PathFactory Data Processing Addendum
Last Updated: September 16, 2025
This Data Processing Addendum (“Addendum” or “DPA”) is incorporated into and forms part of the PathFactory Software-as-a-Service Terms of Service or other agreement between PathFactory Inc. or PathFactory Corp, as applicable (in either case, the “Service Provider”), and Customer for the provision and use of PathFactory’s Services (the “Agreement”). This Addendum reflects the Parties’ agreement with regard to the Processing of Personal Data.
In the event of any conflict between the Agreement and this Addendum, the terms and conditions of this Addendum shall control. Except to the extent expressly superseded or modified in this Addendum, the terms and conditions of the Agreement will apply to this Addendum and remain in full force and effect. Unless otherwise provided, a capitalized term that is not defined in this Addendum shall have the meaning given to it in the Agreement, and the words and expressions in, and the rules of interpretation of, the Agreement shall have the same meaning in this Addendum.
Definitions
- “California Privacy Law” means, as applicable, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and related regulations.
- “Canadian Privacy Laws” means applicable Canadian federal and provincial privacy laws, which may include, as applicable, Canada’s Personal Information Protection and Electronic Documents Act, SC 2000, c.5, British Columbia’s Personal Information Protection Act, SBC 2003, c 63, Alberta’s Personal Information Protection Act, SA 2003, c P-6.5 and Quebec’s Act respecting the protection of personal information in the private sector, CQLR c P-39.1.
- “Data Processing Particulars” means in relation to any Processing under this Addendum: the subject matter and duration of the Processing; the nature and purpose of the Processing; the type of the Personal Information being Processed; and the categories of Data Subjects.
- “Data Protection Impact Assessment” means an assessment of the impact of the envisaged Processing operations on the protection of Personal Information as required by Article 35 of the EU GDPR or other applicable Privacy Laws.
- “Data Subject” means an identified or identifiable natural person. In the context of Personal Information subject to California Privacy Law, the term also includes an identified or identifiable household.
- “EU GDPR” means the current Regulation (EU) 2016/679.
- “European Data Protection Laws” means all data protection and privacy laws and regulations of Europe, including where applicable (a) the EU GDPR; (b) the UK GDPR; and (c) the Swiss Federal Data Protection Act and its implementing regulations; in each case, as may be amended, superseded or replaced from time to time.
- “Personal Information” means any information that constitutes “Personal Data” under the EU GDPR, the UK GDPR, or other applicable Privacy Laws, or any information that constitutes “personal information” under Canadian Privacy Laws, California Privacy Law, or other applicable Privacy Laws, that is transferred by Customer or its permitted agents to Service Provider in performance of or pursuant to the Agreement.
- “Privacy Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, theft, or unauthorized access to or disclosure of Personal Information.
- “Privacy Laws” means any law, statute, regulation, or other legally binding restriction governing the Processing of Personal Information, which may include, as applicable, European Data Protection Laws, Canadian Privacy Laws, and US State Privacy Laws.
- “Process” means any operation or set of operations that is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as but not limited to collection, use, modification, retrieval, disclosure, retention, storage, deletion, or management.
- “Restricted Transfer” means a transfer (directly or via onward transfer) of Personal Information, that is subject to European Data Protection Laws, to a third country outside the European Economic Area (“EEA”), United Kingdom and Switzerland, which is not subject to an adequacy determination by the European Commission, United Kingdom or Swiss authorities (as applicable).
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries set out in the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- “Supervisory Authority” means an independent public authority tasked with the regulation, oversight and enforcement of applicable Privacy Laws, including regulatory authorities established in Canada, and supervisory authorities established by an EU Member State or the United Kingdom to monitor the application of the EU GDPR or the UK GDPR, respectively.
- “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under s. 119(a) of the UK Data Protection Act 2018, as updated or amended from time to time.
- “UK GDPR” means the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)) and the UK Data Protection Act 2018 (as amended).
- “US State Privacy Laws” means, as applicable, the California Privacy Law and other generally applicable, non-sectoral US state privacy laws (and their regulations, if any) modeled on the California Law, as they become effective, such as the Virginia Consumer Data Protection Act; Colorado Privacy Act; Connecticut Act Concerning Personal Data Privacy and Online Monitoring; Utah Consumer Privacy Act; Texas Data Privacy and Security Act; Oregon Consumer Privacy Act; Florida Digital Bill of Rights; Montana Consumer Data Privacy Act; Iowa Consumer Privacy Act; Tennessee Information Protection Act; Indiana Consumer Data Protection Act; New Jersey Privacy Act; and New Hampshire Privacy Act.
