Data Processing Agreement for ServiceTitan Vendors
This Data Processing Addendum (“DPA”) is entered into by and between ServiceTitan, Inc., and its Affiliates (“Customer”), and the vendor identified in the Agreement (“Vendor”) (each a “Party”; collectively the “Parties”) in connection with any agreements, order forms, statements of work, and similar documents between the Parties (collectively, the “Agreement”). This DPA is incorporated into and forms part of the Agreement, and takes precedence over the Agreement to the extent of any conflict. Any data protection addendum that may already exist between the Parties as of the date of the Agreement is replaced by this DPA in its entirety. Capitalized terms not defined herein are defined as in Data Protection Laws.

Customer and Vendor agree as follows:

1. Definitions. For purposes of this DPA:

a. “Data Protection Laws” means all applicable laws, regulations, and other legally-binding requirements in the United States and Canada relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended and together with its regulations (“CCPA”), the Colorado Privacy Act and related regulations (“CPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and other federal and state United States laws; and Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), Quebec’s Act to Modernise Legislative Provisions As Regards the Protection of Personal Information (“Law 25”), and other federal and provincial Canadian laws. 

b. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates, and is deemed to also refer to “consumer” as defined in Data Protection Laws.

c. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and analogous terms, as defined by applicable Data Protection Laws, that Vendor Processes in relation to the Agreement. 

d. “Process” and its cognates “Processing,” “Processed,” etc. mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

e. “Security Breach” means any suspected or confirmed accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

f. “Services” means the services that Vendor performs on behalf of Customer pursuant to the Agreement.

g. “Subprocessor” means any third party that Vendor engages to Process Personal Data. 

h. The terms “Business,” “Controller,” “Processor,” and “Service Provider” are defined as in Data Protection Laws. “Controller” is deemed to also refer to “Business,” and “Processor” is deemed to also refer to “Service Provider.” 

2. Roles of the Parties; Scope and Purposes of Processing. 

a. This DPA applies to all Personal Data that Vendor Processes in relation to the Agreement.

b. To the extent that Customer is the Controller of Personal Data, Vendor is its Processor. To the extent that Customer is a Processor of Personal Data, Vendor is its Subprocessor.

c. Vendor will Process Personal Data solely (i) in compliance with Data Protection Laws; (ii) on Customer’s behalf; and (iii) to fulfill its obligations to Customer under the Agreement, including this DPA. For the avoidance of doubt, Vendor will Process Personal Data solely to provide the Services to Customer and for the business purposes enumerated in the Agreement. 

d. Customer retains the right to take reasonable and appropriate steps to (i) ensure that Vendor Processes Personal Data in a manner consistent with Data Protection Laws, and (ii) upon notice, stop and remediate unauthorized Processing of Personal Data, including any use of Personal Data not authorized in this DPA.

3. Personal Data Processing Requirements. Vendor will: 

a. Not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Vendor, or for any purpose (including any commercial purpose) not set forth in this DPA.

b. Not “sell” or “share” any Personal Data, or use Personal Data for purposes of “targeted advertising,” as such terms are defined in Data Protection Laws.

c. Comply with any applicable restrictions under Data Protection Laws on combining Personal Data with personal data that Vendor receives from, or on behalf of, another person or persons, or that Vendor collects from any interaction between it and any individual.

d. Not otherwise engage in any Processing of Personal Data that is prohibited or not permitted by Processors under Data Protection Laws.

e. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 

f. Provide Customer with reasonable assistance and cooperation for the fulfillment of Customer’s obligations under Data Protection Laws, including but not limited to Customer’s obligation to (i) respond to requests by Data Subjects (or their lawful representatives) to exercise their rights under Data Protection Laws with regard to their Personal Data; (ii) perform any required data protection impact assessment of Processing or proposed Processing of Personal Data; and (iii) fulfill Customer’s other obligations under Data Protection Laws. Vendor will promptly, and in any event within five (5) days, notify Customer of any Data Subject or government requests regarding Vendor’s Processing of Personal Data on Customer’s behalf, and will await written instructions from Customer on how, if at all, to assist in responding.

g. Promptly, and in any event within five (5) days, notify Customer if Vendor determines that (i) it can no longer meet its obligations under this DPA or Data Protection Laws; (ii) it has breached this DPA, and shall cooperate to remediate such breach; or (iii) in Vendor’s opinion, an instruction from Customer infringes Data Protection Laws.

