This Data Protection Addendum (“Addendum”) forms part of and is incorporated by reference into the Agreement (defined below) between the Aspire entity that is a party to the Agreement (“Service Provider”) and the customer entity that is a party to the Agreement (“Customer”), each a “Party”, and collectively the “Parties.” Service Provider and Customer have agreed to the terms of this Addendum. The terms of this Addendum shall take effect as of the effective date of the Agreement.
NOW THEREFORE, in consideration of the mutual obligations and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:
1. Purpose and Background
1.2. Service Provider provides to Customer certain services (“Services”) pursuant to each Agreement, which may include enabling integrations with certain third-party services, platforms and tools as directed by Customer (“third party integrations”). In order to provide the Services and otherwise perform the Agreement, Service Provider may collect, receive, store, retain, disclose or otherwise process (collectively, “process”) personal data on behalf of Customer (“Customer Personal Data”).
1.3. The terms of this Addendum apply to the processing of Customer Personal Data pursuant to each Agreement and the Services.
1.4. The Parties agree that this Addendum replaces and supersedes any existing data processing addendum the Parties may have previously entered into in connection with the Services.
1.5. If there is any conflict between this Addendum and any Agreement, this Addendum will prevail to the extent of that conflict in connection with the processing of Customer Personal Data.
1.6. Notwithstanding anything to the contrary in any Agreement or this Addendum, the liability of each Party and each Party’s affiliates under this Addendum is subject to the exclusions and limitations of liability set out in the applicable Agreement.
1.7. Any claims against Service Provider or its affiliates under this Addendum may only be brought by the Customer entity that is a party to the applicable Agreement against the Service Provider entity that is a party to the applicable Agreement.
1.8. This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the applicable Agreement, and subject to the dispute resolution provisions, if any, set forth in the applicable Agreement, in each case unless required otherwise by applicable data protection laws.
1.9. This Addendum shall remain in effect for (a) until termination or expiration of the applicable Agreement, or (b) as long as Service Provider carries out Customer Personal Data processing operations on behalf of Customer, if later in time.
1.10. Service Provider may amend this Addendum from time to time and will notify Customer in advance of any material changes pursuant to the notice procedures set forth in each Agreement.
2. Roles of the Parties
2.1. The Parties agree that Customer is the data ‘controller’ and ‘business,’ and Service Provider is the data ‘processor’ and ‘service provider’ for the Customer Personal Data, pursuant to and as applicable under data protection laws.
2.2. Each Party will comply with its obligations under this Addendum and all applicable data protection laws, and make available, at the other Party’s request, information necessary to demonstrate compliance.
2.3. Customer is responsible for providing any notices, obtaining any consents or authorizations, and otherwise satisfying compliance obligations with respect to the processing (including transfer to the United States) of Customer Personal Data pursuant to the Services and each Agreement, including collection, use, transfers and other processing of personal data (including Customer Personal Data) pursuant to any third party integrations requested by Customer.
3. Processing of Personal Information
3.1. The Customer Personal Data processed pursuant to the Services may include the following categories of personal data: name, address, phone number and contact information for clients and prospective clients of Customers, as well as technicians, contractors and other personnel of Customer; scheduling, billing, accounting and transactional information; communications and call recordings; information about services requested, received and considered by such clients and prospective clients, and other personal data Customer collects or causes to be collected related to the Services.
3.2. The nature and purposes of the processing of such Customer Personal Data pursuant to the Services is to enable Customer to manage certain business activities, including to engage with their own current, former and prospective clients, technicians, personnel and others; to manage appointments, quotes, billing and payments; and to otherwise support and manage key business functions, including marketing, payroll, customer service, sales, engagement, reporting, accounting, productivity and business intelligence activities. Customer Personal Data is processed on an ongoing basis, subject to and in accordance with the terms of each Agreement.
3.3. Service Provider will only process Customer Personal Data in order to perform the Services on behalf of Customer (including to enable third party integrations requested by Customer, as well as for customer support, quality control, product and services improvement, and security purposes), as set forth in this Addendum, each Agreement, and as otherwise necessary for compliance with applicable laws.
