Quickbase Data Protection Addendum

Last updated March 22, 2023

This Data Protection Addendum ("Addendum") forms part of the Terms of Service between Quickbase, Inc. ("Quickbase") and Quickbase’s Customer acting on its own behalf and as agent for each Customer Affiliate.

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms of Service.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added to and incorporated in the Terms of Service. Except where the context requires otherwise, references in this Addendum to the Terms of Service are to the Terms of Service as amended by, and including, this Addendum.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms will be construed accordingly:

1.1.1 "Customer Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

1.1.2 "Customer" has the same meaning attributed to the term in the Terms of Service and it includes any Customer Affiliates;

1.1.3 “Customer Employee Data” means any Personal Data of Customer’s employees, contractors, and other agents or representatives whose data is used with Quickbase for account maintenance and business relationship purposes.

1.1.4 "Customer Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Terms of Service, including Customer Employee Data;

1.1.5 "Contracted Processor" means Quickbase or a Subprocessor;

1.1.6 "Data Protection Laws" means all laws applicable to Quickbase’s processing of personal data under the Terms of Service;

1.1.7 "Services" means the services and other activities to be supplied to or carried out by or on behalf of Quickbase for Customer pursuant to the Terms of Service;

1.1.8 "Subprocessor" means any person (including any third party, but excluding an employee of Quickbase or any of its sub-contractors) appointed by or on behalf of Quickbase to Process Personal Data on behalf of Customer in connection with the Terms of Service and shall include all parties listed at https://www.quickbase.com/data..., a successor website, or as may otherwise be agreed between the parties; and

1.2 The terms, "Commission", “Commissioner”, "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the applicable Data Protection Laws, and their cognate terms shall be construed accordingly.

2. Processing of Customer Personal Data

2.1 Quickbase shall:

2.1.1 Comply with all applicable Data Protection Laws in the processing of Customer Personal Data;

2.1.2 Process Customer Personal Data (other than Customer Employee Data) only on Customer’s documented instructions unless processing is required by Data Protection Laws to which the relevant Contracted Processor is subject, in which case Quickbase will to the extent permitted by Data Protection Laws inform Customer of that legal requirement before the relevant processing of that Personal Data;

2.1.3 As to Customer Employee Data (excluding other Customer Personal Data), Quickbase will process such data as a controller in order to (a) manage the relationship with Customer; (b) carry out Quickbase’s core business operations, such as accounting and filing taxes; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) perform identity verification; (e) comply with Quickbase’s legal or regulatory obligation to retain Customer information; and (f) as otherwise permitted under Data Protection Laws, the Terms of Service, and Quickbase’s Privacy Policy; and

2.1.4 Process Customer Personal Data in order to provide the Services in accordance with the Agreement. Schedule 1 (Details of Processing) of this Addendum further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of personal data and categories of data subjects.

2.2 Customer hereby:

2.2.1 Acknowledges that with regard to Customer Employee Data, Customer is a controller and Quickbase is a controller, not a joint controller;

2.2.2 Acknowledges that with regard to Customer Personal Data (excluding Customer Employee Data), Customer may act either as a controller or a processor and Quickbase is a processor;

2.2.3 Instructs Quickbase (and authorizes Quickbase to instruct each Subprocessor) to Process Customer Personal Data as reasonably necessary for the provision of the Services and consistent with the Terms of Service;

2.2.4 Warrants and represents that its instructions comply with all Data Protection Laws and it will inform Quickbase immediately if it becomes aware, or reasonably believes, that Customer’s instructions violate any Data Protection Laws or any rights of third parties;

2.2.5 Warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give relevant instructions on behalf of each relevant Customer Affiliate;

2.2.6 Warrants and represents that it has fully and truthfully identified to Quickbase in writing all categories of Personal Data to be processed by Quickbase (or its Subprocessors), including all special categories of such Personal Data;

2.2.7 Acknowledges that additional instructions outside the scope of the Terms of Service or this Addendum may be agreed to in writing between Customer and Quickbase, including any additional fees that may be payable by Customer to Quickbase for carrying out such additional instructions; and

2.2.8 Acknowledges that Quickbase is not responsible for (i) determining which laws or regulations are applicable to Customer’s business or (ii) whether Quickbase’s provision of the Services meets or will meet the requirements of such laws or regulations.

