# Data Processing Addendum | Capterra

> Capterra Data Processing Addendum explains data processing responsibilities under vendor terms.

Source: https://www.capterra.com/legal/data-processing-addendum

---


# Data Processing Addendum

This Data Processing Addendum (“DPA”) is between the software or service provider referenced on an insertion order (or similar contracting document) (“Vendor”) and the respective operating entity providing Services to Vendor: [G2.com](http://g2.com/), Inc., Software Advice Inc., Capterra Inc. or Nubera eBusiness S.L., as applicable (“we”, “us” or “our”). This DPA is incorporated into the General Vendor Terms, or a similar agreement regarding the Services, between the parties (“Vendor Terms”). Any capitalized term used but not defined herein has the meaning given to it in the General User Terms or General Vendor Terms. 

This DPA applies only when Personal Data is transferred by Vendor (Controller) to us (Processor) for the following purposes (if applicable):

| Purpose | Data Subject | Personal Data Transferred from Vendor to Us |
| --- | --- | --- |
| Reviews Collection Program | Vendor’s clients | First Name + Email |

**1\. Scope.** This DPA sets forth how we will Process Personal Data (or a similar term as defined by applicable Privacy Laws) provided by Vendor under the Vendor Terms. The parties agree to comply with applicable data protection laws (“Privacy Laws”). Details of the Processing are in Appendix A. “Process” (and its cognates) is defined according to applicable Privacy Laws. 

**2\. Obligations of Vendor.** Vendor is solely responsible for (a) providing notice or obtaining consent from a person to whom Personal Data relates (“Data Subject”) as required by Privacy Laws; (b) supplying only the minimum necessary Personal Data for us to fulfill our obligations; (c) ensuring the accuracy and completeness of Personal Data and making updates, including handling Personal Data deletion requests; (d) any unauthorized Processing outside the control of us or a Subprocessor; (e) ensuring Personal Data does not contain Special Categories or Sensitive Personal Data (as defined by Privacy Laws); (f) managing third-party controller communications; and (g) reviewing our data security information to meet legal obligations. Vendor must not request us to Process Personal Data in violation of Privacy Laws. If we believe an instruction violates Privacy Laws, we may refuse to Process without any penalties. For any legal requirements not covered by this DPA, Vendor must notify us at [legal@g2.com](mailto:legal@g2.com). We are not responsible for initiating this process and may refuse, without incurring any penalties, to Process Personal Data if the requirements exceed this DPA.

**3\. Use Of Personal Data.** Vendor instructs us to Process Personal Data (a) to perform its obligations under the Vendor Terms and in accordance with Appendix A, (b) as required by law and in compliance with Privacy Laws, or (c) for any other purposes permitted by Vendor in writing. We will not “share” or “sell” Personal Data (as defined by CCPA), and, to the extent that our Processing of Personal Data is subject to the CCPA, we: (i) will not Process the Personal Data for any commercial purposes other than business purposes specified in the Vendor Terms, unless expressly permitted by the CCPA; (ii) will not Process the Personal Data outside the direct business relationship between us and Vendor, unless expressly permitted by the CCPA; (iii) we will provide the Personal Data with the same level of privacy protection as required by the CCPA; (iv) we will notify Vendor if we make a determination that we can no longer meet our obligations under the CCPA; and (v) Vendor has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data by us. 

**4\. Privacy and Security.** We will implement reasonable security measures to protect Personal Data, as outlined in Appendix B. Third-party certifications and audits are available upon Vendor’s written request to security@g2.com (“Safeguards”). We can update Safeguards without prior notice to or approval from Vendor, but will not materially reduce the current standards.

**5\. Subprocessors.** Vendor authorizes us to engage third parties or subcontractors to Process Personal Data on its behalf (“Subprocessors”). We will ensure Subprocessors agree to similar data protection obligations as outlined in this DPA. Except as stated in the Vendor Terms or this DPA, our liability for Subprocessors is limited to the extent as if we were performing the services directly, and will not exceed the amount actually recovered by us from that Subprocessor. Vendor provides us with a general authorization to engage Subprocessors.

We maintain a list of our Subprocessors at [https://legal.g2.com/subprocessors](https://legal.g2.com/subprocessors), where Vendor is required to subscribe to notifications of new Subprocessors (“Subprocessor Notification”). If Vendor objects to a new Subprocessor, Vendor must notify us in writing at [privacy@g2.com](mailto:privacy@g2.com) within 10 business days of G2 sending a Subprocessor Notification. If an objection is made in time, we will make reasonable efforts to avoid using the contested Subprocessor, but if no solution is found within 30 business days, Vendor may terminate the Vendor Terms and DPA in accordance with the termination provisions of the Vendor Terms.

