Terms of Service & Data Processing

Last Updated and Effective as of: 2024


This Terms of Service and Data Processing Addendum (“Addendum”) forms part of the User Agreement by and between ListenFirst Media (“Company”), and each individual user together with their associated signatory on the Master Services Agreement (“Client”) (the “MSA”, together with this Addendum, the “Agreement”).  Except as modified below, the terms of the MSA shall remain in full force and effect.  

In accessing the ListenFirst platform, users agree to comply with the following provisions with respect to any Personal Data of one or more Data Subjects in connection with the Agreement. The purpose of the Addendum is to ensure compliance with applicable Data Protection Laws (as defined below). References to the Agreement will be construed as including this Addendum. To the extent that the terms of this Addendum differ from those in the Agreement, the terms of this Addendum shall govern.


  1. “Data Protection Laws” means all applicable laws, rules, regulations, declarations, decrees, directives, statutes, or other enactments, orders, mandates or resolutions issued or enacted by any government entity (including any domestic or foreign, supra-national, state, county, municipal, local, territorial or other government, which includes to the extent applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”) and the California Consumer Privacy Act (“CCPA”), and any industry self-regulatory principles that are applicable and prevailing practice in the location or region where the data Processing services are provided or received.
  1. Personal Data” means (A) all data gathered and compiled by Company from publicly available sources and any data derived by Company from such data (collectively, “LFM Data”) and (B) all data that is provided to Company by Client (including without limitation, the credentials of Client’s authorized users) (“Client Data”); in the case of each of (A) and (B), solely, in each case, when such data is considered personal data and/or personal information pursuant to the GDPR, CCPA or other applicable Data Protection Law.
  1. The terms, “Controller”, “Data Subject”, “Personal Data Breach” “Processing”, “Sub-processor” and “Supervisory Authority” shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.


  1. The parties agree that (i) Company is the Controller of LFM Data and (ii) Client is the Controller of Client Data. Furthermore, each of Company and Client acknowledges and agrees that pursuant to the MSA and this Addendum (i) Company obtains a limited right with respect to Company’s use and Processing of the Client Data and (ii) Client obtains a limited right with respect to Client’s use and Processing of the LFM Data.

    In each case, Company and Client agree that their use and Processing of Personal Data hereunder shall be  in accordance with (A) the approved use(s) as set forth herein and in the MSA (and any applicable SOW), (B) applicable Data Protection Laws and (C) this Addendum. 

    Each party represents and warrants that Personal Data for which it is the Controller has been collected, processed and transferred in accordance with all applicable Data Protection Laws. Additionally, Client represents and warrants that the instructions for Processing Client Data that it gives to Company shall at all times be in compliance with such applicable law. In addition, to the extent Client Data includes Personal Information (as defined by the CCPA), the parties agree to enter into any additional terms if and as required to comply with the CCPA, including without limitation, the CCPA Addendum attached hereto as Schedule I.  Both parties shall keep a record of all Processing activities with respect to Personal Data covered under this Addendum as required under applicable Data Protection Laws.

  2. Each party will comply with the obligations applicable to it under the Data Protection Laws with respect to the Processing by such party of Personal Data covered under this Addendum, including but not limited to: (i) providing the other party contact details for each partys privacy and data security manager or Data Protection Officer (if required by applicable Data Protection Laws) which are accurate and up to date; (ii) providing reasonable information and assistance to the other party with respect to the conduct of data protection impact assessments, in each case, as required by Data Protection Laws; and (iii) providing reasonable information and assistance to the other party regarding consultations between that party and a Supervisory Authority; in each case, solely as relates to the Processing of Personal Data hereunder.


  1. Each party as a Controller is separately responsible for honoring Data Subject access requests under Data Protection Law (including without limitation, rights of access, correction, objection, erasure and data portability, as applicable) and responding to correspondence, inquiries and complaints from Data Subjects with respect to the personal data of which it is the Controller. Each party shall notify the other promptly upon receipt of any Data Subject request relating to Personal Data and shall provide reasonable and timely assistance to the other party as necessary to help facilitate compliance with this Section 3.1. For the avoidance of doubt, the parties agree that Company shall not respond to any Data Subject request in connection with Client Data without first consulting with and receiving approval from Client. Similarly, Client agrees not to respond to any Data Subject request in connection with LFM Data without first consulting with and receiving approval from Company. 


  1. Both parties shall ensure that their respective personnel engaged in the Processing of Personal Data under this Addendum are informed of the confidential nature of the Personal Data as well as any privacy and security obligations with respect to such Personal Data.

  2. Each party will take appropriate steps to ensure compliance with the Security Measures (as defined below) by its personnel to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Personal Data under this Addendum have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that any such obligations survive the termination of the Agreement.

  3. Each party shall ensure that access to Personal Data is limited to those personnel who require such access under the Agreement.


  1. Each party acknowledges and agrees that the other party may engage third-party Sub-processors in connection with the Processing of Personal Data. 
  1. In connection with the Processing of Client Data, Company shall notify Client in writing in advance of the appointment of any Sub-processor, and permit Client to object to such Sub-processor (on reasonable grounds) within a reasonable period of time following receipt of written notice (provided however, Company may continue to use Sub-processors who have been engaged prior to the effective date of this Addendum). Additionally, each party shall ensure that any Sub-processor engaged by it hereunder is subject to a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this Addendum and meet the requirements of applicable Data Protection Laws, Each party shall be liable for the acts and omissions of its Sub-processors to the same extent as such party would itself be liable if performing the services of each Sub-processor directly under the terms of this Addendum.


  1. Each party shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of the Personal Data. Each party will implement and maintain technical and organizational measures designed to protect such Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (the “Security Measures”). The Security Measures shall ensure a level of security appropriate to the risk and in accordance with applicable requirements of Data Protection Laws, including encrypting Personal Data; ensuring ongoing confidentiality, integrity, availability and resilience of the party’s systems and services; helping restore timely access to Personal Data following a Personal Data Breach; and regularly testing effectiveness of the Security Measures.
  1. Each party will cooperate in good faith and reasonably assist the other in ensuring compliance with the other partys obligations under applicable Data Protection Law (taking into account the nature of the Processing and data type), including without limitation, with respect to the security of Personal Data (including in connection with Personal Data Breaches), any obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, as applicable.
  1. Each party shall, if requested by the other party, make available to the other party all information reasonably necessary to demonstrate compliance with such party’s obligations under this Addendum and each party may (or if mandated by a Supervisory Authority or applicable Data Protection Law, will) allow for an audit by a mutually agreed upon independent auditor. To request an audit, the requesting party must submit a detailed audit plan reasonably in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit (such plan to be mutually agreed upon by the parties in advance of the audit). The auditor must execute a written confidentiality agreement acceptable to both parties before commencement of the audit. The audit must be conducted during regular business hours, subject to the audited party’s policies, and may not unreasonably interfere with either partys business activities. Any such audits are at the expense of the party making the request. Each party agrees to notify the other party if any material non-compliance with this Addendum is discovered during the course of an audit and the party who has been found in such non-compliance shall remediate such non-compliance promptly following notification thereof. For the avoidance of doubt, all confidential information of a party obtained by the other party or the auditor pursuant to any audit hereunder shall be maintained in confidence by the auditing party and the auditor and may not be disclosed to any third party, except to the extent necessary to assert or enforce any of the auditing party’s rights under this Addendum or is required to be disclosed by Data Protection Law, by any Supervisory Authority or by a court or other authority of competent jurisdiction provided that, to the extent it is legally permitted to do so, it gives the audited party as much notice of this disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this section, it takes into account the reasonable requests of the audited party in relation to the content of this disclosure.


  1. If either party becomes aware of any Personal Data Breach affecting Personal Data for which the other party is the Controller, such party will promptly notify the other party of the Personal Data Breach without undue delay. Notifications made pursuant to this section will take place within a reasonable time and no longer than two (2) business days after discovery and shall describe, to the extent possible, details of the Personal Data Breach, including steps taken to mitigate the potential risks and to address the Personal Data Breach. Each party will promptly investigate the Personal Data Breach if it occurred within its systems, network or servers or those of its Sub-processors and will reasonably assist the other party as reasonably necessary in order to comply with and meet applicable requirements of Data Protection Laws.
  1. Notifications of Personal Data Breaches will be delivered to the other partys contact(s) identified in the Agreement and/or applicable SOW (including, if required by Data Protection Law, such party’s Data Protection Officer) by any reasonable means, including via email. It is each partys responsibility to ensure that such party’s contact information is up to date. Any notification of or response to a Personal Data Breach under this Section 7 will not be construed as an acknowledgement by either party of any fault or liability with respect to the Personal Data Breach.
  1. Unless otherwise required under applicable law (i) with respect to LFM Data, Client shall not and (ii) with respect to Client Data, Company shall not, notify any Supervisory Authority or law enforcement agency directly of any Personal Data Breach and will not communicate with any Supervisory Authority or law enforcement agency directly about any actual or suspected Personal Data Breach without advance notice to and the consent (not to be unreasonably withheld) of the other party who is the Controller of the data at issue; provided however, for the avoidance of doubt, nothing herein shall restrict either party from giving notice of any breach as relates to personal data that is not Personal Data (as defined herein).
  1. Unless prohibited by applicable law, each of Company and Client shall notify the Controller of any third party legal process relating to any Personal Data Breach, including, but not limited to, any legal process initiated by any governmental entity (foreign or domestic).  
  1. Without limiting the foregoing, the applicable Controller shall make the final decision on notifying (including the contents of such notice) such Controller’s clients, employees, service providers, Data Subjects and/or the general public of such Personal Data Breach, and the implementation of the remediation plan. 


  1. Each party will delete the Personal Data provided to it by the other party in the timeframe set forth in the MSA or applicable SOW (e.g., upon expiration or termination of the applicable license term), or, otherwise, as soon as reasonably practicable or any other lawful timeframe as mutually agreed upon by the parties in writing, unless applicable law requires further retention. 
  1. Without limitation of the foregoing, on expiry or termination of the Agreement, each party will permanently delete the Personal Data provided to it by the other party and discontinue processing of such Personal Data. 


  1. The parties agree to enter into the European Commission’s Standard Contractual Clauses (then in-effect as of the applicable date) in respect of any data transfer that would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses (e.g., a data transfer between the EU and a non-EU jurisdiction).  In the event the Standard Contractual Clauses are invalidated by the European Commission, the parties agree to work in good faith to effectuate another method of cross-border data transfer in accordance with applicable Data Protection Laws.


  1. Both parties agree that their respective liability under this Addendum shall be apportioned according to each parties͛ respective responsibility for the harm (if any) caused by each respective party.
  1. Nothing in this Section 10 will affect, and shall be subject to, the remaining terms of the Agreement relating to liability.


  1. In the event that a party is in breach of its obligations under this Addendum, then each party may temporarily suspend the access to or continued transfer of Personal Data for which it is the Controller until the breach is repaired or remedied to the reasonable satisfaction of the Controller. Nothing herein shall be deemed to limit each party’s rights of termination under the Agreement.
  1. Nothing in this Addendum shall confer any benefits or rights on any person or entity other than the parties to this Addendum.
  1. Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses, the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this Addendum is governed by the laws of the country or territory identified as the governing law in the Agreement.

Appendix 1

Subject matter and details of the processing (LFM Data)

Data subjects: The Personal Data concern the following categories of Data Subjects:  

Social media users

Categories of data: The Personal Data concern the following categories of data:

User names of the applicable social media services users

Nature and purpose of processing Personal Data:

Analyze social data to drive business insights. 

Processing operations: The Personal Data transferred will be subject to the following processing activities: 

Internal digital intelligence initiatives. 

Subject matter and details of the processing (Client Data)

Data subjects: The Personal Data concern the following categories of Data Subjects:  

LFM Platform users.  

Categories of data: The Personal Data concern the following categories of data:

LFM Platform user names and email addresses. If single-sign on method is Facebook or Google, Facebook Profile name and Google Profile name also included.

Nature and purpose of processing Personal Data:

Names and emails of LFM Platform users are for LFM Platform sign-in and ListenFirst email marketing.

Processing operations: The Personal Data transferred will be subject to the following processing activities: 

ListenFirst platform user accounts will be linked with Client User emails, Facebook User profiles and/or Google User Profiles. Additionally, client user emails will be ingested into ListenFirst Marketing Database for CRM activities.

Schedule I

CCPA Addendum

This CCPA Addendum (“Addendum”), by and between User and their associated signatory on the Master Services Agreement (“Client”) and ListenFirst Media LLC (“Service Provider”) (each, a “Party” and collectively, the “Parties”), is hereby incorporated by reference into the Master Services Agreement entered into by the Parties as of the Effective Date of the Master Services Agreement between the Parties (the “Agreement”); and sets forth the terms and conditions applicable to compliance with the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq. (as may be amended from time to time) (the “CCPA”). In the event of any conflict between the provisions of this Addendum and the provisions of the Agreement, the provisions of this Addendum will apply.

Whereas, Client is a Business subject to (and as defined under) the CCPA;

Whereas, Service Provider provides Services to Client pursuant to the Agreement and, in connection with such Services, it is necessary to Process Personal Information on behalf of Client;

Now therefore, in consideration of the mutual covenants and agreements in this Addendum and the Agreement, and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, Client and Service Provider agree as follows:

I. Definitions

(A) “Aggregated” means information that relates to a group or category of individuals, from which individual identities have been removed, that is not linked to any individual or household, including via a device.

(B) “Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, that is provided to Services Provider by Client and is Processed solely on behalf of Client by Service Provider in connection with the Services.

(C) The terms “Consumer,” “Processing” (or “process”), and “Sale,” (including the terms “sell,” “selling,” “sold,” and other variations thereof) shall have the meanings given to those terms under the CCPA (including California Civil Code § 1798.140).

Any capitalized term used but not defined herein shall have the meaning ascribed to it in the CCPA and/or the Agreement (as the case may be).  

II. CCPA Compliance

(A) Service Provider acknowledges and agrees that it shall Process Personal Information solely as necessary to perform its obligations under the Agreement for the Business Purpose described in the Agreement (or as otherwise agreed in writing by the parties) (the “Permitted Purposes”). Service Provider shall not: (a) Sell Personal Information; (b) retain, use or disclose Personal Information for any purpose other than for the Permitted Purposes; or (c) retain, use, or disclose the information outside of the direct business relationship between Service Provider and Client. Service Provider hereby certifies that it understands the foregoing restrictions and that it shall comply with such restrictions. In no event shall Service Provider Process the Personal Information for its own purposes or those of any third party; provided however, Service Provider may utilize Personal Data in Aggregated and/or Deidentified form in connection with Service Provider’s ordinary business practices.

Service Provider shall reasonably cooperate with Client in connection with the request of any individual (with Client providing prompt written notice to Service Provider of any such requests) to exercise any of such individual’s rights under the CCPA. Service Provider shall notify Client in the event that Service Provider receives any such requests directly.

(B) Client represents, warrants and covenants as follows:

  1. The Personal Information that it shares with Service Provider subject to this Addendum is necessary for Service Provider to perform the Permitted Purposes and Client shall not provide any Personal Information to Service Provider unless it shall have given the necessary notices and obtained the necessary consents, in each case, from the applicable individuals whose Personal Information is Processed by Service Provider for the Permitted Purposes.
  2. Client shall comply with all of its obligations and duties under the CCPA, and shall not Process, Sell or otherwise share Personal Information in violation of the CCPA or any other applicable law.
  3. Client shall promptly make Service Provider aware if Client is in violation of the CCPA and as such may be liable for a civil penalty under the CCPA. In such instance Service Provider may immediately terminate the Agreement. In such case, Client agrees to indemnify, defend and hold harmless Service Provider in connection with any liability, claim, penalty or other damage arising out of any such violation by Client (or otherwise, from the violation or breach of Client of any of the terms herein).

(C)The Parties acknowledge and agree that neither of them has reason to believe that the other Party is unable to comply with the provisions of this Addendum or otherwise that such Party is in violation of the CCPA.

III. Miscellaneous

(A) This Addendum is the complete agreement between the Parties and supersedes any prior oral or written agreement between the Parties, including the Agreement, concerning compliance with the CCPA in connection with the Services.

(B) Except as expressly set forth herein, the terms of the Agreement shall remain unmodified and in full force and effect.

Schedule II

Acknowledgment and Agreement to Third-Party Terms of Service

This Schedule II forms part of the User Agreement between ListenFirst Media (“Company”) and the individual user and their associated signatory on the Master Services Agreement (“Client”), collectively referred to as the “Agreement.” It specifies additional terms related to the use of third-party services integrated with or required by the ListenFirst platform.

Acknowledgment of Third-Party Services

  1. Integration with Third-Party Services: The ListenFirst platform may incorporate or necessitate the use of third-party services, platforms, and content, including but not limited to services provided by YouTube (“Third-Party Services”).
  2. Agreement to Third-Party Terms: By accessing and utilizing the Third-Party Services through the ListenFirst platform, the Client and its authorized users (“Users”) acknowledge and agree that such access and use are subject to the terms and conditions of the Third-Party Services, including the YouTube Terms of Service, accessible at https://www.youtube.com/t/terms (“Third-Party Terms”).
  3. User Obligations: Users commit to reviewing, understanding, and agreeing to the Third-Party Terms prior to utilizing the corresponding Third-Party Services. Compliance with these Third-Party Terms is mandatory for Users who wish to access and use the ListenFirst platform.
  4. Revoking Access to Data: Users have the right to manage and revoke ListenFirst’s access to their YouTube data at any time. This can be done through the Google security settings page at https://security.google.com/settings/security/permissions.

Compliance and Responsibility

  1. User Compliance: Users are solely responsible for their compliance with the Third-Party Terms. The Company assumes no liability or responsibility for Users’ actions that may breach these terms.
  2. No Endorsement by Company: The inclusion or integration of Third-Party Services within the ListenFirst platform does not constitute an endorsement, sponsorship, or recommendation of such Third-Party Services by the Company. The Company disclaims any liability for the availability, quality, performance, or content of the Third-Party Services.
  3. Changes to Third-Party Terms: Users acknowledge that Third-Party Terms may be updated or modified by the respective third-party service providers at any time. Users are responsible for regularly reviewing these terms to ensure continued compliance.

Limitation of Liability

The Company shall not be liable for any direct, indirect, incidental, special, consequential, or exemplary damages arising from or relating to the Users’ access to or use of Third-Party Services, including, without limitation, damages related to any information obtained from the Third-Party Services, system issue, data loss, or business interruption resulting from the use of or reliance on any Third-Party Services integrated with the ListenFirst platform.

By using the ListenFirst platform, Users affirm their understanding and agreement to be bound by this Schedule II, including the obligation to comply with all applicable Third-Party Terms.

This Schedule II is hereby incorporated into and made a part of the Agreement by this reference. Except as specifically modified by this Schedule, all other terms and conditions of the Agreement remain in full force and effect.