MSA Appendix
Cleverbridge Solution-Specific Terms: Digital Marketing Services

Click here to download this document as a PDF. 

These Digital Marketing Services (DMS) terms apply to Client’s subscription(s) for Cleverbridge’s reseller services, and incorporate and become a part of the MSA, found either attached or at Capitalized terms not defined within the DMS Terms shall have the meaning set forth in the MSA, other Solution-Specific Terms, or corresponding subscription schedule.

1. Service Requirements

1.1 Provision of DMS. Cleverbridge shall provide to Client the DMS as agreed upon in the relevant Statement(s) of Work that
     incorporate these DMS terms. The parties can add SOWs in writing.

1.2 Separate Service Agreements. Each SOW constitutes a separate agreement on services and may be terminated by Client
       under the same conditions as the DMS terms as set forth in the MSA.

1.3 Intellectual Property License. The Intellectual Property License granted in the MSA by Client to Cleverbridge shall apply
       equally to any materials needed to perform the DMS services, including Materials provided by Client.

1.4 Expenses. Client agrees to reimburse all expenses incurred by Cleverbridge as a result of work produced for Client during the
       term of the DMA. Cleverbridge agrees to acquire written approval from Client before incurring any expenses requiring

2. Legal Compliance

2.1 Privacy. When processing Customer Information as Controller under these terms, both parties shall comply with applicable
      privacy laws including, without limitation, CAN-SPAM and GDPR.

2.2 Materials. If Client provides Materials to Cleverbridge or any third party under these terms, Client will not provide any Material
        that (i) infringes any third party’s copyright, patent, trademark, trade secret or other proprietary rights, (ii) violates any law,
        statute or regulation, (iii) constitutes defamation, trade libel, invasion of privacy or violation of any right of publicity, (iv) is
        pornographic or obscene, or (vi) contains viruses or other similar harmful programming routines.

2.3 DPA. For any DMS where Cleverbridge acts as a data processor of Client, the Data Processing Agreement (DPA), attached
        hereto as Exhibit 1 shall apply and are incorporated hereto by reference.

3. Disclaimer

3.1 Cleverbridge will not be responsible for project delays that result from any delays in receiving work product, or feedback on
      Cleverbridge work product from Client.

4. Term

4.1 These DMS terms commence on the Effective Date and remain in effect until termination (the “Term”). Either party may
       terminate these DMS terms during the Term by providing at least 60 days’ notice to the other party, but as an earliest point six
       months after the Effective Date.

Exhibit 1
Data Processing Agreement: Controller to Processor

This DPA relates to and governs the processing of Personal Data by Cleverbridge to the extent required as part of its services under the MSA or any relevant Solution-Specific Terms or Statement(s) of Work (collectively, the “Agreement”), either on behalf of or following the instructions of Client, related to its use of the Cleverbridge Digital Marketing Services. The duration of processing will be until the earliest of (i) the expiration or termination of the Agreement, or (ii) the date on which processing is no longer necessary for the purposes of either party performing its obligations under the Agreement. Terms not defined within this DPA have the meaning defined in the Agreement.

1. Subject matter; nature and purpose of processing; duration of processing; type of Personal Data and categories of data

1.1 Data subjects include client’s prospective customers, customers, resellers, referrers, business partners, and vendors who are
      natural persons; employees or contact persons of the client’s prospective customers, customers, resellers, referrers,
      subprocessors, business partners, and vendors who are natural persons; client’s employees, agents, advisors, and freelancers
      of the customer who are natural persons; and any other natural persons authorized by the client to use the Cleverbridge
      Digital Marketing Services.

1.2 Personal Data that may be processed includes the full scope of Customer Information in the Agreement. In case of
       Performance Marketing the personal data consists of data relating to the tracking of the data subjects, and of the data
       subjects’ subsequent subscription to Cleverbridge’s service. Data subjects are not directly identifiable by Cleverbridge and
       are indirectly identifiable only by reference to their IP address, cookie identification, and browser details. Cleverbridge would
       require access to additional information in order to identify data subjects.

2. Obligations of the Controller

2.1 By entering into the Agreement, including this DPA, the client instructs Cleverbridge to process the Personal Data to the
      extent required to provide the Services under the Agreement. The client will not intentionally instruct Cleverbridge to process
      Personal Data in a manner that would constitute a breach of applicable data protection laws.

2.2 The client will ensure that any instructions given to Cleverbridge comply with all laws, rules, and regulations applicable in
        relation to the Personal Data, and that the processing of Personal Data in accordance with the client’s instructions will not
        cause Cleverbridge to be in breach of this DPA, the Standard Contractual Clauses, or the applicable data protection laws.

