Data Processing Agreement

Data Processing Agreement (for Clients subject to European Data Protection Laws, including Switzerland and United Kingdom, and/or Data Protection Laws in Australia and South Africa)

This Data Processing Agreement (“DPA“) forms part of the Master Agreement (as defined in the Product Terms) between the client, agency or reseller (the “Client” or “you”) and Yext Limited (incorporated in the United Kingdom)(“Yext”), to reflect the parties’ agreement with regard to the Processing of Personal Data (as defined herein). Where Yext, Inc. (incorporated in Delaware, US) is the Yext contracting entity, the following adjustments to this DPA, which are available here, shall apply. Capitalized terms used in this DPA and not otherwise defined have the meanings given to such terms in the Master Agreement or the Product Terms located here. To the extent that there is any conflict between this DPA, the Master Agreement, or the Product Terms, the provisions of the following documents (in order of precedence) shall prevail unless expressly agreed to otherwise: (a) this DPA, (b) the Master Agreement, and (c) the Product Terms.

In this DPA, the following terms shall have the following meanings:

“Affiliate” means that an entity that (i) controls, (ii) is controlled by, or (iii) is under common control with Yext. An entity will be deemed to control another entity if it has the power to direct or cause direction of the management or policies of such entity, whether through the ownership or voting securities, by contract, or otherwise.

“Client Personal Data” means Personal Data of, as applicable, the Client’s employees, agents, dealers, consultants, end customers, franchisees or website visitors which is provided to Yext by the Client (or the agency or reseller) or generated by Yext in the course of providing the Products to the Client (or the agency or reseller).

“Data Privacy Law” means Directive 2002/58/EC, GDPR (as defined below) and any legislation and/or regulation implementing or made pursuant to, or which amends, replaces, supplements, re-enacts or consolidates them, the Data Protection Act 2018 of the United Kingdom (“UK”), the Swiss DPA, the Protection of Personal Information Act 4 of 2013 (“POPIA”) of South Africa and all other applicable laws relating to the Processing of Personal Data and privacy that may exist in any relevant jurisdiction.

“GDPR” means in each case to the extent applicable to the Processing activities: (i) Regulation (EU) 2016/679 (“EU GDPR”); and (ii) Regulation (EU) 2016/679 as amended by any legislation arising out of the withdrawal of the UK from the European Union and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended) (“UK GDPR“);

“Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under applicable Data Privacy Law.

“Special Categories of Personal Data” shall have the meaning assigned to the terms “special categories of personal data”, “sensitive data” or “sensitive information” under applicable Data Privacy Law.

“Swiss DPA” means the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance on the Federal Data Protection Act of 14 June 1993, and any new or revised version thereof that may become effective from time to time.

“Supervisory Authority” means the competent data protection authority in the territory in which the Client is established.

“Third Country” means all countries other than those (i) within the European Economic Area (EEA) and Switzerland and (ii) countries, territories or specified sectors in respect of which an adequacy finding under applicable Data Privacy Law has been given.

The terms “Controller“, “Data Subjects“, “Processing,” (and “Process” shall be construed accordingly), “Personal Data Breach” and “Processor” shall have the meaning given to them by applicable Data Privacy Law.