**6\. Cooperation and Audits.** We will provide reasonable assistance to help Vendor comply with Privacy Laws regarding (a) this DPA; (b) privacy impact assessments; or (c) subject to the terms in this Section 6, audits of us as required under Privacy Laws (collectively, “Audit Obligations”). Vendor may audit us once in any 12-month rolling period, unless otherwise required by Privacy Laws. Regarding Audit Obligations, subject to the confidentiality obligations set forth in the Vendor Terms and upon Vendor’s written request, we will provide to Vendor or, if required by Privacy Laws, Vendor’s competent regulatory authority, (a) a summary of recent third-party audits or certifications, (b) similar reports from Subprocessors to us, or (c) other information required by Privacy Laws.

If Privacy Laws mandate an onsite audit (“On-Site Audits”), Vendor and we will agree on scope, timing and duration at least 30 days in advance of any such audit. On-Site Audits will be limited to our facilities only, Vendor will cover all costs, participants must comply with confidentiality and other requirements, solely to be determined by us, and must occur during our normal business hours. Unless otherwise required by Privacy Laws, Vendor must submit its request for an On-Site Audit to us at [privacy@g2.com](mailto:privacy@g2.com) with at least 30 days written notice. We are not required to violate Privacy Laws or other legal or contractual obligations we have to our customers or users. Vendor must inform us of any compliance issues found during the On-Site Audit within 10 business days. We may adapt the scope of an On-Site Audit to avoid risks with respect to our legal and contractual obligations to our other customers and users. Audits under the European Union (“EU”) and United Kingdom (“UK”) Standard Contractual Clauses (“SCCs”) will follow this Section 6.

**7\. Cross Border Data Transfers.** We Process Personal Data in the United States. For transfers of Personal Data from the EU or UK to a jurisdiction which is not recognized by the EU or UK as having adequate data protection, or where data transfers contemplated by this DPA are not otherwise restricted under Privacy Laws, the EU SCCs and UK International Data Transfer (“UK Agreement”) apply, as incorporated by Appendix C. By signing/accepting the insertion order (or similar transacting document), both parties accept the EU SCCs and UK Agreement. For transfers of Personal Data from the EU (“EU Personal Data”) to the U.S., we participate in the EU-U.S. Data Privacy Framework Program (“DPF”) and agree to comply with the DPF to the extent Vendor also participates in the DPF. To the extent the DPF is not available, cannot be relied upon, or does not apply to a particular transfer, such transfer will instead be governed by the EU SCCs.

**8\. Personal Data Breach.** If we are negligent and materially compromise or cause accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Vendor’s Personal Data, or any other event impacting Vendor’s Personal Data triggers an obligation for us to notify Vendor under Privacy Laws related to security breach notification (collectively, a “Personal Data Breach”), we will notify Vendor without delay of our confirmation of such Personal Data Breach at the Vendor’s email address set forth on the insertion order (or similar transacting document) (if available). We will share the following information as it becomes available to us: (a) a brief description of the Personal Data Breach, including its date, (b) details of the impacted Personal Data, (c) actions we are taking to investigate and mitigate, (d) contact information for further inquiries, and (e) any other information required under Privacy Laws.

We will cooperate with Vendor’s reasonable investigation, as required by Privacy Laws. If Privacy Laws require notifying third parties, we will reimburse Vendor for reasonable costs directly incurred by Vendor for this legally required notification and any legally required credit monitoring (“Notification Costs”). Notification Costs shall not include any legal fees or related costs incurred by Vendor.

**9\. Information Management.** After completing the Services, we will delete the Personal Data, unless retention is required by law or otherwise infeasible, in which case we will retain the Personal Data only as necessary and may process it solely for the purpose of preventing return or deletion.

**10\. Indemnification.** Vendor agrees that Vendor will reimburse, indemnify and hold us harmless for all costs incurred in responding to or mitigating any losses suffered by us, including, but not limited to, any losses relating to a third-party claim brought against us regarding the Processing of Personal Data where such Processing is consistent with Vendor’s Processing instructions, the Vendor Terms and/or this DPA. 

**11\. Limitation of Liability.** Except as otherwise explicitly stated in this DPA, our sole liability and Vendor’s sole remedy for our breach of this DPA will not exceed the fees paid by Vendor to us under the insertion order (or similar transacting document) giving rise to the claim in the 12 months preceding the claim. In no circumstances will we be liable for any special, indirect, incidental, consequential, or punitive damages, including lost profits incurred by Vendor.

**12\. Interpretation and Updates.** We will update this DPA periodically, without notice to Vendor, in material compliance with Privacy Laws and without materially lessening the protections set forth herein. The following order of precedence applies in the event of a conflict with respect to the Processing of Personal Data: (a) UK Agreement, (b) this DPA, (c) Vendor Terms, and (d) Privacy Laws.

**13\. Term.** This DPA begins on the Effective Date and remains in force until the Vendor Terms terminate, or until we stop Processing Personal Data on behalf of Vendor.

