Data Processing Addendum
- Definitions
1.1 “Licensee Personal Data” means any Personal Data that Licensor Processes on behalf of Licensee pursuant to the Agreement.
1.2 “Data Controller”, “Data Processor”, “Data Subject”, and “Processing” shall have the meanings given to such terms in Data Protection Laws. For purposes of the California Consumer Privacy Act, the term “Data Processor” shall include a “service provider” and a “contractor”.
1.3 “Data Protection Laws” means all data protection laws of the United States and its states to the extent applicable to Licensor’s Processing of Licensee Personal Data under the Agreement.
1.4 “Effective Date” means the later of the date on which the Agreement becomes effective or the date on which Licensor first Processes Licensee Personal Data.
1.5 “Personal Data” means information relating to an identified or identifiable natural person that is “personal data”, “personal information”, “personally identifiable information” or such similar term as defined under Data Protection Laws.
1.6 “Data” means all data that is received by Customer and all other content transmitted, posted, received or created through Customer’s use of the Services or the Software.
- General
2.1 Roles. The parties acknowledge and agree that: (a) Licensor acts as a Data Processor under Data Protection Laws in relation to any Licensee Personal Data that Licensor Processes on Licensee’s behalf; and (b) Licensee is and remains the Data Controller with respect to all such Licensee Personal Data.
2.2 Processing. The parties agree that Licensor’s provision of the Services may involve the Processing by Licensor of certain Licensee Personal Data. Licensee instructs Licensor to engage in the following processing:
- Nature and Purposes of the Processing: Licensor will process Licensee Personal Data for the purposes of providing the Services, as instructed by Licensee, and to perform its rights and obligations under the Agreement. Processing activities may include: collection, retrieval, organization, storage, alteration, enhancement, aggregation, de-identification, use, and disclosure. Licensor may also Process Licensee Personal Data if and to the extent that Licensor is required to do so by applicable law. In such a case, Licensor shall inform Licensee of the legal requirement before engaging in such Processing, unless applicable law prohibits disclosing such information.
- Type of Data that are Subject to the Processing: The types of Data Subjects include the individuals selected by Licensee or Licensee’s employees, agents, and/or contractors, and the types of Personal Data include intelligence and other information collected and Processed via Licensee’s use of the Services.
- Duration of the Processing: The term of the Agreement plus the period from the end of the term until deletion of all Licensee Personal Data by Licensor.
2.3 Restrictions. Except as otherwise permitted by Data Protection Laws, Licensor shall not (a) sell or share (as such terms are defined by Data Protection Laws) Licensee Personal Data; (b) retain, use, or disclose the Licensee Personal Data for any purpose other than for the business purposes specified in the Agreement; (c) retain, use, or disclose Licensee Personal Data outside of the direct business relationship between Licensor and Licensee; and (d) combine the Licensee Personal Data with personal information that Licensor receives from or on behalf of another person or persons, or collects from its own interaction with the applicable Data Subject. Licensor understands the restrictions set forth herein and will comply with them.
- Parties’ Rights and Obligations
3.1 Compliance. Licensor shall comply with all Data Protection Laws applicable to its role as a Data Processor, including, with respect to Licensee Personal Data, including implementing reasonable security procedures and practices, which are appropriate to the nature of the Licensee Personal Data, to protect Licensee Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure.
3.2 Assistance. Upon the reasonable request of Licensee, Licensor will make available to Licensee all information in Licensor’s possession that is reasonably necessary to demonstrate compliance with the obligations under Data Protection Laws. Upon the reasonable request of Licensee, Licensor shall provide assistance to enable Licensee to comply with Data Subject requests made pursuant to Data Protection Laws; provided, however, that Licensee shall be required to inform Licensor of such requests and provide Licensor the information necessary for Licensor to comply with such request.
3.3 Audits. Licensor will permit Licensee to monitor Licensor’s compliance with this DPA through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months. Upon reasonable and written notice and subject to obligations of confidentiality and pursuant to a non-disclosure agreement, Licensor will allow for, contribute to, and cooperate with reasonable assessments, audits, and inspections, by Licensee or a third-party auditor mutually agreed upon by the parties with respect to the Processing by Licensor of Licensee Personal Data. Alternatively, Licensor may (a) at its cost, arrange for a qualified and independent assessor/auditor to conduct (at least annually) an assessment of Licensor’s policies and technical and organizational measures in support of the obligations under Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments; and (b) provide a report of such assessment to Licensee upon request. Licensor shall notify Licensee if it makes a determination that it can no longer meet its obligations under Data Protection Laws. Licensee shall have the right, upon notice to Licensor, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Licensee Personal Data by Licensor.