You agree that you are a Controller in relation to the Client Personal Data (or in the case of an agency or reseller, your clients will be regarded as the Controller of the Client Personal Data). You agree that any Client Personal Data provided to Yext in connection with the Products will be Processed by you in accordance with applicable Data Privacy Law. Yext shall have no responsibility for the accuracy, quality, and legality of any Client Personal Data provided to Yext and the means by which such Client Personal Data was acquired before it was provided to Yext.
You acknowledge that Yext (or in the case of an agency or reseller, the agency or reseller, as applicable) requires certain Personal Data notably to set up and manage the Client account and relationship and comply with its regulatory obligations. Yext (or the agency or reseller, as applicable) will Process such Personal Data as Controller.
When Processing Client Personal Data in the context of providing Listings, Reviews or other Products such as Events, Search, Knowledge Tags and Pages (including in respect of any cookies or similar technologies which form part of the Product functionality for analytics purposes such as Conversion Tracking), Yext will act as the Processor (or in the case of an agency or reseller, the agency or reseller will be the Processor and Yext will be the sub-processor).
Where Yext is a Processor (or sub-processor), the provisions set out in Clauses 5-16 below shall apply in respect of the Processing of Client Personal Data. You and Yext agree that, in addition to Clauses 5-16, you and Yext shall comply with any additional country specific provision to the extent that the Data Privacy Law of a country specified in Schedule 3 applies to the Processing of Client Personal Data.
Yext will only Process the Client Personal Data in accordance with the documented instructions as established in, or given pursuant to, this DPA and the Master Agreement (including the Product Terms), and including with respect to transfers of Client Personal Data to Third Countries, and will not Process any Client Personal Data for any other purpose unless required to by law in which case, where legally permitted, Yext shall inform you of such legal requirement before Processing. You acknowledge that as part of the Processing instructions, Yext may aggregate, anonymise, extract and combine or otherwise deidentify information resulting from the Client Personal Data or your use of the Products for product improvement and development and other purposes consistent with Yext’s Privacy Policy. This right to use aggregated or anonymised data will survive termination of this DPA and the Master Agreement.
Where you are an agency or a reseller, you will ensure that your agreement with your clients contains the appropriate provisions to permit you to Process their Client Personal Data and to ensure that they have provided the appropriate authorisation to allow you to subcontract the Processing of Client Personal Data to Yext and other sub-processors on terms substantially similar to those in this DPA. If the Client uses Listings/Events or Review Response, it authorises Yext to share Client Personal Data, which may be included by the Client (or the agency or reseller) in connection with those Products, with third party Publishers as part of the Product functionality. Furthermore, if the Client uses Search, Knowledge Tags, Pages or Review Generation, it authorises Yext to display Client Personal Data, which may be included by the Client (or the agency or reseller) in connection with those Products, on the Client’s own app(s), properties or website(s) as part of the Product functionality.
The subject-matter of the data Processing is the provision of the Products and the Processing will be carried out until the date that Yext ceases to provide the Products to you. Your obligations and rights are as set out in the Master Agreement. Schedule 1 of this DPA sets out the nature and purpose of the Processing, the types of Personal Data Yext Processes and the categories of Data Subjects whose Personal Data is Processed.
Yext will implement appropriate technical and organizational security measures (including ensuring that Yext personnel who are authorized to Process the Client Personal Data have committed themselves to appropriate confidentiality obligations) to ensure a level of security appropriate to the risks that are presented by the Processing of Client Personal Data including those measures contained in applicable Data Privacy Law. Details of these measures are set out in Schedule 2.
In case of a Personal Data Breach which may affect Client Personal Data, Yext will notify the relevant Controller (in accordance with the email address we have on file) (or in the case of a reseller or agency, notify the reseller or agency) without undue delay after becoming aware of such Personal Data breach.