Data Processing and Security Responsibilities
- Customer and Service Provider shall each comply with all Privacy Laws that apply to it in relation to any Personal Information Processed under the Agreement (including this Addendum), as set out in the Data Processing Particulars at Annex A to this Addendum.
- Customer represents and warrants that it has:
- made and shall maintain all necessary registrations and notifications as required in order to permit Service Provider to perform its obligations and exercise its rights under this Addendum;
- obtained and provided, and shall continue to obtain and provide, all necessary consents and notices, and otherwise has and continues to have all necessary authority, to permit Service Provider to perform its obligations and exercise its rights in connection with the Processing of Personal Information under the Agreement (including this Addendum), and shall inform Service Provider immediately if any such consents or authority are withdrawn or can no longer be relied upon;
- ensured and shall continue to ensure that all Personal Information Processed by Service Provider is adequate, relevant, accurate and up-to-date, and limited to what is necessary to enable Service Provider to perform its obligations and exercise its rights under the Agreement (including this Addendum);
- ensured and shall continue to ensure that there are valid legal bases to enable Service Provider to Process Personal Information in the manner and for the purposes contemplated under the Agreement (including this Addendum); and
- Processed and will continue to Process the Personal Information in accordance with all applicable Privacy Laws.
- In the course of Processing Personal Information on behalf of Customer as detailed in Annex A to this Addendum, Service Provider shall:
- except as otherwise permitted herein, only Process Personal Information for the purpose of rendering the Services as described in Annex A and as otherwise instructed by Customer in writing from time to time or as required or permitted by applicable law;
- not retain, use, or disclose Personal Information outside of the direct business relationship between Service Provider and Customer within the meaning of California Privacy Law unless permitted by California Privacy Law and the rest of this Addendum;
- comply with any applicable restrictions under California Privacy Law on combining the Personal Information that Service Provider receives from, or on behalf of, Customer with personal information that Service Provider receives from, or on behalf of, another person or persons, or that Service Provider collects from any interaction between it and a Data Subject;
- otherwise comply with applicable provisions of the California Privacy Law, including by providing the Personal Information subject to it with the level of protection it requires, and promptly notify Customer if Service Provider determines that Service Provider no longer can comply with it;
- promptly inform Customer if, in Service Provider’s opinion, any instruction received from Customer infringes European Data Protection Laws;
- not transfer or disclose any Personal Information to any third party except as (i) permitted under the Agreement (including as contemplated by Clause 4 of this Addendum), (ii) otherwise authorized by the Customer in writing, or (iii) required under applicable law (in which case Clause g) below shall apply);
- where any transfer or disclosure of Personal Information is required by a governmental authority or applicable law, provide reasonable notice to Customer of such compelled disclosure (except where legally prohibited from providing such notice, such as on important grounds of public interest) so that Customer has an opportunity to take such steps as it desires to challenge or contest such disclosure or seek a protective order;
- not “sell” the Personal Information within the meaning of US State Privacy Laws, and not “share” the Personal Information within the meaning of the California Privacy Law;
- except to the extent legally prohibited, promptly notify Customer in writing of any enquiry or complaint received from an individual relating to the individual’s rights under Privacy Laws, and taking into account the nature of Service Provider’s Processing of Personal Information, provide reasonable assistance to enable Customer to respond to such enquiry or complaint in compliance with applicable Privacy Laws;
- implement reasonable physical, technical and organizational security measures appropriate to the sensitivity of the Personal Information that are designed to protect Personal Information against loss, theft, damage and unauthorized or unlawful access, use, disclosure or destruction (the “Security Measures”). The parties acknowledge and agree that the Security Measures as of the Effective Date are set out in Annex B. Service Provider shall carry out regular reviews of the Security Measures to assess their continuing appropriateness and shall not materially lower the standard of the Security Measures without the prior written approval of Customer;
- authorize access to Personal Information by its employees, officers, directors, contractors and agents only if (i) they need to have access to the Personal Information in connection with performing Service Provider’s rights or obligations as set out in the Agreement (including this Addendum), and (ii) they have agreed in writing, or are otherwise legally bound, to protect the confidentiality and security of Personal Information;
- ensure that each employee of Service Provider involved in rendering the Services is appropriately screened to confirm the suitability of the performance of their duties in connection with the Services, including the Processing of Personal Information;
- at Customer’s reasonable request, and taking into account the nature of the Processing and the Personal Information available to it, provide reasonable assistance to Customer as necessary for Customer to meet its obligations under Privacy Laws in connection with:
- obligations relating to ensuring the security and integrity of Personal Information;
- at Customer’s cost, obligations relating to notifications and communication of Privacy Breaches as required by Privacy Laws to the Supervisory Authority and/or any affected individuals; and
- at Customer’s cost, undertaking any Data Protection Impact Assessments that are required by Privacy Laws and, where necessary, consulting with the relevant Supervisory Authority in respect of any such Data Protection Impact Assessments;
- be permitted to generate anonymous data that is non-identifiable as to Customer or any individual and otherwise no longer constitutes “personal information”, “personal data” or equivalent terms under applicable Privacy Laws (“Anonymous Data”). For the avoidance of doubt, the Processing of Anonymous Data shall not be subject to the terms of this Addendum;
- taking into consideration Service Provider’s role in the Processing of Personal Information, provide the level of protection for the relevant Personal Information required by applicable Privacy Laws; and
- notify Customer if Service Provider determines it can no longer meet its obligations under this Addendum.
