Data Processing Addendum
This Data Processing Addendum (“DPA”) is incorporated into the agreement to which this Data Processing Addendum, including Schedules, is exhibited to (the “Agreement”) and forms part of the Agreement between the parties.
WHEREAS
(A) The parties have entered into the Agreement under which SitusAMC shall provide services (which may include people based and/or software based services) to Company.
(B) The parties acknowledge that the provision of the services under the Agreement may require SitusAMC to process personal data on behalf of Company.
(C) In light of the above the parties agree to enter into this DPA to specify the terms and conditions on which such processing may take place.
NOW, THEREFORE, IT IS AGREED AS FOLLOWS:
1. DEFINITIONS AND INTERPRETATION
1.1 Definitions.
“Affiliate” means any legal entity controlling, controlled by or under common control with the party, where "control," "controlling" and "controlled," as used in this definition, means (a) the ownership of at least fifty percent (50%) of the equity, voting or other beneficial interests of the entity; (b) the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or (c) the power to direct or cause the direction of the management and policies of such party by any means.
“Applicable Law” means all applicable federal, state and local laws, international laws, statutes, regulations, ordinances, and requirements of any governmental agency, board, commission, instrumentality or other governmental office, applicable to Company, SitusAMC, or the Deliverables, in the United States, European Union or United Kingdom, including but not limited to Data Protection Laws and the regulations promulgated thereunder.
“Company” means the party receiving Services from SitusAMC pursuant to the Agreement.
“Company Personal Data” means any Personal Data or Personal Information which is processed by SitusAMC on behalf of Company under the Agreement. Company Personal Data includes “Consumer Information” as defined in 3.1.4.
“Data Controller”, “Business”, “Data Subject”, “Consumer”, “Personal Data”, “Personal Information”, “Processing” (“Process” and “Processed” to be construed accordingly), “Data Processor”, “Processor”, “Service Provider” and “appropriate technical and organisational measures” have the meanings given to them in the Data Protection Law. For the purposes of this DPA, “Personal Data” shall include “Personal Information” and shall mean only the Personal Data that is processed in connection with the Agreement, and “Data Subject” shall include “Consumer”.
“Data Protection Law” means any and all applicable laws or regulations promulgated in the United States, the European Union, or the United Kingdom, including subsequent amendments, that: (i) relate to the confidentiality, processing, privacy, security, protection, disclosure, sharing, transfer, or trans-border data flow of Company Personal Data; (ii) relate to the privacy or interception, recording or monitoring of communications; (iii) provide rights to an individual whose Personal Data is being processed; or (iv) trigger a duty to notify an individual whose Company Personal Data has been, or may have been, the subject of a Data Security Breach. To the extent the term “Law” and/or “Applicable Law” is defined in the Agreement, the Parties agree that Data Protection Laws shall be included in such definition. Data Protection Laws include, but are not limited to: (a) the EU GDPR; (b) the UK GDPR; (c) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together “CCPA”); (d) Title V of the Gramm-Leach-Bliley Act of 1999 and its promulgating regulation, Regulation P (“GLBA”); and (e) any other data protection and privacy laws which apply to the processing of Company Personal Data by SitusAMC.
“Data Security Breach” means any actual or reasonably suspected misuse, compromise, or unauthorized, accidental, or unlawful access, disclosure, acquisition, destruction, loss, or alteration of Company Personal Data that creates a material risk to the security, confidentiality, or integrity of Company Personal Data or any circumstance pursuant to which applicable Data Protection Laws require either notification to be given to affected parties or other activity in response to such circumstance. A “Data Security Breach” does not include good faith acquisitions by employees or agents for legitimate purposes, provided the information is not misused or further disclosed without authorization, or unsuccessful access attempts that do not result in unauthorized access to or acquisition of data.
“Data Security Standards” means the controls that the parties maintain as part of its information security policies and procedures, as made available at https://www.situsamc.com/data-security-standards.
“EU GDPR” means the General Data Protection Regulation ((EU) 2016/679).
“EU SCCs” means module 2 or 3 of the standard contractual clauses (as applicable) approved pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021, which is incorporated herein by reference.
“Services” means the services and/or products to be provided by SitusAMC pursuant to and in accordance with the Agreement.
“SitusAMC” means the SitusAMC entity that is the party providing Services to Company pursuant to the Agreement.
“Standard Contractual Clauses” means the EU SCCs including the UK Addendum.
“Third Country” means a country which the EU Commission or the UK Government (as applicable) has not designated as a country that provides adequate protections in respect of Personal Data.