Yext will provide such information and assistance as may reasonably be required (and within timescales reasonably specified) to allow the Controller to comply with its obligations under applicable Data Privacy Law, including assistance to: (i) comply with the Controller’s security obligations (ii) discharge obligations to respond to requests for exercising Data Subjects’ rights; and, (iii) to perform any data protection impact assessment and review any Processing operations to ensure that they are performed in accordance with the data protection impact assessment and to consult with the relevant Supervisory Authority (where applicable). Yext’s assistance pursuant to (iii) of this provision shall be provided at the Controller’s own cost and expense. Controller can request such assistance by privacy@yext.com. Yext shall notify the Controller about any request received directly from Data Subjects.
Yext shall audit the security of the computers and computing environment that it uses in Processing Client Personal Data. This audit: (a) will be performed at least annually; (b) may be performed by independent third party security professionals at Yext’s selection and expense; (c) will be performed according to the SOC2 standard; and (d) will result in the generation of an audit report (“Report“), which will be Yext’s Confidential Information. At your written request, Yext shall provide you with a confidential copy of the Report so that you can reasonably verify Yext’s compliance with the security obligations under this DPA.
If you desire to change this instruction regarding exercising the audit right or the provision of information in order to demonstrate compliance with Article 28 of the GDPR then you have (at your cost and expense) the right to change this instruction, which shall be requested in writing, provided that Yext shall have no obligation to provide Confidential Information. Yext shall also cooperate with any audits conducted by any regulatory agency that has authority over the Client as needed to comply with applicable law.
Yext will notify the Controller immediately (or in the case of a reseller or agency, notify the reseller or agency) if, in Yext’s opinion, it considers that an instruction from you under Clause 12 is in breach of any applicable Data Privacy Law and Yext shall be entitled but not obliged to suspend execution of the instructions concerned, until such instructions are confirmed in writing.
After termination of the Master Agreement, Yext will, at your written request, delete or return all Client Personal Data, unless otherwise provided by law.
You acknowledge and agree that Yext may retain appropriate Affiliates and other suitable third parties as sub-processors (all together “Sub-Processors”) in connection with the Processing of Client Personal Data, having imposed on such Sub-Processors in a written agreement, data protection obligations which are no less protective that those which are imposed on Yext under this DPA. Yext will be liable to you for performance of such obligations by the Sub-Processors. A list of Sub-Processors is available at https://www.yext.com/terms/subprocessors/ as well as a mechanism that you agree to subscribe to in order to receive advance notifications of new Sub-Processors. You may object to Yext’s use of a new Sub-Processor by notifying Yext in writing within ten (10) days after receipt of a notification in accordance with the mechanism set out in the preceding sentence. Legitimate objections must contain reasonable and documented grounds relating to a Sub-Processor’s non-compliance with applicable Data Privacy Law. If, in Yext’s reasonable opinion, such objections are legitimate, Yext shall refrain from using such Sub-Processor in the context of the Processing of Client Personal Data. In such cases, Yext shall use reasonable efforts to (i) make available to you a change in Yext’s Products or (ii) recommend a change to your configuration or use of the Products to avoid the Processing of Client Personal Data by the objected-to Sub-Processor. If Yext is unable to make available such change within a reasonable period of time, you may, by providing written notice to Yext, terminate the Products which cannot be provided by Yext without the use of the objected-to Sub-Processor. Yext will refund you any prepaid fees covering the remainder of the term of such Products following the effective date of termination with respect to such terminated Product.
You acknowledge that as part of the Products, the Client Personal Data will be stored in or accessed from the UK, and any Third Country in which Yext’s Sub-Processors maintain facilities. Whereas transfers to the UK are covered by the EU Commission’s adequacy decision of 28 June 2021 in favour of the UK, Yext will ensure adequate protection or appropriate safeguards for any onward transfers to Sub-Processors in any Third Country (for example, Yext, Inc. in the US) in accordance with applicable Data Privacy Law.