4. Deidentified Information. In the event that either Party discloses pseudonymized, anonymized, or de-identified information (collectively, “Deidentified Information”) to the other Party, the receiving Party warrants that it: (a) has implemented technical safeguards that prohibit reidentification of the Data Subject to whom the information may pertain; (b) has implemented business processes that specifically prohibit reidentification of the information; (c) has implemented business processes to prevent inadvertent release of Deidentified Information; and (d) will make no attempt to reidentify the information.

5. Data Security. Vendor represents that it has implemented appropriate administrative, technical, physical, and organizational measures to protect Personal Data that are no less robust than those in Exhibit A, including without limitation measures reasonably designed to prevent a Security Breach and preserve the confidentiality and security of Personal Data. Vendor will provide the level of protection for Personal Data as is required under Data Protection Laws applicable to Customer.

6. Security Breach. Vendor will notify Customer of any Security Breach promptly, and in any event within forty-eight (48) hours after becoming aware of such Security Breach. Vendor will comply with the Security Breach-related obligations directly applicable to it under Data Protection Laws and will assist Customer in Customer’s compliance with its Security Breach-related obligations. Vendor shall provide timely updates and information relating to the Security Breach as it becomes known or as is reasonably requested by Customer. Such information shall include the nature of the Security Breach, the categories and number of Data Subjects affected, the categories and amount of Personal Data affected, the likely consequences of the Security Breach, and the measures taken or proposed to be taken to address the Security Breach and mitigate possible adverse effects.

7. Subprocessors. 

a. Customer acknowledges and agrees that Vendor may use Subprocessors to Process Personal Data in accordance with this DPA and Data Protection Laws, including with regard to any applicable laws governing international data transfers and required safeguards thereto. Where Vendor sub-contracts any of its rights or obligations concerning Personal Data to a Subprocessor, Vendor will: (i) take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Protection Laws; and (ii) enter into a written agreement with each Subprocessor requiring it to comply with obligations at least as restrictive as those imposed on Vendor under this DPA.

b. Vendor will maintain an up-to-date list of its Subprocessors, which shall be furnished to Customer upon request, and Vendor will provide Customer with reasonable written notice of any new Subprocessor added to the list prior to transferring or making available Personal Data to the new Subprocessor. If Customer reasonably objects to a new Subprocessor, Vendor will not transfer or make available Personal Data to the new Subprocessor and will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Personal Data by the objected-to Subprocessor without unreasonably burdening Customer. Customer may, in its sole discretion, terminate the Agreement at any time by providing written notice to Vendor in the event that it objects to a Subprocessor and Vendor is unable to change the Services to satisfy Customer.

8. Audits. Vendor will make available to Customer all information necessary to demonstrate compliance with this DPA and Data Protection Laws, including by responding to information security and audit questionnaires; and will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, provided that, except in the case of a Security Breach, for which there is no frequency limitation, such audit shall occur not more than once every twelve (12) calendar months, upon reasonable prior written notice, and to the extent Vendor’s personnel are required to cooperate therewith, during Vendor’s normal business hours. Vendor will, at its own cost, remediate any noncompliance with this DPA or Data Protection Laws identified during an audit.

9. Return or Destruction of Personal Data. Except to the extent required otherwise by Data Protection Laws, Vendor will, at the choice of Customer, return to Customer and/or securely destroy all Personal Data within thirty (30) days of (a) Customer’s written request or (b) termination of the Agreement. Except to the extent prohibited by Data Protection Laws, Vendor will inform Customer if it is not able to return or delete Personal Data.

10. Survival. The provisions of this DPA survive the termination or expiration of the Agreement for so long as Vendor or its Subprocessors Process Personal Data.

Exhibit A: Security Measures

Vendor’s Information Security Program includes specific security requirements for its personnel and all Subprocessors or agents who have access to Personal Data (“Data Personnel”). Vendor’s security requirements cover the following areas:

  1. Information Security Policies and Standards. Vendor will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data. 

  2. Physical Security. Vendor will maintain commercially reasonable security systems at all Vendor sites at which an information system that uses or stores Personal Data is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.

  3. Organizational Security. Vendor will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.

  4. Network Security. Vendor maintains commercially reasonable information security policies and procedures addressing network security.

  5. Access Control. Vendor agrees that: (1) only authorized Vendor staff can grant, modify, or revoke access to an information system that Processes Personal Data; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.

  6. Virus and Malware Controls. Vendor protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.

  7. Personnel. Vendor has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. A disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.

  8. Business Continuity. Vendor implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. Vendor also adjusts its Information Security Program in light of new laws and circumstances, including as Vendor’s business and Processing change.