Supplemental Terms & Conditions (Contacts Feature)
Last updated: November 25, 2021
If the Contacts feature is included among the License Features ordered by Licensee, the following terms shall apply:
1. Business Information Terms and Conditions.
1.2 Terms of Existing Agreement. In the event Similarweb and Licensee have an existing valid agreement for the provision of Similarweb services and/or products (an “Existing Agreement”), and the Contacts Feature is being added to the License features under the Existing Agreement, then, notwithstanding anything to the contrary in such Existing Agreement, the following terms and conditions shall apply: (a) any representations, warranties and/or other provisions provided by Similarweb under the Existing Agreement with respect to Personal Data are of no further force and effect; and (b) SIMILARWEB’S MAXIMUM AGGREGATE LIABILITY UNDER, ARISING OUT OF OR RELATING TO THE CONTACTS FEATURE SHALL NOT EXCEED THE TOTAL AMOUNT OF LICENSE FEES PAID BY LICENSEE TO SIMILARWEB DURING THE TWELVE (12) MONTHS PRECEDING THE DATE THE LIABILITY FIRST ARISES; ANY SUCH LIABILITY ARISING OUT OF OR RELATING TO THE CONTACTS FEATURE SHALL BE CUMULATIVE WITH ANY OTHER LIABILITIES OF SIMILARWEB UNDER THE EXISTING AGREEMENT FOR PURPOSES OF DETERMINING SIMILARWEB’S MAXIMUM LIABILITY.
- Canada (commercial organizations)
- Faroe Islands
- Isle of Man
- New Zealand
- United Kingdom
- United States
DATA PROCESSING AGREEMENT (“DPA”)
This DPA forms part of the Purchase Order/Service Order Terms & Conditions (“Terms & Conditions”) entered into between Similarweb and Licensee.
“DP Laws” means any applicable data protection and privacy laws relating to the protection of individuals with regard to the processing of personal data, including but not limited to (i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); (ii) the GDPR as transposed into the national laws of the United Kingdom (“UK GDPR”); (iii) Directive 2002/58/EC (“ePrivacy Directive”); (iv) the UK Data Protection Act 2018; and (v) any corresponding or equivalent national laws or regulations including any amendment, supplement, update, modification to or re-enactment of such laws;
“controller”, “data subject”, “personal data”, “personal data breach”, “process/processing”, “sub-processor” and “supervisory authority” shall have the same meaning as in the DP Laws;
“Legal Process” means any criminal, civil, or administrative subpoena, mandatory request, warrant or court order issued by a Public Body, including but not limited to subpoenas, warrants and orders authorized under local, regional, state, national and/or federal laws or regulations or any other laws applicable to Licensee in any Restricted Country;
“Public Body” means any local, regional, state, national or federal law enforcement authority, regulator, government department, agency or court in any Restricted Country;
“Restricted Country” means any country (i) which is not a member of the European Economic Area; or (ii) which has not been approved by the European Commission or the UK Government pursuant to Article 45 of the GDPR or the UK GDPR (as applicable), as ensuring an adequate level of data protection in relation to personal data;
“Restricted Transfer” means a transfer of personal data between the Parties which, in the absence of the SCCs, would be unlawful under DP Laws; and
“SCCs” means either module 1 of the Standard Contractual Clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) or the Standard Contractual Clauses (controllers) set out in Decision 2004/915/EC; as amended or replaced from time to time, pursuant to Article 46 of the GDPR (“UK SCCs”).
2. The Parties acknowledge that each will be a separate and distinct independent controller in relation to the personal data which they process and the Parties shall each comply with their respective obligations under the DP Laws in respect of their processing of personal data.
3. Licensee acknowledges, confirms and represents that it shall (i) process the personal data solely in accordance with the Terms & Conditions, for the purposes set out in Annex 1 (“Purpose”) and in accordance with DP Laws; (ii) where applicable, provide necessary fair processing notices and obtain relevant permissions as required by DP Laws; (iii) have a lawful basis to process personal data for the Purpose; and (iv) implement appropriate technical and organisational security measures in relation to processing the personal data, which shall ensure a level of security appropriate to the risk and at a minimum shall include all the measures set out in Annex 2 of this DPA.
4. Data Processing
4.1 Licensee shall:
- notify Similarweb as soon as reasonably practicable upon becoming aware of a personal data breach, not refer to Similarweb in any notification of such breach to a supervisory authority or third party unless required to do so by applicable EU or UK laws, and, where reasonably practicable, provide a copy of any proposed notification and consider in good faith any comments made by Similarweb before notifying the personal data breach to any third parties;
- in the event of a personal data breach, take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effect;
- where applicable, designate a representative located in the EU (“EU Representative”) and/or the UK (“UK Representative”) and make available the EU Representative’s and the UK Representative’s contact details to Similarweb, in accordance with DP Laws;
5. Where Licensee engages sub-processors in an arrangement that involves a Restricted Transfer, Licensee shall ensure that an adequate safeguard is in place between the Licensee and the sub-processor to protect the transferred personal data in compliance with DP Laws. Licensee shall make available evidence of such safeguard to Similarweb on reasonable request.