3. Quickbase Personnel

Quickbase shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Customer Personal Data, as strictly necessary for the purposes of the Terms of Service, and to comply with Data Protection Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Quickbase shall, in relation to the Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, no less protective than as set forth in Schedule 2 (Technical and Organizational Security Measures).

5. Subprocessing

5.1 Customer authorizes Quickbase to appoint (and permits each Subprocessor to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Terms of Service.

5.2 Quickbase may continue to use those Subprocessors already engaged by Quickbase as at the date of this Addendum, subject to Quickbase in each case as soon as practicable meeting the obligations set out in section 5.4.

5.3 Quickbase shall make available a list of Subprocessors pursuant to Section 1.1.8 above. Quickbase shall provide a mechanism by which Controller may register to be notified by email of any modifications to the Subprocessor List (“Notification”). Should Controller object on reasonable grounds to the use of a specific Subprocessor and inform Quickbase of such objection in writing (by email to [email protected]) within 15 days of such Notification, Quickbase will at its option (i) within a commercially reasonable timeframe find a replacement Subprocessor; or (ii) allow Controller to terminate the Terms of Service and receive a pro-rata refund of fees paid thereunder.

5.4 With respect to each Subprocessor, Quickbase agrees to the following:

5.4.1 Before the Subprocessor first Processes Customer Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Data required by the Terms of Service;

5.4.2 Ensure that the arrangement between Quickbase, and such Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum; and

5.4.3 Provide for Customer review of the form of agreement for such written contract, as Customer may request up to once per year.

5.5 Quickbase shall ensure that each Subprocessor performs the relevant obligations herein, as they apply to processing of Customer Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Quickbase.

6. Data Subject Rights

6.1 Quickbase will provide reasonable assistance to Customer to respond to requests to exercise Data Subject rights under the Data Protection Laws. Such reasonable assistance will include implementing appropriate technical and organizational measures. Additional measures may be at the expense of the Customer.

6.2 Quickbase will:

6.2.1 Promptly notify Customer if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and

6.2.2 Ensure that the Contracted Processor does not respond to that request except on the documented instructions of Customer or the relevant Customer Affiliate or as required by Data Protection Laws to which the Contracted Processor is subject, in which case Quickbase will, to the extent permitted by Data Protection Laws, inform Customer of that legal requirement before the Contracted Processor responds to the request.

7. Personal Data Breach

7.1 Quickbase will notify Customer without undue delay upon Quickbase becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. Such notification will at a minimum:

7.1.1 Describe the nature of the Personal Data Breach, the location of the records breached;

7.1.2 Communicate the name and contact details of Quickbase’s data protection officer or other relevant contact from whom more information may be obtained;

7.1.3 Describe the likely consequences of the Personal Data Breach; and

7.1.4 Describe the measures taken or proposed to be taken to address the Personal Data Breach.

7.2 Quickbase will provide reasonable assistance to Customer if Customer is required under Data Protection Laws to notify a regulatory authority of any data subjects impacted by a Personal Data Breach. Prior to making reference to Quickbase (whether or not by name), in any notice to a regulatory authority or any other public or private breach notice, Customer agrees to consult with Quickbase in good faith to consider any clarifications or corrections related to the notice.

8. Data Protection Impact Assessment and Prior Consultation

Quickbase will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer by any Data Protection Law in each case solely in relation to processing of Customer Personal Data by, and taking into account the nature of the processing and information available to, the Contracted Processors.

9. Deletion or return of Customer Personal Data

9.1 Subject to sections 9.2 and 9.3, following the date of cessation of any Services involving the processing of Customer Personal Data (the "Cessation Date"), Quickbase will promptly delete, anonymize, and procure the deletion or anonymization of all copies of Customer Personal Data. Nothing herein shall restrict Quickbase’s ability to retain metadata and aggregate data beyond the Term of the Terms of Service.

9.2 At any time prior to the Cessation Date, Customer may access and download a complete copy of all records, including Customer Personal Data. Should Customer require access to records following the Cessation Date, such request must be made (i) in writing, and (ii) must be received within thirty (30) days of the Cessation Date.