Audit Rights
Service Provider shall provide, and Customer agrees to accept, Service Provider’s most current third-party certifications as may be relevant and available in respect of the Services. Service Provider shall provide Customer (or its representatives) with access to reasonably requested information as necessary to demonstrate Service Provider’s compliance with this Addendum. Without limiting the foregoing, Customer has the right, upon providing reasonable notice to Service Provider, to take reasonable and appropriate steps to ensure that Service Provider uses the Personal Information in a manner consistent with the Customer’s obligations under Privacy Laws and to stop and remediate any use of Personal Information by Service Provider that is in violation of this Addendum.
Sub-processing
- Subject to Clause 6, Customer acknowledges and agrees that Service Provider will use sub-processors (including Service Provider affiliates) to Process Personal Information. Service Provider shall enter into a written agreement with each such sub-processor that imposes obligations on the sub-processor that are substantially similar to those imposed on Service Provider under this Addendum. Service Provider shall only retain sub-processors that Service Provider can reasonably expect to appropriately protect the privacy, confidentiality and security of the Personal Information. Service Provider shall be liable for any acts or omissions of its sub-processors in breach of this DPA, to the same extent that Service Provider would be liable if the acts or omissions were those of the Service Provider itself.
- Service Provider shall maintain a current list of sub-processors for the Services on its website at https://www.pathfactory.com/sub-processors/ (the “Sub-Processor List”) with a mechanism to subscribe to notifications of any updates to the Sub-Processor List, including the appointment or removal of Sub-Processors. Service Provider shall provide notification to the email used by Customer to subscribe to the Sub-Processor List prior to authorizing any new sub-processor(s) to process Personal Information in connection with the provision of the Services. Customer shall have fifteen (15) days following notice to object to such appointment or change on the basis of reasonable data privacy or security grounds, by providing detailed reasons in writing to privacy@pathfactory.com. If Service Provider does not receive such an objection within the fifteen (15) day objection period, Customer will be deemed to have given consent to the appointment of or change to the sub-processor.
- In the event Customer objects in writing to the proposed appointment in accordance with subclause 4.2, Service Provider will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Information by the objected-to new sub-processor without unreasonably burdening Service Provider. If Service Provider is unable to make available such change within sixty (60) days, either party may terminate without penalty those Services that cannot be provided by Service Provider without the use of the objected-to new sub-processor by providing written notice to the other party.
Privacy Breach Notification
Service Provider shall notify Customer in writing without undue delay upon Service Provider becoming aware of a Privacy Breach. Service Provider shall take such measures and actions it deems appropriate and reasonable to remedy or mitigate the effects of the Privacy Breach to the extent within Service Provider’s control and shall keep Customer informed of material developments in connection with the Privacy Breach.
European Data Transfers
- Restricted Transfers. Customer acknowledges and agrees that in the course of providing the Services to Customer, Service Provider may transfer Personal Information that is subject to EU GDPR, UK GDPR or the Swiss Federal Data Protection Act to countries outside of the European Economic Area, the United Kingdom or Switzerland, respectively. Subject to Clause 4 of this Addendum, Service Provider shall ensure that any such transfers to countries that do not ensure an adequate level of data protection within the meaning of EU GDPR, UK GDPR or the Swiss Federal Data Protection Act are subject to the Standard Contractual Clauses as more fully described in Clause 6.2 below.
