Data Processing Addendum

This Data Protection Addendum (“DPA”) supplements and amends theAgreement between Company and Customer. Capitalized terms used in this DPA not defined herein shall have the same meanings as in the Agreement, except that any conflicts or inconsistencies between this DPA and the Agreement shall be interpreted in favor of this DPA.

NOW THEREFORE, inconsideration of the foregoing recitals and the mutual covenants contained herein, the parties, intending to be legally bound, agree as follows:

1.    Definitions:  

 “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100et seq, and the California Privacy Rights Act of 2020, as  amended, includingany implementing regulations.

 “CDPA” means the ConnecticutData Privacy Act, S.B. 6, 2022 Gen. Assemb., Reg. Sess. (Conn. 2022), as enacted. 

 “CPA” means the Colorado Privacy Act, CO St. §6-1-1301 et seq, as amended, including any implementing regulations.

 “Business” shall have the meaning set forth in the applicable Data Protection Laws and shall include any similar terms used by the  applicable Data ProtectionLaws.

 “Consumer” shall have the meaning set forth in the applicable Data ProtectionLaws, and shall include any similar terms used by the  applicable DataProtection Laws to describe the natural person who is identified or identifiable by Personal Data.

 “DataProtection Laws” means all laws and regulations of any state or country, as amended or replaced from time to time, applicable to  each respective party relating to the Processing of Personal Data applicable to the Agreement, including, but not limited to, where  applicable,CCPA, CDPA, CPA, UDPA, and VCDPA.

 “PersonalData” shall include Customer Data, and shall have the meaning set forth in the applicable Data Protection Laws and means any  information relating to, or that can be reasonably related to, an identified or identifiable natural person; an identifiable natural person is  one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number,  location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or  social identity of that natural person.

 “Processing” or “Process”means any operation or set of operations which is performed on PersonalData, whether or not by automated  means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure  by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure or destruction.

 “Sell” or “Sale” or “Selling” shall have the meaning set forth in the applicable Data Protection Laws.

 “Service Provider” shall have the meaning set forth in any applicable Data Protection Laws, and shall include a“Processor,” as defined in  any applicable Data Protection Laws, and a“Contractor” as defined in CCPA, and any similar terms used by the applicableData Protection  Laws. 

 “Services” means any services provided by Company or the use of Personal Data by Company as described further in the Master  Agreement or Order Form. 

 “SecurityBreach” means any confirmed or demonstrable unauthorized access to or acquisition of Personal Data as described under  applicable laws.  

 “Share” or “Sharing” shall have the meaning set forth in the applicable Data Protection Laws.

 “Sub-Processor”means any person or entity appointed by or on behalf of Company to Process Personal Data on behalf of Customer in  connection with the Master Agreement, and shall include ServiceProviders.

 “UCPA” means the Utah Consumer Privacy Act, S.B. 227, 2022 Gen. Sess. (Utah 2022), as enacted.

 “VCDPA” means the Virginia Consumer Data ProtectionAct, VA St. § 59.1-571, as amended, including any implementing regulations.

 Capitalized terms used but not defined herein or in the Master Agreement have the meanings attributed to them in the applicableData  Protection Laws.

2.    The Parties’ Rights and Obligations 

 a.  Customer is disclosing the Personal Data for Company to Process the Personal Data for the limited and specified purposes set forth  within the Agreement. 

 b.  Customer shall be solely responsible for the accuracy, quality, integrity, and legality of the Personal Data it provides to Company, or  allows Company to Process on its behalf, pursuant to the Agreement. Customer expressly warrants that it has or will obtain any legally  required consents or authorizations. Customer shall provide Company immediate notice with any material changes to its privacy policy  or similar disclosures, if such changes materially affect Company’s Processing of the Personal Data under the applicable Data Protection  Laws. 

 c.  Company acknowledges and agrees to the following provisions:

  1. Company shall adopt commercially reasonable security procedures and practices to protect the Personal Data received from, or Processed on behalf of, Customer.
  2. Company shall Process Personal Data pursuant to Customer’s documented instructions(including with regard to transfers), as described in the Agreement or OrderForm or otherwise required by any Data Protection Laws.
  3. Not withstanding subsection (2)(c)(xiii), Company shall not retain, use, or disclose theCustomer Data, which includes Personal Data (but not Derivative Data) (1) outside of the direct business relationship between Customer and Company, or (2) for any purpose, including any commercial purpose, other than for the specific purposes specified herein, or specifically instructed by Customer in writing,or as otherwise permitted by any Data Protection Laws.
  4. Company shall not Sell or Share Personal Data it receives from or on behalf of Customer.
  5. Company shall Process Personal Data only during the term of the Agreement, as may be amended in writing.
  6. At Customer’s direction, Company shall promptly comply with any request from Customer requiring Company to return or delete Personal Data (including any existing copies), unless applicable law, including the Data Protection Laws, require retention of the Personal Data.
  7. Company agrees that Customer may take reasonable and appropriate steps to ensure that Company uses Personal Data, including any transfers of Personal Data, in a manner consistent with Customer’s obligations under applicable Data Protection Laws.Company will work, in good faith, to cooperate with any reasonable requests for documentation from Customer concerning its handling of Personal Data under the applicable Data Protection Laws.
  8. Customer may notify Company in writing of any belief that Company is improperly ProcessingPersonal Data. In such event, Customer’s notice shall include the factual basis of the circumstances surrounding the request. The parties shall cooperate in good faith to perform any necessary remediation.
  9. Company shall promptly inform Customer if, in Company’s opinion, it can no longer meet its obligations under applicable Data Protection Law, or any other applicable laws relating to data protection and privacy.
  10. Customer acknowledges that  Company utilizes Sub-processors.Company will provide a list of those Sub-processors upon Customer’s request. Company may appoint additional Sub-Processors and may substitute or add anySub-Processor in its reasonable discretion upon reasonable notice to Customer for its review. Customer shall no unreasonably object to any Sub-Processor engaged by Company

d.    Without limitation, Customer agrees that Company may (i) store, backup, and archive PersonalData, either on its own servers or on servers owned by a third-party service provider; and (ii) use de identified, aggregated and/or Derivative Data, in accordance with and subject to the Data Protection Laws, generated from the use of the Services. 

2.    Cooperation

Company will reasonably cooperate with and assist Customer in responding to a consumer rights request or as needed for Customer’s compliance with the Data Protection Laws.

3.    Confidentiality of the Processing

The parties will keep all Personal Data confidential in accordance with section 9 of the Agreement. 

4.    Security Breaches

In the event of a Security Breach involving thePersonal Data Processed pursuant to this DPA and the Agreement, Company shall notify Customer as soon as possible, but in no event later than as required by law or industry standard practice. Company shall investigate the Security Breach and provide Customer with sufficient information to allow Customer to meet any obligations to report or inform Consumers of the Security Breach under the Data Protection Laws.

5.    Limitation on Liability / Disclaimer

Neither party will be liable under this DPA for lost revenues or indirect, special, incidental, consequential, exemplary, or punitive damages, even if the party knew or should have known that such damages were possible and even if direct damages do not satisfy a remedy. The total liability in connection with this DPA will be limited to the capped amounts and/or disclaimed liability under the Agreement.