Data Processing Addendum
This Data Processing Addendum (“DPA”) pertains to the underlying Cloud Hosting Agreement (“Agreement”) in which ISVHost (“Service Provider”) is providing cloud hosting services to customer (“Company”) and forms part of the Agreement.
WHEREAS, Service Provider performs certain services for Company under the Agreement (“Services”);
WHEREAS, as part of the Services that Service Provider provides to Company pursuant to the Agreement, Service Provider will be given or have access to Personal Information, as that term is used and understood under Data Privacy Laws (defined below);
WHEREAS, the parties seek to implement a DPA that complies with the requirements of Data Privacy Laws.
NOW THEREFORE, IT IS AGREED AS FOLLOWS:
- Definitions
  - “Cross-context behavioral advertising” means the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.
  - “Consumer” means an individual who is a resident of a jurisdiction with applicable Data Privacy Laws, including but not limited to a “consumer” as defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, and other applicable state privacy laws.
  - “Data Privacy Laws” means all applicable laws, rules, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing (as defined below) of Personal Information.
  - “Personal Information” includes all information that identifies a person as defined by applicable Data Privacy Laws.
  - “Process” and “Processing” mean any operation or set of operations performed in relation to Personal Information, including but not limited to the collection, storage, and use of Personal Information.
  - “Profiling” means any form of automated processing of Personal Information to evaluate, analyze, or predict an individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
  - “Security Breach” means the unauthorized or unlawful destruction, loss, alteration, disclosure, or Processing of Personal Information.
  - “Sale,” “Sell,” or “Third Party” shall have the meanings set forth in California Civil Code § 1798.140, as amended, and analogous definitions under other applicable Data Privacy Laws.
  - “Sensitive Data” or “Sensitive Personal Information” means Personal Information that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual; Personal Information collected from a known child; or precise geolocation data, as further defined by applicable Data Privacy Laws.
  - “Service Provider” includes the term “Processor” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws.
  - “Share,” “Shared,” or “Sharing” shall have the meanings set forth in California Civil Code § 1798.140, as amended, and analogous definitions under other applicable Data Privacy Laws.
  - “Subprocessor” means any subcontractor that Processes Personal Information on Service Provider’s behalf.
- Service Provider Obligations
  - Service Provider will Process Personal Information for the limited purpose of providing the Services to Company enumerated in the Agreement or as otherwise instructed by Company in writing. All Processing of Personal Information by Service Provider shall be in compliance with Data Privacy Laws.
  - Without limiting the foregoing, Service Provider shall not: (i) Sell Personal Information; (ii) Share Personal Information for Cross-context Behavioral Advertising purposes; (iii) retain, use, or disclose any Personal Information for any purpose, including any commercial purpose, other than for the business purposes specified in the Agreement or as otherwise authorized by Company in writing; (iv) retain, use, or disclose any Personal Information to any third party outside of the direct business relationship between Company and Service Provider; (v) violate any applicable restrictions enumerated in Data Privacy Laws, including those on combining the Personal Information that Service Provider receives from, or on behalf of, Company with Personal Information that Service Provider receives from, or on behalf of, another person or persons, or that Service Provider collects from any interaction between itself and any individual; provided, however, that the foregoing shall not prohibit Service Provider from combining De-identified Data (as defined below) with other de-identified or anonymized data for Service Provider’s internal analytical, research, or product improvement purposes; or (vi) engage in any Processing of Personal Information that is prohibited or not permitted by “Processors” or “Service Providers” under Data Privacy Laws.
  - Notwithstanding the foregoing, Service Provider may de-identify, anonymize, or aggregate Personal Information received from Company, provided that: (i) such de-identification, anonymization, or aggregation is performed in accordance with applicable Data Privacy Laws; (ii) the resulting data (“De-identified Data”) cannot reasonably be used to identify any individual or be linked back to any individual; (iii) Service Provider implements technical safeguards and business processes to prevent re-identification; and (iv) Service Provider contractually prohibits any downstream recipients from attempting to re-identify the data. Service Provider may use, retain, and combine De-identified Data for its own internal analytical, research, benchmarking, and product or service improvement purposes. Service Provider shall not attempt to re-identify any De-identified Data or any other pseudonymized, anonymized, aggregate, or de-identified information.
  - In the event Service Provider is legally obligated to provide any Personal Information to a third party: (i) Service Provider will promptly provide Company with a reasonable opportunity to contest the legal obligation or to seek protection for the disclosure; and (ii) Service Provider, after consultation with Company and its legal counsel, will disclose only the minimum amount of Personal Information necessary to comply with the legal obligation.
