SERVICETITAN, INC.

Data Protection Addendum

Prior Versions: April 1, 2020

Last Updated: June 26, 2024

This Data Protection Addendum (“Addendum”) forms part of and is incorporated by reference into the Agreement (defined below) between the ServiceTitan entity that is a party to the Agreement (“Service Provider”) and the customer entity that is a party to the Agreement (“Customer”), each a “Party”, and collectively the “Parties.” Service Provider and Customer have agreed to the terms of this Addendum. The terms of this Addendum shall take effect as of the effective date of the Agreement.

NOW THEREFORE, in consideration of the mutual obligations and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows: 

1. Definitions. For purposes of this DPA:

a. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party to this DPA, where “control” refers to direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

b. “Agreement” means the applicable subscription or services agreements between Service Provider and Customer pursuant to which Customer has purchased, subscribed to, or signed up to receive services from Service Provider, and any statements of work, exhibits, schedules, work orders, addenda or amendments thereto, as well as the applicable online Service Provider Terms of Use and any other agreement that incorporates this Addendum by reference.

c. “Data Protection Laws” means all applicable laws and regulations in the United States and Canada relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended and together with its regulations (“CCPA”), the Colorado Privacy Act and related regulations (“CPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and other federal and state United States laws; and Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), Quebec’s Act to Modernise Legislative Provisions As Regards the Protection of Personal Information (“Law 25”), and other federal and provincial Canadian laws, in each case to the extent applicable to Processing of Personal Data carried out pursuant to this DPA.

d. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates, and is deemed to also refer to “consumer” as defined in Data Protection Laws.

e. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and analogous terms, as defined by applicable Data Protection Laws, that Service Provider Processes in relation to the Agreement. 

f. “Process” and its cognates “Processing,” “Processed,” etc. mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

g. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

h. “Services” means the services that Service Provider performs on behalf of Customer pursuant to the Agreement.

i. “Subprocessor” means any third party that Service Provider engages to Process Personal Data. 

j. The terms “Business,” “Controller,” “Processor,” and “Service Provider” are defined as in Data Protection Laws. “Controller” is deemed to also refer to “Business,” and “Processor” is deemed to also refer to “Service Provider.” 

2. Roles of the Parties; Scope and Purposes of Processing. 

a. This DPA applies to all Personal Data that Service Provider Processes to provide Services to Customer pursuant to the Agreement.

b. To the extent that Customer is the Controller of Personal Data, Service Provider is its Processor. To the extent that Customer is a Processor of Personal Data, Service Provider is its Subprocessor.

c. Service Provider will Process Personal Data solely (i) in compliance with Data Protection Laws; (ii) on Customer’s behalf; and (iii) to provide the Services to Customer under the Agreement for the business purposes set forth in the Agreement and as set forth in this DPA, unless required otherwise to comply with Data Protection Laws (in which case, Service Provider shall provide prior notice to Customer of such legal requirement, unless such law prohibits this disclosure).

d. Customer retains the right to take reasonable and appropriate steps to (i) ensure that Service Provider Processes Personal Data in a manner consistent with Data Protection Laws, and (ii) upon notice, stop and remediate unauthorized Processing of Personal Data.

e. Customer is responsible for providing any notices, obtaining any consents or authorizations, and otherwise satisfying its own compliance obligations with respect to the Processing of Personal Data under this DPA. Customer will not instruct Service Provider to Process Personal Data in a violation of Data Protection Laws or any third party’s legal, contractual, or other rights.

3. Personal Data Processing Requirements. Service Provider will: 

a. Not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Service Provider, or for any purpose (including any commercial purpose) not set forth in this DPA or the Agreement.

b. Not “sell” or “share” any Personal Data, or use Personal Data for purposes of “targeted advertising,” as such terms are defined in Data Protection Laws.

c. Comply with any applicable restrictions under the CCPA on combining Personal Data with personal data that Service Provider receives from, or on behalf of, another person or persons, or that Service Provider collects from any interaction between it and any individual.

d. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 

e. Provide Customer with reasonable assistance by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising Data Subjects’ rights as set forth in Data Protection Laws, taking into account the nature of the Processing.

f. Promptly notify Customer if Service Provider determines that it can no longer meet its obligations under Data Protection Laws or if it believes that Customer’s instructions violate Data Protection Laws, and Service Provider is not deemed to be in breach of this DPA if it declines to Process Personal Data in a way that Service Provider reasonably and in good faith believes would cause Service Provider to violate Data Protection Laws.

4. Data Security. Service Provider will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data that are no less restrictive than those in Exhibit B. Service Provider will provide the level of protection for Personal Data as is required under Data Protection Laws.

5. Security Breach. Service Provider will notify Customer of a Security Breach without undue delay, and in no event later than seventy-two (72) hours. Service Provider will comply with the Security Breach-related obligations directly applicable to it under Data Protection Laws and will assist Customer in Customer’s compliance with its Security Breach-related obligations.

