GetApp Data Transfer Addendum

This Data Transfer Addendum (“DTA”) is between the software or service provider referenced on an insertion order (or similar contracting document) (“Vendor”) and the respective operating entity providing Services to Vendor: G2.com, Inc., Software Advice Inc., Capterra Inc. or Nubera eBusiness S.L., as applicable (“we”, “us” or “our”). This DTA is incorporated into the General Vendor Terms, or a similar agreement regarding the Services, between the parties (“Vendor Terms”). Any capitalized term used but not defined herein has the meaning given to it in the General User Terms or General Vendor Terms. 

This DTA applies only when Personal Data is transferred by us (Controller) to Vendor (Controller) to provide the Service, including in the following instances:

| Service | Data Subject | Personal Data Transferred from Us to Vendor |
| --- | --- | --- |
| Reviews | Website users of the Site. | First Name + Last Name Initial |
| Leads | Website users of the Site | First and Last Names, Email, Phone + Employer |

1. Scope. This DTA sets forth how Vendor will Process Personal Data (or a similar term as defined by applicable Privacy Laws) provided to Vendor by us (“Services”). The parties agree to comply with applicable data protection laws (“Privacy Laws”). Details of the transfer of Personal Data are in Appendix A. “Process” (and its cognates) is defined according to applicable Privacy Laws. 

2. Obligations of Vendor. Vendor is solely responsible for, and we shall have no obligation with respect to Vendor’s own obligations regarding compliance with Privacy Laws and any Processing of Personal Data that is not authorized by this DTA. Vendor is solely responsible for complying with Privacy Laws and any unauthorized processing of Personal Data, with no obligation on our part. If additional legal requirements exist under Privacy Laws not covered by this DTA, Vendor must inform us at legal@g2.com. We are not responsible for initiating this process and may refuse to provide Personal Data, without incurring any penalties, if the requirements go beyond this DTA.

3. Use of Personal Data. Vendor will solely Process Personal Data for the purposes strictly related to the Services or as otherwise agreed to by us in writing. Vendor may not aggregate, deidentify, or anonymize Personal Data. For avoidance of doubt, Vendor shall not Process Personal Data in any manner that may constitute a “sale” of Personal Data under Privacy Laws.

4. Privacy and Security.

Vendor will implement and maintain, at its own cost and expense, commercially reasonable technical, organizational and physical security measures designed to protect the privacy and security of Personal Data it Processes, including from accidental, unauthorized or unlawful use, destruction, loss, disclosure, acquisition, alteration or access (“Privacy and Security Safeguards”). The Privacy and Security Safeguards shall, at a minimum, comply with Privacy Laws. With respect to Personal Data that is subject to CCPA: (i) we have made Personal Data available to Vendor only for the limited and specified purposes set forth within the Vendor Terms and this DTA and Vendor acknowledges and agrees that it is only authorized to use Personal Data for these limited and specific purposes;  (ii) Vendor will comply with all applicable sections of the CCPA, including by providing the same level of privacy protection as required of us under CCPA; (iii) we have the right to take reasonable and appropriate steps to ensure that Vendor uses Personal Data in a manner consistent with our obligations under the CCPA; (iv) we have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data made available to Vendor, including by requiring Vendor to provide documentation that verifies that Vendor no longer retains or uses the Personal Data of Data Subjects who have submitted requests to opt-out of “sharing” or “selling” (as these terms are defined by CCPA) of Personal Data; and (v) Vendor shall notify us after Vendor makes a determination that it can no longer meet its obligations under CCPA.

5. Audits. Vendor agrees that we may take reasonable steps to audit Vendor’s compliance with this DTA, including audits related to Vendor’s use of Personal Data. We will not audit Vendor more than once in any 12-month rolling period, unless as otherwise required under Privacy Laws or if we become aware of a Personal Data Breach or violation of this DTA.

6. Cross Border Data Transfers. 

We Process Personal Data in the United States. For transfers of Personal Data from the EU or UK to a jurisdiction which is not recognized by the EU or UK as having adequate data protection, or where data transfers contemplated by this DPA are not otherwise restricted under Privacy Laws, the EU SCCs and UK International Data Transfer (“UK Agreement”) apply, as applicable, and are incorporated by Appendix B.

With respect to any transfer of Personal Data from the EU to the United States, we acknowledge that we participate in the EU-US Data Privacy Framework Program  (“DPF”) to effectuate transfers of Personal Data that are protected by EU GDPR (“EU Personal Data”). To the extent the DPF is not available, cannot be relied upon, or does not apply to a particular transfer, such transfer will instead be governed by the EU SCCs. We and Vendor agree that each will comply with the DPF’s principles regarding notice and choice. Vendor further understands and agrees that (a) it may only Process EU Personal Data for the limited and specified purposes consistent with the consent provided by a Data Subject; (b) it will provide the level of protection to EU Personal Data as required by the DPF and it will notify us if Vendor makes a determination that it can no longer meet this obligation; and (c) if Vendor makes the determination contemplated by (b) it will cease EU Personal Data Processing activities or take other reasonable and appropriate remediation steps.

