Skip to content

Data Processing Addendum

Data Processing Addendum

Effective November 17, 2025

DOCUMENT METADATA

Effective Date

November 17, 2025

Jurisdiction

Suffolk County, Massachusetts

Governing Law

Commonwealth of Massachusetts

Parties

GrowthFactor, Inc. & Customer

§ 01§ 02§ 03§ 04§ 05§ 06§ 07§ 08§ 09§ 10§ 11

§ 01

Definitions

This Data Processing Addendum ("DPA") forms part of the Master Services Agreement and/or any applicable SOWs, Terms of Service, or Order Forms (together, the "Agreement") between GrowthFactor, Inc., a Delaware Corporation ("GrowthFactor") and the customer entity that has executed the Agreement ("Customer"). This DPA is an addendum to, and forms part of, the Agreement. It shall be effective and legally binding as of the date the Agreement is executed.

This DPA sets out the terms that apply when Personal Information is Processed by GrowthFactor under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose Personal Information are Processed.

KEY DEFINITION — CONTROLLER

"Controller" shall mean the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Information.

KEY DEFINITION — CUSTOMER PERSONAL INFORMATION

"Customer Personal Information" means electronic data and information submitted by or for Customer to GrowthFactor, in connection with the performance of the Services under the Agreement containing Personal Information.

KEY DEFINITION — DATA PROTECTION LAWS

"Data Protection Laws and Regulations" means all applicable federal and state laws and regulations binding on a Party with respect to the Party's processing, protection, or privacy of the Personal Information, including the CCPA, the Connecticut Data Privacy Act, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, and any corresponding or equivalent United States state or federal laws or regulations.

"Consumer" means an identified natural person as defined by applicable Data Protection Laws and Regulations. "Business Purpose," "Processing," "Personal Information," "Sell," "Service Provider," "Share," and "Subcontractor" shall have the same meaning as those terms in the CCPA or other Data Protection Laws and Regulations.

§ 02

Purpose

This DPA sets out the terms that apply when Personal Information is Processed by GrowthFactor under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose Personal Information are Processed.

§ 03

Processing of Customer Personal Information

§ 03.1

Roles of the Parties

Roles of the Parties

The Parties acknowledge and agree that with regard to the Processing of Customer Personal Information as is necessary for providing the Services, Customer is the Controller, GrowthFactor is the Service Provider.

§ 03.2

Data Minimization

Customer shall endeavor to, and shall train its personnel to, exercise all possible care in minimizing GrowthFactor's access to or Processing of any Customer Personal Information to the extent solely and strictly necessary for the performance of the Services.

§ 03.3

Customer's Processing of Customer Personal Information

Customer, as Controller, shall:

  1. Be responsible for ensuring that it has complied, and will continue to comply, with all applicable Data Protection Laws and Regulations
  2. Ensure it has, and will continue to have, the right to process, transfer, and/or provide access to, the Customer Personal Information to GrowthFactor for Processing in accordance with the terms of the Agreement and this DPA
  3. Have sole responsibility for the accuracy, quality, and legality of Customer Personal Information and the means by which Customer acquired Customer Personal Information

Customer specifically acknowledges that its use of the Services will not violate the rights of any Consumer that has opted-out from sales or other disclosures of Personal Information, to the extent applicable under the CCPA.

§ 03.4

GrowthFactor's Processing of Customer Personal Information

GrowthFactor shall treat Customer Personal Information as Confidential Information and shall Process Customer Personal Information on behalf of Customer as is necessary for providing the Services and only in accordance with Customer's documented instructions as set out in this DPA. Any Processing required outside of the scope of these instructions will require prior written agreement between the Parties.

The Parties acknowledge and agree that GrowthFactor's Processing of Customer Personal Information is as a Service Provider for a Business Purpose (i.e., performing services on behalf of Customer).

§ 03.5

Data Protection Impact Assessments

Upon Customer's request and if required by applicable Data Protection Laws and Regulations, GrowthFactor shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer's obligation to carry out a data protection impact assessment related to Customer's use of the Services.

§ 04

Details of Data Processing

§ 04.1

Subject Matter

The subject matter of the Processing under this DPA is the Customer Personal Information.

§ 04.2

Frequency and Duration

Notwithstanding expiration or termination of the Agreement, GrowthFactor will Process the Customer Personal Information continuously and until deletion of all Customer Personal Information as described in this DPA.

§ 04.3

Nature of the Processing

GrowthFactor will perform Processing as needed for the Business Purposes, and to comply with Customer's Processing instructions as provided in accordance with the Agreement and this DPA.

The Parties acknowledge and agree that the processing of Personal Information by GrowthFactor under this DPA may include the use of automated tools and technologies, including Artificial Intelligence, for purposes that are consistent with the legitimate Business Purposes outlined in the Agreement, such as data analysis, optimization, and service enhancement.

§ 04.4

Retention Period

The period for which Customer Personal Information will be retained and the criteria used to determine that period is determined by Customer during the term of the Agreement via Customer's use and configuration of the Service. Upon termination or expiration of the Agreement, Customer may retrieve or delete Customer Personal Information as described in the Agreement.

§ 04.5

Categories of Consumers

The categories of Consumers to which Customer Personal Information relate are determined and controlled by Customer in its sole discretion, and may include, but are not limited to: employees or contact persons of Customer or Customer's business partners, and end customers of Customer.

§ 04.6

Categories of Personal Information

The types of Customer Personal Information are determined and controlled by Customer in its sole discretion, and may include, but are not limited to: identification and contact data (name, phone number, email address, mailing address).

§ 05

Rights of Consumers

§ 05.1

Consumer Request

GrowthFactor shall promptly notify Customer if GrowthFactor receives a request from a Consumer to exercise the Consumer's rights, including to access, correct, obtain a portable copy, or delete Personal Information as allowed by the CCPA or applicable Data Protection Laws and Regulations (each such request being a "Consumer Request").

Taking into account the nature of the Processing, GrowthFactor shall assist Customer by appropriate technical and organizational measures for the fulfilment of Customer's obligation to respond to a Consumer Request under CCPA or Data Protection Laws and Regulations. In addition, if requested by Customer, GrowthFactor shall assist Customer in responding to such Consumer Request.

§ 05.2

GrowthFactor Personnel Confidentiality

GrowthFactor shall ensure that its personnel engaged in the Processing of Customer Personal Information are informed of the confidential nature of the Customer Personal Information, have received appropriate training on their responsibilities, and have executed written confidentiality agreements.

§ 06

Use of Subcontractors

§ 06.1

Subcontractor Engagement

Customer acknowledges and agrees that: (i) GrowthFactor's Affiliates may be retained as subcontractors; and (ii) GrowthFactor and GrowthFactor's Affiliates may engage third-party subcontractors in connection with the provision of the Services.

GrowthFactor has entered into a written agreement with each subcontractor containing data protection obligations that comply with the CCPA and are not less protective than those in this Agreement with respect to the protection of Customer Personal Information to the extent applicable to the nature of the Services provided by such subcontractors.

§ 06.2

Liability

GrowthFactor shall be liable for its subcontractors to the same extent GrowthFactor would be liable if performing the services of each subcontractor directly under the terms of this DPA.

§ 07

Security Controls for the Protection of Customer Personal Information

§ 07.1

Technical and Organizational Measures

GrowthFactor shall maintain reasonable and appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Information), confidentiality and integrity of Customer Personal Information.

§ 07.2

Personnel

GrowthFactor shall take all reasonable steps to ensure the reliability of any GrowthFactor Personnel who may have access to, or are authorized to process, Customer Personal Information. GrowthFactor shall ensure that such GrowthFactor Personnel are bound by appropriate contractual confidentiality, data protection, and data security obligations in accordance with applicable Data Protection Laws and Regulations and this DPA.

§ 07.3

Compliance Monitoring

Upon Customer's reasonable request, GrowthFactor shall make available to Customer all information in GrowthFactor's possession necessary to demonstrate GrowthFactor's compliance with its obligations under this DPA and applicable Data Protection Laws and Regulations.

Customer may monitor GrowthFactor's compliance with this DPA through reviews, audits, or regular assessments to be conducted in the form of a written questionnaire once per year.

§ 08

Security Commitment

Security Commitment

GrowthFactor is committed to maintaining the highest standards of data security. Our technical and organizational measures are designed to protect Customer Personal Information against unauthorized access, alteration, disclosure, or destruction. We continuously review and improve our security practices.

§ 09

CCPA Specific Provisions

CCPA Compliance

The following provisions apply to Customer Personal Information that is subject to the CCPA, or to any other Customer Personal Information to the extent required by other Data Protection Laws and Regulations.

GrowthFactor shall not:

  • Sell or Share Customer Personal Information except to perform the Business Purposes specified in this DPA and the Agreement
  • Combine Customer Personal Information received from or on behalf of Customer with Personal Information received from or on behalf of another person or persons, or collected from its own interaction with a Consumer, except to perform the specified Business Purposes
  • Retain, use, or disclose Customer Personal Information for any purpose, including any commercial purpose, other than the Business Purposes specified in this DPA, the Agreement, or as otherwise permitted by the CCPA or outside of the direct business relationship between Customer and GrowthFactor

Upon determination by GrowthFactor that it can no longer comply with CCPA or any Data Protection Laws and Regulations, GrowthFactor shall notify Customer without undue delay.

GrowthFactor certifies that it understands the restrictions set forth in this DPA and the CCPA and shall comply with these restrictions. Upon notice, Customer reserves the right to take reasonable and appropriate steps to stop and remediate GrowthFactor's unauthorized use of Customer Personal Information.

§ 10

Customer Personal Information Incident Management and Notification

Data Breach Notification

GrowthFactor shall notify Customer without undue delay after becoming aware of a confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Information (a "Customer Personal Information Incident").

To assist Customer in relation to any personal data breach notifications Customer is required to make under the applicable Data Protection Laws and Regulations, GrowthFactor shall include in the notification such information about the Customer Personal Information Incident as is required by such Data Protection Laws and Regulations, to the extent that such information is reasonably available to GrowthFactor.

GrowthFactor shall take all reasonable and necessary steps to remediate the cause of such Customer Personal Information Incident, to preclude further Customer Personal Information Incidents. Where and insofar as GrowthFactor cannot provide all the information relevant to a Customer Personal Information Incident at the same time, it may provide such information in phases without undue further delay.

§ 11

General Provisions

Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.

Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. This DPA will automatically terminate on the termination or expiry of the Agreement.

View the Terms of Service