SCHE­DULE 4 to the ActiveCampaign Data Proces­sing Adden­dum Brazil SCCs

CLAUSE 1. Identification of the Parties

1. By this agreement, the Exporter and the Importer (hereinafter, “Parties”), identified below, have agreed to these standard contractual clauses (hereinafter, “Clauses”) approved by the National Data Protection Authority - ANPD, to govern the International Data Transfer described in CLAUSE 2, in accordance with the provisions of the National Legislation.

Exporter (Controller):

Name: Client, as defined in the Addendum to which these Clauses are appended

Main address: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Email address and Contact for the Data Subject: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Importer (Processor): 

Name: ActiveCampaign, LLC

Main address: 1 North Dearborn Street, Fifth Floor, Chicago, IL 60302

Email address and Contact for the Data Subject: Legal Department, legal@activecampaign.com

CLAUSE 2. Object and Scope of application

1. This agreement shall apply to International Transfers of Personal Data between Data Exporters and Data Importers, as described below.

Description of the international transfer:

Please see details set forth in Schedule 1 to the Addendum to which these Clauses are appended.

CLAUSE 3. Onward Transfers

1. The Importer may carry out an Onward Transfer of Personal Data subject to the International Data Transfer governed by these Clauses, in the cases and according to the conditions described below and the provisions of CLAUSE 18.

Identification of the third-party recipient: 

Please see details set forth in the Sub-processor Webpage.

CLAUSE 4. Designated Party

1. Without prejudice to the duty of mutual assistance and the general obligations of the Parties, the Designated Party below, which is the Controller, shall be primarily responsible for complying with the following obligations set forth in these Clauses:
2. Responsible for publishing the document provided in CLAUSE 14: Exporter
3. Responsible for responding to requests from Data Subjects dealt with in CLAUSE 15: Exporter
4. Responsible for notifying the security incident provided in CLAUSE 16: Exporter
5. For the purposes of these Clauses, if the Designated Party pursuant to item 4.1. is the Processor, the Controller remains responsible for:
6. the compliance with the obligations provided in CLAUSES 14, 15 and 16 and other provisions established in the National Legislation, especially in case of omission or non-compliance with the obligations by the Designated Party;
7. complying with ANPD determinations; and
8. the guarantee of the Data Subjects' rights and the repairing of the damage caused.

CLAUSE 5. Purpose

1. These Clauses are presented as a mechanism which enables a safe international flow of personal data, establish minimum guarantees and valid conditions for carrying out an International Data Transfer and aim at guaranteeing the adoption of adequate safeguards for compliance with the principles, the Data Subject’s rights and the data protection regime provided in the National Legislation.

CLAUSE 6. Definitions

6.1  For the purposes of these Clauses, the definitions of article 5 of the LGPD, of the Regulation on the International Transfer of Personal Data and of other normative acts issued by the ANPD shall be considered. The Parties further agree to consider the terms and their respective meanings, as set out below:

1. Processing agents: the controller and the processor;
2. ANPD: National Data Protection Authority;
3. Clauses: the standard contractual clauses approved by the ANPD, which are part of SECTIONS I, II and III;
4. Related Contract: contractual instrument signed between the Parties or, at least, between one of them and a third party, including a Third Party Controller, which has a common purpose, link or dependency relationship with the contract that governs the International Data Transfer;
5. Controller: Party or third party (“Third Controller”) responsible for decisions regarding the processing of Personal Data;
6. Personal Data: information related to an identified or identifiable natural person;
7. Sensitive Personal Data: personal data on racial or ethnic origin, religious belief, political opinion, affiliation to trade unions or to a religious, philosophical or political organization, data regarding health or sexual life, genetic or biometric data, whenever related to a natural person;
8. deletion: exclusion of data or dataset from a database, regardless of the procedure used;
9. Exporter: processing agent, located in the national territory or in a foreign country, who transfers personal data to the Importer;
10. Importer: processing agent, located in a foreign country, who receives personal data from the Exporter;
11. National Legislation: set of Brazilian constitutional, legal and regulatory provisions regarding the protection of Personal Data, including the LGPD, the International Data Transfer Regulation and other normative acts issued by the ANPD;
12. Arbitration Law: Law No. 9,307, of September 23, 1996;
13. LGPD: General Data Protection Law (Brazilian Federal Law No. 13,709, of August 14, 2018);
14. Security Measures: technical and administrative measures able to protect Personal Data from unauthorized access and from accidental or unlawful events of destruction, loss, alteration, communication or dissemination;
15. Research Body: body or entity of the government bodies or associated entities or a non-profit private legal entity legally established under Brazilian laws, having their headquarter and jurisdiction in the Brazilian territory, which includes basic or applied research of historical, scientific, technological or statistical nature in its institutional mission or in its corporate or statutory purposes;
16. Processor: Party or third party, including a Sub-processor, which processes Personal Data on behalf of the Controller;
17. Designated Party: Party or a Third Party Controller, under the terms of CLAUSE 4, designated to fulfill specific obligations regarding transparency, Data Subjects’ rights and notifying security incidents;
18. Parties: Exporter and Importer;
19. Access Request: request for mandatory compliance, by force of law, regulation or determination of public authority, to grant access to the Personal Data subject to the International Data Transfer governed by these Clauses;
20. Sub-processor: processing agent hired by the Importer, with no link with the Exporter, to process Personal Data after an International Data Transfer;
21. Third Party Controller: Personal Data Controller who authorizes and provides written instructions for the carrying out of the International Data Transfer between Processors governed by these Clauses, on his behalf, pursuant to Clause 4 (“Option B”);
22. Data Subject: natural person to whom the Personal Data which are subject to the International Data Transfer governed by these Clauses relate;
23. Transfer: processing modality through which a processing agent transmits, shares or provides access to Personal Data to another processing agent;
24. International Data Transfer: transfer of Personal Data to a foreign country or to an international organization which Brazil is a member of; and
25. Onward Transfer: transfer of Personal Data, within the same country or to another country, by an Importer to a third party, including a Sub- processor, provided that it does not constitute an Access Request.

CLAUSE 7. Applicable legislation and ANPD supervision

7.1.  The International Data Transfer subject to these Clauses shall subject to the National Legislation and to the supervision of the ANPD, including the power to apply preventive measures and administrative sanctions to both Parties, as appropriate, as well as the power to limit, suspend or prohibit the international transfers arising from this agreement or a Related Agreement.

CLAUSE 8. Interpretation

8.1. Any application of these Clauses shall occur in accordance with the following terms:

1. these Clauses shall always be interpreted more favorably to the Data Subject and in accordance with the provisions of the National Legislation;
2. in case of doubt about the meaning of any term in these Clauses, the meaning which is most in line with the National Legislation shall apply;
3. no item in these Clauses, including a Related Agreement and the provisions set forth in SECTION IV, shall be interpreted as limiting or excluding the liability of any of the Parties in relation to obligations set forth in the National Legislation; and
4. provisions of SECTIONS I and II shall prevail in case of conflict of interpretation with additional clauses and other provisions set forth in SECTIONS III and IV of this agreement or in Related Agreements.

CLAUSE 9. Docking Clause

1. By mutual agreement between the Parties, it shall be possible for a processing agent to adhere to these Clauses, either as a Data Exporter or as a Data Importer, by completing and signing a written document, which shall form part of this contract.
2. On and after the Accession Date, the adhering party shall have the same rights and obligations as the originating Parties, depending on the assumed role of a Data Exporter or a Data Importer, and according to the corresponding category of processing agent.

CLAUSE 10. General obligations of the Parties

10.1. The Parties undertake to adopt and, when necessary, demonstrate the implementation of effective measures capable of demonstrating observance of and compliance with the provisions of these Clauses and the National Legislation, as well as with the effectiveness of such measures and, in particular:

1. use the Personal Data only for the specific purposes described in CLAUSE 2, with no possibility of subsequent processing incompatible with such purposes, subject to the limitations, guarantees and safeguards provided for in these Clauses;
2. guarantee the compatibility of the processing with the purposes informed to the Data Subject, according to the processing activity context;
3. limit the processing activity to the minimum required for the accomplishment of its purposes, encompassing pertinent, proportional and non-excessive data in relation to the Personal Data processing purposes;
4. guarantee to the Data Subjects, subject to the provisions of CLAUSE 4:

(d.1.)  clear, accurate and easily accessible information on the processing activities and the respective processing agents, complying with trade and industrial secrets;

(d.2.)  facilitated and free of charge consultation on the form and duration of the processing, as well as on the integrity of their Personal Data; and

(d.3.)  accuracy, clarity, relevance and updating of the Personal Data, according to the necessity and for compliance with the purpose of their processing;

1. use appropriate technical and administrative measures to prevent the occurrence of damage due to the processing of Personal Data and able to protect the Personal Data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination;
2. not to process Personal Data for unlawful or abusive discriminatory purposes;
3. ensure that any person acting under their authority, including sub- processors or any agent who collaborates with them, whether for reward or free of charge, only processes data in compliance with their instructions and with the provisions of these Clauses;
4. keep record of the Personal Data processing operations object of the International Data Transfer governed by these Clauses, and submit the relevant documentation to the ANPD, when requested.

CLAUSE 11. Sensitive personal data

11.1.  In case the international transfer of personal data involves sensitive data, the Parties shall apply additional safeguards, including specific Security Measures which are proportional to the risks of the processing activity, to the specific nature of the data and to the interests, rights and guarantees to be protected, as described in SECTION III.

CLAUSE 12. Data on children and adolescents

12.1.  In case the International Transfer governed by these Clauses involves Personal Data concerning children and adolescents, the Parties shall implement measures to ensure that the processing is carried out in their best interest, under the terms of the National Legislation and relevant instruments of international law.

CLAUSE 13. Legal use of data

13.1. The Exporter guarantees that the Personal Data have been collected, processed and transferred to the Importer in accordance with the National Legislation.

CLAUSE 14. Transparency

1. The Designated Party shall publish, on its website, a document containing easily accessible information written in simple, clear and accurate language on the conduction of the International Data Transfer, including at least information on:
2. the form, duration and specific purpose of the international transfer;
3. the destination country of the transferred data;
4. the Designated Party's identification and contact details;
5. the shared use of data by the Parties and its purpose;
6. the responsibilities of the agents who shall conduct the processing;
7. the Data Subject's rights and the means for exercising them, including an easily accessible channel made available to respond to their requests, and the right to file a petition against the Exporter and the Importer before the ANPD; and
8. Onward Transfers, including those relating to recipients and to the purpose of such transfer.
9. The document referred to in item 14.1. shall be made available on a specific website page or integrated, in a distinguishable and easily accessible format, to the Privacy Policy or equivalent document.
10. Upon request, the Parties shall make a free of charge copy of these Clauses available to the Data Subject, complying with trade and industrial secrets.
11. All information made available to Data Subjects, under the terms of these Clauses, shall be written in Portuguese.

CLAUSE 15. Data subject’s rights

1. The Data Subject shall have the right to obtain from the Designated Party, as regards the Personal Data subject to the International Data Transfer governed by these Clauses, at any time, and upon request, under the terms of the National Legislation:
2. confirmation of the existence of processing;
3. access to data;
4. correction of incomplete, inaccurate or outdated data;
5. anonymization, blocking or deletion of data which are unnecessary, excessive or processed in noncompliance with these Clauses and with the provisions of the National Legislation;
6. portability of data to another service or product provider, upon express request, in accordance with ANPD regulations, complying with trade and industrial secrets;
7. deletion of Personal Data processed under the Data Subject’s consent, except for the events provided in CLAUSE 20;
8. information on public and private organizations with which the Parties have shared data;
9. information on the possibility of not providing consent and on the consequences of the denial;
10. revocation of consent through a free of charge and facilitated procedure, remaining ratified the processing activities carried out before the request for elimination;
11. review of decisions made solely based on automated processing of Personal Data which affects the Data Subject’s interests; and
12. information on the criteria and procedures adopted for the automated decision.
13. Data Subject may oppose to the processing based on one of the events of waiver of consent, in case of noncompliance with the provisions of these Clauses or National Legislation.
14. The deadline for responding the requests provided in this Clause and in item 14.3. is 15 (fifteen) calendar days, except for events in which a different period is established in specific regulations of the ANPD.
15. In case the Data Subject's request is directed to the Party not designated as responsible for the obligations set forth in this Clause or in item 14.3., the referred Party shall:
16. inform the Data Subject of the service channel made available by the Designated Party; or
17. forward the request to the Designated Party as early as possible, to enable the response within the period provided in item 15.3.
18. The Parties shall immediately inform the Data Processing Agents with whom they have shared data with the correction, deletion, anonymization or blocking of the data, for them to follow the same procedure.
19. The Parties shall promote mutual assistance to respond to the Data Subjects’ requests.

