DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of the Agreement into which this DPA has been incorporated (“Agreement”) by and between the Parties thereto (each a “Party” and together the “Parties”) in connection with their performance under the Agreement. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
In the course of its performance under the Agreement, a Party (“Processor”) may Process Controller Personal Data on behalf of the other Party (“Controller”), and the Parties agree to comply with the following provisions with respect to such Controller Personal Data.
In this DPA, the following terms shall have the meanings set out below:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
“Aggregate Data” means information that relates to a group or category of individuals, from which individual identities have been removed, and that is not linked or reasonably linkable to any individual or household.
“Controller Group Member” means Controller or any Controller Affiliate.
“Controller Personal Data” means any Personal Data Processed by Processor or Processor’s Subprocessor on behalf of Controller pursuant to the Agreement.
“Data Protection Assessment” means an assessment of the impact of processing operations on the protection of Personal Data and the rights of Data Subjects, or is otherwise defined as a “Data Protection Assessment,” “Data Protection Impact Assessment,” or “Risk Assessment” by applicable Data Protection Laws.
“Data Protection Laws” means any and all applicable data protection, security, or privacy-related laws, statutes, directives, or regulations, including but not limited to: (a) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder; (b) the Virginia Consumer Data Protection Act of 2021, Va. Code Ann. § 59.1-571 to -581; (c) the Colorado Privacy Act of 2021, Co. Rev. Stat. § 6-1-1301 et seq.; (d) Connecticut Public Act No. 22-15, “An Act Concerning Personal Data Privacy and Online Monitoring”; (e) the Utah Consumer Privacy Act of 2022, Utah Code Ann. § 13-61-101 et seq.; and (f) all other equivalent laws and regulations in any relevant jurisdiction relating to Personal Data and privacy, and as each may be amended, extended or re-enacted from time to time.
“Data Subject” means an identified or identifiable natural person whose Personal Data is being Processed. Where applicable, the term “Data Subject” shall refer to “Consumer” as that term is defined under Data Protection Laws.
“Deidentified Data” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, be linked directly or indirectly with, or reasonably be used to infer information about an identifiable natural person.
“Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household, or is otherwise defined as “personal data,” “personal information,” or “personally identifiable information” by applicable Data Protection Laws.
“Process” means any operation, or set of operations, which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, access to, retrieval of, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, or which is otherwise defined as “process” by applicable Data Protection Laws. “Processes” and “Processing” shall be construed accordingly.
“Regulatory Authority” means the applicable public authority or government agency responsible for supervising compliance with Data Protection Laws, including, but not limited to: the California Privacy Protection Agency; and U.S. state attorneys general.
“Subprocessor” means any third party appointed by Processor to Process Controller Personal Data on behalf of Controller in connection with the Agreement.
The terms “Business,” “Business Purpose,” “Controller,” “Processor,” “Sale,” “Sensitive Personal Data,” “Sensitive Personal Information,” “Service Provider,” and “Share” shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.
PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Controller Personal Data, Controller is the Controller or Business (as applicable), Processor is the Processor or Service Provider (as applicable), and that Processor will engage Subprocessors pursuant to the requirements set forth in Section 5 below. The Parties acknowledge and agree that neither Party has reason to believe that the other Party is unable to comply with the provisions of this DPA or otherwise that such Party is in violation of any Data Protection Law.
2.2 Processor’s Processing of Controller Personal Data. Processor shall treat Controller Personal Data as confidential and shall only Process Controller Personal Data as necessary to perform its obligations on behalf of and in accordance with Controller’s documented instructions for the following permitted purposes: (i) in accordance with the Agreement and applicable order or scope of work; (ii) if initiated by Data Subjects; and/or (iii) to comply with other documented reasonable instructions provided by Controller (e.g., via email) where such instructions are consistent with the terms of the Agreement and Data Protection Laws.
2.3 California Personal Data Processing. To the extent that the Agreement or Controller’s instructions to Processor involve the Processing of Controller Personal Data concerning California Data Subjects, and to the extent that the CCPA governs the Processing of the Controller Personal Data, the Parties acknowledge and agree that with respect to such information:
2.3.1 Controller shall disclose Controller Personal Data to Processor only for the limited and specified purposes specified in the Agreement. Controller reserves the right, upon reasonable notice, to take reasonable and appropriate steps to help ensure that Processor uses Controller Personal Data transferred in a manner consistent with Controller’s obligations under the CCPA, including reasonable and appropriate steps to stop and remediate unauthorized use of Controller Personal Data.