SCHEDULE 1

DATA PROCESSING INFORMATION

Yext’s Products assist companies in managing their public digital information.

Note that Search can also be used as part of an internal-facing company search functionality. Where Client uses Search in this manner, it is referred to as “Workplace Solutions” in this DPA.

Data subjects

The Client Personal Data transferred concern the following categories of Data Subjects:

If Client uses Listings (part of the Listings Product or of the Starter, Professional and Ultimate packages) and/or Events and decides to provide such information in Listings and/or Events, and depending on the respective use by the Client, Client’s employees, agents, dealers, consultants, or franchisees, as applicable.

If Client uses Review Monitoring (part of the Reviews Product or of the Professional and Ultimate packages), individuals who submitted reviews online on applicable Publisher Sites.

If Client uses Review Generation (part of the Reviews Product or of the Ultimate package), individuals who submit reviews to Client.

If Client subscribes to Pages, the visitors of Client’s webpages which are based on Pages.

If Client subscribes to Pages and decides to provide such information in Pages, and depending on the respective use by the Client, Client’s employees, agents, dealers, consultants, or franchisees, as applicable.

If Client subscribes to Knowledge Tags, the visitors of Client’s webpages which use Knowledge Tags.

If Client subscribes to Search, the visitors of Client’s webpages who use Search.

If Client subscribes to Search and decides to provide such information in Search, and depending on the respective use by the Client, Client’s employees, agents, dealers, consultants, or franchisees, as applicable.

If Client subscribes to Workplace Solutions, and decides to provide such information in Workplace Solutions, and depending on the respective use by the Client, Client’s employees, agents, dealers, consultants, or franchisees, as applicable.

If Client decides to use Conversion Tracking, which Client does so voluntarily, website visitors to the Listing content and/or Events content on applicable Publisher Sites.

If Client decides to use Conversion Tracking, which Client does so voluntarily, website visitors to Pages, Knowledge Tags and/or Search.

Types of Personal Data

The Client Personal Data transferred concern the following types of Personal Data:

Product	Types of Personal Data Processed by Yext on behalf of Client
Product	Name, contact details, bio and/or title of, as applicable, Client’s employees, agents, dealers, consultants, or franchisees	Name or alias of person who submitted or responded* to a review online on applicable Publisher Site and content of such review	Name and email or mobile number of person submitting a review to Client and content of such review	Technical information concerning the website visitor such as IP address**	Usage information about the website visit (the referral URL, the content viewed and the content interacted with)
Listings/Events	Yes, but only if provided by Client
Review Monitoring		Yes
Review Response		Yes*
Review Generation			Yes
Pages***				Yes	Yes***
Knowledge Tags***				Yes	Yes***
Search****	Yes, but only if provided by Client			Yes	Yes****
Workplace Solutions****	Yes, but only if provided by Client*****			Yes	Yes****
Conversion Tracking******					Yes

*As part of Review Response, Client can choose to respond via a generic, non-personal email alias.

**IP address is not made available to Client’s users.

***Pages and Knowledge Tags can be deployed with a pixel the purpose of which is to provide aggregated analytics to the Client. Pages also include a Cloudflare cookie (__cf_bm) which should be considered necessary to detect and protect against bad bots.

****Search or Workplace Solutions can be deployed with a session cookie and a click tracking pixel the purpose of which are to provide session analytics to the Client. Search can also be deployed with an optional Q&A functionality so that a visitor can submit his/her name and email to be contacted by the Client.

*****Photos of individuals (but without facial scans) may be provided as part of Workplace Solutions.

******Conversion Tracking is optional functionality within Listings or Events content on Publisher Sites or within Pages, Knowledge Tags or Search which provides aggregated insight into whether visitors to Yext properties go on to visit other websites specified by the Client. It includes a persistent cookie the purpose of which is to provide aggregated analytics to the Client.

Note that all aforementioned cookies and pixels may be integrated by Client into the Client’s consent management platform.

Special Categories of Personal Data and/or sensitive Personal Data

The Client Personal Data transferred concern the following Special Categories of Personal Data:

None.

Yext does not intentionally collect or Process any Special Categories of Personal Data (for instance, no biometric data, no data concerning health and no data concerning trade union membership) in the provision of its Products and services. Client agrees not to provide Special Categories of Personal Data to Yext at any time.

Furthermore, Client agrees not to provide sensitive Personal Data such as credit card numbers, employee disciplinary records, individual bank account details, salary data and social security numbers. Client agrees not to provide sensitive Personal Data to Yext at any time.

