Data Protection Addendum

This Data Protection Addendum (“DPA”) supplements and amends the Agreement between Company and Customer. Capitalized terms used in this DPA not defined herein shall have the same meanings as in the Agreement, except that any conflicts or inconsistencies between this DPA and the Agreement shall be interpreted in favor of this DPA.  

NOW THEREFORE, in consideration of the foregoing recitals and the mutual covenants contained herein, the parties, intending to be legally bound, agree as follows:

1. Definitions:

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq, and the California Privacy Rights Act of 2020, as amended, including any implementing regulations.

“CDPA” means the Connecticut Data Privacy Act, S.B. 6, 2022 Gen. Assemb., Reg. Sess. (Conn. 2022), as enacted. 

“CPA” means the Colorado Privacy Act, CO St. § 6-1-1301 et seq, as amended, including any implementing regulations.

“Business” shall have the meaning set forth in the applicable Data Protection Laws and shall include any similar terms used by the applicable Data Protection Laws.

“Consumer” shall have the meaning set forth in the applicable Data Protection Laws, and shall include any similar terms used by the applicable Data Protection Laws to describe the natural person who is identified or identifiable by Personal Data. 

“Data Protection Laws” means all laws and regulations of any state or country, as amended or replaced from time to time, applicable to each respective party relating to the Processing of Personal Data applicable to the Agreement, including, but not limited to, where applicable, CCPA, CDPA, CPA, UDPA, and VCDPA.

“Personal Data” shall include Customer Data, and shall have the meaning set forth in the applicable Data Protection Laws and means any information relating to, or that can be reasonably related to, an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” or “Process” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure or destruction.

“Sell” or “Sale” or “Selling” shall have the meaning set forth in the applicable Data Protection Laws.

“Service Provider” shall have the meaning set forth in any applicable Data Protection Laws, and shall include a “Processor,” as defined in any applicable Data Protection Laws, and a “Contractor” as defined in CCPA, and any similar terms used by the applicable Data Protection Laws.

“Services” means any services provided by Company or the use of Personal Data by Company as described further in the Master Agreement or Order Form.

“Security Breach” means any confirmed or demonstrable unauthorized access to or acquisition of Personal Data as described under applicable laws.

“Share” or “Sharing” shall have the meaning set forth in the applicable Data Protection Laws.

“Sub-Processor” means any person or entity appointed by or on behalf of Company to Process Personal Data on behalf of Customer in connection with the Master Agreement, and shall include Service Providers.

“UCPA” means the Utah Consumer Privacy Act, S.B. 227, 2022 Gen. Sess. (Utah 2022), as enacted.

“VCDPA” means the Virginia Consumer Data Protection Act, VA St. § 59.1-571, as amended, including any implementing regulations.

Capitalized terms used but not defined herein or in the Master Agreement have the meanings attributed to them in the applicable Data Protection Laws.

2. The Parties’ Rights and Obligations

1. 1. Customer is disclosing the Personal Data for Company to Process the Personal Data for the limited and specified purposes set forth within the Agreement.
   2. Customer shall be solely responsible for the accuracy, quality, integrity, and legality of the Personal Data it provides to Company, or allows Company to Process on its behalf, pursuant to the Agreement. Customer expressly warrants that it has or will obtain any legally required consents or authorizations. Customer shall provide Company immediate notice with any material changes to its privacy policy or similar disclosures, if such changes materially affect Company’s Processing of the Personal Data under the applicable Data Protection Laws.
   3. Company acknowledges and agrees to the following provisions:
   4. Company shall adopt commercially reasonable security procedures and practices to protect the Personal Data received from, or Processed on behalf of, Customer.
   5. Company shall Process Personal Data pursuant to Customer’s documented instructions (including with regard to transfers), as described in the Agreement or Order Form or otherwise required by any Data Protection Laws.
   6. Notwithstanding subsection (2)(c)(xiii), Company shall not retain, use, or disclose the Customer Data, which includes Personal Data (but not Derivative Data) (1) outside of the direct business relationship between Customer and Company, or (2) for any purpose, including any commercial purpose, other than for the specific purposes specified herein, or specifically instructed by Customer in writing, or as otherwise permitted by any Data Protection Laws.
   7. Company shall not Sell or Share Personal Data it receives from or on behalf of Customer.
   8. Company shall Process Personal Data only during the term of the Agreement, as may be amended in writing.
   9. At Customer’s direction, Company shall promptly comply with any request from Customer requiring Company to return or delete Personal Data (including any existing copies), unless applicable law, including the Data Protection Laws, require retention of the Personal Data. 
   10. Company agrees that Customer may take reasonable and appropriate steps to ensure that Company uses Personal Data, including any transfers of Personal Data, in a manner consistent with Customer’s obligations under applicable Data Protection Laws. Company will work, in good faith, to cooperate with any reasonable requests for documentation from Customer concerning its handling of Personal Data under the applicable Data Protection Laws.
   11. Customer may notify Company in writing of any belief that Company is improperly Processing Personal Data. In such event, Customer’s notice shall include the factual basis of the circumstances surrounding the request. The parties shall cooperate in good faith to perform any necessary remediation.
   12. Company shall promptly inform Customer if, in Company’s opinion, it can no longer meet its obligations under applicable Data Protection Law, or any other applicable laws relating to data protection and privacy.
   13. Customer acknowledges that Company utilizes Sub-processors. Company will provide a list of those Sub-processors upon Customer’s request. Company may appoint additional Sub-Processors and may substitute or add any Sub-Processor in its reasonable discretion upon reasonable notice to Customer for its review. Customer shall no unreasonably object to any Sub-Processor engaged by Company
   14. Without limitation, Customer agrees that Company may (i) store, backup, and archive Personal Data, either on its own servers or on servers owned by a third-party service provider; and (ii) use deidentified, aggregated and/or Derivative Data, in accordance with and subject to the Data Protection Laws, generated from the use of the Services.

3. Cooperation

Company will reasonably cooperate with and assist Customer in responding to a consumer rights request or as needed for Customer’s compliance with the Data Protection Laws.

4. Confidentiality of the Processing

The parties will keep all Personal Data confidential in accordance with section 9 of the Agreement.

5. Security Breaches

In the event of a Security Breach involving the Personal Data Processed pursuant to this DPA and the Agreement, Company shall notify Customer as soon as possible, but in no event later than as required by law or industry standard practice. Company shall investigate the Security Breach and provide Customer with sufficient information to allow Customer to meet any obligations to report or inform Consumers of the Security Breach under the Data Protection Laws.

6. Limitation on Liability / Disclaimer

Neither party will be liable under this DPA for lost revenues or indirect, special, incidental, consequential, exemplary, or punitive damages, even if the party knew or should have known that such damages were possible and even if direct damages do not satisfy a remedy. The total liability in connection with this DPA will be limited to the capped amounts and/or disclaimed liability under the Agreement.