JDXpert Data Processing Addendum
Version 1.0
This Data Processing Addendum (this “DPA”) forms part of the Enterprise Subscription and Services Agreement (the “Agreement”) between you (as defined in the Agreement) (“Controller”) and HRTMS Incorporated, a North Carolina corporation d/b/a JDXpert (“Processor”). By entering into the Agreement, Controller and Processor also enter into, and agree to be bound by and comply in all respects with, this DPA. This DPA applies where, and to the extent that, Processor processes personal data of data subjects on behalf of Controller when providing the JDXpert Materials and/or Services (collectively for the purposes of this DPA, the “Services”) under the Agreement. This DPA may be supplemented with additional jurisdiction-specific clauses as described in Section 14(e) below. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
In consideration of the mutual obligations set forth herein and in the Agreement, the parties agree to the terms and conditions of this DPA, effective as of the effective date of the Agreement.
1. Defined Terms. For the purposes of this DPA only, the following terms have the meanings given to such terms below:
(a) “CCPA” means the California Consumer Privacy Act of 2018 and its implementing regulations (as amended, restated or supplemented from time to time, including by the California Privacy Rights Act of 2020).
(b) “Controller Personal Data” means any personal data processed by Processor on behalf of Controller pursuant to the Agreement. For the avoidance of doubt, all of Your Data that constitutes personal data is Controller Personal Data.
(c) “EEA” means the European Economic Area.
(d) “Data Privacy Framework” means, collectively, the terms of Processor’s certification with the U.S. Department of Commerce under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework, or any substantially similar successor program recognized under Data Privacy Laws to provide for an adequate level of data protection.
(e) “Data Privacy Framework Principles” means the Data Privacy Framework Principles (as supplemented by the Supplemented Principles) as set forth at https://www.dataprivacyframework.gov/s/framework-text.
(f) “Data Privacy Laws” means applicable laws relating to the privacy and protection of personal data, including without limitation (but only where applicable) GDPR, CCPA and the Other State Laws.
(g) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, including the recitals. Where personal data of data subjects in the United Kingdom is involved, “GDPR” more specifically means and refers to Regulation (EU) 2016/679, the General Data Protection Regulation together with and as implemented by the UK Data Protection Act of 2018 and the implementing rules or regulations that are issued by the UK Information Commissioner’s Office (“ICO”).
(h) “Other State Laws” means the U.S. state privacy laws listed and identified as the “Other State Laws” on Appendix 1 attached hereto.
(i) “personal data” means and includes “personal information,” “personal data” and “personally identifiable information” as defined under Data Privacy Laws.
(j) “Restricted Transfer” means a transfer of Controller Personal Data from Controller to Processor or any onward transfer of Controller Personal Data from Processor to a Subprocessor, in each case where such transfer would be prohibited by Data Privacy Laws in the absence of a self-certification to the Data Privacy Framework or the relevant parties’ agreement to another data transfer mechanism permitted by Data Privacy Laws.
(k) “Subprocessor” means any person or entity (excluding employees of Processor) appointed by or on behalf of Processor to Process Controller Personal Data on behalf of Controller in connection with the Agreement.
(l) Additionally, the terms “controller,” “data subject,” “personal data,” “personal data breach,” “process,” “processor,” and “supervisory authorities” (or their respective substantially corresponding equivalents under Data Privacy Laws) shall have the meanings given to such terms under Data Privacy Laws.
2. Nature of Relationship. The parties acknowledge and agree that Controller is a controller and Processor is a processor under Data Privacy Laws (and, for the purposes of CCPA only, Controller is a business and Processor is a service provider).
3. Controller Representations and Warranties. Controller represents and warrants to Processor that, prior to transferring any Controller Personal Data to Processor for processing, asking Processor to collect Controller Personal Data on the Controller’s behalf in connection with the Services, or otherwise providing or making available any personal data to Processor in connection with Processor’s performance of the Services, Controller has provided to the applicable data subjects every type of notice and obtained from the applicable data subjects every type of consent in each case as required by Data Privacy Laws pertaining to such disclosures of personal data to or collection of personal data on Controller’s behalf by Processor. Controller shall indemnify and hold harmless Processor from and against all claims, liabilities, fines, penalties, costs or other expenses, of any kind or nature whatsoever, arising out of Controller’s breach of this Section 3.