- Standard Contractual Clauses. With respect to the transfer of Personal Information which is a Restricted Transfer, the parties agree that the Standard Contractual Clauses (including Annex I and II) shall be incorporated by reference where applicable and form part of this DPA. Each party is deemed to have executed the Standard Contractual Clauses by executing this DPA. With respect to the Standard Contractual Clauses, the following shall apply:
- In relation to transfers of Personal Information subject to the EU GDPR:
- Module Two shall apply where Customer is the “data controller” of Personal Information and Module Three shall apply where Customer is the “data processor” of Personal Information;
- The optional Clause 7 shall apply and Affiliate(s) of both Customer and Service Provider may accede to the Standard Contractual Clauses under the same terms and conditions, where applicable;
- For the purposes of Clause 9, option 2 (“general authorization”) is selected, and the process and time period for prior notice of sub-processor changes shall be as set out in Sub-clause 4.2 of this DPA;
- In Clause 11, the optional language shall not apply;
- In Clause 17, option 1 shall apply and the Standard Contractual Clauses shall be governed by Irish law;
- In Clause 18(b), disputes shall be resolved before the courts of Ireland;
- Annex I shall be deemed completed with the information set out in Annex A, Data Processing Description, to this DPA; and
- Annex II shall be deemed completed with the information set out in Annex B, Security Measures, to this DPA.
- In relation to transfers of Personal Information subject to the UK GDPR, the Standard Contractual Clauses as implemented under Clause 6.2(a) above shall apply with the following modifications:
- The Standard Contractual Clauses shall be modified and interpreted in accordance with Part 2 of the UK Addendum, which shall be deemed incorporated into and form an integral part of the DPA;
- Tables 1-3 in Part 1 of the UK Addendum shall be deemed completed with the relevant information set out in Annex A and B to the DPA, respectively;
- Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”; and
- Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
- In relation to transfers of Personal Information protected by the Swiss Data Protection Act, the Standard Contractual Clauses, as implemented under Clause 6.2(a) above shall apply with the following modifications:
- References to “Regulation (EU) 2016/679” and specific articles therein shall be interpreted as references to the Swiss Data Protection Act and the equivalent articles or sections therein;
- References to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” and/or “Swiss law” (as applicable);
- References to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”;
- the Standard Contractual Clauses shall be governed by the laws of Switzerland; and disputes shall be resolved before the competent Swiss courts.
- Where the Standard Contractual Clauses apply pursuant to Clause 6.1 of this DPA, this section sets out the parties’ interpretations of their respective obligations under specific provisions of the Clauses, as identified below. Where a party complies with the interpretations set out below, such party shall be deemed, by the other party, to have complied with its commitments under the Standard Contractual Clauses:
- where Customer is itself a processor of Personal Information acting on behalf of a third party controller and Service Provider would otherwise be required to interact directly with such third party controller (including notifying or obtaining authorizations from such third party controller), Service Provider may interact solely with Customer and Customer shall be responsible for forwarding any necessary notifications to and obtaining any necessary authorizations from such third party controller;
- the certification of deletion described in Clause 16(d) of the Standard Contractual Clauses shall be provided by Service Provider to Customer upon Customer’s written request;
- for the purposes of Clause 15(1)(a) of the Standard Contractual Clauses, Service Provider shall notify Customer, not the relevant data subject(s), in case of government access requests and Customer shall be solely responsible for notifying the relevant data subjects as necessary; and
- taking into account the nature of the processing, Customer agrees that it is unlikely that Service Provider would become aware of processing any inaccurate or outdated Personal Information. To the extent Service Provider becomes aware of such inaccurate or outdated Personal Information, Service Provider will inform Customer in accordance with Clause 8.4 of the Standard Contractual Clauses.
- Alternative Transfer Mechanism. If and to the extent that a court of competent jurisdiction or a supervisory authority orders (for any cause or reason whatsoever) that the measures described in this DPA cannot be relied upon to lawfully transfer Personal Information to Service Provider, the parties shall reasonably cooperate to agree to and take any actions that may be reasonably required to implement any additional measures or alternative transfer mechanism to enable the lawful transfer of such Personal Information. Additionally, in the event Service Provider adopts an alternative transfer mechanism, Service Provider may rely on such alternative transfer mechanism instead of the Standard Contractual Clauses described in Clause 6.1 and 6.2 (but only to the extent such alternative transfer mechanism complies with applicable European Data Protection Laws and extends to the territories to which Personal Information is transferred).
