Data Processor Addendum (California)
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or General Terms and Conditions (the “T&Cs”) for Compusense Inc. (“Compusense”), governing certain Software as a Service (SaaS) by Compusense (the “Services”). This DPA becomes part of the T&Cs upon execution by you (“Customer”) and Compusense of the [invoice] and is incorporated into the T&Cs by reference.
1.1. Terms Defined Here. In this DPA:
(a) “Affiliate” means each and every subsidiary, affiliate, or parent company of the Customer and each and any subsidiary of a parent company of the Customer.
(b) “CCPA” means the California Consumer Privacy Act of 2018, and the regulations promulgated thereunder, as it/they may be amended from time to time.
(c) “Data Protection Law(s)” means any data privacy, data security, and data protection law, directive, regulation, order, or rule, including without limitation the CCPA and the California Privacy Rights Act of 2020. Nothing herein concedes the applicability of any Data Protection Law to Customer, the Services, or a particular consumer or data subject.
(d) “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person, household, or device linked to same, wherever located. For purposes of this DPA, Personal Information includes such data submitted by or on behalf of Customer, its Affiliates, or its/their customers related to the Services; or otherwise processed, collected, created, or accessed by Compusense as a result of the Services.
1.2. Terms in Data Protection Laws. Terms defined in this DPA, or if not defined in the DPA then as defined in the T&Cs, or for which definitions in Data Protection Laws are incorporated by reference, will, to the greatest extent consistent with their meanings, apply to terms of similar effect in Data Protection Laws that apply to natural persons governed by such laws (including without limitation, “data subjects,” “personal data,” “personal information,” “nonpublic personal information,” and “personally identifiable information”). As used in this DPA, the following terms have the meanings given them by the CCPA: “business,” “business purpose,” “commercial purpose,” “consumer,” “personal information,” “process,” “sell,” and “service provider;” provided this DPA governs Personal Information of all natural persons, wherever located, and not just of Californians.
2. COMPUSENSE RESPONSIBILITIES
2.1. Purpose and Use Restrictions
(a) Compusense shall not collect, retain, use, or disclose the Personal Information (and has not collected, retained, used, or disclosed the Personal Information) for any purpose other than to perform the Services pursuant to the T&Cs, except, where a Data Protection Law applies to particular Personal Information, where and only to the extent permitted or required by that Data Protection Law.
(b) Without limiting the generality of the foregoing, and for the avoidance of any doubt, Compusense: (i) shall not collect, retain, use, or disclose the Personal Information for a commercial purpose (other than providing the Services); (ii) shall not sell the Personal Information (where “sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating the Personal Information, orally, in writing, or by electronic or other means, to another person or entity, for monetary or other valuable consideration); (iii) shall not collect, retain, use, or disclose the Personal Information outside the direct business relationship between Compusense and Customer; (iv) shall not collect more than the minimum Personal Information necessary, nor retain the Personal Information longer than necessary, to perform the Services; (v) shall not use the Personal Information to build or modify a profile about a natural person to use in providing services to an entity other than Customer; and (vi) shall not correct or augment the Personal Information nor otherwise combine it with Personal Information from another source (including from Compusense itself). This DPA does not authorize processing of Personal Information for “targeted advertising” or “cross-context behavioral advertising” (as defined respectively by the CDPA and CPRA).
2.2. Legal Obligations. Compusense shall comply with: (a) any and all legal obligations applicable to it as Customer’s service provider, data processor, or entity with similar status under applicable Data Protection Laws, and Compusense shall make no effort to alter any such status without Customer’s consent; and (b) any and all legal obligations otherwise imposed on Compusense by applicable Data Protection Laws.
(a) Compusense shall reasonably cooperate with Customer as necessary for Customer to fulfill its responsibilities pursuant to applicable Data Protection Laws with respect to the T&Cs.
(b) Where reasonably requested by the Customer, Compusense shall promptly: (i) provide Customer copies of any or all of the Personal Information in a structured, commonly used, machine-readable format easily rendered into text an average consumer/data subject can read and understand; (ii) correct any or all Personal Information; (iii) delete any or all Personal Information (pursuant to Section 2.4 (Disposal/Deletion)); (iv) assist Customer as it reasonably requests in addressing requests by consumers/data subjects (or their agents), including without limitation requests to “know,” to “delete,” to “opt out,” or to not “opt in”; and (v) assist Customer as it reasonably requests to facilitate its compliance with applicable Data Protection Laws, including without limitation through Compusense cooperation with audits and data protection assessments. For the avoidance of doubt, Compusense shall not respond to requests from consumers/data subjects (or their agents) as to Personal Information, except where and to the extent applicable Data Protection Law requires a response directly from Compusense. Neither the T&Cs nor this DPA authorizes or permits Compusense, on Customer’s behalf, to respond to requests from consumers/data subjects (or their agents), or other third parties unless the parties agree otherwise in a writing signed by both parties.
