DPA Statement

Data Processing Addendum

This Data Processing Addendum (“Addendum”) sets forth the agreement between us (the “Processor”) and you (the “Customer”) with regard to the processing of Personal Data (as hereinafter defined) in connection with your use of our products and services (the “Service”), in accordance with the requirements of Data Protection Laws (as hereinafter defined).

Customer hereby agrees that it is entering into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Processor processes Personal Data for which such Authorized Affiliates qualify as a Data Controller (as hereinafter defined).  For the purposes of this Addendum only, and except where indicated otherwise, the term “Customer” shall include Customer and its Authorized Affiliates.

This Addendum applies where and only to the extent that Processor processes Customer Data that originates from the EEA (as hereinafter defined) and/or that is otherwise subject to Data Protection Laws on behalf of Customer as Data Processor (as hereinafter defined) in the course of providing the Service. Customer and Processor hereby agree to comply with the following provisions, each acting reasonably and in good faith.

1. DEFINITIONS

“Affiliate” of a Person means any entity that directly or indirectly controls, is controlled by, or is under common control with such Person. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of such Person.

“Authorized Affiliate” means any of Customer's Affiliate(s) which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Service pursuant to a written agreement between Customer and Processor (the “Agreement”), but has not signed its own agreement with Processor and is not a named customer under the Agreement.

“California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as enacted by the state of California, as may be amended from time to time.

“Customer Data” means any Personal Data that Processor processes as a Data Processor on behalf of Customer under the Agreement.

“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.  Customer is the Data Controller with respect to Customer Data.

“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.  Processor, including its Affiliates, is the Data Processor with respect to Customer Data.

“Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the processing of Personal Data in connection with the Services, including where applicable EU Data Protection Laws, the CCPA, and the data protection or privacy laws of any other country.

“EEA” means, for purposes of this Addendum, the European Economic Area, United Kingdom and Switzerland.

“EU Data Protection Laws” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation), as may be amended from time to time (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).

“Personal Data” means any information relating to an identified or identifiable natural person, provided, that with respect to this Addendum, the reference is to Personal Data processed in relation to Customer’s access to and use of the Service.

“Privacy Shield” means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.

“Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).

“Request” means a written request from a Data Subject to exercise his/her specific data subject rights under the Data Protection Laws in respect of Personal Data.

“Security Measures” means the security measures applicable to the specific Service purchased by Customer detailed on Schedule A attached hereto and incorporated herein.

“Standard Contractual Clauses” means the agreement executed by and between Customer and Processor and attached hereto as Attachment 1 pursuant to the European Commission’s decision on Standard Contractual Clauses as implemented in Commission Decision 2021/914 dated 4 June 2021 for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as made available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en (as amended from time to time).

“Sub-processor” means any Data Processor engaged by Processor to assist in fulfilling its obligations with respect to providing the Service.

The terms, “Data Subject”, “Member State”, “Processing”, “Process” and “Supervisory Authority” shall have the same meaning as in the Data Protection Laws, as applicable, and their cognate terms shall be construed accordingly.

2. PROCESSING OF PERSONAL DATA

2.1 Roles of the Parties.  The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Data Controller of Customer Data and Processor will process Customer Data only as a Data Processor acting on behalf of Customer.

2.2 Customer’s Processing of Customer Data.  Customer shall (i) comply with the Data Protection Laws and its obligations as a Data Controller under the Data Protection Laws in connection with its use of the Service and with respect to any processing instructions issued to Processor, and (ii) provide notice and either have obtained or obtain all consents and rights necessary under Data Protection Laws for Processor to process Customer Data and provide the Service.  Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquires and uses Customer Data.

2.3 Processor’s Processing of Customer Data. Processor shall only process Customer Data on behalf of and in accordance with Customer’s instructions for the period set forth in the Agreement and shall treat Customer Data as confidential.  The following are deemed instructions by Customer to Processor to process Customer Data: (i) Processing in accordance with the Agreement and any applicable order form(s) and/or statement(s) of work pursuant thereto; (ii) Processing initiated by Account Users (as hereinafter defined) in their use of the Service; (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement; and (iv) Processing in accordance with all configurations of the Service by or for Customer.

2.4 Details of Data Processing.

(a) Subject matter: The subject matter of the data processing under this Addendum is the Customer Data.

(b) Duration: As between Processor and Customer, the duration of the data processing under this Addendum is until the termination of the Agreement in accordance with its terms; provided, however, that Processor may continue to store Customer Data after the termination of such agreement, as set forth in this Addendum.

(c) Purpose: The purpose of the data processing under this Addendum is the provision of the Service to the Customer and the performance of Processor’s obligations pursuant to the Agreement (including this Addendum) or as otherwise agreed by the parties.

(d) Nature of the processing: Processor provides a subscription and/or license to its Service, as described in the Agreement.

(e) Categories of data subjects: Any individual accessing and/or using the Service through the Customer’s Account as authorized by Customer (“Account Users”); any end user of a mobile application, web domain, device, software application and/or communication channel owned or controlled by Customer (if applicable) or any end user with respect to whom Customer sends notifications or processes Personal Data via the Service (collectively, “End Users”).

(f) Types of Customer Data:

  • Customer and Account Users: Account User’s login information to the Service;
  • End Users: Processor may process Personal Data on behalf of Customer via the Service, the extent of which is determined by Customer based on Customer’s configuration and use of the Service, which may include, in Customer’s sole discretion based on the Service package subscribed to by the Customer, the following categories of Personal Data: First Name, Last name, Email Address, Mobile Number, Zip Code, Age (or Date of Birth), Gender, Transaction Details, Address, Location/IP Address, and Credit Card payment information or other payment information.
  • Special categories of personal data. Customer is contractually prohibited from processing via the Service any “special categories of personal data” as defined in Data Protection Laws.

2.5 Legitimate Interests.  Notwithstanding anything to the contrary in the Agreement or this Addendum, Customer acknowledges that Processor will have a right to use and disclose data relating to the operation, support and/or use of the Service for its legitimate business purposes, such as billing, account management, technical support, and product development.

3. RIGHTS OF DATA SUBJECTS AND COOPERATION

3.1 Data Subject Requests.  Processor will provide reasonable cooperation to assist Customer, at Customer’s cost to the extent legally permissible, to respond to any Requests from Data Subjects or applicable data protection authorities relating to the processing of Personal Data in connection with the use of the Service. In the event any such Request is made directly to Processor, Processor will respond to such communication directly.

3.2 Records of Processing.  To the extent Customer is unable to independently access the relevant records of processing of Customer Data within the Service, Processor will provide reasonable cooperation to assist Customer in a timely manner as is required by Customer to demonstrate Processor’s compliance with its obligations under the Data Protection Laws and under this Addendum.

3.3 Government Requests.  If a law enforcement agency sends Processor a demand for Customer Data (for example, through a subpoena or court order), Processor will attempt to redirect the law enforcement agency to request that data directly from Customer.  As part of this effort, Processor may provide Customer’s basic contact information to the law enforcement agency.  If compelled to disclose Customer Data to a law enforcement agency, Processor will give Customer reasonable notice of such demand to allow Customer to seek a protective order or other appropriate remedy unless Processor is legally prohibited from doing so.

3.4 Data Protection Impact Assessments.  To the extent Processor is required under Data Protection Laws, Processor will (at Customer’s expense to the extent legally permitted) provide reasonably requested information regarding the Service to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

4. PROCESSOR PERSONNEL

Processor shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements.  Processor shall ensure that such confidentiality obligations survive the termination of the personnel engagement. Processor shall ensure that access to Personal Data is limited to those of its personnel who require such access to perform Processor’s obligations under the Agreement and/or to provide the Service.

5. SUB-PROCESSORS

5.1 Appointment of Sub-processors.  Customer acknowledges and agrees that (a) Processor’s Affiliates may be retained as Sub-processors; and (b) Processor may engage third-party Sub-processors in connection with the provision of the Service.  Processor has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Addendum with respect to the protection of Personal Data to the extent applicable to the nature of the Service provided by such Sub-processor.  Processor shall make available to Customer the current list of Sub-processors for the Service and shall give Customer the opportunity to reasonably object to any addition to or replacement of such Sub-processors.

5.2 Objection Right for new Sub-processors.  If Customer has a reasonable basis to object to Processor’s use of a new Sub-processor, Customer shall notify Processor promptly in writing within 10 business days after receipt of Processor’s notice regarding such new Sub-processor.  In the event Customer objects to a new Sub-processor(s) on a reasonable basis, Processor will use reasonable efforts to work in good faith with Customer to find an acceptable, reasonable, alternate solution.  If the parties are not able to agree to an alternate solution within a reasonable time (no more than 90 days), Customer may terminate the applicable order form(s) and/or statement(s) of work in respect only to the specific Service which cannot be provided by Processor without the use of the objected-to new Sub-processor, by providing written notice to Processor.

6. SECURITY

6.1 Controls for the Protection of Personal Data.  Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including the measures described in the Security Measures.  Customer is responsible for reviewing the information made available by Processor relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws.  Customer acknowledges that the Security Measures are subject to technical progress and development and that Processor may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Service purchased by the Customer.

6.2 Third-Party Certifications. Processor and its Sub-processors have obtained the third-party certifications and audits, if any, set forth in the Security Measures.  Upon Customer’s written request at reasonable intervals, Processor shall provide a copy of Processor’s and/or a Sub-processor’s then most recent third-party audits or certifications, as applicable, or any summaries thereof, that Processor or such Sub-processor, as applicable, generally makes available to its customers at the time of such request.

6.3 Customer Responsibilities.  Notwithstanding the above, Customer agrees that except to the extent expressly provided in this Addendum, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Service.

6.4 Audits.  Upon Customer’s request, and subject to any confidentiality obligations set forth in the Agreement, Processor shall make available to Customer information regarding Processor’s compliance with the obligations set forth in this Addendum in the form of the third-party certifications and audits described in the Security Measures.  Customer may contact Processor in accordance with the “Notices” provision of the Agreement to schedule an on-site audit of the procedures relevant to the protection of Personal Data.  Customer shall reimburse Processor for any time expended for any such on-site audit at Processor’s then-current professional services rates, which shall be made available to Customer upon request.  Before the commencement of any such on-site audit, Customer and Processor shall mutually agree upon the scope, timing, and duration of the audit.  Customer shall promptly notify Processor with information regarding any non-compliance discovered during the course of an audit.

7. SECURITY INCIDENT MANAGEMENT AND NOTIFICATION

Processor maintains the security incident management policies and procedures specified in the Security Measures and shall, to the extent permitted by law, notify Customer without undue delay of any actual unauthorized disclosure of Customer Data by Processor or its Sub-processors of which Processor becomes aware (a “Security Incident”) and provide details of the Security Incident to the Customer.  To the extent such Security Incident is caused by a violation of the requirements of this Addendum by Processor, Processor shall identify and remediate the cause of such Security Incident.

8. DELETION OF CUSTOMER DATA

Processor shall delete Customer Data in accordance with the procedures and timeframes specified in the Agreement.  The parties agree that the certification of deletion of Personal Data shall be provided by Processor to Customer only upon Customer’s written request.  Notwithstanding the foregoing, Processor shall not be required to delete Customer Data to the extent Processor is required by applicable law to retain some or all of the Customer Data, or to the extent it has archived Customer Data on back-up systems, which Customer Data Processor will securely isolate and protect from any further processing, except to the extent required by applicable law. In addition, Processor may retain and use, or continue to use, any anonymized or pseudonymized Customer Data for archival purposes in the public interest, scientific or historical research purposes or statistical purposes.

9. INTERNATIONAL TRANSFERS

9.1 Processing Locations.  Unless otherwise specified by Processor to Customer, Processor stores Customer Data in the United States and/or Canada.  For purposes of providing the Service, Customer Data may transfer from the originating location of Customer Data to the Service located in the United States and/or Canada.  Additionally, for purposes of providing the Service including technical support, Customer Data may be accessed from locations where Processor’s Affiliates are located.

9.2 Privacy Shield.  Although the Processor does not rely on the EU-US Privacy Shield as a legal basis for transfers in light of the judgement of the Court of Justice of the EU in Case C-311/18, for as long as the Processor is self-certified to the Privacy Shield, any Personal Data protected by EU Data Protection Laws and/or that originates from the EEA, in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the parties acknowledge that Processor will be deemed to provide adequate protection (within the meaning of Data Protection Laws) for any such Personal Data either by virtue of having self-certified its compliance with Privacy Shield or, if Processor has not self-certified its compliance with Privacy Shield, by having otherwise complied with Privacy Shield Principles. Processor agrees to protect such Personal Data in accordance with the requirements of the Privacy Shield Principles. If Processor is unable to comply with this requirement, Processor will inform Customer.

9.3 Standard Contractual Clauses.  As an alternative transfer mechanism to the Privacy Shield certification referenced in Section 9.2, to the extent that Processor processes any Personal Data protected by EU Data Protection Laws and/or that originates from the EEA, in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, Processor and Customer may enter into the Standard Contractual Clauses approved by the European Commission from time to time for the transfer of Personal Data to Data Processors established in third countries.  The parties agree that (i) purely for the purposes of the descriptions in the Standard Contractual Clauses, Processor will be deemed the "data importer" and Customer will be deemed the "data exporter" (notwithstanding that you may yourself be located outside Europe and/or be acting as a processor on behalf of third party controllers) and (ii) if and to the extent the Standard Contractual Clauses (where applicable) conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.

10. RELATIONSHIP WITH THE AGREEMENT

10.1 Status of Agreement.  Except for the changes made by this Addendum, the Agreement remains unchanged and in full force and effect.  If there is any conflict between this Addendum and such agreement, this Addendum will prevail to the extent of that conflict.

10.2 Claims.  Any claims brought under or in connection with this Addendum will be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.  Other than liability that may not be limited under applicable law, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability set forth in the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under such agreement and all Addenda (including this Addendum) together.

10.3 No Third Party Beneficiary.  No one other than a party to this Addendum, its successors and permitted assignees will have any right to enforce any of its terms.  Any claims against Processor or its Affiliates under this Addendum will be brought solely against the entity that is a party to the Agreement.  Customer further agrees that any regulatory penalties or other liabilities incurred by Processor in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this Addendum or any applicable Data Protection Laws will count toward and reduce Processor’s liability under the Agreement as if it were liability to the Processor under the Agreement.

10.4 Governing Law.  This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

11. LEGAL EFFECT

This Addendum shall be legally binding between Customer and Processor, regardless of whether this Addendum is physically appended to the Agreement, provided that this Addendum is incorporated by reference into such Agreement and Customer is provided with the URL to this Addendum.

Effective Date of this Data Processing Addendum: 06/27/2023
Contact [email protected]

Schedule A

Security Measures

The security measures Processor implements to protect Personal Data are set forth below, and any others mutually agreed to by the parties pursuant to the Addendum:


Software Development

  1. All software engineers receive software security training that covers security best practices including OWASP Top Ten and Mobile Security best practices.
  2. Use of static code analysis tools to analyze code for security vulnerabilities.
  3. All source code is developed in accordance with a standard Software Development Life Cycle (SDLC) process that includes:
    (a) Software and security code review before being promoted to production use;
    (b) Running through a continuous integration test suite; and
    (c) Manual quality assurance testing.

Hosting Environment

  1. All hosting environments use carrier class data centers having high availability standards and redundancy. Typical certifications for these data centers include:
    (a) PCI DSS Level 1 Service Provider;
    (b) SOC 1 Type II & SOC 2 Type II; and
    (c) ISO 27001

Confidentiality

  1. Customer Data is not made available or disclosed contrary to the provisions of this Addendum.
  2. Customer Data is processed only in accordance with this Addendum and only as required for the performance of the Services.
  3. Processor takes precautions to prevent viewing of computer screens that may contain Customer Data. When outside of a Processor facility, Processor employees and sub-processors may only access Customer Data in a private space or utilize a privacy screen to obscure the Customer Data from unauthorized viewing.

Processor ensures that all employees, agents, sub-processors, and representatives likely to handle Customer Data are under a duty of confidentiality and receive appropriate security awareness training.

Electronic Data

Paper Data

While most documentation and data is managed electronically, there are some circumstances that require printing of paper documents, such as validation documents that require a handwritten signature. When handling printed documents, Processor will take every precaution to prevent their exposure to anyone other than the individuals authorized to access the Personal Data contained within those printed documents.

Customer Data contained in printed form is shredded immediately after its use. For validation documents, documents are shredded after all approvals are hand-signed and the document has been scanned.

Passwords and Encryption

All Customer Data is encrypted to prevent unauthorized access and access to such Customer Data is password protected. The encryption key and passwords are kept secure at all times.

All web traffic is encrypted by TLS 1.2 or greater. Processor follows NIST recommendations for hashing, symmetric encryption and asymmetric encryption.

Security Incidents

If Processor becomes aware of unauthorized access to or disclosure of Customer Data under its control, Processor will adhere to the procedures described in the Incident Response Plan.

Audit

Processor executes internal security audits in accordance with its internal audit policies and procedures. Any remedial measures identified in an audit will be fully and promptly implemented.

Access Control

Access to Customer Data is restricted pursuant to Processor’s internal access control policies and procedures. Authorized personnel will be permitted to access Customer Data only to the extent necessary for the performance of their duties.