3.4 Personnel. Licensor will ensure that each person processing Licensee Personal Data on behalf of Licensor is subject to a duty of confidentiality with respect to such Licensee Personal Data.
3.5 Subcontractors. After providing Licensee an opportunity to object, Licensor may engage any subcontractor to Process Licensee Personal Data, provided Licensor shall require any such subcontractor to execute a written contract that requires the subcontractor to meet the same obligations as Licensor is required to meet under this DPA with respect to Licensee Personal Data.
3.6 Licensee Responsibilities
- Licensee shall comply with its obligations under Data Protection Laws with respect to Licensee Personal Data. Licensee shall not use the Services in a manner that violates Data Protection Laws, nor shall Licensee instruct Licensor to Process Licensee Personal Data in violation of Data Protection Laws. Licensee represents, warrants, and covenants that it will only instruct Licensor to Process Licensee Personal Data and use the Services in a manner that complies with Data Protection Laws. Licensee acknowledges and agrees that it controls how the Services are used to Process Licensee Personal Data.
- As between Licensor and Licensee, Licensee shall have sole responsibility for the accuracy, quality, and legality of Licensee Personal Data and the means by which Licensee acquires Licensee Personal Data. Licensee represents and warrants that it has all rights and necessary consents and that it has provided all necessary notices to Process Licensee Personal Data and to transfer Licensee Personal Data to Licensor. Licensee shall obtain all necessary consents from Data Subjects and shall maintain a record of such rights and consents. Licensee shall immediately notify Licensor if a Data Subject revokes or changes his or her consent to the Processing of his or her Personal Data and shall immediately instruct Licensor of any new or revised scope, duration, subject matter, nature, or purposes regarding the Processing of Licensee Personal Data by Licensor
- As between Licensor and Licensee, Licensee is responsible for using and configuring the Services in a manner which enables both parties to comply with Data Protection Laws and for implementing appropriate technical and organizational measures with respect to its systems, networks, resources, personnel, and operations to ensure the privacy and security of Licensee Personal Data.
- Effect of Termination. At Licensee’s direction, Licensor will, upon the expiration or termination of the Agreement, delete or return to Licensee all Licensee Personal Data, unless retention of the data is required by law.
- Ownership
5.1 By Licensor. Licensor its service providers and licensors are and shall at all times remain the owner of all copyright, trademarks, trade secrets, patents and any other intellectual property rights in and to the CymonixIQ+ Software License, the Services, Third Party Components and related documentation, materials, logos, names and other support materials provided pursuant to the terms of this Addendum. Customer shall acquire no right whatsoever to all or any part of the Services, Software, or underlying software except the limited right to access and use the Software and Services in accordance with the terms of this Addendum and Licensor and its licensors reserve all rights not expressly granted to software. Customer must fully reproduce any copyright or other notice marked on any part of the documentation or other materials on all authorized copies and must not alter or remove any such copyright or other notice. Customer hereby grants to Licensor a royalty-free, worldwide, irrevocable, perpetual license to use and incorporate into the Services and Software any suggestions, ideas, enhancement requests, recommendations or other feedback provided by Customer relating to the operation of the Services or Software and for any information provided by the Customer pursuant to CymonixIQ+ License Agreement.
5.2 Customer Data. As between Licensor and Customer, all Data will remain the sole and exclusive property of Customer. Customer is solely responsible for ensuring the accuracy, quality, integrity, reliability, appropriateness and right to view and use the Data. Subject to the terms and conditions of the CymonixIQ+ License Agreement, Customer grants to Licensor a world-wide, non-exclusive, royalty-free license to access the Data for the purpose of performing the Services. Access to the Data shall only be by Licensor’s employees and/or subcontractors whose job function requires access. Except as specified in this Channel Partner Agreement, Licensor may not access the Data for any other purpose without the express written consent of Customer. Access to Data by any outside party shall only be in accordance with the terms of this CymonixIQ+ License Agreement or where required by law. Customer grants to Licensor a world-wide, non-exclusive, royalty-free license to aggregate or compile Data with the customer data of other customers using the Services so long as such aggregation or compilation omits any data that would enable the identification of Customer, its Licensees or any individual, company or organization (“Aggregated Data”). Licensor shall have a worldwide, perpetual, royalty-free license to use, modify, distribute and create derivative works based on such Aggregated Data, including all reports, statistics or analyses created or derived therefrom. Additionally, Customer grants Licensor the right to access Data to provide feedback to Customer concerning its use of the Services.
