotiate a resolution in good faith. If the Parties cannot agree on a resolution within 30 days of your objection to a new Subprocessor, then you may terminate the Agreement immediately upon written notice to us and you shall be entitled to a refund of any prepaid fees for services unused as of the effective date of termination. This termination right and refund is your sole and exclusive remedy if you object to any new Subprocessor. If you do not object within thirty (30) days of receipt of the Notice, you are deemed to have accepted the new Subprocessor.
3. Subprocessor Agreements. We will enter into a written agreement with each Subprocessor that imposes substantially similar data protection obligations on the Subprocessor with regard to their Processing of Customer Personal Data, as are imposed on us where we are acting as a Processor under this DPA.
4. Liability of Subprocessors. We will be liable to you for the acts and omissions of any Subprocessor as if they were our acts and omissions.

5. Data Security, Audits, and Security Notifications; Deletion and Retention

1. Apollo Security Obligations. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures set out in Exhibit 2.
2. Demonstrating Compliance. Upon your reasonable request, we will make available all information reasonably necessary to demonstrate our compliance with our obligations under Data Protection Law(s).
3. Security Incident Notification. If we become aware of a Security Incident we will (a) notify you of the Security Incident without undue delay (and in any event within 72 hours), (b) investigate the Security Incident and provide you (and any law enforcement or regulatory official, as required by Data Protection Law) with reasonable assistance as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.
4. Apollo Employees and Personnel. We will treat the Customer Personal Data as confidential and shall ensure that any employees or other personnel who are subject to a binding duty of confidentiality with respect to the Customer Personal Data (both during the term of their employment or engagement and thereafter).
5. Audits. We will, upon your reasonable request and where and to the extent so required by Data Protection Law, allow for, cooperate with, and contribute to assessments and audits (including inspections, of our compliance with the applicable Data Protection Law, conducted by you (or a third party on your behalf and mandated by you) provided (a) such audits or inspections are not conducted more than once per year (unless requested by a Supervisory Authority); (b) are conducted only during business hours; and (c) are conducted in a manner that causes minimal disruption to Apollo’s operations and business.
6. Remediation Right. Where and to the extent such a right is explicitly provided under the CCPA, you retain the right, upon reasonable notice to us, to take reasonable and appropriate steps to (a) ensure that we are using Customer Personal Data we collected pursuant to the Agreement in a manner consistent with your obligations under CCPA, and (b) stop and remediate unauthorized use of Customer Personal Data.
7. Deletion of data. Subject to Section 5.8 below, we will, at your election within 90 (ninety) days of the date of termination of the Agreement:
   
   
   1. delete all Customer Personal Data Processed by us or any Subprocessors; or
   2. return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified to us by you.
8. Retention. We and our Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws; provided that we ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.

6. Access Requests and Assistance with Compliance

1. Government Disclosure. We will notify you of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
2. Assistance Generally. Solely to the extent and in the manner required under Data Protection Laws, we will provide reasonable assistance to you for your compliance with such laws, including, without limitation, as set forth in Sections 6.3 and 6.4.
3. Data Subject Rights. To the extent required under Data Protection Laws, and taking into account the nature of the Processing, we will use reasonable endeavors to assist you by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising Data Subject rights laid down in Data Protection Laws.
4. Data Protection Impact Assessments; Prior Consultations. To the extent required under Data Protection Laws: (a) we will provide you with reasonably requested information regarding our Services to enable you to carry out data protection impact assessments (including any similar assessments under Data Protection Laws) or prior consultations with any Supervisory Authority, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to us; and (b) we shall provide reasonable assistance to you in the cooperation or consultation with a Supervisory Authority as it relates to the Processing of Customer Personal Data hereunder.

7. Controller Obligations

1. In the course of acting as a Controller (and/or Third Party), such Party shall:
   
   
   1. Limit its use of Personal Data received from the other Party to the limited and specific purposes set forth in the Agreement or any applicable Order Form, and (without limitation of the foregoing) to purposes that it reasonably believes an average consumer would reasonably expect.
   2. Comply with its own obligations under Data Protection Laws applicable to it as a Controller, including (without limitation) as to any Data Subject rights to deletion, access, and “opt-out” of “sale” or “sharing” of Personal Data (as such terms are defined in Data Protection Laws).
   3. Notify the other Party about all valid opt-out, deletion, or other data subject requests, as and to the extent required by Data Protection Laws. You shall cooperate and comply with any such notification made by Apollo to you with respect to Output Data in a timely manner. Without limitation of the foregoing, Apollo may make opt-out and deletion information available in the activity log of your account or via a database available on https://www.apollo.io/privacy or another secure webpage, and (to the extent you continue to hold any Output Data) you agree to apply all such opt-out or deletion requests to any Output Data you continue to hold in a timely manner.
   4. As to any Personal Data received from the other Party, implement and maintain reasonable security procedures, as appropriate to the level of sensitivity and confidentiality applicable to such Personal Data.
   5. Upon request, provide the other Party with reasonable assurances, in writing, as may be necessary to permit the other Party to ensure that it has employed Personal Data subject to the Agreement as contemplated by the Agreement.
   6. For Personal Data subject to the CCPA, provide the same level of protection to the Personal Data as the Party providing the Personal Data is required to provide under the CCPA, and notify the other Party if it determines that it is no longer able to comply with its CCPA obligations.
2. Solely where and to the extent the CCPA applies to such Processing, the Party providing the Personal Data retains the right, upon reasonable notice, to (a) take reasonable and appropriate steps to ensure that the other Party uses Personal Data consistent with the CCPA, and (b) stop and remediate any unauthorized Processing of Personal Data made available to the other Party.