Return or Destruction
Upon the termination of the Agreement or at such earlier time as instructed by Customer in writing, Service Provider will dispose of (or, at Customer’s written request, return) the Personal Information, subject to Service Provider’s requirements to retain Personal Information in order to comply with its legal or regulatory obligations or as otherwise necessary in the context of any disputes or litigation. In such event, Service Provider warrants that it will continue to protect the confidentiality of the Personal Information in accordance with applicable law.
Updates to this Addendum
Service Provider may update or change any part of this DPA at any time by posting the revised terms at https://www.pathfactory.com/legal/DPA/. Service Provider will notify Customer of any changes that, in Service Provider’s discretion, materially impact this DPA. The updated DPA will be effective as of the time of posting, or on such later date as may be specified in the updated DPA.
General
- The parties agree that this DPA supersedes any prior data processing addendum, exhibit or Standard Contractual Clauses that the parties may have previously entered into in connection with the Services.
- The liability of Service Provider under this DPA shall be subject to the exclusions and liability in the Agreement, unless required otherwise by Privacy Laws.
- This DPA will be governed by and construed in accordance with the governing law and jurisdiction provision set forth in the Agreement, unless otherwise required by Privacy Laws.
- The obligations placed upon each party under this DPA and the Standard Contractual Clauses shall survive so long as Service Provider processes Personal Information on behalf of Customer.
ANNEX A DATA PROCESSING DESCRIPTION
LIST OF PARTIES
Data Exporter
- Name: The entity set out as “Customer” in the Agreement.
- Address: The address as set out in the Order Form for Services, which is governed by and subject to the Agreement and this DPA.
- Contact person’s name, position and contact details: Refer to Customer signatory to the Agreement.
- Activities relevant to the data transferred: The activities specified under “Description of the Processing and Transfer” below.
- Role: Controller (for Module 2) or Processor (for Module 3).
Data Importer
- Name: The entity set out as “PathFactory” in the Agreement.
- Address: The address set out in the Order Form for Services, which is governed by and subject to the Agreement and this DPA.
- Contact person’s name, position and contact details: Refer to PathFactory signatory to the Agreement.
- Activities relevant to the data transferred: The Activities specified under “Description of the Processing and Transfer” below.
- Role: Processor
DESCRIPTION OF THE PROCESSING AND TRANSFER
Subject-matter and duration of the Processing
- The Services are intended to assist Customer with providing relevant marketing and sales related content to prospective clients and measuring the success of marketing campaigns.
- The duration of the Processing is the Term of the Agreement, as further permitted by the Agreement or as otherwise necessary to fulfill obligations under the Agreement.
Nature and purposes of the Processing.
- The nature of the Processing is collection and use for the purpose of performing the Services and Service Provider’s obligations under the Agreement and this DPA and further documented, reasonable instructions from Customer agreed upon by the parties.
- Personal Information is Processed for the following purposes:
- To analyze the consumption of content published by Customer; and
- To provide reports to Customer regarding content consumption.
Data Categories.
- The following types of Personal Information may be Processed:
- Name
- Job title
- Contact details: company email address, phone number
- IP address, cookies data, location data (general)
- Engagement data, online behavioural tracking data, and website activity associated with Customer’s content
- Inputs into the Services by visitors and audience members who interact with the Services
- Any other Personal Information processed in the course of providing the Services
- The parties agree that the Services are not to be used for the processing of sensitive data as described in Clause 8.7 of the Standard Contractual Clauses.
Categories of data subjects
- The following categories of Data Subjects are involved:
- Website visitors (including existing clients, prospects and other interested parties)
- Customer personnel
Duration of the Processing
Until completion of processing set forth in Clause 7 of the DPA.
Sub-processor List
As set out in Clause 4 of the DPA.
Competent Supervisory Authority
The data exporter’s competent supervisory authority will be determined in accordance with the EU GDPR.
ANNEX B SECURITY MEASURES
PathFactory will implement and maintain a comprehensive written information security program designed to protect Customer Data from unauthorized access, use, disclosure or destruction. The security measures that PathFactory implements and maintains are set out in the PathFactory Data Security Policy located at https://www.pathfactory.com/legal/datasecuritypolicy/.