2.4. Disposal/Deletion. Upon the expiration or other termination of the Services or Customer’s reasonable request, Compusense shall: (a) return the Personal Information to Customer and then dispose of and delete all Personal Information in Compusense’s possession or control, including without limitation the control of its employees or agents (pursuant to Section 2.5(a) (Safeguards) below); and (b) provide Customer written confirmation of such disposal and deletion. Compusense’s obligations pursuant to the T&Cs and this DPA will continue until all disposal and deletion required above in this Section 2.4.
(a) Safeguards. Compusense shall maintain reasonable technical, physical, and administrative safeguards (including without limitation policies, procedures, staffing, and contractual provisions) to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure. Without limiting the generality of the foregoing, Compusense shall protect the Personal Information with at least the same degree of care it uses to protect data and information of similar nature and importance but not less than reasonable care. Without limiting the generality of its obligations, Compusense shall protect the security, confidentiality, and integrity of the Personal Information by: (i) securely storing for the Services or as required by Section 2.4 (Disposal/Deletion), so as to render the information unreadable and irretrievable (including without limitation from electronic media); and (iii) requiring that any employee or sub-processor with access to Personal Information is subject to a written T&Cs with confidentiality and security obligations consistent with those imposed on Compusense by this DPA, including without limitation those of Subsection 2.5(b) (Incident Notification and Management).
(b) Incident Notification and Management. Compusense shall notify Customer promptly of any unauthorized access to or destruction, use, modification, or disclosure of any Personal Information (any “Security Incident”). This notification shall include: (i) a description of the Security Incident; (ii) the categories and types of Personal Information affected; (iii) if applicable, the categories and number of records, and natural persons, whose Personal Information was affected; and (iv) such other information as may be required by applicable Data Protection Law or useful to address the Security Incident. Compusense shall also (v) promptly investigate and remedy the Security Incident, (vi) take commercially reasonable steps to mitigate the effects of the Security Incident and to prevent further such incidents, (vii) cooperate with Customer and law enforcement with respect to the Security Incident, and (viii) take any other actions required of Compusense by applicable law.
2.6. Non-Personal Information. Neither this Section 2.6 (Non-Personal Information) nor this DPA authorizes processing of de-identified information or aggregate consumer data, as those terms are defined in applicable Data Protection Laws (“Non-PI”). If Compusense processes Non-PI, Compusense shall: (a) take reasonable precautions to ensure that Non-PI cannot be associated with a natural person, household, or device linked to same, including without limitation by implementing technical safeguards that prohibit reidentification of Non-PI, implementing business processes that specifically prohibit reidentification of Non-PI, and implementing business processes to prevent inadvertent release of Non-PI; (b) publicly commit to maintain and use Non-PI only in deidentified form, and make no attempt to reidentify Non-PI; (c) permit and facilitate reasonable Customer oversight of Compusense’s compliance with this Section 2.6; and (d) process Non-PI only if, to the extent, and for the purposes permitted by then-applicable Data Protection Law and the T&Cs (if any).
3.1. Additional Restrictions. For the avoidance of doubt: (a) Compusense shall provide privacy protections no less than required by applicable Data Protection Laws and shall comply with such laws; (b) Compusense is Customer’s service provider and processor for the Personal Information, which is provided to Compusense for a business purpose; (c) Customer does not sell Personal Information to Compusense in connection with this DPA or the T&Cs; (d) Compusense has not given Customer any reason to believe Compusense could not comply with this DPA; (e) without limiting its obligations elsewhere in this DPA, Compusense shall promptly notify Customer if Compusense determines it can no longer meet its obligations under this DPA; (f) Customer may audit Compusense’s use and management of Personal Information and/or Non-PI at any time, upon 5 business days’ notice, and Compusense shall comply with such audit; (g) Compusense’s compliance with this DPA is at its own expense; and (h) nothing in this DPA limits Customer’s rights or remedies under applicable law or the T&Cs.
3.2. Cross-Border Transfers. Customer does not concede that any Data Protection Law applies to it or the Services, including without limitation any such law in a jurisdiction other than the United States. However, if Customer so requests with regard to an international cross-border transfer of Personal Information, Compusense shall execute and comply with appropriate data transfer agreements and other measures under the European Union’s General Data Protection Regulation (“GDPR”), with Compusense as processor/importer and Customer as controller/exporter.
3.3. Construction. Except as modified by this DPA, the T&Cs will remain in full force and effect. This DPA’s terms prevail in the event of conflict between them and the T&Cs or any documents attached to, linked to, or referenced in the T&Cs. This DPA may be modified solely in writing signed by both parties.
3.4. Certification. Compusense certifies that it understands its obligations pursuant to this DPA and shall comply with them.
3.5. Liability. The disclaimers and limitations of liability set out under the T&Cs shall apply also to this Addendum.