9.3 Each Contracted Processor may retain Customer Personal Data to the extent required by Data Protection Laws and for such period as required by Data Protection Laws, provided that Quickbase shall ensure the confidentiality of all such Customer Personal Data. In addition, Quickbase may maintain back-up tapes or other back-up media made in the ordinary course of business for up to seven (7) months from the date of Cessation.

9.4 Upon request, Quickbase will provide written certification to Customer that it has fully complied with this section 9 within 200 days of the Cessation Date.

10. Audit rights

10.1 Subject to Section 10.2 below, upon Customer request up to once per year, Quickbase will make available to Customer evidence that Quickbase is in compliance with this Addendum. Quickbase and Customer agree that such demonstration of compliance by Quickbase is the preferred mechanism for meeting the audits required by applicable Data Protection Laws. Quickbase uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer Personal Data. Such audits are performed regularly at Quickbase’s expense by independent third-party security professionals at Quickbase’s selection and result in the generation of a confidential audit report (“Audit Report”). Upon Customer’s written request no more than once per year, and subject to reasonable confidentiality controls, Quickbase will make available to Customer a copy of Quickbase’s most recent Audit Report. Customer agrees that any audit rights granted by applicable Data Protection Laws will be satisfied by these Audit Reports. To the extent that Quickbase’s provision of an Audit Report does not provide sufficient information or Customer is required to respond to a regulatory authority audit, Customer agrees to a mutually agreed-upon audit plan with Quickbase that: (a) ensures the use of an independent third party; (b) provides written notice to Quickbase in a timely fashion; (c) requests access only during business hours; (d) accepts billing to Customer at Quickbase’s then-current rates; (e) occurs no more than once annually; (f) restricts its findings to only data relevant to Customer; and (g) obligates Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.

10.2 Nothing in this Section shall limit Customer’s Audit Rights under executed EU Standard Contractual Clauses, or the Terms of Service.

11. International Provisions

11.1 Cross border transfers of Customer Personal Data shall be subject to the transfer mechanisms provided in Schedule 3 (Cross Border Data Transfer Mechanisms).

11.2 The processing of Customer Personal Data to which the laws of specific jurisdictions may apply shall be made subject to the additional provisions in Schedule 4 (Jurisdiction Specific Terms).

12. General Terms

12.1 Governing law and jurisdiction: The parties to this Addendum hereby submit to the choice of law and jurisdiction stipulated in the Terms of Service.

12.2 Nothing in this Addendum reduces Quickbase’s obligations under the Terms of Service in relation to the protection of Personal Data, or permits Quickbase to Process (or permit the processing of) Personal Data in a manner which is prohibited by the Terms of Service. In the event of any conflict or inconsistency between this Addendum and the applicable Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

12.3 Liability: For the sake of clarity and insofar as permissible by applicable law, this Addendum will be governed by the limitation of liability provision set forth in the Terms of Service.

12.4 Order of precedence: Subject to section 12.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Terms of Service and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum will prevail.

12.5 Changes in Data Protection Laws, etc.: After the execution of this Addendum, either party may notify the other of additional requirements which the party reasonably considers to be necessary to address the changes to an applicable Data Protection Law. Quickbase, at its option, may: (i) offer alternative language or (ii) consider Customer’s amendment and negotiate in good faith with a view to agreeing and incorporating such language into this Addendum as soon as is reasonably practicable.

12.6 Severability: Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum will remain valid and in force. The invalid or unenforceable provision will be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Schedule 1: Details of Processing

Nature and Purpose of the Processing.

Quickbase will process personal data as necessary to provide the Services under the Agreement. Quickbase does not sell Customer’s Personal Data or Customer end users’ Personal Data and does not share such end users’ information with third parties for compensation or for those third parties’ own business interests.

Customer Personal Data. Quickbase will process Customer Personal Data as a processor in accordance with Customer’s instructions pursuant to this Addendum.

Customer Employee Data. Quickbase will process Customer Employee Data as a controller in accordance with the provisions of this Addendum.

Processing Activities

Quickbase will process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Customer in its use of the Services.

Duration of the Processing

The period for which personal data will be retained and the criteria used to determine that period is as permitted by the Terms of Service and this Addendum.