8. Data Transfers

1. Transfers Mechanism. To the extent that the Processing of Personal Data involves the transmission of such Personal Data to a country or territory outside the country from which such Personal Data was provided to the Party receiving the data (the “data importer”), the Parties will comply with any requirements under Data Protection Laws regarding such transfers. To the extent required by Data Protection Laws, the data importer shall ensure that a lawful data transfer mechanism is in place prior to engaging in any onward transfers of Personal Data from one country to another.
2. Data Privacy Framework. At the time of the execution of the Agreement, Apollo participates in and certifies compliance with the Data Privacy Framework. As required by the Data Privacy Framework, Apollo will: (a) provide at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (b) notify Customer if Apollo makes a determination it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles (in which event Apollo will cease such processing or take other reasonable and appropriate steps to remediate). Where and to the extent that the Data Privacy Framework applies, Apollo will use the Data Privacy Framework to lawfully receive Customer Personal Data and/or Personal Data in the United States.
3. EU SCCs. To the extent legally required (for example, if the Data Privacy Framework does not cover the transfer to Apollo and/or the Data Privacy Framework is invalidated), the Parties are deemed to have entered into and signed the EU SCCs and its Annexes, which form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict. Except as described in Sections 8.4 and 8.5 below, the EU SCCs are deemed completed as follows: In the course of acting as a Controller (and/or Third Party), such Party shall:
   
   
   1. Module 1 applies to transfers of Personal Data where both Parties are independent Controllers (as described in Section 3.2 of this DPA). Module 2 of the EU SCCs applies to transfers of Customer Personal Data from Customer (the Controller) to us (the Processor).
   2. Clause 7 (the optional docking clause) is included.
   3. Clause 9 of Module 2 (Use of sub-processors): The Parties select Option 2 (General written authorization). The initial list of Subprocessors and the procedures for updating such list are set forth in Sections 4.1 and 4.2 of this DPA.
   4. Clause 11 (Redress): The optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body is not included.
   5. Clause 17 (Governing law): The Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights) and select the law of Ireland.
   6. Clause 18 (Choice of forum and jurisdiction): The Parties select the courts of Ireland.
   7. Annex I is completed as set forth in Exhibits 1A, 1B and 1C of this DPA. For Annex I(C), the Parties select the Irish Data Protection Commission. Annex II is completed as set forth in Exhibit 2 of this DPA. Annex III is not applicable because the Parties have chosen General Authorization under Clause 9.
4. UK SCCs. To the extent legally required, by entering into this DPA, the Parties are deemed to have entered into and signed the UK SCCs, which form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. The Tables within the UK SCCs are deemed completed as follows:
   
   
   1. Table 1: The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, and the Key Contact shall be the contacts set forth in Exhibits 1A, 1B and IC of this DPA, as applicable.
   2. Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties and completed above, except that: (a) Clause 17 (Governing law): The Parties choose the law of England and Wales; (b) Clause 18 (Choice of forum and jurisdiction): The Parties select the courts of England and Wales and (c) Annex 1C and Clause 13 the Parties select the UK Information Commissioner.
   3. Table 3: Annex I is set forth in Exhibits 1A, 1B and 1C of this DPA. Annex II is set forth in Exhibit 2 of this DPA. Annex III is inapplicable.
   4. Table 4: We may end this DPA as set out in Section 19 of the UK SCCs.
5. Swiss Data. For transfers of Personal Data that are subject to the Swiss Federal Act on Data Protection (“FADP”), the EU SCCs form part of this DPA as set forth above, but with the following differences to the extent required by the FADP:
   
   
   1. References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR, and references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of FADP revisions that eliminate this broader scope.
   2. The term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
   3. The relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
   4. The EU SCCs shall be modified as follows: (a) Clause 17 (Governing law): The Parties choose the law of Switzerland; (b) Clause 18 (Choice of forum and jurisdiction): The Parties select the courts of Switzerland and (c) Annex 1C and Clause 13 the Parties select the Swiss Federal Data Protection and Information Commissioner.

9. Limitation of Liability

Notwithstanding anything to the contrary in the Agreement or this DPA, each party’s entire liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, and any other data protection agreements or security addendum signed by the parties (“Ancillary Agreement”) in connection with the Agreement (if any), whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations on liability section in the Agreement, and any reference in such section to the liability of a party means the total aggregate liability of that party under the Agreement, this DPA and any Ancillary Agreement (if any) together.