Processing operations

The Client Personal Data transferred will be subject to the following basic Processing activities:

Collecting, disclosing through transmission and dissemination, hosting, maintenance, organizing, storing and support.

SCHEDULE 2

TECHNICAL AND ORGANISATIONAL MEASURES

Access control of Processing areas

Yext implements suitable measures in order to prevent unauthorized persons from gaining access to the data Processing equipment used to Process the Client Personal Data. This is accomplished notably by:

Access control system
Card access
Issue of keys
Door locking
Surveillance facilities – CCTV monitor
Alarm system
Security guard presence, during business hours, and extra hours for certain facilities

Access control to data Processing systems

Yext implements suitable measures to prevent its data Processing systems from being used by unauthorized persons. This is accomplished notably by:

Password procedures (incl. minimum length, change of password)
Access to IT systems subject to approval from HR management and IT system administrators
Review of access controls to ensure permissions are altered for movers & leavers

Access control to use specific areas of data Processing systems

Yext ensures that the persons entitled to use its data Processing systems are only able to access the Client Personal Data within scope and to the extent covered by their respective access permission (authorization) and that the Client Personal Data cannot be read, copied or modified or removed without authorization. This is accomplished notably by:

Differentiated access rights
Access rights defined according to duties
Automated log of user access for certain IT systems

Yext will, in respect of any Client Personal Data it Processes, comply with the Australian Privacy Principles (APPs) set out in Schedule 1 to the Privacy Act 1988 (Cth) (“Privacy Act”). Nothing in this DPA excludes, restricts, or modifies any obligations that a party has under the Privacy Act.

Yext implements suitable measures to prevent the Client Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media and to ensure that it is possible to check and establish to which bodies the transfer of Client Personal Data by means of data transmission facilities is envisaged. This is accomplished notably by:

Use of a wholly-owned private network for all data transfers within Yext
Encryption using a VPN for remote access, transport and communication of data
Prohibition of unencrypted USBs and CD Rom

Instructional control

Yext ensures that Client Personal Data may only be Processed in accordance with the documented instructions as established in this DPA and the Master Agreement (including the Product Terms). This is accomplished by:

Unambiguous wording of contractual instructions

Availability control

Yext implements suitable measures to ensure that Client Personal Data are protected from accidental destruction or loss. This is accomplished notably by:

Backup procedures
Uninterruptible power supply (UPS)
Remote storage
Anti-virus/firewall systems

Separation of Processing for different purposes

Yext implements suitable measures to ensure that Client Personal Data that are intended for different purposes can be Processed separately. This is accomplished notably by:

Segregation of business IT systems
Segregation of IT testing and production environments

SCHEDULE 3

COUNTRY-SPECIFIC TERMS

AUSTRALIA

Yext will, in respect of any Client Personal Data it Processes, comply with the Australian Privacy Principles (APPs) set out in Schedule 1 to the Privacy Act 1988 (Cth) (“Privacy Act”). Nothing in this DPA excludes, restricts, or modifies any obligations that a party has under the Privacy Act.

If Yext notifies the relevant Controller (or reseller or agency) pursuant to Clause 9, Yext will thereafter provide such assistance and information to the relevant Controller, reseller or agency as may be reasonably required by that Controller, reseller or agency to comply with their obligations under Part IIIC of the Privacy Act. Each party must in a timely manner, provide all reasonable assistance required by the other party to allow that other party to comply with its regulatory obligations under the Privacy Act (if any), (including in relation to obligations related to eligible data breaches under Part IIIC) and cooperate in good faith with the other party in relation to the content of, and who will issue, any notices required to be issued under the Privacy Act in relation to an eligible data breach.

Where applicable, you will ensure that you have:

provided the appropriate notifications where required in respect of the collection of any Client Personal Data; and
complied with your obligations under the Spam Act 2003 (Cth), including having obtained appropriate consents to permit you to request Yext to Process Client Personal Data accordingly.