Categories of Data Subjects

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of Customer (who are natural persons)
  • Employees or contact persons of Customer’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of Customer (who are natural persons)
  • Customer’s Users by Customer to use the Services

Categories of Personal Data

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • First and last name
  • Title
  • Position
  • Employer
  • Contact information (company, email, phone, physical business address)
  • ID data
  • Professional life data
  • Personal life data (including Health data)
  • Connection data
  • Localization data

The Obligations and Rights of Customer and Customer Affiliates

The obligations and rights of Customer and Customer Affiliates are set out in the Terms of Service and this Addendum.

Sensitive Data or Special Categories of Data

Customer Personal Data. Sensitive Data may, from time to time, be processed via the Services where Customer or its end users choose to include Sensitive Data within the Service. Customer is responsible for ensuring that appropriate Data Subject authorizations and suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s end users to transmit or process, any Sensitive Data via the Services.

Customer Employee Data. No Sensitive Data may be included in the Customer Employee Data.

Schedule 2: Technical and Organizational Security Measures

Where applicable, this Schedule 2 will serve as Annex II to the EU Standard Contractual Clauses.

Quickbase uses, as far as reasonably possible and practical, strong encryption for the transport and storage of personal data (transport encryption and data-at-rest encryption). Strong encryption requires that:

(a) transport encryption is used for which it is ensured that the encryption protocols employed are state-of-the-art and provide effective protection against active and passive attacks with resources known to be available to the public authorities of the third country;

(b) the encryption algorithm and its parameterization (e.g., key length, operating mode, if applicable) conform to the state-of-the-art and are to be considered robust against cryptanalysis performed by the public authorities in the recipient country taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them;

(c) the strength of the encryption takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved;

(d) the encryption algorithm is flawlessly implemented by properly maintained software.

Further measures of pseudonymization and encryption of personal data

  • Pseudonymization, where possible;
  • Encryption at rest and encryption in transit;
  • Encryption key kept in the EU or with a trusted third party;
  • Limited timespan for using personal data “in the clear” (i.e., in identifiable form)

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

  • Confidentiality arrangements;
  • Information security policies and procedures;
  • Backup procedures;
  • Remote storage;
  • Mirroring of hard disks (e.g., RAID technology);
  • Uninterruptible power supply;
  • Anti-virus/firewall protection, security patch management;
  • Intrusion prevention, monitoring and detection;
  • Availability controls to protect personal data against accidental destruction or loss

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • Business continuity plan;
  • Disaster recovery procedure;
  • Incident response plan

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

  • Internal and external audit program, audit reports and documentation;
  • Testing of back up processes and business continuity procedures;
  • Risk evaluation and system monitoring on a regular basis;
  • Vulnerability and penetration testing on a regular basis

Measures for user identification and authorization

  • Internal policies and procedures;
  • User authentication controls, including secure methods of assigning, selecting and storing access credentials and blocking access after a reasonable number of failed authentication attempts;
  • Restricting access to certain users;
  • Access granted based on a need-to-know, supported by protocols for access authorization, establishment, modification and termination of access rights;
  • Logging and reporting systems;
  • Control authorization schemes;
  • Differentiated access rights (profiles, roles, transactions and objects);
  • Monitoring and logging of accesses;
  • Disciplinary action against employees who access personal data without authorization;
  • Reports of access;
  • Access procedure;
  • Change procedure

Measures for the protection of data during transmission

  • Encryption in transit;
  • Pseudonymization, where possible;
  • Transport security;
  • Network segregation;
  • Logging;
  • Electronic signatures

Measures for the protection of data during storage

  • Encryption at rest;
  • Access controls;
  • Logical separation of databases and logical segmentation of Customer personal data from data of other vendor customers;
  • “Internal client” concept / limitation of use;
  • Segregation of functions (production/testing);
  • Procedures for storage, amendment, deletion, transmission of data for different purposes

Measures for ensuring physical security of locations at which personal data are processed

  • Establishing security areas, restriction of access paths;
  • Establishing access authorizations for employees and third parties with a need-to-know;
  • Access control system (ID reader, magnetic card, chip card);
  • Key management, card-keys procedures;
  • Door locking (electric door openers etc.);
  • Security staff, janitors;
  • Surveillance facilities, video/CCTV monitor, alarm system;
  • Securing decentralized processing equipment and personal computers

