Data Protection Agreement

This Data Protection Agreement (“DPA”) supplements the agreement for Services between Software Advice and Software Vendor, to provide additional terms for the sharing and use of Personal Data.

1. Scope, Definitions and Applicable Law. This DPA applies to Software Advice’s handling and use of personal data from Software Vendor (“Personal Data”) to allow Software Advice to deliver the applicable services. Terms used herein that are not otherwise defined, including, without limitation, “personal data,” “controller,” and “processing,” shall have the meanings set forth in applicable laws, regulations, and decisions applicable to a party to this DPA, including but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and any future implementing legislation (collectively, “Applicable Law”). 

2. Roles and Restrictions. Each party to this DPA: (a) is a controller or business of Personal Data under Applicable Law; (b) will individually determine the purposes and means of its processing of Personal Data; and (c) will comply with the legal obligations applicable to it under the Applicable Law. Nothing in this DPA shall modify any restrictions applicable to either party’s rights to use or otherwise process Personal Data under the applicable terms of use and Software Advice will process Personal Data for the purposes as outlined in its Privacy Policy, or as otherwise agreed by the parties with notice to any data subject. For avoidance of doubt, Software Advice and Software Vendor are not joint controllers.

3. Protection of Personal Data. Software Advice will: (a) maintain reasonable technical and organizational security measures, in accordance with Applicable Law, to protect against, without limitation, the accidental, unlawful or unauthorized access to or use, transfer, destruction, loss, alteration, commingling, disclosure or processing of Personal Data; and (b) treat Personal Data with strict confidence and take reasonable steps to ensure that persons who process or will process Personal Data are under a duty of confidentiality with respect to Personal Data no less restrictive than the duties set forth herein.

4. Notice and Cooperation. Software Advice will provide written notice, to the extent required by Applicable Law, to a competent regulatory authority, each impacted data subject and/or to Software Vendor, in the case of a personal data breach. ‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

5. Data Subject Communications. Software Advice will provide notice, as required by Applicable Law, to the data subject outlining how Software Advice processes their Personal Data. Software Advice will be responsible for handling all requests and exercise of rights granted to the data subject under Applicable Law which Software Advice receives in respect of Software Advice’s processing of Personal Data.

6. International Transfer of Personal Data. If Personal Data originates from the European Economic Area, UK and/or Switzerland, and such Personal Data is transferred to a third country, at either party’s request, the parties will enter into the appropriate Controller to Controller cross border transfer agreement with Software Vendor, as required by applicable local law. 

7. Sale or Sharing of Personal Data. As a Business under the California Consumer Protection Act (CCPA), as amended by the California Privacy Rights Act (CPRA), Software Advice shall not: (a) “Sell” or “Share” Personal Data, as defined; (b) retain, use, or disclose Personal Data for any purpose other than for the Business Purpose, including to retain, use, or disclose the Personal Data for a commercial purpose other than providing its service under the Agreement; or (c) retain, use, or disclose Personal Data outside of the direct business relationship between Software Advice and Software Vendor.

Last Updated: October 2023