“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
“UK Addendum” means the UK Information Commissioner’s international data transfer addendum to the EU SCCs issued under section 119A of the Data Protection Act 2018 and which entered into force on 21 March 2022, which is incorporated herein by reference.
1.2 Interpretation. The parties agree that: (a) unless the context requires otherwise: (i) “including” (and any of its derivative forms) means including but not limited to; (ii) “may” means has the right, but not the obligation to do something and “may not” means does not have the right to do something; (iii) “will” and “shall” are expressions of command, not merely expressions of future intent or expectation; (iv) “written” or “in writing” includes email, unless otherwise stated; (v) use of the singular imports the plural and vice versa; and (vi) use of a specific gender imports the other gender(s); (b) a reference to a statute or statutory provision: (i) is a reference to it as amended, extended or re-enacted from time to time; and (ii) shall include all subordinate legislation made from time to time under that statute or statutory provision; and (c) the captions and headings used in the DPA are used for convenience only and are not to be given any legal effect.
2. SCOPE, STATUS OF THE PARTIES AND TERM
2.1 This DPA shall apply to the parties whenever Company Personal Data is processed by SitusAMC pursuant to the Agreement.
2.2 In respect of the processing of Company Personal Data under this DPA, Company may act as a Business/Data Controller or a Service Provider/Data Processor in respect to Company Personal Data, and, in either case, SitusAMC acts as a Service Provider/Data Processor on behalf of Company.
2.3 Details of the applicable processing activities (including categories of personal data and data subjects) are described in Schedule 1 to this DPA.
3. COMPANY’S OBLIGATIONS
3.1 Company warrants, represents and undertakes to SitusAMC that:
3.1.1 it will comply at all times with the Data Protection Law;
3.1.2 all necessary consents and notices are in place to enable the lawful transfer (including international transfers) of Company Personal Data to SitusAMC and/or to allow SitusAMC to access Company Personal Data for the duration of the required processing (including without limitation, lawful grounds for processing);
3.1.3 it shall disclose Company Personal Data to SitusAMC solely for:
(a) the business purpose(s) identified in Schedule 1; and
(b) SitusAMC to perform its obligations under the Agreement; and
3.1.4 because its use of the Services may allow it to access highly confidential information, including loan data, non-public personal information, as defined in Title V of the Gramm-Leach-Bliley Act of 1999 and its promulgating regulation, Regulation P (“NPPI”), and other, highly sensitive information relating to its own customers (collectively, the “Consumer Information”), it shall:
(a) only access, disclose, and use the Consumer Information it receives from the Services in strict compliance with all applicable Data Protection Laws, the Taxpayer First Act of 2019, and all Export Control Laws;
(b) take all commercially reasonable steps necessary to safeguard and prevent the unauthorized disclosure of Consumer Information to any third party;
(c) not disclose or make available such Consumer Information to any third party (including Company’s employees who have no need for such information) for any reason whatsoever, except as expressly permitted herein or as required by law;
(d) not use such Consumer Information for any kind of marketing or solicitation of any kind (including but not limited to sending unsolicited email, facsimile transmissions, or spam, even if the person to whom Company intends to send unsolicited email or spam has communicated with Company in the past); and
(e) notify SitusAMC promptly (in any event within twenty-four (24) hours after the event) if Company becomes aware of: (i) any copying, disclosure, alteration, destruction, or use of Consumer Information that is inconsistent with this Agreement; or (ii) any Data Security Breach to Company’s systems or operations, or any other material risk, that could result in disclosure of Consumer Information.