6. Subprocessors. 

a. Customer acknowledges and agrees that Service Provider may use Subprocessors to Process Personal Data on Service Provider’s behalf in accordance with this DPA and Data Protection Laws, including with regard to any applicable laws governing international data transfers and required safeguards thereto. Customer specifically authorizes Service Provider’s use of the Subprocessors identified within the ServiceTitan security portal at https://security.servicetitan.com/ (the “ServiceTitan Security Portal”). Service Provider will enter into a written agreement with each Subprocessor requiring it to comply with obligations at least as restrictive as those in this DPA.

b. Service Provider will provide Customer with reasonable notice (email or other electronic notice acceptable) of any new Subprocessor added to the list (each a “Subprocessor Notice”). Customer must register for a ServiceTitan Security Portal account and sign up for email notifications (and otherwise follow ServiceTitan’s instructions from time to time to initiate or maintain notifications) as a prerequisite to receive such Subprocessor Notices. Customer has fifteen (15) calendar days from the date of such notice to make an objection on reasonable grounds relating to the protection of the Personal Data, in which case Service Provider shall have the right to cure the objection through one of the following options (to be selected at Service Provider’s sole discretion): (i) Service Provider will cancel its plans to use the Subprocessor with regard to Personal Data or will offer an alternative to provide the Services without such Subprocessor; (ii) Service Provider will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the Subprocessor with regard to Personal Data; or (iii) Service Provider may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Services that would involve the use of such Subprocessor with regard to Personal Data, subject to a mutual agreement of the parties to adjust the remuneration for the Services considering the reduced scope of the Services.

c. Objections to a Subprocessor shall be submitted to Service Provider by following the directions set forth in the notice. If none of the above options are reasonably available and the objection has not been resolved to the reasonable mutual satisfaction of the Parties within thirty (30) days after Service Provider’s receipt of Customer’s objection, Customer shall have the right to terminate the relevant Processing. Service Provider may replace a Subprocessor if the reason for the change is beyond Service Provider’s reasonable control. In such instance, Service Provider shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Subprocessor pursuant to Section 6(b) above.

7. Audits. Service Provider will make available to Customer all information necessary to demonstrate compliance with this DPA, and may satisfy this obligation by undergoing, and providing to Customer a report reflecting, an annual audit of Service Provider’s policies and technical and organizational measures by a qualified, independent auditor using an appropriate and accepted control standard or framework, such as a SOC 2 Type 2 report. If Customer has a reasonable objection that the information provided is not sufficient to demonstrate Service Provider’s compliance with this DPA, Service Provider will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. The Parties agree that such audits and inspections will be conducted with at least fourteen (14) days’ prior written notice to Service Provider and not more than once in any 12-month period, unless required by a data protection authority or in connection with a Security Breach within Service Provider’s system or that of a Subprocessor that involves Personal Data. In no case will Customer have any right to access by any means whatsoever the information or personal data of a third party or that is otherwise subject to a confidentiality obligation owed to a third party; information or systems that would, in Service Provider’s discretion, compromise Service Provider’s security; or any trade secrets or proprietary business information.

8. Return or Destruction of Personal Data. Except to the extent required otherwise by Data Protection Laws, Service Provider will, at Customer’s written request, return to Customer and/or securely destroy all Personal Data. 

9. Deidentified Information. Customer acknowledges and agrees that Service Provider may, as permitted by Data Protection Laws, and without limiting any data rights provisions set forth in each Agreement, collect, use and process aggregated, de-identified, and other non-identifiable data derived from the Services to improve its operations, enhance the features, functions, and performance of the Services, for benchmarking, reporting across Service Provider’s customer base, to develop industry reports, to develop general statements regarding the performance and capabilities of Service Provider’s products and services across Service Provider’s customer base, and to create new products and services offerings, provided such data is not Personal Data.

10. Miscellaneous.

a. Notwithstanding anything to the contrary in any Agreement or this DPA, the liability of each Party under this DPA is subject to the exclusions and limitations of liability set out in the applicable Agreement.

b. Any claims against Service Provider under this DPA may only be brought by the Customer entity that is a party to the applicable Agreement against the Service Provider entity that is a party to the applicable Agreement. 

c. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the applicable Agreement, and subject to the dispute resolution provisions, if any, set forth in the applicable Agreement, in each case unless required otherwise by Data Protection Laws.

11. Survival. The provisions of this DPA survive the termination or expiration of the Agreement for so long as Service Provider or its Subprocessors Process Personal Data.

Exhibit B: Security Measures

Service Provider’s Information Security Program includes specific security requirements for its personnel and all Subprocessors or agents who have access to Personal Data (“Data Personnel”). Service Provider’s security requirements cover the following areas:

1. Information Security Policies and Standards. Vendor will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data. 

2. Physical Security. Service Provider will maintain, or cause to be maintained, commercially reasonable security systems at all Service Provider sites at which an information system that uses or stores Personal Data is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.

3. Organizational Security. Service Provider will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.

4. Network Security. Service Provider maintains commercially reasonable information security policies and procedures addressing network security.

5. Access Control. Service Provider agrees that: (1) only authorized Service Provider staff can grant, modify, or revoke access to an information system that Processes Personal Data; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.

6. Virus and Malware Controls. Service Provider protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.

7. Personnel. Service Provider has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. A disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.

8. Business Continuity. Service Provider implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. Service Provider also adjusts its Information Security Program in light of new laws and circumstances, including as Service Provider’s business and Processing change.