2.3.2 Processor shall not: (a) Sell or Share Controller Personal Data; (b) retain, use, or disclose Controller Personal Data for any purpose other than for the Business Purposes specified in the Agreement; (c) retain, use, or disclose Controller Personal Data outside of the direct business relationship between Processor and Controller; or (d) combine Controller Personal Data with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with Data Subjects, provided that Processor may combine Personal Data to perform a Business Purpose (with the exception of “advertising and marketing services,” as defined under the CCPA). Processor shall comply with applicable obligations and provide the same level of privacy protection as required by the CCPA, and shall assist Controller through appropriate technical and organizational measures to comply with CCPA requirements, taking into account the nature of the Processing. Processor shall notify Controller if it makes a determination that it can no longer meet its obligations under the CCPA.
2.4 Details of the Processing. The subject matter of Processing of Controller Personal Data by Processor is the performance of the Parties pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Controller Personal Data, and categories of Data Subjects Processed under this DPA are further specified in the Agreement.
2.5 Instructions for Processing. Controller providing Controller Personal Data to Processor shall instruct Processor and each Processor Affiliate (and authorizes Processor and each Processor Affiliate to instruct each Subprocessor) to Process Controller Personal Data, as reasonably necessary for the performance of the Parties to be consistent with the Agreement; and warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instructions set out in this section. Processor shall immediately inform Controller if, in its opinion, an instruction violates Data Protection Laws.
RIGHTS OF DATA SUBJECTS
3.1 Data Subject Request Notifications. Processor shall, to the extent legally permitted, promptly notify Controller if Processor receives a request from a Data Subject to exercise the Data Subject’s rights, including the rights to: knowledge/access; correction; deletion; restriction; objection; data portability; opt out of the Processing of and/or the Sale or Sharing of Personal Data; limit the use or disclosure of Sensitive Personal Data or Sensitive Personal Information; or any other request with respect to Personal Data of the applicable Data Subject, as set forth under applicable Data Protection Laws (“Data Subject Request”). With respect to a Data Subject Request exercising the right to deletion and to the extent required by Data Protection Laws, Processor shall notify its Subprocessors to delete any Controller Personal Data that they are Processing on behalf of Processor.
3.2 Assistance With Data Subject Requests. Taking into account the nature of the Processing and the Controller Personal Data, Processor shall assist Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Controller’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Controller does not have the ability to address a Data Subject Request directly, Processor shall, upon Controller’s written request, exercise reasonable efforts to assist Controller in responding to such Data Subject Request, to the extent Processor is legally permitted to do so. This shall include, to the extent required by Data Protection Laws, Processor taking affirmative steps to delete (or enabling Controller to delete) Controller Personal Data collected, used, processed, or retained by Processor. Nothing in this Section 3 shall require Processor to disclose or reveal any trade secrets.
4.1 Confidentiality. Processor shall ensure that its personnel engaged in the Processing of Controller Personal Data are informed of the confidential nature of the Controller Personal Data, have executed written confidentiality agreements, and have received appropriate training regarding the Processing of Controller Personal Data.
4.2 Reliability. Processor shall endeavor, in the exercise of its reasonable business discretion, to ensure the reliability of any Processor personnel engaged in the Processing of Controller Personal Data.
4.3 Limitation of Access. Processor shall ensure that Processor’s access to Controller Personal Data is limited to those personnel performing in accordance with the Agreement.
4.4 Data Protection Officer. To the extent required by applicable Data Protection Laws, each Party has appointed a data protection officer.
5.1 Appointment of Subprocessors. With respect to the Processing of Controller Personal Data, each Controller Group Member authorizes Processor and each Processor Affiliate to appoint (and permit each Subprocessor appointed in accordance with this Section 5.1 to appoint) Subprocessors in accordance with this Section 5. Processor and each Processor Affiliate may continue to use those Subprocessors already engaged by Processor or any Processor Affiliate as of the date of this DPA, subject to Processor and each Processor Affiliate in each case, as soon as practicable, meeting the obligations set out in this Section 5. Processor or a Processor Affiliate has entered or will enter into a written agreement with each Subprocessor containing data protection obligations substantially similar to those in this DPA with respect to the protection of Controller Personal Data to the extent applicable to the nature of the services provided by such Subprocessor.
5.2 Prior Authorization for Appointment of New Subprocessors. Controller authorizes Processor’s engagement of Subprocessors. Processor shall give Controller written notice of the appointment of any new Subprocessor, including details of the Processing to be undertaken by the Subprocessor, and shall not disclose any Controller Personal Data to any such new Subprocessor without Controller’s prior written authorization. Processor shall submit such written notice and request for Controller’s authorization to Controller at least thirty (30) days prior to the engagement of any new Subprocessor, along with information sufficient to allow Controller to decide whether to authorize the new Subprocessor. Processor remains fully liable for any breach of this DPA that is caused by an act, error, or omission of its Subprocessor.
