Data Processing Addendum

This Data Processing Addendum was last updated on June 23, 2023.



This Data Processing Addendum, including its schedules and appendices (collectively, the “DPA”), by and between Company and Customer applies to Personal Data Processed by Company and its Subprocessors in connection with the provision of services under the Agreement. Capitalized terms not otherwise defined in the Agreement or in the text shall have the meanings ascribed to them in Section 16.


1. Use and Disclosure of Personal Data


1.1
Company’s Processing of Personal Data shall be governed by the Agreement, which sets out the subject matter, duration, nature, and purpose of the Processing, type of Personal Data and categories of Data Subjects, instructions for Processing Personal Data, and obligations and rights of the Parties.


1.2
Company shall only Process Personal Data in accordance with Customer’s instructions or as necessary to carry out an obligation under the Agreement in accordance with the requirements of any Data Protection Laws. Company will only Process the minimum amount of Personal Data required to meet its obligations under the Agreement or Data Protection Laws. In addition, except as permitted under any Data Protection Laws, Company will not:


  • sell or share Personal Data it collects pursuant to the Agreement,
  • retain, use, or disclose Personal Data it collects pursuant to the Agreement for any purpose other than the Business Purpose(s),
  • retain, use, or disclose Personal Data it collects pursuant to the Agreement outside the direct business relationship between the Parties, or
  • combine Personal Data it collects pursuant to the Agreement with Personal Data it receives from another source or collects from its own interaction with consumers.


The business purpose for processing Personal Data under the Agreement shall be to perform services on behalf of Customer, including:


  • maintaining or servicing accounts,
  • providing customer service,
  • processing or fulfilling orders and transactions,
  • verifying customer information,
  • processing payments,
  • providing analytic services,
  • providing governance and compliance services and software,
  • providing storage, or
  • providing similar services on behalf of Customer (collectively, the “Business Purpose”).


1.3
Company shall comply with Data Protection Laws with respect to Personal Data it collects pursuant to the Agreement, including providing the same level of privacy protection to such Personal Data as required of businesses by the Data Protection Laws. Customer shall have the right to take reasonable and appropriate steps to ensure that Company uses the Personal Data it collects pursuant to the Agreement in a manner consistent with Customer’s obligations under the Data Protection Laws. Further, if Company engages in any unauthorized use of Personal Data it collects pursuant to the Agreement, Customer shall have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use. This Section 1.3 shall be applicable only to the extent that the Personal Data Processed by Company under the Agreement falls within the scope of the CCPA.


1.4
Company certifies that it understands the restrictions contained in this DPA and will comply with them. Company agrees that it shall promptly inform Customer if it makes a determination that it or its Subprocessors can no longer meet their obligations under this DPA or under Data Protection Laws.


2. Identification of Parties


2.1
The Parties agree that Customer shall act as a Data Controller and Company shall act as a Data Processor under the Agreement.


2.2
The Parties acknowledge that Company may act as a Data Controller with respect to some Personal Data it collects for purposes of the Agreement (including Personal Data Company collects in conjunction with providing customer service to Web Visitors) (the “Company Personal Data”). Company shall be independently responsible for ensuring that it processes the Company Personal Data in compliance with Data Protection Laws. Other provisions of this DPA shall not apply to the Company Personal Data.


3. Compliance with Data Protection Laws


3.1
Both Parties agree to comply with all Data Protection Laws throughout the term of the Agreement and mutually covenant not to place the other in violation of Data Protection Laws. Company will immediately inform Customer if it believes any of Customer’s instructions are inconsistent with Data Protection Laws. 


3.2
Where Data Protection Laws may require Company to Process Personal Data for a purpose unrelated to the delivery of the services (including to respond to a government investigation, subpoena, request for information, or similar process), Company shall, to the extent permitted by Data Protection Laws and other applicable law, notify Customer of any required Processing, accommodate reasonable efforts and requests by Customer to limit any such required Processing, and process only the Personal Data necessary to meet its legal obligations.


4. Data Protection Assistance & Security Measures


4.1
Company shall reasonably cooperate with Customer with respect to any data protection impact assessments and/or prior consultations that may be required in respect of Processing carried out under the Agreement. 


4.2
Company shall promptly make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Data Protection Laws. Further, during the term of the Agreement, Company will implement and maintain reasonable security measures designed to ensure a level of security and confidentiality appropriate to the risk represented by the Processing and the nature of the data to be protected and designed to allow Company to reasonably restore availability and access to data, where reasonably possible, in the event of a Data Security Breach.


5. Oversight of Personnel


5.1
Company shall ensure that any persons authorized to Process Personal Data on its behalf have committed themselves to confidentiality or are under an appropriate statutory or contractual obligation of confidentiality.


5.2
Company shall ensure that access to Personal Data is limited to those employees, contractors, and Subprocessors performing services in accordance with the Agreement. Company shall ensure that any processing by its employees and Subprocessors is done pursuant to the Agreement or as required by Data Protection Laws.