2.3 The client remains the controller of its own Personal Data within the meaning of applicable data protection laws and will act in
        compliance with applicable data protection laws. This also includes responding to data subject requests and contacting
        Cleverbridge to respond as required by applicable data protection laws.

2.4 The client will notify Cleverbridge without undue delay of any errors, security incidents or irregularities (if any) client gains
        knowledge of in connection with the proceesing of the Personal Data by Cleverbridge.

3. Additional obligations of Cleverbridge as Processor

3.1 In addition to the obligations set out elsewhere in this DPA, Cleverbridge as Processor will process Personal Data only on
      documented instructions from the client, including with regard to transfers of Personal Data to a third country or an
      international organisation, unless required to do so by Union or Member State law to which Cleverbridge is subject; in such a
      case, Cleverbridge will inform the client of that legal requirement before processing, unless that law prohibits such
      information on important grounds of public interest;

3.2 Cleverbridge will ensure that any subprocessor authorised to process the Personal Data have committed themselves to the
        same confidentiality required under this DPA or are under an appropriate statutory obligation of confidentiality;

3.3 Cleverbridge will assist the client by appropriate technical and organisational measures in order for the clientto fulfill its
        obligation to respond to requests for exercising the data subject's rights set forth in the GDPR and for the client to ensure
        compliance with the obligations pursuant to Articles 32 to 36 of the GDPR;

4. Processing Locations and Standard Contractual Clauses

4.1 The countries where Cleverbridge will process Personal Data are: Germany, United States of America, Japan, and/or Taiwan.
      Specifically, data processing will take place at the following sites of Cleverbridge affiliates: Cleverbridge GmbH, Gereonstr.
      43-65, 50670 Cologne, Germany; Cleverbridge Inc., 350 N Clark, Suite 700, Chicago, Illinois, 60654, USA; Cleverbridge
      Financial Services GmbH
, Gereonstr. 43-65, 50670 Cologne, Germany; Cleverbridge KK, Wakamatsu Bldg. 7F, 3-3-6,
      Nihonbashi-Honcho, Chuo-ku, Tokyo 103-0023, Japan; Cleverbridge Co., Ltd., Level 4, Neihu New Century Building, 55 Zhouzi
      Street, Neihu District, Taipei, Taiwan.

4.2 The client authorizes Cleverbridge to process Personal Data in the above-listed countries, any other EU or EEA country, and
        any Third Country where the European Commission has decided that the Third Country in question ensures an adequate
        level of protection.

4.3 Cleverbridge will not transfer the Personal Data to any other Third Country unless the appriopriate safeguards and Data
        Subject’s rights enforceabilty and effective legal remedies are secured, in particular by Cleverbridge entering into the
        Standard Contractual Clauses with the subprocessor.

4.4 In the event of a change in any applicable data protection laws relating to the countries where an adequate level of data
        protection exists, the Parties will dicuss and agree on an alternative solution permitting Cleverbridge continuing to process
        the Personal Data in said countries.

5. Technical and organisational measures

5.1 Cleverbridge will maintain a record of all categories of processing activities carried out on Client’s behalf to the extent
       required to enable the client to comply with its obligations under applicable data protection laws, and require any
      subprocessors to do the same.

5.2 Cleverbridge will also take reasonable steps to ensure the reliability and obligation to confidentiality of any person authorized
        to process the Personal Data, and will implement and maintain appropriate technical and organisational data protection and
        security measures to ensure the security and accountibility of the Personal Data as required under Article 32 of the GDPR.

6. Right to Audit,

6.1 Cleverbridge will make available to Client all information necessary to demonstrate compliance with the obligations set forth
       in Article 28 of the GDPR and allow the client to resonably inspect or audit, at client’s own expense, Cleverbridge’s (and our
       Subprocessors) compliance with this DPA and applicable data protection laws. For this purpose, Cleverbridge will grant the
       client, or a designated third party, access to our business premises during Cleverbridge’s regular business hours and without
       undue delay make available all information necessary to demonstrate compliance with this DPA as resonably requested.

6.2 The client will notify Cleverbridge in writing of any such audit or inspection at least 15 business days in advance and at the
        same time provide a consise audit plan detailling the subject of such audit, the audit timeline, and any information or
        resources requested. Cleverbridge will ensure that similar provisions are included in our written contracts with
        Subprocessors. The client agrees that if Cleverbridge can provide an ISAE 3402 Type 1, (SOC1 Type 2), or similar audit report
        prepared by an independent third party auditor, the rights set forth here will only apply insofar as the subject to be audited is
        not already covered by such audit report and is required for the client to demonstrate its compliance with client’s obligations
        related to this DPA.