6.1 Standard of Care. Processor agrees and covenants that it shall: (i) keep and maintain all Personal Data in strict confidence, using such degree of care as is reasonable and adequate to prevent loss or unauthorized access, use or disclosure; (ii) implement and maintain current and appropriate administrative, technical, and physical safeguards with respect to all business processes and physical premises and all computing equipment, systems, applications, and software used by or for Processor to access, receive, generate, handle, store, transmit, or otherwise process any Personal Data, to protect against a Data Security Incident; (iii) use and disclose Personal Data solely and exclusively for Controller for the purposes for which the Personal Data, or access to it, is provided to Processor pursuant to the terms and conditions of the Agreement and this DPA, and not use, sell, rent, transfer, distribute, or otherwise disclose or make available Personal Data for Processor’s own purposes or for the benefit of anyone other than Controller, without Controller’s prior written consent; (iv) ensure that Personal Data delivered to Processor shall be stored in the United States or other jurisdictions approved by Controller in writing and shall not be transferred to any other countries or jurisdictions without the prior written consent of Controller; and (v) not, directly or indirectly, disclose Personal Data to any person other than its authorized employees who have a need to know or otherwise access Personal Data to enable Processor to perform its obligations under the Agreement (“Authorized Employees”) without express written consent from Controller unless and to the extent required by government authorities or as otherwise, to the extent expressly required, by applicable law (“Authorized Third Party”), in which case Processor shall (x) use best efforts to notify Controller before such disclosure or as soon thereafter as reasonably possible; (y) be responsible for and remain liable to Controller for the actions and omissions of such Authorized Third Party concerning the treatment of such Personal Data as if they were Processor’s own actions and omissions; and (z) require the Authorized Third Party that has access to Personal Data to execute a written agreement agreeing to comply with the terms and conditions of this DPA relating to the treatment of Personal Data.
6.2 Compliance with Data Protection Laws. Processor represents and warrants that it, and its Processing and security of Personal Data, do and will comply with all applicable Data Protection Laws.
6.3 Security Safeguards. At a minimum, Processor’s safeguards for the protection of Personal Data shall include: (i) limiting access to Personal Data to Authorized Employees; (ii) securing business facilities, data centers, paper files, servers, back-up systems and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability; (iii) implementing network, device, application, database and platform security; (iv) securing information transmission, storage and disposal; (v) implementing authentication and access controls within media, applications, operating systems and equipment; (vi) encrypting Personal Data at rest and transmitted over public or wireless networks; (vii) implementing appropriate employee security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with applicable law; and (viii) providing appropriate privacy and information security training to Controller’s employees.
6.4 Data Security Incident Management and Notification. Processor shall maintain security incident management policies and procedures, and shall notify Controller without undue delay and in line with the timelines required by applicable Data Protection Laws after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Personal Data that is transmitted, stored, or otherwise Processed by Processor or its Subprocessors (a “Data Security Incident”). Processor shall make reasonable efforts to identify the cause of such Data Security Incident and immediately take those steps reasonably necessary in order to remediate the cause of any such Data Security Incident, to the extent the remediation is within Processor’s reasonable control. Immediately following Processor’s notification to Controller of a Data Security Incident, the Parties shall coordinate with each other to investigate the Data Security Incident. Processor agrees to fully cooperate with Controller in its handling of the matter, including, without limitation: (i) assisting with any investigation; (ii) providing Controller with physical access to the facilities and operations affected; (iii) facilitating interviews with Processor’s employees and others involved in the matter; and (iv) making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards or as otherwise reasonably required by Controller. In the event of a Data Security Incident, Controller shall be responsible for notifying Data Subjects and/or Regulatory Authorities as required by Data Protection Laws, and Processor, taking into account the nature of processing and the information available to Processor, shall assist Controller in relation to such notification obligations.
Processor shall reimburse Controller for its costs incurred in responding to, and mitigating damages caused by, any Data Security Incident, including all costs of notice, identity protection and monitoring services and remediation. Any such reimbursement shall not limit any other remedy arising from a Data Security Incident available to Controller at law or in equity, or pursuant to this DPA or the Agreement. Nothing in this DPA shall be construed to require Processor to violate, or delay compliance with, any legal obligation it may have with respect to a Data Security Incident.