7. Personal Data Breach. In the event of any accidental, unauthorized or unlawful use, destruction, loss, disclosure, acquisition, alteration or access of Personal Data (“Personal Data Breach”), Vendor will notify us at security@g2.com within the timeline required under Privacy Laws. Vendor will provide the following information to us, as this information becomes available to Vendor: (a) a brief description of the Personal Data Breach, including the date of the Personal Data  Breach; (b) a description of the Personal Data that has been, or is reasonably believed by Vendor to have been, impacted by the Personal Data Breach; (c) a description of what Vendor is doing to investigate the Personal Data Breach, to mitigate potential harm caused by the Personal Data Breach and to protect against another similar Personal Data Breach; (d) contact information that we can use to get more information from Vendor about the Personal Data Breach; and (e) any other information that Vendor is required to provide to us about the Personal Data Breach under Privacy Laws. Vendor will cooperate with us in our reasonable investigation of the Personal Data Breach, including as required by Privacy Laws, and will reimburse us for all reasonable costs incurred by us in its investigation and response to the breach, including any notification costs.

8. Data Subject Rights. We and Vendor will reasonably assist each other in fulfilling their respective obligations to respond to requests from Data Subjects exercising their rights under Privacy Laws (collectively, “Data Subject Request”). Vendor will submit Data Subject Requests to privacy@g2.com.  

9. Information Management. Vendor will, upon the termination of the Services, either securely delete or securely return any Personal Data to us, unless retention of Personal Data is required by applicable law or is otherwise infeasible, in which case Vendor will continue to retain the Personal Data subject to the requirements of this DTA and may only Process such Personal Data for the purposes that make return or deletion infeasible.

10. Indemnification. Vendor agrees that Vendor will reimburse, indemnify and hold us harmless for all costs incurred in responding to or mitigating any losses suffered by us, including, but not limited to, any losses relating to a third-party claim brought against us regarding the Processing of Personal Data that is Processed by Vendor in a manner that is inconsistent with the Vendor Terms and/or this DTA.

11. Limitation of Liability. Except as otherwise explicitly stated in this DTA, our sole liability and Vendor’s sole remedy for our breach of this DTA will not exceed the fees paid by Vendor to us under the insertion order (or similar transacting document) giving rise to the claim in the 12 months preceding the claim. In no circumstances will we be liable for any special, indirect, incidental, consequential, or punitive damages, including lost profits incurred by Vendor.

12. Interpretation and Updates. We will update this DTA periodically, without notice to Vendor, in material compliance with Privacy Laws and without materially lessening the protections set forth herein. The following order of precedence applies in the event of a conflict with respect to the Processing of Personal Data: (a) UK Agreement, (b) this DTA, (c) Vendor Terms, and (d) Privacy Laws.

13. Term. This DTA begins on the Effective Date and remains in force until the Vendor Terms terminate, or until we stop Processing Personal Data that is subject to this DTA.

APPENDIX A

DESCRIPTION OF PROCESSING

Parties

Data Exporter & Controller: G2.com, Inc., 100 South Wacker Drive, Suite 600, Chicago IL, 60606

Data Importer & Controller: Vendor

Vendor information is set forth on the insertion order (or similar transacting document)

“Controller” means the natural or legal person that determines and means of the Processing of Personal Data and/or “controller,” “business” or similar term as defined by Privacy Laws.

Categories of Data Subjects Whose Personal Data is Transferred & Categories of Personal Data Transferred

Reviews

Data Subject: Users of the Site

Personal Data: First name + last name initial

Leads

Data Subject: Users of the Site.

Personal Data: First and last names, email, phone + employer

Sensitive Data Transferred

No sensitive data is anticipated to be transferred.

Frequency of the Transfer

Continuous.

Nature of the Processing

To provide the Services.

Purpose of the Data Transfer and Further Processing

To provide the Services.

Duration of Processing

As set forth in Section 13.

APPENDIX B

EU & UK GDPR

Section 1 - EU: For data transfers from the EU, the EU SCCs are incorporated into this DTA as follows:

| EU SCC Term | Amendment/Selected Option |
| --- | --- |
| Module | Module 1 (Controller to Controller). |
| Clause 7 (Docking Clause) | Option is not included. |
| Clause 11 (Redress) | Option is not included. |
| Clause 13 (Supervision) | Irish Data Protection Commission. |
| Clause 17 (Governing Law) | Ireland. |
| Clause 18 (Choice of Forum and Jurisdiction) | Ireland. |
| Annex I.A (List of Parties) | As set forth in Appendix A. |
| Annex I.B (Description of the Transfer) | As set forth in Appendix A. |
| Annex I.C (Competent Supervisory Authority) | Irish Data Protection Commission. |
| Annex II (Technical and Organisational Measures) | The parties shall maintain appropriate technical and organizational measures. |

Section 2 - UK: For data transfers from the UK, the UK Agreement is incorporated into this DTA as follows:

| UK Addendum Term | Amendment/Selected Option |
| --- | --- |
| Table 1: Start Date | As set forth in Section 13. |
| Table 1: Parties | As set forth in Appendix A. |
| Table 2: Addendum EU SCC | Module 1 (Controller-Controller) of the EU SCCs apply. |
| Table 3: Appendix Information | As set forth in Section 1 of this Appendix B. |
| Table 4: Ending this Addendum | Exporter. |
| Mandatory Clauses | The Mandatory Clauses are incorporated into this Appendix C. The ‘Alternative Part 2 Mandatory Clauses’ are not selected. |


Policy Last Updated: May 2026