6. Data Security Breaches


6.1
Company agrees to notify Customer without undue delay following discovery of any actual or suspected Data Security Breach of which it becomes aware. Company agrees to take such reasonable, remedial actions warranted to investigate and halt the root cause of such Data Security Breach to the extent it is ongoing. 


6.2
In the course of notification to Customer, Company will provide to Customer, to the extent reasonably available, sufficient information for Customer to assess the Data Security Breach and make any required notification to any Government Authority and/or Data Subjects. Such information shall include, to the extent reasonably available (i) the nature of the Data Security Breach; (ii) the categories and approximate number of Data Subjects and Personal Data records involved; and (iii) any measures taken or proposed to be taken to address or mitigate the incident. Customer will decide on the basis of all available information and Data Protection Laws if notification to Data Subjects and/or Government Authorities is required by law and shall make any such notifications.


7. Rights of Data Subjects


In the event Company receives a request from a Data Subject to exercise the Data Subject’s rights under Data Protection Laws, Company shall advise Customer of such request and follow reasonable instructions by Customer relating to such request. Customer shall inform Company of Customer’s receipt of any such request and shall provide information necessary for Company to comply with the request. Company shall assist Customer as needed in responding to or fulfilling requests from Data Subjects to exercise their rights under Data Protection Laws.


8. Cross-Border Data Transfers


In the event that cross-border transfers of Personal Data are necessary or appropriate for performance of the Agreement, the Parties shall cooperate to implement appropriate contractual, technical, and/or organizational measures to facilitate such transfers, to the extent required by Data Protection Laws, the terms of which may be outlined in a separate agreement.


9. Retention


Company agrees to retain Personal Data received from Customer for only so long as necessary to conduct the services under the Agreement or as may otherwise be required under Data Protection Laws.


10. Return/Destruction


Upon termination or expiration of the Agreement (or the conclusion of any post-expiration transition period), or earlier upon written request by Customer, Company agrees to return or destroy, at Customer’s choice, all Personal Data received pursuant to the Agreement, to the extent permitted by Data Protection Laws. 


Company shall promptly notify Customer of any inability to return or destroy Personal Data and agrees that any Personal Data retained as required by law shall remain subject to the requirements of this DPA, which shall survive termination of the Agreement with respect to such Personal Data.


11. Subprocessors


Customer grants Company general written authorization to engage Subprocessors to Process Personal Data for performance of the Agreement as set forth below and as may be subsequently listed at www.itsspringtime.com/dpa/. Company will update Customer with any changes to the Subprocessors via email and by updating the list of Subprocessors that can be viewed at www.itsspringtime.com/dpa/. If Customer does not object to Company’s engagement of any particular Subprocessor within five (5) business days of receiving such notice, Customer shall be deemed to have accepted Company’s engagement of such Subprocessor to Process Personal Data for performance of the Agreement. If Customer objects to Company’s engagement of a particular Subprocessor, the Parties will negotiate in good faith to resolve such objection. If the Parties are unable to agree within a thirty (30) day period following Customer’s objection, Company shall have the right to terminate the Agreement.


Subprocessor          | Subprocessor Location | Nature and Subject Matter of Processing
Amazon Web Services   | US-West               | Hosting


Company shall ensure that all Subprocessors are engaged pursuant to a written contract that complies with the Data Protection Laws and contains terms that are substantially similar to this DPA. Subject to any terms in the Agreement, Company shall be responsible for any noncompliance with the Data Protection Laws by any Subprocessor.


12. Right to Audit


Customer shall have the right to audit Company during Company’s normal business hours and on sixty (60) days’ notice in order to monitor compliance with the terms of this DPA to the extent required by the Data Protection Laws. Company agrees to make available to Customer all information reasonably necessary to demonstrate Company’s compliance with this DPA and with Data Protection Laws. Customer shall compensate Company at Company’s then-standard rates for all time and expenses incurred in facilitating such audits and in providing information to Customer to demonstrate compliance with this DPA and Data Protection Laws. 


13. Effect of Violation


If Company breaches the terms of this DPA, Company will have thirty (30) days to cure the breach. If the breach is not cured within such thirty (30) day period, Customer shall have the right to terminate the Agreement.


14. Limitation of Liability


14.1
Company’s and Customer’s, and each of their Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to any section of the Agreement disclaiming liability, limiting liability for damages or types of damages, and excluding certain types of damages. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, Company’s and its Affiliates’ total liability for all claims from Customer and all of its Affiliates arising out of or related to the Agreement shall apply in the aggregate for all claims under both the Agreement and this DPA.


14.2
IN ADDITION TO THE TERMS OF SECTION 14.1, EACH PARTY’S LIABILITY UNDER THE DPA ARISING UNDER ANY THEORY OF LIABILITY, WHETHER IN AN EQUITABLE, LEGAL, OR COMMON LAW ACTION ARISING HEREUNDER FOR CONTRACT, STRICT LIABILITY, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE SHALL BE LIMITED TO THE AMOUNTS PAID OR PAYABLE TO COMPANY CUSTOMER DURING THE SIX-MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM FOR DAMAGES AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.