**APPENDIX A**

**DESCRIPTION OF PROCESSING**

**Parties**

Exporter & Controller: Vendor

Vendor information is as set forth in the insertion order (or similar transacting document)

Importer & Processor: G2.com, Inc.

100 South Wacker Drive, Suite 600, Chicago, IL 60606

**Categories of Data Subjects Whose Personal Data is Transferred & Categories of Personal Data Transferred**

Reviews Collection Program (if applicable)

Data Subject: Vendor’s customers

Personal Data: First name and email

**Sensitive Data Transferred**

Vendor will not transfer Sensitive Data to us.

**Frequency of the Transfer**

Continuous.

**Nature of the Processing**

To provide the Services.

**Purpose of Processing, Data Transfer and Further Processing**

To provide the Services.

**Duration of Processing**

As set forth in Section 13.

**Subprocessor Transfers**

As set forth in Section 5.

**APPENDIX B**

**TECHNICAL AND ORGANIZATIONAL MEASURES**

We have implemented the following technical and organizational measures for the protection of the security, confidentiality and integrity of Personal Data:

**Access Control: Preventing Unauthorized Product Access**

_Outsourced processing_: We host our Services with outsourced cloud infrastructure providers. We maintain contractual relationships with vendors in order to provide the Services in accordance with this DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

_Physical and environmental security_: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001, 27017, 17018 compliance, among other certifications.

_Authentication_: We implemented a uniform password policy. Vendors who interact with the products via the user interface must authenticate before accessing non-public Vendor data.

_Authorization_: Vendor data is stored in multi-tenant storage systems accessible to Vendor via only application user interfaces and application programming interfaces. Vendor is not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

_Application Programming Interface (API) access_: Public product APIs may be accessed using an API.

**Access Control: Preventing Unauthorized Product Use**

We implemented industry standard access controls and detection capabilities for the internal networks that support our products.

_Access controls_: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

_Intrusion detection and prevention_: We implemented a Web Application Firewall (WAF) solution to protect hosted Vendor websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.

_Penetration testing_: We maintain relationships with industry recognized penetration testing service providers for one annual penetration test. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.

**Access Control: Limitations of Privilege & Authorization Requirements**

_Product access_: A subset of our employees have access to the products and to Vendor data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective Vendor support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. All such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated regularly. Employee roles are reviewed annually.

_Background checks_: All of our employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

**Transmission Control**

_In-transit_: We require HTTPS encryption (also referred to as SSL or TLS) on our login interfaces. Our HTTPS implementation uses industry standard algorithms and certificates.

_At-rest_: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.

**Input Control**

_Detection_: We have designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.

_Response and tracking_: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Vendor damage or unauthorized disclosure.

_Communication_: If we become aware of unlawful access to non-public data that is not ours stored within our Services, we will: 1) notify the affected Vendors of the incident; 2) provide a description of the steps we are taking to resolve the incident; and 3) provide status updates to the Vendor contact (if available), as we deem necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Vendor’s contacts in a form we select, which may include via email or telephone.

**Availability Control**

_Infrastructure availability_: The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

_Fault tolerance_: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Vendor data is backed up to multiple durable data stores.

_Online replicas and backups_: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.

**APPENDIX C**

**EU & UK GDPR**

**Section 1 - EU:** For data transfers from the EU, the EU SCCs are incorporated into this DPA as follows:

| EU SCC Term | Amendment/Selected Option |
| --- | --- |
| Module | Module 2 (Controller to Processor). |
| Clause 7 (Docking Clause) | Option is not included. |
| Clause 9 (Use of Sub-Processors) | Option 2 shall apply. As set forth in Appendix. |
| Clause 11 (Redress) | Option is not included. |
| Clause 13 (Supervision) | Options are included, as applicable. |
| Clause 17 (Governing Law) | Ireland. |
| Clause 18 (Choice of Forum and Jurisdiction) | Ireland. |
| Annex I.A (List of Parties) | As set forth in Appendix A. |
| Annex I.B (Description of the Transfer) | As set forth in Appendix A. |
| Annex I.C (Competent Supervisory Authority) | As set forth in Appendix A. |
| Annex II (Technical and Organisational Measures) | As set forth in Appendix B. |

**Section 2 - UK:** For data transfers from the UK, the UK Agreement is incorporated into this DPA as follows:

| UK Addendum Term | Amendment/Selected Option |
| --- | --- |
| Table 1: Start Date | As set forth in Section 13. |
| Table 1: Parties | As set forth in Appendix A. |
| Table 2: Addendum EU SCC | As set forth in Section 1 of this Appendix C. |
| Table 3: Appendix Information | As set forth in Section 1 of this Appendix C. |
| Table 4: Ending this Addendum | Importer. |

**Mandatory Clauses**

The Mandatory Clauses are incorporated into this Appendix C. The ‘Alternative Part 2 Mandatory Clauses’ are not selected.