UVeritech, Inc
Data Processing Addendum
UVeritech and Customer have entered into an agreement for the provision of UVeritech’s Services (as amended from time to time, the “Master Agreement”). This Data Processing Addendum (“DPA”) forms part of the Master Agreement. Each party agrees to this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of the Controllers. All capitalized terms not defined herein shall have the meaning set forth in the Master Agreement. The Parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the UVeritech Services.
In the event of any conflict between the terms of the Master Agreement, including any previously or concurrently executed addendums, and the terms of this DPA, the relevant terms of this DPA shall take precedence.
1. Definitions
1.1 “Customer Data” means all data and all content (i) submitted by Data Subjects through, or derived from their use of; or (ii) provided or otherwise made available by Customer to UVeritech in the course of UVeritech providing services pursuant to the Master Agreement.
1.2 “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
1.3 “Data Processing Addendum” or “DPA” means this data processing addendum, the Data Processing Statement, and any annexes, attachments, and appendices.
1.4 “Data Protection Law” means all laws and regulations, including laws and regulations of the United States and its states, applicable to the Processing of Personal Data under the Master Agreement, including but not limited to, the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) and its implementing regulations (the “CCPA”), the Colorado Privacy Act (CO ST. § 6-1-1301 et seq.) and its implementing regulations (the “CPA”), and the Commonwealth of Virginia’s Consumer Data Protection Act (VA ST § 59.1-575 et seq.) (the “VCDPA”).
1.5 “Data Subject” means the identified or identifiable person to whom Personal Data relates.
1.6 “Personal Data” means any information relating to (i) an identified or identifiable natural person and (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws), where for each (i) or (ii), such data is Customer Data.
1.7 “Personal Data Breach” means a breach of security of UVeritech’s systems leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by UVeritech.
1.8 “Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
1.9 “Processor” means the entity which processes Personal Data on behalf of the Controller including as applicable any “service provider” as that term is defined by the CCPA.
1.10 “Selling” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party for monetary or other valuable consideration.
1.11 “UVeritech Services” shall have the meaning set forth in section 3.4 below.
1.12 “Sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party for targeted advertising based on Data Subjects’ Personal Data.
1.13 “Sub-processor” means any Processor engaged by UVeritech, by an affiliate of UVeritech, or by another Sub-processor, including Affiliates of UVeritech acting as Processors.
2. Roles of the Parties.
It is acknowledged and agreed that regarding the processing of Personal Data under this DPA, (a) Customer is the Controller (for its own part and on behalf of other Controllers below), and (b) UVeritech is the Processor (whether acting itself or through Sub-processors pursuant to Section 8 (Sub-processors)). To the extent Customer instructs UVeritech to procure or obtain Personal Data on its behalf, for example, by gathering data from a third party or making associations between data elements, Customer acknowledges and agrees that it is the Controller of such Personal Data and UVeritech is a Processor acting on Customer’s behalf.
3. Mutual Obligations.
3.1 In fulfilling its obligations under the Master Agreement, each party shall, in their respective roles, comply with all Data Protection Laws regarding Personal Data Processed under this DPA, including to the extent applicable:
(a) Processing Personal Data only where the party maintains a lawful basis of Processing;
(b) Maintaining reasonable controls to ensure that access to Personal Data will be limited to personnel or third parties who have a legitimate need to Process Personal Data under the Master Agreement; and
(c) Using reasonable and secure methods to transfer Personal Data across any network, taking into account the nature of the transmission and the data elements contained in the transmission.
4. Customer Obligations.
4.1 Customer acts as, and as between Customer and UVeritech, will at all times remain, the Controller:
(a) Concerning any Personal Data Processed by UVeritech or its Sub-processors under this DPA; and
(b) As applicable, on behalf of and in the name of its Affiliates, end-customers, suppliers, contractors and/or partners in their capacity as Controllers and whose Personal Data at any time is Processed by UVeritech or its Sub-processors under this DPA.
4.2 Except as may be otherwise required under the applicable Data Protection Law, Customer shall, on behalf of any other Controller referenced in Section 4.1, serve as a single point of contact for UVeritech in all matters under this DPA and shall be responsible for the internal coordination, review and submission of instructions or requests to UVeritech as well as the onward distribution of any information, notifications and reports provided by UVeritech hereunder.
4.3 In its capacity as Controller, Customer confirms (for its own part and on behalf of each other Controller referenced above) that it is entitled to provide access to Personal Data to UVeritech for purposes hereof and, consequently, that it has a lawful basis and any necessary approvals from any relevant Data Subjects for UVeritech’s performance of the Services.
4.4 In fulfillment of its obligations under Data Protection Laws, Customer shall, to the extent applicable:
(a) Provide all required notice or obtain all required consents from individuals before Processing Personal Data, including before disclosing it to UVeritech for Processing;
(b) Provide Data Subjects with rights in connection with their Personal Data in a timely manner, including the ability to access, receive, correct, amend, or delete their Personal Data;
(c) Respond to Data Subjects or any legal authorities (including any data protection regulator) concerning Customer’s Processing of Personal Data;
(d) Maintain appropriate age verification mechanisms in compliance with Data Protection Laws and other applicable standards where Customer seeks to collect Personal Data of individuals under the age of eighteen.
5. Purposes for Processing:
5.1 Subject to what is legally permitted in its capacity as a Processor under this DPA, UVeritech shall Process Personal Data hereunder solely in accordance with the documented instructions of the Customer and for the following limited purposes:
(a) performance of the UVeritech Services under the terms of the Master Agreement, including disclosure of Personal Data to third-parties where necessary to provide the Services;
(b) where applicable to the Services provided, setting up, operating, and monitoring the underlying infrastructure (hardware, software, servers, environments, connectivity, etc.) required to provide the Services and to meet the technical, security, and organizational requirements for the Processing of the Personal Data in connection therewith;
(c) Processing initiated by authorized users of the Customer in their use of the Services;
(d) Executing documented instructions of Customer provided such instructions relate to and are consistent with the Services provided by UVeritech;
(e) Addressing service issues or technical problems, and/or
(f) Meeting any express requirement under applicable law, in which case UVeritech shall, unless it is prohibited by applicable law from doing so, inform Customer of the legal requirement before Processing.
5.2 Processing Limitations: UVeritech is prohibited from:
(a) Selling or Sharing Personal Data;
(b) Retaining, using, disclosing, or Processing Personal Data: (i) for any purpose, including any commercial purpose, other than for the specific purposes of performing the Services provided under the Master Agreement and this DPA; (ii) outside of the direct business relationship between Customer and UVeritech.
(c) Combining, amending, or supplementing Personal Data with personal information received from another source unless specifically directed to do so by Customer.
5.3 Unauthorized Processing.
(a) UVeritech will promptly, but in no event later than five (5) days from the date of such determination, inform Customer if, in its determination: (i) any instruction or request violates Data Protection Law; or (ii) it can no longer meet its obligations under Data Protection Law. UVeritech is not entitled to condition the full and unlimited compliance with data controller’s instructions on payment of outstanding invoices etc., and the data processor has no right of retention over the personal data.
(b) UVeritech hereby grants Customer the right to take reasonable and appropriate steps to stop and remediate UVeritech’s unauthorized use of Personal Data. Such rights include but are not limited to the right to mandate the temporary or permanent cessation of Processing of Personal Data, the right to demand deletion or destruction of Personal Data at any time, and the right to require UVeritech to notify any third party to whom UVeritech has sold, shared, or disclosed Personal Data without authorization to delete or return such Personal Data.
5.4 Legal Requests: UVeritech will report to Customer without undue delay any request, demand or order received by UVeritech from a competent supervisory authority or Data Subject relating to the Processing of Personal Data.
5.5 Assistance and Cooperation: Taking into account the nature of the Processing, UVeritech will assist Customer in complying with its obligation to respond to requests of Data Subjects under Data Protection Law (including requests for exercising Data Subjects’ rights under the applicable Data Protection Law) by appropriate technical and organizational measures, insofar as this is possible, provided that UVeritech will provide such assistance to the extent:
(a) The information is available to UVeritech and such information is not otherwise available to Customer or the requested assistance cannot practicably be performed by Customer;
(b) Customer acknowledges that UVeritech has no responsibility to interact directly with any Data Subject or supervisory authority in respect of any request, demand or order (except as expressly provided under the applicable Data Protection Law or as otherwise agreed by the Parties in writing); and
5.6 Retention and Destruction of Personal Data. Subject to applicable legal retention obligations, upon termination of the Master Agreement, UVeritech will return to Customer or delete any Personal Data without keeping a copy, in accordance with the procedures and timeframes applied by UVeritech from time to time, and if requested confirm such deletion to Customer in writing.
5.7 Confidentiality. UVeritech will only rely on personnel in the Processing of Personal Data who are contractually or by statutory obligation bound to maintain confidentiality, ensure that access to Personal Data Processed is limited to those personnel who require such access to perform the applicable UVeritech Services, and take commercially reasonable steps to ensure the reliability of personnel engaged in the Processing of Personal Data hereunder.
5.8 Non-Delegation. UVeritech will not delegate the processing of Personal Data to a Sub-processor other than pursuant to section 8 (Sub-processors) below.
5.9 Location of Processing. UVeritech shall process Personal Data in the locations identified in the Data Processing Statement. Any transfer of Personal Data to countries or international organizations by UVeritech or any Sub-processors shall only occur on the basis of documented instructions from the Customer, and the parties shall enter into any trans-border data flow agreements as may be required under the applicable Data Protection Law, and maintain such additional trans-border data flow agreement (with any updates and amendments as may be required to reflect changes in the applicable Data Protection Law, and/or in any other transfer mechanism required under the applicable Data Protection Law) for the entire period during which Personal Data is Processed by UVeritech hereunder.
6. Security
6.1 In connection with its Processing of Personal Data hereunder UVeritech will provide for and maintain appropriate administrative, physical, technical and organizational security measures for such Processing, which measures are intended to protect Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and to ensure a level of security appropriate to the particular risks involved in the Processing.
7. Data Breach.
7.1 UVeritech will inform Customer without undue delay after it becomes aware of any Personal Data Breach in connection with the Processing of Personal Data under this DPA, observing the following process:
(a) UVeritech will investigate the Personal Data Breach and take reasonable measures to identify its root cause(s) and, where such breach is caused by UVeritech or a UVeritech Sub-processor, take steps to prevent a recurrence;
(b) as information is collected or otherwise becomes available, to the extent legally permitted, UVeritech will provide Customer with a description of the Personal Data Breach, the type of the data to which the breach relates, and other information Customer may reasonably request concerning the affected Data Subject(s) where such information is available to UVeritech; and
(c) the Parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected Data Subject(s) and/or the competent supervisory authorities.
7.2 To the extent that a Personal Data Breach is caused by Customer, a Customer Affiliate, or anyone acting for Customer, UVeritech will inform the Customer of the Personal Data Breach and provide information it discovers up to the stage it identifies the breach is caused by the Customer, Customer Affiliate or anyone acting for the Customer. Further assistance to investigate such a Personal Data Breach is subject to the prior agreement of the Parties.
8. Audits
8.1 If required under the applicable Data Protection Law or if reasonable grounds exist to suspect non-compliance with this DPA or applicable Data Protection Law on UVeritech’s part, UVeritech shall, upon Customer’s request, make all necessary information available to demonstrate compliance hereof. This may include a summary audit report or certification produced by a reputable third party which demonstrates UVeritech’s compliance in line with a generally accepted privacy and security framework. It is agreed that:
(a) Customer will primarily rely on any applicable summary audit reports, certifications or other verifications already available, if any, to confirm UVeritech’s compliance and exclude unnecessary repetitive audits;
(b) unless required by the applicable Data Protection Law, an audit will be conducted not more than once in any twelve-month period;
(c) to the extent legally permitted, Customer agrees to use the report only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of this DPA. The audit reports shall be kept strictly confidential by the Parties.
9. Sub-processors
9.1 UVeritech may delegate the Processing of Personal Data to a Sub-processor which is bound to comply with provisions relating to confidentiality and data protection no less stringent than the terms of this DPA. UVeritech shall remain fully liable for the conduct of any of its Sub-processors as for its own conduct.
9.2 Subject to section 9.1, Customer (also on behalf of other Controllers referenced in section 4.1) hereby gives its general written consent and authorization to UVeritech to use Sub-processors identified in the Data Processing Statement for Processing of Personal Data solely for the purposes set forth in this DPA. UVeritech shall provide the Customer with notification of new Sub-processor(s) at least 30 days before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.
10. Disclosure of DPA.
As required or upon request, UVeritech acknowledges that Customer may provide a summary or copy of the DPA to any supervisory authority or governmental agency.
11. Choice of Law and Jurisdiction.
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Master Agreement, unless required otherwise by applicable Data Protection Law.
12. Severability.
If any provision of this DPA is found by any court of competent jurisdiction to be invalid or unenforceable, the invalidity of such provision shall not affect the other provisions hereof, and all provisions not affected by such invalidity shall remain in full force and effect.