3.4. Service Provider may disclose Customer Personal Data to and permit the processing of Customer Personal Data by vendors, service providers and subcontractors who perform services for or on behalf of Service Provider (each a “subcontractor”). Customer consents to Service Provider’s appointment of subcontractors provided:
(i) Any subcontractor is subject to equivalent contractual obligations as applicable to Service Provider hereunder; and
(ii) Service Provider remains responsible and liable for the actions of its subcontractors.
3.5. Service Provider will provide Customer with reasonable and appropriate support as required by data protection laws, including by (i) providing reasonable support (including via appropriate technical and organizational measures) as necessary to enable Customer to comply with its obligations under data protection law to respond to consumer requests regarding their personal data; (ii) providing reasonable information to Customer, upon request, as necessary to enable Customer to conduct any data protection assessments or other privacy assessments required by data protection laws; (iii) making available information as reasonably necessary to demonstrate compliance with its obligations under applicable data protection laws; and (iv) providing reasonable assistance as necessary to enable Customer to meet its security and breach notification obligations under applicable data protection laws.
3.6. The Parties acknowledge that Service Provider is located in the United States. Customer expressly agrees that the Customer Personal Data will be transferred to, and stored and processed in, the United States and other jurisdictions where Service Provider and its service providers are located.
3.7. Service Provider will implement and maintain reasonable technical and organizational security measures that are appropriate to the nature of the personal data (including Customer Personal Data) it processes and designed to protect against unauthorized or unlawful processing and accidental loss, destruction of, or damage to, personal data.
3.8. Service Provider will take steps to ensure that each person that Service Provider engages or permits to process Customer Personal Data is subject to a duty of confidentiality.
3.9. To the extent required by data protection laws, the Parties agree:
(i) Service Provider will, upon request, up to once per calendar year and at Customer’s sole expense, cooperate with reasonable audits and assessments by Customer (or its designated, qualified assessor) of Service Provider’s policies and technical and organizational measures relevant to its compliance with this Addendum and applicable data protection laws; and
(ii) Unless prohibited by applicable data protection laws, Service Provider may satisfy its obligation pursuant to Section 3.9(i) by undergoing, and providing to Customer a report reflecting, an annual audit of Service Provider’s policies and technical and organizational measures by a qualified, independent auditor using an appropriate and accepted control standard or framework, such as a SOC-2, Type 2 Report.
3.10. Upon expiration or termination of each Agreement, Service Provider will return or delete Customer Personal Data in accordance with the terms of each Agreement, unless otherwise required by applicable law.
3.11. To the extent that CA Privacy Laws apply, Service Provider further agrees that Service Provider:
(i) will not collect, retain, use, transfer or disclose any Customer Personal Data (a) outside of the direct business relationship between Customer and Supplier, and (b) except to perform the Services (including in support of any third party integrations requested by Customer) and as set forth in Section 3.1 and 3.3;
(ii) will not sell, rent, release, disclose, disseminate, make available, transfer or otherwise communicate Customer Personal Data to any third party for monetary or other valuable consideration;
(iii) will not combine the Customer Personal Data with other personal data that Service Provider receives from third-party businesses (or collects from its own interaction(s) with consumers), except (i) as permitted by Customer and (ii) to perform a business purpose (as such term is defined by CA Privacy Laws);
(iv) will not share Customer personal data for the purpose of cross-contextual behavioral advertising; and
(v) will notify Customer if it is no longer able to meet its obligations under the Addendum and CA Privacy Laws and enable Customer to take reasonable and appropriate steps as necessary to help ensure that Service Provider is using the Personal Data in a manner consistent with the Customer’s instructions and obligations under CA Privacy Laws.
3.12. Customer acknowledges and agrees that Service Provider may, as permitted by applicable data protection laws, and without limiting any data rights provisions set forth in each Agreement, collect, use and process aggregated, de-identified, and other non-identifiable data derived from the Services to improve its operations, enhance the features, functions, and performance of the Services, for benchmarking, reporting across Service Provider’s customer base, to develop industry reports, to develop general statements regarding the performance and capabilities of Service Provider’s products and services across Service Provider’s customer base, and to create new products and services offerings, provided such data is not Customer Personal Data.