Measures for ensuring events logging

  • User identification and authentication procedures;
  • ID/password security procedures (special characters, minimum length, change of password when warranted);
  • Automatic blocking (e.g., password or timeout);
  • Monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts;
  • Encryption and pseudonymization

Measures for ensuring system configuration, including default configuration

  • Up-to-date baseline configuration documentation and settings

Measures for internal IT and IT security governance and management

  • Information security policies and procedures;
  • Incident response plan;
  • Regular internal and external audit;
  • Review and supervision of information security program

Measures for certification/assurance of processes and products

  • NIST SP800-53, NIST CSF
  • SOC1 – Type II; SOC2 – Type II
  • HIPAA Security Rule
  • DFARS

Measures for ensuring data minimization

  • Documentation regarding which data categories need to be processed;
  • Ensure that the minimum amount of data is processed to fulfill the purpose of the processing

Measures for ensuring limited data retention

  • Records retention schedule;
  • Data retention policy;
  • Personal data is deleted or irreversibly anonymized after expiration of the retention period

Measures for ensuring accountability

  • Internal policies and procedures;
  • Privacy by design and by default;
  • Records of data processing activities;
  • Privacy Impact Assessments, where required;
  • Adequate agreements with third parties;
  • Criteria for selecting the sub-processors;
  • Vendor onboarding process and vetting;
  • Monitoring of contract performance;
  • GDPR and InfoSec training program

Measures for allowing data portability and ensuring erasure

  • Personal data is made available to export in an electronically portable format using industry standards;
  • Reduction methods are used, where necessary;
  • Secure disposal of information stored on magnetic and non-magnetic media that prevents potential recovery of the information

Schedule 3: Cross Border Data Transfer Mechanisms

Definitions

“Argentina Standard Contractual Clauses” means the Standard Contractual Clauses approved by the Agency for Access to Information of Argentina pursuant to Rule No. 60-E/2016.

“EEA” means the European Economic Area.

“EU Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

“UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022.

Cross Border Data Transfer Mechanisms

Argentina Standard Contractual Clauses. Customer and Quickbase agree that the Argentina Standard Contractual Clauses will apply to personal data that is transferred via the Services from Argentina, either directly or via onward transfer, to any country or recipient outside of Argentina that is not recognized by the competent regulatory authority as providing an adequate level of protection for personal data. For data transfers from Argentina that are subject to the Argentina Standard Contractual Clauses, the Argentina Standard Contractual Clauses will be deemed entered into, and incorporated into this Addendum by this reference, and completed as follows:

  • As to the processing of Customer Personal Data (other than Customer Employee Data), the controller-to-processor Argentina Standard Contractual Clauses shall apply, and Quickbase shall be a processor and Customer a controller.
  • As to the processing of Customer Employee Data, the controller-to-processor Argentina Standard Contractual Clauses shall apply and both parties shall be controllers (and not joint controllers).
  • The “importer” shall be Quickbase, Inc. The contact details for the importer shall be: Assistant General Counsel, [email protected].
  • The “exporter” shall be the Customer. The contact details for the exporter shall be: email address(es) designated by Customer in Customer’s account via its notification preferences or as set forth in the Terms of Service.
  • The Description of Processing in Annex A, including the importer’s role, the nature and categories of personal data to be transferred, and the period for which the personal data will be retained are set forth in Schedule 1 to this Addendum.
  • For transfers to sub-processors, the subject matter, nature, and duration of the processing is set forth at https://www.quickbase.com/data-subprocessors

By entering into the Addendum, the importer and exporter are deemed to have signed these Argentina Standard Contractual Clauses incorporated herein, including Annex A, as of the effective date of the Addendum.