INFORMATION PROVISION AND COOPERATION
7.1 Demonstration of Processor’s Compliance. Processor shall, upon Controller’s reasonable request and to the extent required by Data Protection Laws, make available to Controller all information in Processor’s possession necessary to demonstrate Processor’s compliance with its obligations under Data Protection Laws.
7.2 Audits and Assessments.
7.2.1 Processor shall reasonably cooperate with Controller in relation to any audit of Processor reasonably necessary to enable Controller to comply with its obligations under Data Protection Laws (“Audit”), and shall ensure the equivalent cooperation from relevant Subprocessors. Any Audit shall be: (i) conducted by Controller or an independent third party engaged by Controller; and (ii) subject to the confidentiality obligations set forth in the Agreement. Controller shall use reasonable endeavours to minimize any disruption caused to the Processor’s business activities as a result of an Audit. Audits shall take place no more than once in any calendar year unless and to the extent that Controller (acting reasonably and in good faith) has reasonable grounds to suspect a Data Security Incident or any material breach of this DPA by Processor.
7.2.2 To the extent permitted by Data Protection Laws, Processor may, with Controller’s consent and as an alternative to the requirements set forth in Section 7.1, arrange for a qualified and independent assessor to conduct an assessment of Processor’s policies and technical and organizational measures in support of Processor’s obligations under Data Protection Laws, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Such assessment shall be conducted at least annually and at Processor’s expense. Processor shall provide a report of such assessment to Controller upon request (“Assessment Report”).
7.2.3 Any Assessment Report or information disclosed in connection with an Audit shall be the confidential information of Processor and/or the applicable Processor Affiliate (and/or Subprocessor, as the case may be). For the avoidance of doubt, any Assessment Report or information obtained by Controller pursuant to an Audit shall be maintained in confidence by Controller and may not be disclosed to any third party, including, without limitation, any other agents or representatives of Controller, except to the extent necessary to assert or enforce any of Controller’s rights under the Agreement, this DPA or if otherwise required to be disclosed by Data Protection Law, by any Regulatory Authority, or by a court or other authority of competent jurisdiction. If any such disclosure is so required, Controller agrees to give Processor as much advance notice of the disclosure as possible (where notice of disclosure is not prohibited) and Controller shall meaningfully consult with Processor (unless legally prohibited from doing so) in relation to the content and scope of the disclosure.
7.3 Data Protection Assessments. Upon Controller’s request and to the extent required under Data Protection Laws, Processor shall provide Controller with the necessary information and with reasonable cooperation and assistance needed to fulfil Controller’s obligation to carry out a Data Protection Assessment related to Controller’s performance under the Agreement, to the extent that Controller does not otherwise have access to the relevant information and that such information is reasonably available to Processor. To the extent required under Data Protection Laws, Processor shall provide reasonable assistance to Controller in its cooperation or prior consultation with a Regulatory Authority in the performance of its tasks relating to this Section 7.
RETURN AND DELETION OF PROCESSOR DATA
Processor shall, on the written request of Controller, return all Controller Personal Data to Controller and/or at Controller’s request delete the same from its systems.
Subject to the Agreement, to the extent that Processor receives Deidentified Data from Controller or processes Controller Personal Data in such a way that it becomes Deidentified Data, Processor shall:
- Take reasonable measures to ensure that the Deidentified Data cannot be associated with an individual or household;
- Publicly commit to maintain and use the Deidentified Data only in a de-identified fashion and not attempt to re-identify the data, unless otherwise permitted by Data Protection Laws; and
- Contractually obligate any recipients of the Deidentified Data, including any Subprocessors, to comply with the requirements of this Section 10.
INDEMNIFICATION; LIMITATION OF LIABILITY
Processor shall indemnify, defend, and hold harmless Controller and its Affiliates, and each of their officers, directors, employees, and agents from and against all claims, demands, suits, causes of action, awards, judgments and liabilities, including reasonable attorneys' fees and costs (collectively “Claims”) arising out of or alleged to have arisen out of Processor’s breach of its obligations under this DPA, or otherwise in connection with its processing activities under or in connection with this DPA, including without limitation breach of statutory duty or non-compliance with any part of the Data Protection Laws; and any “Limitation of Liability” terms under the Agreement, including but not limited to those that attempt to (i) establish a maximum amount that one Party may recover from the other Party or (ii) limit the type or category of loss or damage that a Party could recover from the other Party, shall not apply to such Claims.
In the event there is any conflict or inconsistency between the provisions of this DPA and any of the provisions of the Agreement, the provisions of this DPA shall control.