  - Service Provider shall, within five (5) business days, notify Company if Service Provider determines that it can no longer meet its obligations under this DPA or Data Privacy Laws or that it has breached any of its obligations in this DPA or violated any Data Privacy Laws.
  - Except as may be necessary to comply with legal obligations, Service Provider will delete all Personal Information from its systems upon the end of the Services relating to the Processing. In the event that Service Provider is legally required to maintain such Personal Information, Service Provider shall provide notice of the same to Company. Thereafter, such Personal Information may continue to be stored within Service Provider’s system, but shall not be Processed in any other way and shall comply with all applicable Data Privacy Laws.
  - Service Provider grants to Company the right, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information.
  - The parties shall provide their reasonable cooperation to each other to modify or amend this DPA in the event new or changed Data Privacy Laws require such modification or amendment.
- Sensitive Data and Profiling Restrictions. The following additional requirements apply to Service Provider’s Processing of Sensitive Data and any Profiling activities:
  - Service Provider shall not Process Sensitive Data except to the extent strictly necessary to perform the Services and only with Company’s prior written consent specifying the categories of Sensitive Data to be Processed and the purposes for such Processing.
  - Service Provider shall implement and maintain enhanced technical and organizational security measures for Sensitive Data that are appropriate to the heightened risk associated with such data, including encryption at rest and in transit, access controls limiting access to authorized personnel, and logging of all access to Sensitive Data.
  - Service Provider acknowledges that Consumers have the right to limit the use and disclosure of their Sensitive Data under applicable Data Privacy Laws and shall honor any such limitation requests transmitted by Company.
  - Service Provider shall not engage in Profiling of Consumers using Personal Information received from Company unless: (i) such Profiling is strictly necessary to perform the Services; (ii) Company has provided prior written authorization for such Profiling activity; and (iii) the Profiling does not produce legal or similarly significant effects on Consumers without appropriate safeguards.
  - Service Provider shall provide Company with sufficient information to enable Company to conduct any required data protection impact assessment or similar assessment related to Profiling activities under applicable Data Privacy Laws.
  - If Service Provider receives a Consumer’s request to opt out of Profiling, either directly or through Company, Service Provider shall promptly cease all Profiling activities with respect to that Consumer’s Personal Information and confirm such cessation to Company in writing.
- Assistance with Processing. If Service Provider engages any Subprocessor or other person to assist it in Processing Personal Information, it shall notify Company of such engagement, and such Subprocessors or persons engaged shall:
  - Have been selected through steps reasonably designed to ensure such Subprocessor’s or person’s reliability, competence, and trustworthiness, including conducting appropriate background checks where legally able to do so;
  - Have received the training necessary to facilitate Service Provider’s compliance with this DPA;
  - Have entered into an appropriate written agreement obligating such Subprocessor or person to comply with Data Privacy Laws and to Process Personal Information only as allowed by this DPA; and
  - Receive from Service Provider access to Personal Information only to the extent that such access is needed to enable the Subcontractor or person to carry out the obligations for which such Subcontractor or person has been engaged.
- Assistance With Data Privacy Law Compliance. The parties will reasonably cooperate with and assist each other to ensure their respective compliance obligations under the Data Privacy Laws, taking into account the nature of the Service Provider's processing and the information available to the Service Provider. Without limiting the foregoing:
  - Service Provider shall notify Company as soon as possible, but at least within three (3) business days of receiving any request or complaint related to any Personal Information.
  - Service Provider shall not respond to any such requests unless Company has authorized Service Provider in writing to do so, except to the extent Service Provider has an obligation under applicable law to respond directly.
  - If Service Provider has an obligation under applicable law to respond directly, it shall, unless legally prohibited from doing so, notify Company of this requirement prior to making the initial notification and comply with Company’s reasonable instructions in responding to such request.
  - In the event Company requests Service Provider to delete or modify any Personal Information, Service Provider shall promptly do so and shall pass along those deletion or modification requests to downstream parties in accordance with Data Privacy Laws.
- Security. Service Provider shall implement appropriate technical and organizational measures to ensure a level of security for the Personal Information appropriate to the risk, and in all cases such measures shall be in compliance with applicable Data Privacy Laws.
- Security Breach. Service Provider will comply with all Security Breach-related obligations applicable to it under Data Privacy Laws. Taking into account the nature of Processing and the information available to it, Service Provider will provide reasonable assistance to Company in complying with Company’s Security Breach-related obligations.
The Parties to the Agreement hereby represent and warrant that they are duly authorized to legally bind such Party to the terms of this DPA.