This U.S. Data Privacy Agreement (“USDPA”) governs all Supplier Services provided to Customer under the Agreement named in the DPA, to which this USDPA is Schedule A. The purpose of this USDPA is compliance with the California Consumer Privacy Act of 2018, Cal. Civil Code §1798.100 et seq., (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), and the Colorado Privacy Act (“CPA”) (collectively, “Applicable Laws”). All capitalized terms shall have the meanings as defined in the Applicable Laws, except that the term “Personal Information” used here shall include the definition of “Personal Data” in the CPA and the VCDPA, and the term “Security Incident” used here shall include the term “breach of security” described in Cal. Civil Code §1798.82, the “Security Breach” definition in the Colorado Revised Statutes §6-1-716(1)(h), and the “Breach of the security of the system” definition in Title 18.2 of the Code of Virginia.
1. Relationship with the Agreement.
The parties agree that this USDPA shall replace any existing data processing addendum the parties may have previously entered into in connection with Personal Information. This USDPA shall have no effect on any data processing addendum regarding compliance with European laws and regulations.
Except for the changes made by this USDPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this USDPA and the Agreement, this USDPA shall prevail to the extent of that conflict.
Customer is a Business as defined by the CCPA (§1798.140(d)), and Supplier is a Service Provider (CCPA §1798.140(ag)) with respect to the Personal Information specified in Exhibit 1 below. Under the CPA §6-1-1303(7) and (19), and the VCDPA §59.1-571, as between the Parties, Customer is a Controller and Supplier is a Processor of the Personal Information specified in Exhibit 1. Customer discloses the Personal Information to Supplier solely for the Business Purpose specified in Exhibit 1. Supplier shall Process Personal Information only to the extent reasonably necessary for the performance of the Services. Supplier is specifically prohibited from (a) Selling (CCPA §1798.140(ad); CPA §6-1-1303(23); VCDPA §59.1-571) or Sharing (CCPA §1798.140(ah)) the Personal Information; (b) retaining, using, or disclosing the Personal Information for any purpose other than for the Business Purpose; (c) retaining, using, or disclosing the information outside of the direct business relationship between Supplier and Customer; and (d) combining the Personal Information which the Supplier receives from or on behalf of Customer with Personal Information which it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer. Personal Information may be Deidentified or Aggregated as part of the Services, but only to the extent such Deidentification or Aggregation, as the case may be, meets the standard for such activity that is required under Applicable Laws.
3. Subcontractors; Authorized Disclosures; Confidentiality.
Where Supplier provides a third party with access to Personal Information, or contracts any of its rights or obligations concerning Personal Information to a third party, such subcontractor shall be subject to contractual terms at least as restrictive as those set forth in this USDPA and as required by Applicable Laws. Supplier remains responsible and fully liable for the acts and omissions of each subcontractor. Supplier shall ensure that each person processing Personal Information is subject to a duty of confidentiality with respect to the Personal Information. Supplier shall engage a subcontractor only after providing Customer with an opportunity to object.
Supplier shall implement, maintain, and enforce a written information security program that incorporates administrative, physical, and technical measures to protect the security and confidentiality of Personal Information and the systems used to Process Personal Information (the “Security Measures”). Such Security Measures shall, at a minimum: (i) be no less rigorous than accepted industry standards and practices for information security (i.e., ISO 27001/2 certified or SSAE 16 (Type 2) compliant); (ii) be appropriate to the risks presented by the nature of the Services and Supplier’s Processing of Personal Information, in particular from any potential Security Incident; and (iii) comply with applicable law.
5. Security Incident.
In the event of any Security Incident, Supplier shall, at its sole cost and expense: (i) immediately (and in no event later than twenty-four (24) hours after becoming aware of the Security Incident) notify Customer; (ii) promptly undertake an investigation of the Security Incident and reasonably cooperate with Customer in connection with its investigation, including by preserving and making available to Customer all relevant records, logs, files, or other relevant materials and regular updates; and (iii) as directed by Customer, promptly undertake appropriate remediation measures, and any other measures required by applicable law or otherwise commensurate with the nature of the Security Incident. Supplier shall promptly reimburse Customer for all costs and expenses (including legal fees) reasonably incurred by Customer in connection with the Security Incident. Supplier shall not publicize or deliver any notices referencing a Security Incident in a manner that identifies Customer without prior written approval from Customer.
6. Data Access Requests.
Supplier shall cooperate with Customer if a relevant consumer requests from Customer (i) access to his or her Personal Information, (ii) information about the categories of sources from which the Personal Information is collected, or (iii) information about the categories or specific pieces of such Personal Information, including by providing the requested information in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit the information to another entity without hindrance. Supplier shall promptly inform Customer in writing of any requests it receives with respect to Personal Information. Upon Customer’s request, Supplier shall promptly delete a particular consumer’s Personal Information from Supplier’s records. In the event Supplier is unable to delete the Personal Information for reasons permitted by Applicable Laws, Supplier shall (i) promptly inform Customer of the reason(s) for its refusal of the deletion request, (ii) ensure the privacy, confidentiality and security of such Personal Information, and (iii) delete the Personal Information promptly after the reason(s) for Supplier’s refusal has expired. Supplier shall take appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to Data Access Requests.
Supplier shall comply with all Applicable Laws. Supplier agrees to negotiate in good faith any amendments to the Agreement that are necessary to comply with Applicable Laws. Supplier shall notify Customer if it can no longer meet the requirements of the Applicable Laws, and Supplier grants to Customer the right to take reasonable and appropriate measures to stop and remediate unauthorized use of Personal Information upon such notification.
At least once per year covering the preceding twelve (12) month period, Supplier shall undertake an independent third-party audit of Supplier’s policies and technical and organizational measures in support of the obligations under this USDPA using an appropriate and accepted control standard or framework and audit procedure as applicable. Upon Customer’s request, Supplier shall provide copies of such audits to Customer. Supplier shall also make available to Customer all information necessary to demonstrate compliance with this USDPA, and shall permit Customer to monitor Supplier’s compliance with this USDPA through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months. Supplier shall contribute to reasonable audits and inspections by Customer. Supplier grants to Customer the right to take reasonable and appropriate measures to help ensure that Supplier’s use of Personal Information is consistent with Customer’s obligations under Applicable Laws.
Supplier certifies that it understands and will comply with the requirements and restrictions set forth in this USDPA.
10. Return or Destruction of Personal Information.
At the choice of Customer, Supplier shall delete or return all Personal Information to Customer as requested at the end of the provision of Services, unless retention of the Personal Information is required by Applicable Laws.
11. Data Protection Assessments.
Supplier shall assist Customer to meet its obligations under Applicable Laws. Taking into account the nature of the processing and the information available to Supplier, Supplier shall assist Customer by providing information to Customer necessary to enable Customer to conduct and document any data protection assessments required by Applicable Laws.