5.3 Data and Privacy Policy of Customer. The Customer represents and warrants to Licensor that – and all such representations and warranties are subject to the exclusions set out in CymonixIQ+ License Agreement. Data that is either provided to or acquired by Licensor from Customer is owned exclusively by Customer and that the Customer has full right and title to provide the Data to Licensor; ii. Data that is either provided to or acquired by Licensor is subject to a privacy policy in effect as of the Effective Date and Customer’s customers have provided to Customer their written consent for its collection, use and storage by Licensor and its third-party service providers in accordance with this Agreement and in any jurisdiction in North America; iii. Customer complies with all applicable privacy legislation as of the Effective Date in the performance of its obligations hereunder in respect of any Data collected, used, transferred, created or disclosed pursuant to this Agreement; iv. Licensor’s obligation for any Data that is stored by the Licensor (either directly or indirectly through the use of Third Party Components) are entirely as a result of the Customer’s use of the Services and are solely at the risk of the Customer: the Licensor does not provide any security warranty of any kind in the use of the Service; and v. Customer will not provide Licensor with data of any kind for which Licensor either has no need or does not have the right to collect, use and store under the terms of the CymonixIQ+ License Agreement.
5.4 Data from the Licensor. To the extent that the Data is received by the Customer either directly from the Licensor or through a third party provider that has an agreement to provide data with the Licensor, then Licensor warrants that the Data is provided with full right by Licensor to provide the Data to the Customer subject to all of the warranties and representations made on the part of the Customer and based on other information provided by the Customer to the Licensor.
- Data Security
6.1 Customer acknowledges and agrees that use of or connection to the Internet is inherently insecure and provides opportunity for unauthorized access by a third party to Customer’s and its Users’ (as well as Licensor’) computer systems, networks and any and all information stored therein. Customer is solely responsible for ensuring that (i) Customer’s computer systems are secure and protected from unwanted interference (such as “hackers” and viruses), (ii) all transmissions are screened for viruses or other harmful code prior to transmission to Licensor’ servers; and (iii) Data is encrypted. LICENSOR DOES NOT GUARANTEE THE PRIVACY, SECURITY, AUTHENTICITY, AND NONCORRUPTION OF ANY INFORMATION TRANSMITTED OR STORED IN ANY SYSTEM CONNECTED TO THE INTERNET. WE SHALL NOT BE RESPONSIBLE FOR ANY ADVERSE CONSEQUENCES WHATSOEVER OF CUSTOMER’S OR ITS USERS’ CONNECTION TO OR USE OF THE INTERNET, AND LICENSOR SHALL NOT BE RESPONSIBLE FOR ANY USE BY CUSTOMER OR ANY USER OF CUSTOMER’S INTERNET CONNECTION IN VIOLATION OF ANY LAW, RULE OR REGULATION
- Miscellaneous
7.1 The parties and their respective employees, contractors, and agents shall cooperate with regulatory authorities in the performance of its tasks with respect to this DPA.
7.2 Licensee will indemnify, defend, and hold Licensor harmless against any claim, demand, suit or proceeding (including any damages, costs, reasonable attorney’s fees, and settlement amounts) made or brought against Licensor by a third party alleging that the Processing of Licensee Personal Data or Licensee’s use of the Services violates Data Protection Laws.
7.3 ANY CLAIMS BROUGHT UNDER THIS DPA WILL BE SUBJECT TO THE TERMS AND CONDITIONS OF THE CYMONIXIQ+ LICENSE AGREEMENT, INCLUDING THE EXCLUSIONS AND LIMITATIONS SET FORTH IN THE AADDENDUM; PROVIDED, HOWEVER, THAT THE PARTIES HAVE NOT LIMITED THEIR LIABILITY UNDER THE CYMONIXIQ+ LICENSE AGREEMENT, WITH RESPECT TO ANY DATA SUBJECT’S RIGHTS UNDER DATA PROTECTION LAWS WHERE SUCH LIMITATION WOULD BE PROHIBITED BY LAW.
7.4 In the event of a conflict between the CymonixIQ+ License Agreement (or any document referred to therein) and this DPA, the provisions of this DPA shall prevail.
7.5 All notices provided for in this DPA shall be sent to Licensor and Licensee at the addresses provided in the CymonixIQ+ License Agreement and in accordance with all requirements for service of notices set forth therein.
7.6 This DPA will terminate automatically upon the termination of the CymonixIQ+ License Agreement.