6. Each party will, on request, provide all assistance, information and cooperation reasonably necessary to enable the other party to comply with DP Laws in relation to the personal data, in particular with respect to responding to requests by data subjects and/or supervisory authorities, and personal data breaches.
7. Restricted Transfers
7.1. If there are Restricted Transfers of personal data, the following terms shall apply. In each case, the data exporter is Similarweb and the data importer is the Licensee, and the description of the transfer (Annex I of the EU SCCs; Annex B of the UK SCCs) is as set out in Annex 1 to this DPA:
- With respect to Restricted Transfers subject to the EU GDPR, Module 1 of the EU SCCs shall apply and is hereby incorporated into this DPA by reference. Clause 7 and the optional language in clause 11(a) shall not apply, the supervisory authority for the purposes of clause 13(a) shall be determined by the place of establishment of the data exporter’s (or its parent company’s) representative, the governing law and choice of forum and jurisdiction shall be that of the Republic of Ireland, and the technical and organisational security measures shall be as set out in Annex 2.
- With respect to Restricted Transfers subject to the UK GDPR, the UK SCCs shall apply and are hereby incorporated into this DPA by reference. For the purpose of clause 2.8 of the UK SCCs, the Parties shall be deemed to have selected option 2.8.3.
7.2. If at any time the supervisory authority in the United Kingdom approves the EU SCCs for use under the UK GDPR, the provisions of clause 7.1(a) shall apply in place of clause 7.1(b) in respect of transfers subject to the UK GDPR subject to any modifications to the EU SCCs required by the UK GDPR (and subject to the governing law of the EU SCCs being English Law).
7.3. Licensee warrants that as of the effective date of this DPA, it has not been subject to any request for disclosure of personal data by a Public Body.
7.4. If Licensee receives a Legal Process requiring disclosure of personal data to a Public Body, Licensee shall: (i) promptly notify Similarweb, unless legally prohibited from doing so; (ii) use all reasonable efforts to redirect the Public Body issuing such Legal Process to request that personal data directly from Similarweb; and (iii) where (ii) is not possible, use all reasonable efforts to challenge the Legal Process (where there are grounds for doing so) and to minimize the amount of any personal data which Licensee is compelled to disclose.
8.1. The Parties agree that this DPA and the SCCs shall terminate automatically upon the termination of the Terms & Conditions.
8.2. Without affecting any other right or remedy available to it, Similarweb may terminate this DPA with immediate effect by giving written notice to Licensee, should Licensee fail to materially comply with its obligations set out in this DPA.
9. General Terms
9.1. Any obligation imposed on the Parties under this DPA in relation to the processing of personal data shall survive any termination or expiration of the Terms & Conditions.
9.2. Any breach of this DPA shall constitute a material breach of the Terms & Conditions.
9.3. A person who is not a party to this DPA shall have no right to enforce any term of this DPA, save to the extent set out in the relevant SCCs. The rights of the Parties to rescind or vary this DPA are not subject to the consent of any other person.
9.4. The provisions of this DPA are supplemental to the Terms & Conditions. In the event of inconsistencies between the provisions of this DPA and the Terms & Conditions, the provisions of this DPA shall prevail.
ANNEX 1: DESCRIPTION OF THE PROCESSING
Part 1: List of Parties
Data exporter(s): Similarweb (as controller)
Data importer(s): Licensee (as controller)
Part 2: Description of Transfer
1. Categories of data subjects whose personal data is transferred
Members of the public whose names and business contact information appear in various sources, including social networks, recruitment, and company websites, in connection with their affiliation with those companies and businesses.
2. Categories of personal data transferred
First name, last name, verified email; telephone number and/or mobile number, company name, job title and industry.
3. Sensitive data transferred (if applicable) and applicable restrictions or safeguards
4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Personal data is transferred on a continuous basis.
5. Nature of the processing
The personal data transferred will be subject to the following basic processing activities, in each case strictly to the extent relevant to and in accordance with the obligations of the Parties under the Terms & Conditions: (i) retrieval, consultation or use of the personal data and (ii) alignment, combination, blocking, erasure or destruction of the personal data.
6. Purpose(s) of the data transfer and further processing
The Parties shall process the personal data for the purposes of sales prospecting and as set out in Section 9 of the Terms & Conditions.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
In line with the Parties’ data retention policies.
8. The personal data transferred may be disclosed only to the following recipients or categories of recipients
Employees and sub-processors of the importer only.
Part 3: Competent Supervisory Authority(ies)
Identify the competent supervisory authority(ies) in accordance with clause 13 of the EU Controller SCCs.
The Data Protection Commission (DPC) in the Republic of Ireland.
ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Licensee shall implement appropriate technical and organisational measures, policies and controls (“Licensee Controls”) to maintain the effective security of all Licensee computer or network systems accessing, storing, transmitting, processing or otherwise supporting the processing of personal data in accordance with this DPA (“Licensee Systems”), and to ensure that such personal data is protected from accidental, unauthorized or unlawful processing, access, disclosure, loss, alteration, damage or destruction.
At a minimum, Licensee shall ensure compliance with the requirements described at: https://mvsp.dev/mvsp.en/index.html. Licensee shall inform Similarweb in case of any material non-compliance with the requirements set out herein and will provide evidence of alternative or compensating controls implemented to protect personal data.