EU Standard Contractual Clauses. The EU Standard Contractual Clauses will apply to personal data that is transferred via the Services from the EEA, Switzerland, Guernsey, Isle of Man, or Jersey, either directly or via onward transfer, to any country or recipient outside of these jurisdictions that is not recognized by the relevant competent authority as providing an adequate level of protection for personal data. For data transfers that are subject to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be deemed entered into, and incorporated into this Addendum by this reference, and completed as follows:

(a) Module One (Controller to Controller) of the EU Standard Contractual Clauses will apply where Quickbase is processing Customer Employee Data;

(b) Module Two (Controller to Processor) of the EU Standard Contractual Clauses will apply where Customer is a controller of Customer Personal Data and Quickbase is processing Customer Personal Data (other than Customer Employee Data);

(c) Module Three (Processor to Processor) of the EU Standard Contractual Clauses will apply where Customer is a processor of Customer Personal Data and Quickbase is processing Customer Personal Data;

(d) For each Module, where applicable:

(i) in Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will apply;

(ii) in Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply and the time period for prior written notice of sub-processor changes will be as set forth in this Addendum;

(iii) in Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply;

(iv) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by Irish law;

(v) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;

(vi) in Annex I, Part A of the EU Standard Contractual Clauses:

  • Data Exporter: Customer
  • Contact details: The email address(es) designated by Customer in Customer’s account via its notification preferences or as set forth in the Terms of Service.
  • Data Exporter Role: The Data Exporter’s role is set forth in Schedule 1 (either controller or processor) of this Addendum.
  • Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Agreement.
  • Data Importer: Quickbase Inc.
  • Contact details: Quickbase General Counsel, [email protected].
  • Data Importer Role: The Data Importer’s role is set forth in Schedule 1 of this Addendum.
  • Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these EU Standard Contractual Clauses, incorporated herein, including their Annexes, as of the effective date of the Agreement;

(vii) in Annex I, Part B of the EU Standard Contractual Clauses:

  • The categories of data subjects are set forth in Schedule 1 of this Addendum.
  • The Sensitive Data transferred is set forth in Schedule 1 of this Addendum.
  • The frequency of the transfer is on a continuous basis for the duration of the Terms of Service.
  • The nature of the processing is set forth in Schedule 1 of this Addendum.
  • The purpose of the processing is set forth in Schedule 1 of this Addendum.
  • The period for which the personal data will be retained is set forth in Schedule 1 of this Addendum.
  • For transfers to sub-processors, the subject matter and nature of the processing is set forth at https://www.quickbase.com/data-subprocessors. The duration of processing by sub-processors will be the duration of the Terms of Service.

(viii) in Annex I, Part C of the EU Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority; and

(ix) Schedule 2 (Technical and Organizational Security Measures) of this Addendum serves as Annex II of the EU Standard Contractual Clauses.

UK International Data Transfer Agreement. Customer and Quickbase agree that the UK International Data Transfer Agreement will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK International Data Transfer Agreement, the UK International Data Transfer Agreement will be deemed entered into, and incorporated into this Addendum by this reference, and completed as follows:

(a) In Table 1 of the UK International Data Transfer Agreement, Customer's and Quickbase's details and key contact information are set forth in the Terms of Service;

(b) In Table 2 of the UK International Data Transfer Agreement, information about the version of the Approved EU SCCs, modules, and selected clauses, which the UK International Data Transfer Agreement is appended to, are set forth above in this Schedule 3;

(c) In Table 3 of the UK International Data Transfer Agreement:

  • (i) The list of Parties is set forth in the Terms of Service.
  • (ii) The description of the transfer is set forth in Schedule 1 (Details of the Processing).
  • (iii) Annex II is located in Schedule 2 (Technical and Organizational Security Measures) of this Addendum.
  • (iv) The list of sub-processors is available at https://www.quickbase.com/data-subprocessors; and

(d) In Table 4 of the UK International Data Transfer Agreement, both the Importer and the exporter may end the UK International Data Transfer Agreement in accordance with the terms of the UK International Data Transfer Agreement.

Conflict. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or UK International Data Transfer Agreement and any other terms in this Addendum, the Terms of Service, or the Quickbase Privacy Policy, the provisions of the EU Standard Contractual Clauses or UK International Data Transfer Agreement, as applicable, will prevail.

Schedule 4: Jurisdiction Specific Terms

Argentina

  • The definition of “Data Protection Laws” includes Law No. 25,326 of Protection of Personal Data of Argentina.

Australia

  • The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).
  • The definition of “personal data” includes “Personal Information” as defined under Data Protection Laws.
  • The definition of “Sensitive Data” includes “Sensitive Information” as defined under Data Protection Laws.