4. SITUSAMC’S OBLIGATIONS
4.1 Where SitusAMC processes Company Personal Data under or in connection with the performance of its obligations under the Agreement, SitusAMC shall:
4.1.1 comply at all times with the Data Protection Law;
4.1.2 process the Company Personal Data only in accordance with that Agreement, including this Data Processing Agreement, and with other mutually agreed and documented instructions of Company (including in relation to any international transfer of Company Personal Data made in accordance with Section 6 of this DPA), unless applicable Data Protection Law requires SitusAMC to otherwise process such Company Personal Data;
4.1.3 implement appropriate technical and organizational measures (TOMs), which shall be those TOMs set out in Schedule 2 of this DPA, incorporating the Data Security Standards. SitusAMC shall be permitted to update its TOMs and Data Security Standards from time to time, provided that such updates do not adversely affect the level of security provided by SitusAMC in respect of the Company Personal Data. SitusAMC shall make any updated TOMs or Data Security Standards available to Company, including by posting the updated version on its website. Company acknowledges and agrees that SitusAMC’s TOMs and Data Security Standards are appropriate and sufficient, taking into account the nature and scope of the Company Personal Data and processing activities under this DPA and that they meet the requirements of the Data Protection Law;
4.1.4 ensure SitusAMC personnel authorized to process Company Personal Data are subject to appropriate confidentiality obligations;
4.1.5 taking into account the nature of the processing and the information available to SitusAMC, reasonably assist Company to fulfil Company’s obligations under Data Protection Law:
(a) to respond to Data Subjects’ requests exercising their rights, including promptly notifying Company of any such requests it receives; and
(b) with respect to security, data protection impact assessments, Data Security Breach notifications and consultations with data protection supervisory authorities;
4.1.6 save as required by applicable law, at Company’s option (provided in writing), either delete or return Company Personal Data in SitusAMC’s possession to Company within a reasonable period of time following expiry or termination of the Agreement;
4.1.7 notify Company without undue delay after becoming aware of any Data Security Breach that creates a material risk to the protection of Company Personal Data; and
4.1.8 make available to Company, or an auditor mandated by Company, written information reasonably necessary to assess or demonstrate SitusAMC’s (and its sub-processors’) compliance with the Data Protection Law with respect to the processing of Company Personal Data pursuant to this DPA, which shall be completed by written questionnaire to the extent commercially practicable. If an on-site audit or inspection is expressly required under the Data Protection Law or by the applicable Supervisory Authority with respect to the processing of Company Personal Data pursuant to this DPA, Company shall submit an advanced written request with respect thereto (unless prohibited from doing so by the Data Protection Law), and after the parties have agreed on the start date, scope and duration of, and security and confidentiality controls applicable to, such audit or inspection, SitusAMC shall allow and contribute to such audit or inspection, provided that:
(a) Company shall: (i) give SitusAMC reasonable advance written notice of such audit or inspection to be conducted; and (ii) use (and ensure that each of its mandated auditors use) commercially reasonable efforts to: (A) avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the applicable premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection; and (B) conduct the audit or inspection during normal business hours; and
(b) notwithstanding anything to the contrary: (i) SitusAMC shall only be required to grant access to physical locations or provide documentation to the extent that it controls such facilities or documentation or has the right to grant access thereto under its contracts with the relevant sub-processor (which SitusAMC shall use commercially reasonable efforts to facilitate); (ii) in no event shall SitusAMC be contractually required to permit any audit or other activity that may compromise, jeopardize or otherwise adversely impact the security, confidentiality, operability or integrity of services that SitusAMC provides to other customers or disclose any internal accounting or financial information or trade secrets of SitusAMC; (iii) such audit/assessment shall not be permitted more than annually unless there is a Data Security Breach or in the event that the audit is at the direction of the applicable Supervisory Authority or other regulatory authority.
4.2 SitusAMC shall be entitled to charge Company, at SitusAMC’s then-current rate card for any SitusAMC effort or costs incurred in complying with the requirements of Sections 4.1.5 to 4.1.8 (inclusive), except in respect of audit assistance where any such audit or inspection is required due to a material breach by SitusAMC of its obligations under this DPA or such audit reveals such a material breach.
4.3 Subject to Section 4.5, SitusAMC shall not:
4.3.1 sell Company Personal Data to any other business or third party for monetary or other valuable consideration;
4.3.2 share Company Personal Data with a third party for Cross-Context Behavioral Advertising or Targeted Advertising, as those terms are defined in Data Protection Law;
4.3.3 retain, use, or disclose Company Personal Data for a commercial purpose other than performing its obligations under the Agreement, as identified in Schedule 1, and not outside of the business relationship between Company and SitusAMC;
4.3.4 retain, use, or disclose the Company Personal Data outside of the Agreement; and
4.3.5 combine Company Personal Data received from Company with Personal Data that SitusAMC receives from, or on behalf of, another person or company, except as permitted under the Data Protection Law.
4.4 SitusAMC hereby acknowledges that it understands the prohibitions outlined in Section 4.3.
4.5 Section 4.3 shall not restrict SitusAMC’s:
4.5.1 use of sub-contractors and sub-processors in accordance with the Agreement and Section 5 of this DPA; and
4.5.2 use of the Company Personal Data to:
(a) build or improve the quality of the services it provides to Company, provided that the use does not include use of Company Personal Data to perform services on behalf of another person;
(b) prevent, detect or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity;
(c) comply with federal, state or local laws or comply with a court order or subpoena to provide information;
(d) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena or summons by federal, state or local authorities;
(e) cooperate with law enforcement agencies concerning conduct or activity that it reasonably and in good faith believes may violate federal, state or local law;
(f) cooperate with a government agency request for emergency access to a consumer’s personal information if a natural person is at risk or danger of death or serious physical injury;
(g) exercise or defend legal claims;
(h) collect, use, retain, sell, share or disclose Company Personal Data that is deidentified or aggregated; and
(i) without prejudice to the other Sections of this DPA, collect, sell or share a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California.
