US States Data Laws Addendum
1. General. This addendum (“US States Data Laws Addendum”) is entered into as of the date below, and is incorporated into and forms a part of the DPA.
This US States Data Laws Addendum sets forth the terms and conditions relating to compliance with:
a) The California Consumer Privacy Act of 2018 and any regulations, amendments and/or updates thereto including but not limited to as amended by the California Privacy Rights Act (collectively, the “CCPA”);
b) The Virginia Consumer Data Privacy Act and any regulations, amendments and/or updates thereto;
c) The Colorado Data Privacy Act and any regulations, amendments and/or updates thereto;
d) The Connecticut Act Concerning Personal Data Privacy and Online Monitoring and any regulations, amendments and/or updates thereto;
e) The Utah Consumer Privacy Act and any regulations, amendments and/or updates thereto;
f) The Oregon Consumer Privacy Act and any regulations, amendments and/or updates thereto;
g) The Texas Data Privacy and Security Act and any regulations, amendments and/or updates thereto;
h) The Delaware Personal Data Privacy Act and any regulations, amendments and/or updates thereto;
i) The Iowa Consumer Data Protection Act and any regulations, amendments and/or updates thereto;
j) The Nebraska Data Privacy Act and any regulations, amendments and/or updates thereto (items b through j, together with any other U.S. state comprehensive privacy law that comes into effect subsequent to the date hereof, the “US States Data Laws”).
In the event of a conflict between this US States Data Laws Addendum and the DPA, this US States Data Laws Addendum will prevail.
2. CCPA.
A. In addition to and without limiting any and/or all other provisions of this Addendum, for purposes of compliance with the CCPA, Service Provider agrees that:
a) Personal Information is being disclosed by Customer to Service Provider only for the limited and specified purpose of the Agreement and Service Provider shall not retain, use or disclose Personal Information for any other purpose.
b) Service Provider shall comply with the applicable obligations under the CCPA and provide the same level of privacy protection as required of businesses covered under the CCPA.
c) Customer shall have the right (but not the obligation) to take reasonable and appropriate steps to monitor Service Provider’s compliance with this Addendum and to ensure that Service Provider is using the Personal Information in a manner consistent with the CCPA.
d) Service Provider shall immediately notify Customer in writing if it determines that it can no longer meet its obligations under the CCPA.
e) Customer shall have the right upon notice to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
f) Service Provider shall not sell, share, retain, use, cache or disclose Personal Data outside of the direct relationship between Customer and Service Provider as set forth in this Addendum.
g) Service Provider shall enable Customer to comply with consumer requests made pursuant to the CCPA as further defined in section 7.1 of the DPA.
h) If Service Provider engages any sub-processors of Personal Data then Service Provider shall notify Customer of such engagement in writing and ensure (and confirm to Customer) that there is a written contract between Service Provider and the sub-processor that binds the sub-processor to all of the contractual requirements and obligations imposed on the Service Provider under the Agreement and/or this Addendum. Service Provider shall be responsible for any breach of this Addendum by its sub-processors as if such breach were a breach by Service Provider.
i) Service Provider is not permitted to use any Personal Data for its own operational purposes or on its own behalf (for example to improve or benchmark Service Provider’s services).
j) Upon Customer’s request, Service Provider shall delete or return all Personal Data to Customer as requested at the end of the performance of Processing, unless retention of the Personal Data is required by Laws and then only to the extent required.
k) If Customer provides any de-identified information to Service Provider, then Service Provider shall take reasonable measures to ensure that such information cannot be associated with an individual and shall publicly commit to maintain and use such information in de-identified form only and not attempt to re-identify the information.
l) Service Provider acknowledges and agrees that it fully understands and agrees with the obligations and restrictions set forth in this Addendum.
B. Customer shall be responsible for complying with its own obligations as a business to the extent applicable under the CCPA.
3. US State Data Laws
A. In addition to and without limiting any and/or all other provisions of this Addendum, for purposes of compliance with the US State Laws, Service Provider agrees that:
a) Service Provider is a “Processor” as such term is defined under the US State Laws.
b) Customer is a “Controller” as such term is defined under the US State Laws.
c) Customer hereby instructs Service Provider to process Personal Information solely for the purposes defined in the Agreement. The type of data subject to processing is as defined in Section 2 of the DPA. The duration of the processing is as defined in Annex I of the DPA.
d) Taking into account the context of the processing, Service Provider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Such measures are further defined in Annex II of the DPA.
e) All employees and personnel of Service Provider must be subject to a written duty of confidentiality with respect to the Personal Information and the processing thereof.
f) Upon Customer’s reasonable request, Service Provider shall cooperate with Customer and provide information in a timely manner to Customer to (i) enable Customer to conduct and document data protection assessments and cooperate with reasonable audits by Customer or a qualified independent auditor; (ii) demonstrate Service Provider’s compliance with its obligations under the VA Act; (iii) take appropriate technical and organizational measures to fulfil consumer rights requests made to Customer; and (iv) help meet Customer’s obligations in relation to any data security and/or data breach notification.
g) Upon Customer’s request, Service Provider shall delete or return all Personal Data to Customer as requested at the end of the performance of the Processing, unless retention of the Personal Data is required by Laws and then only to the extent required.
h) If Customer provides any de-identified information to Service Provider, then Service Provider shall take reasonable measures to ensure that such information cannot be associated with an individual and shall publicly commit to maintain and use such information in de-identified form only and not attempt to re-identify the information.
B. Customer shall be responsible for complying with its own obligations as a controller to the extent applicable under the US State Data Laws.
Previous Versions
Below are previous versions of our Terms. They are effective as they correspond to the signature date of your Agreement.