Brazil

  • The definition of “Data Protection Laws” includes the Lei Geral de Proteção de Dados (General Personal Data Protection Act).
  • The definition of “Personal Data Breach” includes a Personal Data Breach that may result in any relevant risk or damage to data subjects.
  • The definition of “processor” includes “operator” as defined under Data Protection Laws.

Canada

  • The definition of “Data Protection Laws” includes the Federal Personal Information Protection and Electronic Documents Act.
  • Quickbase’s sub-processors, as set forth in this Addendum, are third parties under Data Protection Laws, with whom Quickbase has entered into a written contract that includes terms substantially similar to this Addendum. Quickbase has conducted appropriate due diligence on its sub-processors.
  • Quickbase will implement technical and organizational measures as set forth in Schedule 3 of this Addendum.

European Economic Area (EEA)

  • The definition of “Data Protection Laws” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).
  • When Quickbase engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
    • (a) require any appointed sub-processor to protect the Customer Personal Data to the standard required by Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
    • (b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses.

Israel

  • The definition of “Data Protection Laws” includes the Protection of Privacy Law.
  • The definition of “controller” includes “Database Owner” as defined under Data Protection Laws.
  • The definition of “processor” includes “Holder” as defined under Data Protection Laws.
  • Quickbase will require that any personnel authorized to process Customer Personal Data comply with the principle of data secrecy and have been duly instructed about Data Protection Laws. Such personnel sign confidentiality agreements with Quickbase in accordance with this Addendum.

Japan

  • The definition of “Data Protection Laws” includes the Act on the Protection of Personal Information (“APPI”).
  • The definition of “personal data” includes information about a specific individual applicable under Section 2(1) of the APPI, which Customer entrusts to Quickbase during Quickbase’s provision of the Services to Customer.
  • Quickbase agrees it has and will maintain a privacy program conforming to the standards prescribed by rules of the Personal Information Protection Commission concerning the handling of personal data pursuant to the provisions of Chapter 4 of the APPI. Accordingly:
    • Quickbase will (i) process personal data as necessary to provide the Services to Customer in accordance with the Agreement and as set forth in Schedule 1 (Details of the Processing) of this Addendum and (ii) not process personal data for any other purpose without Customer’s consent;
    • Quickbase will implement and maintain measures appropriate and necessary to prevent unauthorized disclosure and loss of personal data and for the secure management of personal data in accordance with the APPI as set forth in Schedule 3 of this Addendum;
    • Quickbase will notify Customer for (i) a failure to comply with the purpose of use limitations of this Schedule 4 or (ii) Quickbase’s discovery of a Personal Data Breach impacting Customer Data, in either case, in accordance with this Addendum. Quickbase will provide reasonable assistance to Customer in the event that Customer is required to notify a regulatory authority or any data subjects impacted by a Personal Data Breach;
    • Quickbase will ensure that any of its employees who have access to personal data (i) have executed employee agreements requiring them to keep such personal data confidential and (ii) who violate confidentiality will be subject to disciplinary action and possible termination; (iii) carry out appropriate employee supervision and training for the secure management of personal data; and (iv) limit the number of authorized personnel, including Quickbase’s employees, who have access to personal data and control such access such that it is only permitted for the time period necessary for the Purpose of Use;
    • Quickbase will promptly notify Customer of any third party request and not respond to such Third Party Request without Customer’s prior consent, except as legally required to do so or to confirm that such third party request relates to Customer. To the extent Customer does not have the ability to resolve a third party request from a data subject through the self-service features made available via the Services, then, upon Customer’s request, Quickbase will provide reasonable cooperation and support to assist Customer in resolving such third party request from a data subject;
    • Unless prohibited by applicable law or regulation, Quickbase will promptly notify Customer of any third party request that requires Quickbase to disclose personal data on order or disposition of any governmental authority or court of law;
    • Customer agrees that Quickbase is not a “third party” as the term is used in the APPI provisions that restrict the provision of personal data to third parties. As such, the requirement to obtain data subject consent in advance for domestic transfers within Japan does not apply.

Mexico

  • The definition of “Data Protection Laws” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations.