7. Data breach notifications

7.1 Cleverbridge will promptly notify the client, if possible, if it discovers a breach of security leading to the accidental or unlawful
      destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to the Personal Data transmitted, stored, or
      otherwise processed by Cleverbridge or any of its subprocessors if the incident is likely to involve a risk to the Data Subjects’
      rights and freedoms.

7.2 Cleverbridge will take reasonable steps to restore any Personal Data lost as a result of such data breach where it is the result
       of the acts or omissions of Cleverbridge or its subprocessors.

7.3 Cleverbridge will provide assistance with any of the client’s obligations under applicable data protection laws, including
       making any notifications to the Data Subjects, supervisory authorities or the public in respect of such breach as reasonably
       requested by client.

8. Rights of the Data Subjects

8.1 The client has sole responsibility to provide Data Subjects with the information required under applicable data protection laws
       when Personal Data are obtained.

8.2 The client also has sole discretion in responding to the rights asserted by the Data Subjects.

9. Cleverbridge right to engage subprocessors

9.1 Client provides a general authorization to Cleverbridge to engage subprocessors ("Subprocessors") subject to compliance
      with requirements at least as strict as the obligations of Cleverbridge set out in this DPA.

9.2 The client authorizes Cleverbridge to engage the following Subprocessors:


Nature of services


3445 Peachtree Rd NE, Atlanta, GA 30326


Email Marketing Services

Performance Horizon Group Limited, dba Partnerize

8th Floor, West One, Forth Banks, Newcastle upon Tyne, NE1 3PA


Performance Marketing Services

9.3 Cleverbridge will inform the client of any intended changes to this list of Subprocessors thirty (30) days before a new
        Subprocessor receives access to Personal Data, thereby giving the client the opportunity to object to such changes. If client
        objects, Cleverbridge will attempt to make reasonable accommodations but if the subcontractor is required for
        subprocessing , then the client’s objection will be considered an immediate termination of the Agreement and this DPA.

9.4 Cleverbridge will enter into the Standard Contractual Clauses with all Subprocessors or otherwise ensure that applicable
        safeguards for the transfer of Personal Data to Third Countries are adopted by contract.

10. Termination

10.1 Upon termination of the DPA, Cleverbridge will return to the client or destroy any files containing Personal Data and certify
         that this has been done, unless prevented from doing so by applicable laws.

10.2 The following clauses shall survive termination of this DPA: 8, 10, 11.

10.3 Termination of the DPA shall mean termination of the Agreement.

11. Miscellaneous

11.1 In case of introduction of new or change of existing applicable data protection laws, including GDPR or local, at the request of
       any party, the parties will promptly review this DPA and begin good faith negotiations to agree on any changes necessary to
       bring this DPA to line with the law.

11.2 In case of any discrepancies between this DPA and the Standard Contractual Clause, the relevant provisions of the Standard
        Contractual Clauses prevail.

12. Additional DPA Definitions

12.1 “applicable data protection laws” means any current and coming data protection legislation, rules and regulations
        applicable to the Services, including but not limited to the GDPR.

12.2 “Data Subject” shall have the same meaning as given in the applicable data protection laws, i.e., a natural person whose
          Personal Data is processed under this DPA;

12.3 “EEA” means the European Economic Area;

12.4 "GDPR" means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of Personal
          Data and on the free movement of such data;

12.5 “Personal Data” shall have the same meaning as given in the applicable data protection laws, i.e., any information relating to
          a Data Subject;

12.6 “processing”, “processed” shall have the same meaning as given in the applicable data protection laws, including but not
          limited to collection, use, recording, organisation, structuring, adaptation, retrieval, consultation, modification, storage,
          disclosure, alignment or combination, restriction, erasure or destruction, and any other activity with respect to personal

12.7 “Standard Contractual Clauses” means the standard contractual clauses adopted by the EU Commission Decision
          2010/87/EU (repealing Decision 2002/16/EC) which can be found at

12.8 “Third Country”, “Third Countries” means any country outside of EEA.

12.9 “Controller” means the Client.

12.10 “Processor” Cleverbridge GmbH, 43-65, 50670 Cologne, Germany; Cleverbridge Inc., 350 N Clark, Suite 700, Chicago,
            Illinois, 60654, USA; Cleverbridge Financial Services GmbH, Gereonstr. 43-65, 50670 Cologne, Germany; Cleverbridge
, Wakamatsu Bldg. 7F, 3-3-6, Nihonbashi-Honcho, Chuo-ku, Tokyo 103-0023, Japan; Cleverbridge Co., Ltd., Level 4,
            Neihu New Century Building, 55 Zhouzi Street, Neihu District, Taipei, Taiwan.


Last updated November 1, 2023