4.6 SitusAMC shall grant Company the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Company Personal Data by SitusAMC or any of its sub-processors.
4.7 SitusAMC shall promptly notify Company if it determines it can no longer meet its obligations under the Data Protection Law.
4.8 SitusAMC may engage third-party artificial intelligence systems, platforms, or tools (“AI Systems”) in connection with the processing of Company Personal Data, provided that: (a) the providers of such AI Systems shall be treated as sub-processors for the purposes of this DPA and Section 5 hereof; (b) SitusAMC shall ensure that appropriate written agreements are in place with each such AI System provider imposing data protection obligations no less protective than those set out in this DPA, including restrictions on the use, retention, and disclosure of Company Personal Data; (c) SitusAMC shall implement and maintain appropriate technical and organizational measures to ensure that any Company Personal Data processed through or by AI Systems is subject to safeguards consistent with the requirements of the Data Protection Law, including measures to prevent unauthorized access, use, or disclosure; (d) SitusAMC shall conduct and maintain reasonable due diligence and ongoing oversight of each AI System provider’s data protection practices; and (e) SitusAMC shall remain liable to Company for the acts and omissions of AI System providers in accordance with Section 5.2.2. For the avoidance of doubt, Company Personal Data processed through AI Systems shall not be used to train, improve, or develop any AI System or model for the benefit of any third party.
5. SUB-PROCESSORS
5.1 SitusAMC shall be generally permitted to engage sub-processors to process Company Personal Data solely as necessary in order for SitusAMC to comply with its obligations under the Agreement. Company may request a then current list of SitusAMC’s sub-processors on reasonable notice from time to time.
5.2 SitusAMC shall, in relation to all of its sub-processors processing Company Personal Data:
5.2.1 ensure that, to the extent required by the Data Protection Law, equivalent requirements to those set out in this DPA are imposed on the sub-processors through a written agreement;
5.2.2 remain liable to Company for the performance of the sub-processor’s obligations; and
5.2.3 notify Company of any change or addition to such sub-processors in order to provide Company with the opportunity to object (which must be within 14 days and on reasonable grounds relating to security concerns or breach of the Data Protection Law in respect of the use of such sub-processor). If Company objects to a sub-processor in accordance with this Section 5.2.3, SitusAMC will make commercially reasonable efforts to provide Company with the same level of service described in the Agreement, without using the sub-processor to process the Company Personal Data. If SitusAMC’s efforts are not successful within a reasonable time, Company shall have the right to terminate the applicable service(s) under the Agreement to which the processing relates immediately on written notice to SitusAMC and without consequence (other than payment of any outstanding fees due for such service(s)).
5.3 Notwithstanding Section 5.2.3, where SitusAMC engages an AI System provider as a sub-processor pursuant to Section 4.8 and is subject to confidentiality obligations with respect to the identity of such provider, SitusAMC may satisfy its notification obligations under Section 5.2.3 by providing Company with a description of such provider by category, function, and nature of processing performed, in lieu of disclosing the provider’s identity. Company’s right to object under Section 5.2.3 shall apply with equal force to providers so identified. Upon Company’s reasonable written request, SitusAMC shall provide such additional information regarding the provider's data protection practices and safeguards as SitusAMC is permitted to disclose, and shall certify in writing that each such provider is bound by written data processing terms no less protective than those set out in this DPA.
6. INTERNATIONAL TRANSFERS
6.1 Onward Transfers by SitusAMC. SitusAMC may transfer Company Personal Data to any country or territory (including Third Countries) provided that SitusAMC ensures that any Company Personal Data that is subject to such transfers is provided an adequate level of protection, including the use of:
6.1.1 appropriate technical and organizational measures; and
6.1.2 appropriate safeguards or derogations under the Data Protection Law,
and that, in any event, such transfer is effected in compliance with the applicable Data Protection Law.
6.2 International Transfers between the parties. In respect of any transfers of Company Personal Data by Company from the European Economic Area or UK to SitusAMC in a Third Country, the parties agree that the Standard Contractual Clauses shall apply, which are deemed executed by the parties on execution of this DPA, as follows:
6.2.1 EU SCCs Clause 7: This optional clause shall not apply.
6.2.2 EU SCCs Clause 9: Option 2 shall apply subject to the provisions of Section 5 (Sub-processors) of this DPA.
6.2.3 EU SCCs Clause 11(a): The optional paragraph shall not apply.
6.2.4 EU SCCs Clause 17: Option 1 shall apply and the governing law shall be the law of the Member State where the Company Personal Data originated.