CLAUSE 16. Security Incident Reporting

1.  In the event of a security incident which may entail significant risk or damage to the Data Subjects, the Designated Party shall notify both the ANPD and the Data Subjects, as provided in National Legislation.
2. The notification provided in item 16.1. shall be sent as soon as reasonably feasible, as defined in specific regulations of the ANPD, and shall mention, complying with the regulations and guidelines issued by the ANPD, at least:
3. the description of the nature of the affected Personal Data;
4. information on the Data Subjects involved;
5. indication of the technical and security measures taken for data protection, complying with trade and industrial secrets;
6. the risks related to the incident;
7. the reasons for the delay, in case communication has not been immediate; and
8. the measures which have been or shall be implemented to reverse or mitigate the effects of the damage.
9. The Importer shall keep a record of security incidents under the terms of the National Legislation.

CLAUSE 17. Liability and damages compensation

1. The Party which, when performing Personal Data processing activities, causes patrimonial, moral, individual or collective damage, for violating the provisions of these Clauses and of the National Legislation, shall compensate for it.
2. Data Subject may claim for compensation for damage caused by any of the Parties as a result of a breach of these Clauses.
3.  The defense of Data Subjects' interests and rights may be claimed in court, individually or collectively, in accordance with the provisions in relevant legislation regarding the instruments of individual and collective protection.
4. The Party acting as Operator shall be jointly and severally liable for damages caused by the processing activities when it fails to comply with these Clauses or when it has not followed the lawful instructions of the Controller, except for the provisions in item 17.6.
5. Controllers directly involved in the processing activities which resulted in damages to the Data Subject shall be jointly and severally liable for these damages, except for the provisions in item
6. Parties shall not be held liable if they have proven that:
7. they have not carried out the processing of Personal Data attributed to them;
8. although they did carry out the processing of Personal Data attributed to them, there was no violation of these Clauses; or
9. the damage results from the sole fault of the Data Subject or of a third party which is not a recipient of the Onward Transfer or not subcontracted by the Parties.
10. Under the terms of the National Legislation, the judge may reverse the burden of proof in favor of the Data Subject whenever, in the judge’s opinion, the allegation is credible, there is an economic disadvantage for the purposes of producing evidence or when the production of evidence by the Data Subject is overly burdensome.
11. Judicial proceedings for compensation for collective damages which intend to establish liability under the terms of this Clause may be collectively conducted in court, with due regard for the provisions in relevant legislation.
12. The Party which pays compensation for the damage to the Data Subject shall be entitled to claim back from the other liable parties to the extent of their participation in the damaging event.

 CLAUSE 18. Safeguards for Onward Transfer

1. The Importer shall only carry out Onward Transfers of Personal Data subject to the International Data Transfer governed by these Clauses if expressly authorized, in accordance with the terms and conditions described in CLAUSE 3.
2. In any case, the Importer:
3. shall ensure that the purpose of the Onward Transfer is compatible with the specific purposes described in CLAUSE 2;
4. shall guarantee, by means of a written contractual instrument, that the safeguards provided in these Clauses shall be ensured by the third party recipient of the Onward Transfer; and
5. for the purposes of these Clauses, and regarding the Personal Data transferred, shall be considered responsible for any eventual irregularities committed by the third party recipient of the Onward Transfer.
6. The Onward Transfer shall also be carried out based on another valid modality of International Data Transfer provided in National Legislation.

CLAUSE 19. Access Request Notification

1. The Importer shall notify the Exporter and the Data Subject of any Access Request related to the Personal Data transferred pursuant to these Clauses unless the law of the country where the data is processed prohibits them to do so.
2. The Importer shall implement the appropriate legal measures, including legal actions, to protect the rights of the Data Subjects whenever there is adequate legal basis to question the legality of the Access Request and, if applicable, the prohibition of issuing the notification referred to in item 19.1.
3. To comply with both the ANPD’s and the Exporter’s requests, the Importer shall keep a record of Access Requests, including date, requester, purpose of the request, type of data requested, number of requests received and legal measures implemented.

CLAUSE 20. Ending of processing and deletion of data

1. Parties shall delete the personal data subject to the International Data Transfer governed by these Clauses after the ending of their processing, being their storage authorized only for the following purposes:
2. compliance with a legal or regulatory obligation by the Controller;
3. study by a Research Body, guaranteeing, whenever possible, the anonymization of personal data;
4. transfer to a third party, upon compliance with requirements set forth in these Clauses and in the National Legislation; and
5. exclusive use of the Controller, being the access by a third party prohibited, and provided data have been anonymized.
6. For the purposes of this Clause, processing of personal data shall cease when:
7. the purpose set forth in these Clauses has been achieved;
8. Personal Data are no longer necessary or pertinent to attain the intended specific purpose set forth in these Clauses;
9. the agreed data processing period has expired, even after the termination of this contract;
10. Data Subject's request is met; and
11. demanded by the ANPD.

CLAUSE 21. Data processing security

1. Parties shall implement Security Measures which guarantee sufficient protection of confidentiality, integrity and availability of the Personal Data subject to the International Data Transfer governed by these Clauses, even after its conclusion.
2. Parties shall inform, in SECTION III, the Security Measures implemented, considering the nature of the processed information, the specific characteristics and the purpose of the processing, the technology current state and the probability and severity of the risks to the Data Subjects’ rights, especially in the case of sensitive personal data.
3. Parties shall make the necessary efforts to implement periodic evaluation and review measures to maintain the appropriate level of data security.

CLAUSE 22. Legislation of country of destination

1. Parties declare that they have assessed the legislation of the country of destination and have not identified laws or administrative practices which prevent the Importer from complying with the obligations under these Clauses.
2. In the event of a regulatory change which alters this situation, the Importer shall immediately notify the Exporter to assess the continuity of the contract.

CLAUSE 23. Non-compliance with the Clauses by the Importer

1. In the event of a breach in the safeguards and guarantees provided in these Clauses or being the Importer unable to comply with any of them, the Exporter shall be immediately notified, subject to the provisions in item 19.1.
2. Upon receipt of the communication referred to in item 23.1 or upon verification of non-compliance with these Clauses by the Importer, the Exporter shall implement the relevant measures to ensure the protection of the Data Subjects' rights and the compliance of the International Data Transfer with the National Legislation and these Clauses, and may, as appropriate:
3. suspend the International Data Transfer;
4. request the return of Personal Data, their transfer to a third party, or their deletion; and
5. terminate the contract.

CLAUSE 24. Choice of forum and jurisdiction

1. Brazilian legislation applies to these Clauses and any controversy between the Parties arising from these Clauses shall be resolved before the competent courts in Brazil, observing, if applicable, the forum chosen by the Parties in Section IV.
2. Data Subjects may file lawsuits against the Exporter or the Importer, as they choose, before the competent courts in Brazil, including those in their place of habitual residence.
3. By mutual agreement, Parties may use arbitration to resolve conflicts arising from these Clauses, provided that the procedure is carried out in Brazil and in accordance with the provisions of the Arbitration Law.

In addition to the security measures set forth in Section 6 of the Addendum, the Importer will implement technical and organizational security measures intended to secure the processing of Personal Information and to preserve the security, availability, integrity and confidentiality of Personal Information (“Security Measures”), in accordance with its obligations under Applicable Law including, as applicable:

1. the pseudonymization and encryption of Personal Information (including during transmission);
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing Personal Information; and
5. the ability to allow data portability and ensure erasure of Personal Information (including by sub-processors).

The Exporter acknowledges that the Importer is regularly audited by independent third party auditors for SOC 2 Type 2 compliance. The most recent certification is available upon request of the Exporter in accordance with Section 7 of the Addendum.

Where these Clauses apply pursuant to Section 5 of the Addendum, then this Annex forms part of these Clauses and sets out the Parties' interpretations of their respective obligations under specific provisions within these Clauses, as identified below. Where a Party complies with the interpretations set out in this Annex, that Party shall be deemed by the other Party to have complied with its commitments under these Clauses.

Nothing in the interpretations below is intended to vary or modify these Clauses or conflict with either Party's rights or responsibilities under these Clauses and, in the event of any conflict between the interpretations below and these Clauses, these Clauses shall prevail to the extent of such conflict. Notwithstanding this, the Parties expressly agree that any claims brought under these Clauses shall be exclusively governed by the limitations on liability set out in the Agreement. For the avoidance of any doubt, in no event shall any Party limit its liability with respect to any Data Subject’s rights under these Clauses.

Clause 3: Onward Transfers to Sub-processors 

For the avoidance of any doubt, the Exporter acknowledges and expressly agrees to the Importer’s engagement of Sub-processors as third-party recipients in accordance with Section 4 of the Addendum. Such authorization is conditional on the Importer’s compliance with the following requirements:

1. the Importer must restrict the Sub-processor’s access to Personal Data only to what is strictly necessary to perform its subcontracted data processing services to the Importer (which shall be consistent with the instructions issued to the Importer by the Exporter); and
2. the Importer will prohibit the Sub-processor from processing the Personal Data for any other purpose.

Clause 14: Obligations of the Exporter regarding non-disclosure requirements

The Exporter agrees that the terms of these Clauses, as executed, constitute the Importer's confidential information and may not be disclosed by the Exporter to any third party without the Importer's prior agreement (other than to a Data Subject pursuant to item 14.3, with the exception of any business secrets or other confidential information, including the measures described in Section III and Personal Data, as consistent with the Parties’ obligations in item 14.3).

Clause 17: Liability and damages compensation

Any claims brought under these Clauses shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement in effect as of the date of execution of these Clauses or other written or electronic agreement for the Exporter’s use and purchase of the Importer’s products and services. In no event shall any Party limit its liability with respect to any Data Subjects’ rights under these Clauses.

Clauses 20: Obligations of the Importer regarding the deletion of data

Without limiting its rights to store personal data for the authorized purposes set out in item 20.1, the Importer will fulfil its obligations pursuant to Clause 20 by complying with Section 9 of the Addendum.

Clauses 21 and 22: Obligations of the Exporter and the Importer regarding data processing security and legislation of country of destination

The Parties acknowledge that it is the responsibility of the Exporter to verify whether:

1. the safeguards employed by the Importer are sufficient to meet its obligations under Applicable Law, including with respect to the provision of adequate safeguards necessary to secure the International Data Transfer and Onward Transfers through these Clauses; and
2. the legislation of the country of destination, including any laws and administrative practices, prevents the Importer from complying with the obligations under these Clauses.

The Importer will fulfil its obligations pursuant to Clause 22 by using commercially reasonable efforts to inform the Exporter if the Importer makes a determination that it can no longer meet its obligations under these Clauses. Notwithstanding the foregoing, the Exporter acknowledges and agrees that such notification by the Importer will neither constitute a general obligation on the part of the Importer to monitor or interpret the laws applicable to the Exporter nor legal advice to the Exporter.

Clause 23: Suspension of the International Data Transfer and termination

1. If the Exporter intends to suspend the International Data Transfer and/or terminate the contract pursuant to item 23.2, it shall endeavour to provide notice to the Importer and provide the Importer with a reasonable period of time to cure the non-compliance (“Cure Period”).
2. If after the Cure Period, the Importer has not or cannot cure the non-compliance then the Exporter may suspend or terminate the International Data Transfer immediately. The Exporter shall not be required to provide such notice in instance where it considers there is a material risk of harm to Data Subjects or their Personal Data.