Singapore

  • The definition of “Data Protection Laws” includes the Personal Data Protection Act 2012 (“PDPA”).
  • Quickbase will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Schedule 3 of this Addendum and complying with the terms of the Terms of Service.

Switzerland

  • The definition of “Data Protection Laws” includes the Swiss Federal Act on Data Protection, as revised (“FADP”).
  • When Quickbase engages a sub-processor, it will:
    • require any appointed sub-processor to protect the Customer Personal Data to the standard required by Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular, providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
    • require any appointed sub-processor to (i) agree in writing to only process personal data in a country that Switzerland has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses.
  • To the extent that personal data transfers from Switzerland are subject to the EU Standard Contractual Clauses, the following amendments will apply to the EU Standard Contractual Clauses:
    • references to “EU Member State” and “Member State” will be interpreted to include Switzerland, and
    • insofar as the transfer or onward transfers are subject to the FADP:
      • references to "Regulation (EU) 2016/679" are to be interpreted as references to the FADP;
      • the “competent supervisory authority” in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;
      • in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and
      • in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.

United Kingdom (UK)

  • References in this Addendum to “GDPR” will be deemed references to the corresponding laws and regulations of the United Kingdom, including, without limitation, the UK GDPR and Data Protection Act 2018.
  • When Quickbase engages a sub-processor, it will:
    • require any appointed sub-processor to protect the Customer Personal Data to the standard required by Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
    • require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the United Kingdom has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the UK International Data Transfer Agreement.
  • Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.
  • Customer acknowledges that Quickbase, as a controller, may be required under Data Protection Laws to notify a regulatory authority of Personal Data Breaches involving Customer Usage Data. If a regulatory authority requires Quickbase to notify impacted data subjects with whom Quickbase does not have a direct relationship (e.g., Customer’s end users), Quickbase will notify Customer of this requirement. Customer will provide reasonable assistance to Quickbase to notify the impacted data subjects.

United States of America

  • “US State Privacy Laws” mean all state laws relating to the protection and processing of personal data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.
  • The definition of “Data Protection Laws” includes US State Privacy Laws.
  • The following terms apply where Quickbase processes personal data subject to the CCPA:
    • The term “personal information”, as used herein, will have the meaning provided in the CCPA;
    • Quickbase is a service provider when processing Customer Personal Data. Quickbase will process any personal information contained in Customer Personal Data only for the business purposes set forth in the Agreement, including the purpose of processing and processing activities set forth in this Addendum. As a service provider, Quickbase will not sell or share Customer Personal Data or retain, use, or disclose Customer Personal Data (i) for any other purpose, including retaining, using, or disclosing Customer Personal Data for a commercial purpose outside the scope of the Terms of Service, or as otherwise permitted by the CCPA; or (ii) outside of the direct business relationship between Customer and Quickbase;
    • Quickbase will (i) comply with obligations applicable to it as a service provider under the CCPA and (ii) provide personal information with the same level of privacy protection as is required by the CCPA. Customer is responsible for ensuring that it has complied, and will continue to comply, with the requirements of the CCPA in its use of the Services and its own processing of personal information;
    • Customer will have the right to take reasonable and appropriate steps to help ensure that Quickbase uses personal information in a manner consistent with Customer’s obligations under the CCPA;
    • Quickbase will notify Customer if it makes a determination that it can no longer meet its obligations as a service provider under the CCPA;
    • Upon notice, Customer will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of personal information;
    • Quickbase will provide reasonable additional and timely assistance to assist Customer in complying with its obligations with respect to consumer requests as set forth in the Agreement;
    • For any sub-processor used by Quickbase to process personal information subject to the CCPA, Quickbase will ensure that Quickbase’s agreement with such sub-processor complies with the CCPA, including, without limitation, the contractual requirements for service providers and contractors;
    • Quickbase will not combine Customer Personal Data that it receives from, or on behalf of, Customer, with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, unless such combination is required to perform any business purpose as permitted by the CCPA, including any regulations thereto, or by regulations adopted by the California Privacy Protection Agency; and
    • Quickbase certifies that it understands and will comply with its obligations under the CCPA.
  • Quickbase acknowledges and confirms that it does not receive Customer Personal Data as consideration for any Services provided to Customer.