6.2.5 EU SCCs Clause 18(b): The applicable forum shall be the courts of the Member State where the Company Personal Data originated.
6.2.6 EU SCCs Annex I: The details for this annex are set out in Schedule 1 of this DPA, with the Supervisory Authority of the Member State where the Company Personal Data originated being the competent authority and SitusAMC as importer and Company as exporter.
6.2.7 EU SCCs Annex II: The details for this annex are set out in Schedule 2 of this DPA.
6.2.8 EU SCCs Annex III: The details for this annex are set out in Schedule 1 of this DPA.
6.2.9 UK Addendum Table 1 – Start Date is the Agreement effective date and the rest of the details are set out in Schedule 1 of this DPA.
6.2.10 UK Addendum Tables 2 and 3 – Refer to the EU SCCs as incorporated herein, with the start date being the Agreement effective date.
6.2.11 UK Addendum Table 4 – Either party.
7. LIABILITY
7.1 Each party’s liability under this DPA shall be governed by the liability provisions (including limitations and exclusions of liability) set out in the Agreement to which the Company Personal Data in connection with which such liability arose relates.
8. GENERAL
8.1 Terms defined in this DPA shall apply solely to the DPA. Capitalized terms used in this Data Processing Addendum but not defined herein will have the meanings assigned to such terms in the Agreement.
8.2 Unless expressly amended by the provisions of this DPA, the terms of the Agreement shall not be affected hereby.
8.3 Conflict. Notwithstanding Section 8.2 above, in the event of a conflict or inconsistency between the provisions of this DPA and the Agreement, then to the extent that the conflict or inconsistency relates to the processing of Company Personal Data, the provisions of this DPA shall take precedence and in all other circumstances the provisions of the Agreement shall take precedence.
8.4 SCCs and Governing Law. Without prejudice to the governing law and jurisdictions of the Standard Contractual Clauses, this DPA and the relationship of the parties under it shall be governed and construed in all respects solely and exclusively by the substantive laws of the state of New York and applicable U.S. federal laws without regard to conflict of laws principles.
8.5 Survival. Any term or condition of this DPA which expressly or by implication is required for the interpretation of this DPA or necessary for the full observation and performance by each party of all rights and obligations arising prior to the date of expiration shall survive the expiration or termination of this DPA.
8.6 Third Party Rights. Without prejudice to the rights of data subjects under Data Protection Law and the Standard Contractual Clauses, this DPA is entered into solely by and between SitusAMC and Company and will not be deemed to create any rights in any third parties (whether under applicable law (which the parties hereby exclude to the fullest extent permitted) or otherwise).
8.7 Versioning and Updates. This DPA reflects the current version as of the effective date indicated above. SitusAMC may update this DPA from time to time, and unless the Agreement expressly states otherwise, the most current version shall govern the parties’ obligations hereunder. Prior and archived versions of these Data Security Standards are accessible via the links in the Revision History below.
SCHEDULE 1
PERSONAL DATA AND PROCESSING ACTIVITY
The parties agree that, as applicable, the following personal data processing activities shall apply. Additional or amended processing activities may be specified in the Agreement.
Subject matter of the processing
The subject matter of the processing under the Agreement is Company Personal Data collected by SitusAMC on behalf of, or submitted to SitusAMC by, Company or a third party on Company’s behalf for the purposes described in the Agreement (“Services”).
Duration of the processing
The term of the Agreement to which the processing of Company Personal Data relates, plus any period of retention specified in the Agreement or required by applicable law.
Nature and purpose of the processing
The nature of processing is the collection, processing and storage of Company Personal Data as is necessary to provide the Services and to comply with the Agreement.
The purpose of the processing is: to provide the Services; to create reporting for Company; to perform back up, analysis and accounting activities as necessary to deliver, administer, maintain or improve the Services.
Type of personal data processed
Types of Company Personal Data may include:
- Identifiers such as a name, postal address, unique personal identifier, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
- Biometric information
- Characteristics of protected classifications
- Bank account number, credit card number, debit card number, or any other financial information
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
- Internet or other electronic network activity information
- Professional or employment-related information
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
Categories of data subjects
Data subjects may include:
- Company’s employees
- Company’s clients
Obligations and rights of Company
The obligations and rights of Company are set out in the Agreement and this DPA.
SCHEDULE 2
TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
REVISION HISTORY: