

Circana Transaction Data Available on Google Cloud Marketplace
End User License Agreement
This End User License Agreement (this “Agreement”) is between Circana, LLC (“Circana”) and the person or entity agreeing to these terms (“You” or “Customer”). This Agreement states the terms under which Circana will provide the Circana Transaction Data (“Transaction Data”) selected by You in the Google Cloud Marketplace. By purchasing, accessing or using the Transaction Data You are agreeing to be bound by the terms of this Agreement (the date of such action, the “Effective Date”). If You are entering into this Agreement on behalf of an entity, then You represent and agree that You have the legal authority to bind that entity to this Agreement. If You do not accept the terms of this Agreement, then You are prohibited from using the Transaction Data.
1. Accessibility, Deliverable and Delivery Process.
1.1 Registration and Account. Customer must have complete and accurate information for its Google Cloud Marketplace account (the “Account”) and keep the information complete and accurate at all times. Customer is responsible for (a) maintaining the security of its Account (for example, any applicable login credentials or security keys), (b) all activities that occur under Customer’s Account, and (c) any other actions taken in connection with Customer’s Account. Circana and Circana’s affiliates are not responsible for unauthorized access to Customer’s Account. Customer will notify Circana immediately if Customer believes there has been unauthorized access to or use of Customer’s Account to make a purchase or otherwise interact with Circana.
1.2 Transaction Data: Circana’s Transaction Data purchased by Customer in the Google Cloud Marketplace and delivered by Circana via the Google Analytics Hub to Customer’s BigQuery Tenant.
1.3 Circana will deliver the Transaction Data purchased by Customer to the Customer’s BigQuery tenant within a commercially reasonable period of time after purchase from the Google Cloud Marketplace.
2. Term of Agreement:
2.1 Customer may use the Transaction Data for the Permissible Use, as defined below, during the term purchased in the Google Cloud Marketplace (the “Term”), subject to any additional termination rights contained herein. Customer must delete the Transaction Data and/or cause its agents including Data Management Platforms (“DMP”) and Data Supplier Platforms (“DSP”) to delete the Transaction Data from their systems or platforms as soon as reasonably possible following the Term for the Transaction Data, but in no event more than thirty (30) days following the end of the Term. Sections 5 – 13 shall survive the termination or expiration of this Agreement.
3. Permissible Use.
3.1 Transaction Data may only be used for media activation/buying, such as creating audiences (e.g. segmentation), planning, insights, targeting (audience building), analytics, activation, measurement, modeling, profiling, reporting, optimization and visualization.
3.2 Transaction Data or Derived Data may not be used for retailer programs or retailer cobranded programs (e.g., a retailer and advertiser strategically going to market for branded partnerships), including segmentation.
3.3 Transaction Data must remain in BigQuery. Customer and Approved Affiliates may upload Created Audiences or other Derived Data (defined below) into Customer’s DMP that meet the Security Requirements set forth in Attachment 3.
3.4 Customer and its Approved Affiliates may distribute to and use the Created Audiences on third-party DSPs on behalf of itself or its End Customer(s).
4. Licensed Deliverable and Delivery Process.
4.1 Subject to the terms of this Agreement, Circana grants Customer and its affiliates Circana has approved in writing to access the Transaction Data (“Approved Affiliates”) a non-exclusive, non-transferable license to access and use the Transaction Data for the generation of Created Audiences and the Permissible Use as provided in Section 3 on behalf of itself or its End Customer. Customer is responsible and will be liable for assuring full compliance with this Agreement and the Order Form by its and their Approved Affiliates’ employees who use and access the Transaction Data as permitted by this Agreement, including all reporting of due from Approved Affiliates’ usage.
4.2 Customer and its Approved Affiliates may use Transaction Data to match with other Customer data and identify individuals in its own database for the Permissible Use Cases as described herein.
5. Fees.
5.1 The fees for the Transaction Data provided pursuant to this Agreement are set forth in the Google Cloud Marketplace.
6. Usage Based Activation and Draw Down.
6.1 As used in this Agreement, audiences created by Customer using the Transaction Data shall be referred to as “Created Audiences.” The fees for Customer’s activation of Created Audiences (or other Derived Data activated in a DSP or other activation platform) pursuant to this Agreement are set forth in the Google Cloud Marketplace. Usage is based on Total impressions as such term is defined by the Interactive Advertising Bureau (“IAB”), pursuant to usage reported by Customer.
6.2 For any Created Audience or Derived Data that is activated in a DSP or other activation platform, including a lookalike modeled audience that is compiled using Transaction Data in combination with other non-Circana partner data, Customer will provide Circana Usage Reports that show the total impressions for the campaign.
6.3 Customer shall deliver monthly Usage Reports in the required format provided in Attachment 1 (“Usage Report”) the 30th of the month with the impressions for the previous month. Circana shall draw down against the amount of impressions Customer purchased in the Google Cloud Marketplace for usage-based activation for Created Audiences (or Derived Data that is activated in a DSP or other activation platform) on a monthly basis in arrears after Circana’s receipt of the prior month’s Usage Report.
6.4 For clarity, with respect to usage-based activation impressions incurred up to the expiration or termination of this SOW, (a) Customer shall deliver its usage report to Circana in no event later than thirty (30) days after the termination or expiration of Customer’s license for the Transaction Data. If Customer’s usage-based activation exceeds the amount of impressions Customer purchased in the Google Cloud Marketplace, Customer shall purchase additional impressions to cover the overage upon receipt of written notice from Circana.
7. Data.
7.1 Circana also grants to Customer and Approved Affiliates the right to create Derived Data from Transaction Data. “Derived Data” means any data or information which is derived and newly created from Transaction Data (but without including any of Transaction Data), provided always that such derived data: (i) is not and does not modify any of the Transaction Data; and (ii) cannot be identified as originating or deriving directly from the Transaction Data and cannot be reverse-engineered such that it can be so identified; (iii) is not substantially the same or capable of use as a substitute for Transaction Data; and (iv) in its electronic form is stored logically separated from Transaction Data.
7.2 As between the parties, Customer and/or Approved Affiliates, as applicable, own(s) and will retain all right, title and interest in and to Derived Data. For the avoidance of doubt, data derived from Customer’s services and/or the services of any Approved Affiliate, including without limitation Derived Data (e.g., user segments created from Transaction Data, Created Audiences), will not be deemed Circana Intellectual Property.
8. Destruction of Transaction Data.
8.1 Customer will promptly and securely destroy the Transaction Data and any models into which such Transaction Data may be incorporated using industry-accepted methods within sixty (60) days of termination of Customer’s license to the Transaction Data and promptly provide Circana with a written certification of such destruction.
9. Disclosure to Third Parties.
9.1 Unless otherwise agreed in writing by Circana, Customer shall not disclose or allow to be disclosed any Transaction Data to any person, firm or entity other than its End Customer or Customer’s DSP(s), and/or DMP(s).
9.2 If Customer is required to disclose Transaction Data due to a legal, investigatory or governmental proceeding, Customer may make such required disclosure only after Customer has given Circana notice of the required disclosure, to the extent such notice is permitted by law, which is sufficient to allow Circana to seek an appropriate protective order. Customer shall provide any reasonable cooperation Circana may request from Customer in its pursuit of such protective order. In the event that Circana incurs any reasonable expenses as a result of complying with such protective order or as a result of any other legal, investigatory or governmental proceeding that Customer is involved in, Customer shall reimburse Circana for such expenses.
9.3 Customer shall not disclose Transaction Data or any Circana data in any legal proceedings (including, but not limited to, any use in litigation and/or use with any governmental, investigatory, regulatory or other body or authority) except if and to the extent: (i) Circana is compelled by service of legal process and the information is subject to an appropriate protective order, or (ii) Customer gives Circana prompt advance notice of an official governmental demand and the information is subject to a confidentiality agreement in form and substance reasonably acceptable to Circana.
10. Reservation of Rights.
10.1 Each party reserves, for itself and for its applicable licensors, any intellectual property or other pre-existing proprietary rights not expressly granted in this Agreement. No license or right to any such intellectual property or other pre-existing proprietary right is granted to the other party, unless expressly granted under this Agreement. Circana and its licensors retain all rights in materials and services owned or developed by Circana or its licensors prior to or during the Term. Circana may resell the Transaction Data in any form to third parties. Nothing herein shall prevent Circana from providing or otherwise considering, either internally or on behalf of third parties, services similar to or of the same nature as Transaction Data being provided under this Agreement.
11. Limited Warranty; Disclaimer of Other Warranties.
11.1 Circana represents and warrants to Customer that it will provide Transaction Data to Customer in a professional and workmanlike manner.
11.2 ALL CIRCANA SERVICES, CIRCANA DATA, AND OTHER ITEMS PROVIDED BY CIRCANA ARE PROVIDED “AS IS” WITHOUT ANY REPRESENTATION OR WARRANTY, EXPRESS, IMPLIED, OR STATUTORY. CIRCANA, ITS SUPPLIERS AND THIRD PARTY AGENTS MAKE NO OTHER REPRESENTATIONS OR WARRANTIES AND SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION, IMPLIED WARRANTIES OF ACCURACY, COMPLETENESS, TIMELINESS, MERCHANTABILITY, NON-INFRINGEMENT, FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES ARISING IN THE COURSE OF DEALING, USAGE OR TRADE PRACTICE. CIRCANA, ITS SUPPLIERS, AND ITS THIRD PARTY AGENTS MAKE NO WARRANTY THAT CIRCANA SERVICES OR CIRCANA DATA MEET THE CLIENT’S REQUIREMENTS, OR THAT THEIR AVAILABILITY AND FUNCTIONALITY ARE UNINTERRUPTED, TIMELY, SECURE, OR ERROR FREE. CLIENT IS SOLELY RESPONSIBLE FOR ITS USE OF THE PROSCORES.
12. Confidentiality of Information.
12.1 “Confidential Information” means any non-public information of either party relating to its business activities, operations, financial affairs, technology, marketing or sales plans that is disclosed to the other party under this Agreement. Confidential Information includes, but is not limited to, the terms and pricing of this Agreement.
12.2 Except as expressly allowed by Sections 3 and 4, neither party will use or disclose the Confidential Information of the other party without the prior written consent of the other party. Circana may disclose Customer’s Confidential Information without Customer’s prior consent to subcontractors who have a need to know such information related to the provision of the Services if such subcontractors have agreed to be bound by confidentiality obligations at least as stringent as those contained in this Agreement. The use and disclosure restrictions in this paragraph will continue during the Term of this Agreement and for three (3) years after its expiration or termination. However, a party’s trade secrets will be subject to such use and disclosure restrictions for as long as the applicable information is deemed a trade secret or otherwise protected under applicable law. Confidential Information will not include information which (i) is or becomes public knowledge through no breach of the Agreement by the receiving party, (ii) is received by the receiving party from a third party that is not subject to any confidentiality obligations with respect to such information, or (iii) is already known or is independently developed by the receiving party without use of the Confidential Information. Subject to Sections 1 and 2, each party will take all reasonable precautions to protect the other party’s Confidential Information from third parties, using at least the same standard of care as it uses to maintain the confidentiality of its own Confidential Information.
13. Indemnification.
13.1 Customer agrees to indemnify and hold Circana, its licensors and their respective officers, directors and agents harmless from and against any and all third-party claims, damages, losses, liabilities or expenses (including reasonable attorneys’ fees) arising from or related to Customer’s access, use, disclosure or resale of the Transaction Data in any manner not specifically authorized by the Agreement.
13.2 Circana agrees to indemnify and hold Customer and its officers, directors and agents harmless from any and all third party claims, losses, damages, liabilities or expenses (including, without limitation, reasonable attorneys’ fees) arising from any actual infringement of any United States (or a jurisdiction where Circana is performing or delivering services) patents, copyrights or trademarks based on the expressly permitted use of the Transaction Data. Notwithstanding the foregoing, Circana will have no liability for any claim of infringement based on (a) the combination of the Transaction Data with other data, if such infringement could have been avoided by not combining the Transaction Data; or (b) the modification of the Transaction Data, if such infringement could have been avoided by not modifying the Transaction Data. If Transaction Data has become (or in Circana’s reasonable judgment is likely to become) the subject of an infringement claim Circana will, at its option and expense, (a) replace or modify the Transaction Data, or (b) if (a) is not commercially reasonable to Circana, then Circana may at its sole option terminate the Customer’s use of the Transaction Data and this Agreement without further liability by Circana provided, that Circana will refund any pre-paid fees. THIS PARAGRAPH STATES THE ENTIRE LIABILITY OF CIRCANA WITH RESPECT TO INFRINGEMENT OF THIRD-PARTY PATENTS, COPYRIGHTS, TRADEMARKS, OR OTHER PROPRIETARY RIGHTS, BY PROSCORES OR CIRCANA DATA.
14. Limitation of Liability.
14.1 EXCEPT FOR EITHER PARTY’S MISAPPROPRIATION OF THE OTHER PARTY’S INTELLECTUAL PROPERTY (WHICH INTELLECTUAL PROPERTY OF CIRCANA INCLUDES, WITHOUT LIMITATION, CIRCANA DATA), INDEMNIFICATION OBLIGATIONS, OR BREACH OF CONFIDENTIALITY OBLIGATIONS, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, RELIANCE, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION LOST REVENUES OR PROFITS) REGARDLESS OF THE LEGAL THEORY UNDER WHICH SUCH LIABILITY IS ASSERTED, AND REGARDLESS OF WHETHER A PARTY HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH LIABILITY. EXCEPT FOR CLIENT’S PAYMENT OBLIGATIONS AND EITHER PARTY’S MISAPPROPRIATION OF THE OTHER PARTY’S INTELLECTUAL PROPERTY, INDEMNIFICATION OBLIGATIONS, OR BREACH OF CONFIDENTIALITY OBLIGATIONS, THE TOTAL AGGREGATE LIABILITY OF EITHER PARTY RELATED TO A CLAIM UNDER THIS AGREEMENT WILL BE LIMITED TO THE TOTAL AMOUNT PAID TO CIRCANA UNDER THIS AGREEMENT DURING THE TWELVE-MONTH PERIOD IMMEDIATELY PRECEDING THE DATE THE CLAIM AROSE.
15. Timelines.
15.1 All timelines contained in the Agreement are subject to Customer cooperation and provision of all requested information and approvals in a timely manner. Unless otherwise provided in this Agreement, any pre-existing materials (e.g. syndicated reports and software applications) are provided “as is” without updates or support.
16. Force Majeure.
16.1 Neither party shall be liable to the other party for any loss, injury, delay, damages or casualty suffered by the other party due to strikes, governmental action, unusually severe weather, acts of God or public enemy, or any other cause which is beyond the reasonable control of either party, and any failure or delay by either party in the performance of its obligations under this Agreement due to one or more of the foregoing causes will not be considered a breach of this Agreement.
17. General.
17.1 The parties shall comply with the terms of the US Data Protection Addendum in Attachment 2. If Customer elects to transfer the Transaction Data to a DMP or DSP such DMP or DSP must meet or exceed the Security Requirements in Attachment 3.
17.2 All matters relating to or arising under this Agreement shall be governed by the laws of the State of Illinois without regard to conflict of laws. Customer agrees that monetary damages may not be a sufficient remedy for a breach of any provisions of Sections 1, 3 – 6 and 9 hereof and that Circana shall be entitled to seek specific performance, injunctive or other equitable relief as a remedy for any such breach. Customer shall comply with all applicable laws, statutes, ordinances and other governmental regulations regarding Customer’s use of Transaction Data, including without limitation, all export laws and restrictions and regulations of any United States or foreign agency or authority.
17.3 This Agreement constitutes the entire agreement of the parties, and supersedes any previous agreements between the parties, related to the subject matter hereof. No purchase order terms or other pre-printed terms will serve to modify the terms of this Agreement. If any term of the Agreement is held unenforceable, such term will be construed as nearly as possible to reflect the original intent of the parties and remaining terms will continue to be enforceable without modification. All amendments will be in writing and signed by each party’s authorized representative. This Agreement may be executed in counterparts, each of which shall constitute an original, and all of which together shall constitute one agreement. Any photocopy or scanned copy in portable document format (PDF) shall be deemed an original copy for all purposes. If any provision of this Agreement is held to be invalid, such invalidity shall not affect the enforceability of any other provision.
17.4 Neither party may assign this Agreement, nor any rights or licenses granted by this Agreement, in whole or in part, without the prior written consent of the other party, which consent will not be unreasonably withheld. However, either party may assign this Agreement to a successor entity as a result of a merger, acquisition, reorganization, or other similar corporate transaction if such successor entity is not a competitor of the non-assigning party. The assigning party must give the non-assigning party prior written notice of any such transaction and the successor entity must agree in writing to assume all of the assigning party’s obligations and liabilities under this Agreement.
Attachment 1 – Usage Report Requirements
Usage Reports must be provided in the following format:

Attachment 2 – U.S. Data Protection Addendum (“DPA”)

In consideration of the mutual obligations hereto, the parties agree that the terms of this Addendum will apply to the Services (defined below) to the extent set forth herein. The Agreement will remain in full force and effect except as modified below.
1. Definitions
1.1 In this Addendum, the following terms will have the meanings set out below:
(a) “Aggregate Data” means information that relates to a group or category of Data Subjects or households, from which individual identities have been removed and which is not linked or reasonably linkable to any consumer or household (including via a device). Aggregate Data does not include data that has been deidentified or pseudonymized.
(b) “Agreement” means the existing agreement(s), order(s), purchase orders, statements of work, and/or other commercial arrangement(s), pursuant to which Circana provides products and services to Customer and includes any exhibits and/or amendments thereto.
(c) “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with the respective Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
(d) “CCPA” means the California Consumer Privacy Act and any implementing regulations issued thereto, each as amended (including by the California Privacy Rights Act and any regulations promulgated thereto).
(e) “Customer Personal Data” means any Personal Data Processed by Circana or a Subprocessor on behalf of Customer pursuant to or in connection with the Services.
(f) “Data Breach” means any known unauthorized access to, or use, disclosure or other Processing of a Party’s Personal Data that compromises the security of that Party’s Personal Data.
(g) “Data Protection Laws” means all national, federal, state, and local, cybersecurity and data protection laws applicable to the Processing of Personal Data under this Addendum, together with any implementing or supplemental rules and regulations, each as amended, including but not limited to the CCPA, to the extent applicable.
(h) “Data Subject” means the individual to whom the Personal Data relates.
(i) “Personal Data” means any information that relates to an identified or identifiable natural person, or is otherwise linked or reasonably linkable to a particular Data Subject or household (including any personal or household device), as well as other information defined as “personal data,” “personal information” or equivalent term under applicable Data Protection Laws.
(j) “Process” or “Processing” means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
(k) “Services” means Circana Transaction Data.
(l) “Subprocessor” means any person (including any third party and any Circana Affiliate but excluding an employee of Circana) appointed by or on behalf of Circana that Processes Customer Personal Data.
1.2 Capitalized terms not otherwise defined herein will have the meaning set forth in the Agreement.
2. Processing of Customer Personal Data
2.1 The parties agree that Customer discloses the Personal Data to Circana for the specific and limited purposes set forth in Annex 1 hereto.
2.2 Circana and Customer will (i) comply with all applicable Data Protection Laws in the Processing of Personal Data and Circana shall provide the same level of privacy protection as is required by Data Protection Laws and this Addendum; and (ii) only Process Customer Personal Data for the purposes set forth in Annex 1 and as otherwise permitted or required pursuant to the Agreement or applicable Data Protection Laws.
2.3 If Circana believes it will be unable to comply with Data Protection Laws, Circana will promptly notify Customer. Without limiting the foregoing, Circana will grant Customer the right to take reasonable and appropriate steps: (i) to help ensure that Circana uses Personal Data transferred in a manner consistent with Customer’s obligations under Data Protection Laws; and (ii) to, upon notice, stop and remediate any unauthorized use and Processing of Personal Data.
2.4 Annex 1 to this Addendum sets out a description of the Processing of Customer Personal Data, including the subject matter and duration of the Processing, the specific and limited purposes for the Processing, the type of Personal Data Processed, and the categories of Data Subjects subject to such Processing.
3. Personnel
Circana will take reasonable steps to ensure the reliability of any employee, personnel, agent or contractor who may have access to Customer Personal Data, ensuring in each case that (i) access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data for the purposes of the Services and to comply with applicable laws, and (ii) such employees, personnel, agents or contractors are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 Circana shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.
5. Data Subject Rights and Reasonable Cooperation
5.1 The Parties will provide reasonable support and assistance as necessary to enable one another to comply with their obligations under Data Protection Laws, as set forth in this Section 5.
5.2 Taking into account the information available to the Parties, the Parties will:
5.2.1 Promptly notify one another if either Party receives a request from a Data Subject or a regulatory or supervisory authority under any Data Protection Laws in respect of the other Party’s Personal Data, and: (i) not respond to such request, unless required by applicable law to which that Party is subject; and (ii) provide reasonable assistance, to the extent possible, as necessary to enable the other Party to comply with its obligations under Data Protection Law to respond to such requests.
5.2.2 Provide reasonable assistance as requested with any data protection impact assessments, prior consultations with, or other notification or similar obligations to Supervisory Authorities or other competent data privacy authorities, which either Party reasonably considers to be required by Data Protection Law.
6. Data Breach
6.1 Each Party will notify the other Party without undue delay upon becoming aware of a Data Breach. The Parties will cooperate and timely agree on commercially reasonable steps to promptly investigate and remediate the Data Breach, as well as to satisfy any notifications to regulators or to Data Subjects which are required following a Data Breach.
7. Deletion of Customer Personal Data
7.1 Subject to Section 7.2, Circana will delete Customer Personal Data within thirty (30) calendar days of cessation of the Services.
7.2 Notwithstanding Section 7.1, Circana may retain Customer Personal Data for an additional period of time only to the extent and for such period as required by applicable law.
8. Audit rights
8.1 Upon Customer’s written request, and to the extent required by Data Protection Laws, Circana shall provide Customer with information reasonably necessary to demonstrate compliance with its obligations set forth in this Addendum and applicable Data Protection Laws. Such information may include the most recent reports, certificates, and/or extracts pursuant to Circana’s ISO27001 or similarly held industry certification.
8.2 Such written requests under Section 8.1 shall be limited to no more than once per any twelve (12) calendar month period.
8.3 Any information provided by Circana to Customer in accordance with this Section 8, shall be considered confidential information of Circana and subject to the confidentiality obligations in the Agreement. Customer shall maintain Circana confidential information in the strictest confidence. Customer agrees to restrict access to Circana confidential information only to those Customer personnel who (i) have a business need to have access to such confidential information and (ii) are bound by a duty of confidentiality.
9. General Terms
9.1 Order of precedence. In the event of a conflict between the terms of the Agreement and this Addendum, this Addendum will control.
9.2 Changes in Data Protection Laws. If any variation is required to this Addendum as a result of a change in Data Protection Laws, then either Party may provide written notice to the other Party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this Addendum to address such changes.
9.3 Severance. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum will remain valid and in force. The invalid or unenforceable provision will be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Annex 1 to Attachment 2 – Description of Processing
This Annex 1 to the Addendum includes certain details of the Processing of Customer Personal Data as may be required by applicable Data Protection Laws. The obligations of the Parties are set out in the Addendum and the Agreement.
1. Subject Matter and Duration
The subject matter and duration of the Processing of Personal Data:
- The subject matter and duration of the Processing of Personal Data are set out in the Agreement.
2. Business Purposes
The specific and limited purposes for the Processing of Personal Data include:
- The Services, as defined in the Agreement, and as otherwise necessary to perform the obligations under the Agreement.
3. Personal Data
The types of Personal Data to be Processed include:
- Identifiers, such as tokenized loyalty (FSP) card numbers
- Pseudonymized data including: indirect identifiers, demographic data, transactional data
- Other Personal Data as listed in the Agreement
4. Data Subjects
The categories of Data Subjects to whom Personal Data relates include:
- Customers of Customer’s End Customer
Attachment 3 – Security Requirements
-
Client’s information security organization maintains a data governance program that includes processes to track data providers, evaluate service data capabilities, and periodically assess risks and compliance with this Addendum.
-
Client’s legal and information security organizations must approve before the transfer or sale or access to Circana Transaction Data.
-
Client’s client (“End Client”) that access Transaction Data must agree by contract to comply with applicable laws and this Addendum or equivalent information security measures.
-
Client maintains an appropriate process and procedures to manage Circana and End Client data intake and protection.
- Client business unit-specific data intake and protection processes may vary but must include, at minimum, means for (1) identifying Circana and End Client data and any pertinent requirements prior to data intake or creation; (2) maintaining an inventory of Circana and End Client data created or received; and (3) ensuring Client and End Client implement and maintain appropriate information security measures, including proper data and media disposal when Client or End Client no longer has a business need to retain the DaaS (or is no longer permitted to do so by agreement).
- Identify any pertinent Client data requirements before data intake or creation according to your business unit’s data intake and protection process. Requirements may be contractual or the result of applicable law or regulations, or both.
- Client’s processes and procedures must provide for secure data transfer. Maintain an inventory of data that includes, at a minimum (a) a description of the DaaS data; (b) the location(s) where the data is stored; (c) who is authorized to access the data (by category or role, if appropriate); (e) how long the data is to be retained (using criteria, if appropriate); and (f) any specific contractual or regulatory obligations or other identified data protection or management requirements.
- Protect all Circana and End Client data Client creates or receives in accordance with this Addendum and the requirements set forth in Appendix 1.
- Ensure that any Circana data or media containing Transaction Data is securely disposed of when it is no longer required for Client’s business purposes, or as otherwise required by mutual agreement.
- Client supports an ongoing risk management action cycle to: (a) enforce this Addendum; (b) identify information security risks; (c) develop procedures, safeguards, and controls; and (d) verify that safeguards and controls are in place and working properly.
- Client maintains a risk assessment program to identify information security risks across its IT environment, including application software, databases, operating systems, servers, and other equipment, such as network components and other connected devices. The information security coordinator coordinates risk assessment activities that may take several forms, including analyses, audits, reviews, scans, and penetration testing.
- Client maintains a process to identify and track applicable vulnerabilities, scan devices for current patch status, and advise system administrators. Schedule any necessary updates using standard change management processes and according to risk level.
- Client maintains a formal vulnerability disclosure policy.
- Client maintains compliance management processes to enforce the terms of this Addendum or substantially similar terms.
Annex 1 to Attachment 3 – Additional System Security Requirements
- Client will certify that it is operating according to a strict definition of security procedures and policies contained in ISO27001:2013 and ISO27002;
- Client will provide to Circana certificates and attestations to certification for any security certifications currently held (such as ISO27001);
- Client will provide results from annual SSAE18 or SOC I/II Type II audits performed by recognized and certified security practitioners and covering the facilities and systems housing Circana Transaction Data.
- Client will perform regular internal vulnerability scans and regular (at least annual) penetration tests to be performed by recognized third party security practices. Results of such tests or letters of attestation issued by recognized third party security practice indicating that there were no major findings will be provided to Circana on an annual basis;
- Client will provide attestation to the rigid application of secure coding standards in accordance with OWASP (or higher);
- Client will ensure that Circana Data is strongly encrypted at rest and in motion with encryption standards conforming to NIST SP 800 or similar;
- Client will ensure that access to Circana Data is strictly limited to those with the need to know and authorized End Clients and that such access is revoked immediately upon the cessation of need to know or authorized End Clients.
- Client will provide a description of controls in place to prevent Circana Data from being downloaded in whole or in part by unauthorized third parties. Such controls include the detection and prevention of unauthorized bulk electronic transfer of Circana Data and copy of Circana Data onto portable external storage devices;
- Client will provide a description of controls in place to ensure that updates to systems containing Transaction Data are performed by authorized personnel and systems and that measures are in place to validate the accuracy and appropriateness of such updates;
- Circana may, at its expense, audit or cause to be audited the compliance with security requirements defined herein. Such audits would be limited to once per calendar year. Audits may include physical data center environment, vulnerability and penetration test results, backup policies, encryption policies, access policies, business continuity policies and security policy and procedure overview.
