15. Miscellaneous


15.1
The obligations of confidentiality, data privacy, and data security under this DPA will survive the termination and/or expiration of the Agreement, including any Statements of Work thereunder.


15.2
The headings contained in this DPA are intended solely for ease of reference and shall be given no effect in the construction or interpretation of this DPA.


15.3
Company has the authority to unilaterally amend this DPA solely for the purpose of complying with existing or new Data Privacy Laws. When Company changes this DPA, Company will update the ‘Last Updated’ date at the top of this page at www.itsspringtime.com/dpa/ and notify Customer via email that material changes have been made to this DPA. Any such changes will become effective no earlier than thirty (30) days after they are posted except to the extent required by Data Privacy Laws. Customer’s continued use of any Services after the date any such change becomes effective constitutes acceptance of the DPA, as amended. This DPA shall constitute the entire agreement between the Parties regarding the subject matter hereof and supersede all proposals and prior discussions and writings between the Parties with respect thereto. No failure or delay in enforcing any right or exercising any remedy will be deemed a waiver of any right or remedy.


16. Definitions


“Addendum” means any amendment or addendum to the Agreement that references Reseller Terms, including the DPA, or any Order.


“Agreement” means the agreement between Company and Customer pursuant to which Company will provide any services such as (i) the Terms of Service and any amendment, addendum or Order (“Addendum”) referencing those Terms of Service or (ii) a Master Services Agreement, Master Services and Reseller Agreement, Reseller Agreement or similar agreement governing the provision of any services and any Addendum referencing those agreements.


“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with Company or Customer, respectively, through ownership or control of more than 50% of the voting interests of Company or Customer, as applicable.


“Company” shall have the meaning defined in the applicable Agreement and for purposes of this DPA shall include Company’s Affiliates.


“Customer” means the counterparty to the Agreement and its Affiliates who is either (i) a Reseller of Offerings, (ii) a user of Offering(s) who subscribed to the Offering through a Reseller or (iii) a user of Offering(s) who subscribed to the Offering directly from Company.


“Data Protection Laws” mean any applicable laws, regulations and other legal or self-regulatory requirements, as may be amended from time to time, relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including but not limited to:


  • the California Consumer Protection Act, as amended, including by the California Privacy Rights Act (collectively, the “CCPA”),
  • the Colorado Privacy Act,
  • the Connecticut Data Privacy Act,
  • the Utah Consumer Privacy Act,
  • the Virginia Consumer Data Protection Act,
  • the Iowa Consumer Data Protection Act,
  • the Indiana Consumer Data Protection Act,
  • the Montana Consumer Data Privacy Act,
  • the Tennessee Information Protection Act,
  • the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), and
  • the UK General Data Protection Regulation.


“Data Controller” means an entity which alone or jointly with others determines the purposes and means of the Processing of Personal Data as further defined by the GDPR. Data Controller also refers to a “Business” as defined in Data Protection Laws.


“Data Processor” means an entity which Processes Personal Data on behalf of the Data Controller. Data Processor also refers to a “Service Provider” as defined in Data Protection Laws.


“Data Security Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure and acquisition of, or access to, Personal Data.


“Data Subject” means any person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The term includes persons who have already been identified as well as those who might be identified by reference to the identifiers set forth above.


“Government Authority” means a legislative, executive, administrative, or regulatory entity, judicial body, or other public agency or authority of any jurisdiction that is authorized by law to enforce individual rights with respect to Personal Data, or to oversee or monitor compliance with privacy, data protection, or data security laws, rules, regulations, or other Data Protection Laws.


“Order” shall mean a statement of work, SoW or purchase order relating to an Offering or an addendum that contains additional terms.


“Personal Data” means all information received pursuant to the services performed under the Agreement that Data Protection Laws treat as “personal information” (or equivalent terms, including without limitation, “personal data,” “personally identifiable information,” “nonpublic personal information,” “sensitive personal information” or “sensitive data”).


“Process” (and its conjugates, including without limitation, “processes,” “processed” and “processing,” regardless of whether such terms are capitalized or not) means any operation or set of operations which is performed upon Personal Data, including (without limitation) collection, creation, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.


“Sell” (and its conjugates, including without limitation, “selling,” “sale,” and “sold,” regardless of whether such terms are capitalized or not) shall have the meaning afforded to it under Data Protection Laws.


“Share” (and its conjugates, including without limitation, “sharing” and “shared,” regardless of whether such terms are capitalized or not) shall have the meaning afforded to it under Data Protection Laws. The term also means disclosing Personal Data to a third party for purposes of “targeted advertising,” as such term is defined by Data Protection Laws.


“Subprocessor” means any third party engaged by Company to Process Personal Data for performance of the Agreement excluding any Affiliate of Company.