4. Description of Processing.
(a) Data Subjects: Personnel of Controller.
(b) Categories of Data: With respect to personnel of Controller, information that identifies the data subject such as name, employer, address, email address, telephone number and other contact details. Additionally, Controller may specifically request the Services to be configured to collect and process other categories of personal data (such as mapping job descriptions to a particular supervisor or employee) in connection with Processor’s implementation and onboarding services provided as part of the Services.
(c) Special Categories of Data: Information concerning an individual’s union membership, but only if and when Controller has specifically requested the Services to be configured to collect and process this data in connection with Processor’s implementation and onboarding services provided as part of the Services, and otherwise none.
(d) Nature and Purpose of Processing: All processing operations required to facilitate provision of Services to Controller in accordance with the Agreement, including managing user accounts for logging in to the JDXpert Software and in direct communications with personnel of Controller in connection with periodic customer account reviews and subscription renewal discussions, providing requested implementation and onboarding services and providing any requested technical support services.
(e) Frequency of Transfer (per Section 12 of this DPA): Continuously throughout the term of the Agreement.
(f) Period of Retention of Personal Data: Except as otherwise provided in the Agreement or this DPA, in accordance with the retention policy of Processor, provided that to the extent that any personal data is retained beyond the termination of the Agreement for back up or legal reasons, the Processor will continue to protect such personal data in accordance with the Agreement and this DPA.
(g) For Transfers to Subprocessors, the Subject Matter, Nature and Duration of the Processing: As described in Section 10 of this DPA.
5. Processing of Personal Data. Processor shall process Controller Personal Data only as needed to perform the Services and otherwise only on documented instructions from Controller (including, for the avoidance of doubt, as described in the Agreement), unless Processor is required to do so by applicable law to which Processor is subject, in which case Processor shall inform Controller of that legal requirement before processing (unless the applicable law prohibits providing such information to Controller on important grounds of public interest). Controller shall ensure that its instructions comply with all laws, rules and regulations applicable in relation to the Controller Personal Data, and that the processing of Controller Personal Data in accordance with Controller’s instructions will not cause Processor to be in breach of Data Privacy Laws or any other laws, rules or regulations applicable with respect to the Controller Personal Data. Processor represents that it has implemented appropriate technical and organizational measures in such a manner that its processing of Controller Personal Data will meet the requirements of Data Privacy Laws and ensure the protection of the rights of the data subjects.
6. Confidentiality of Personal Data. Processor shall ensure that all persons (including Subprocessors) authorized to process Controller Personal Data have committed to keeping such Controller Personal Data confidential or are under an appropriate statutory obligation of confidentiality with respect to such Controller Personal Data. Processor shall take steps to ensure that any natural person acting under the authority of the Processor who has access to Controller Personal Data does not process such Controller Personal Data except as needed to perform the Services or otherwise upon instructions from the Controller, unless the Processor is required to do so by applicable law to which Processor is subject.
7. Security of Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security for Controller Personal Data appropriate to the risk, including in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Personal Data transmitted, stored or otherwise processed. Such measures shall include, inter alia as appropriate: (a) the pseudonymization or encryption of Controller Personal Data, (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services used to process Controller Personal Data, (c) the ability to restore the availability and access to Controller Personal Data in a timely manner in the event of a physical or technical incident, and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. Additionally, such measures shall include those set forth in Section 7 of the Agreement and in the then-current version of the JDXpert Security Frequently Asked Questions – Public Edition, a copy of which Processor shall provide to Controller upon Controller’s written request.
8. Assistance and Cooperation.
(a) Processor shall provide, at Controller’s cost, reasonable assistance to Controller in performing any data protection impact assessments and/or relevant consultations with supervisory authorities or other competent data privacy authorities, in each case to the extent required by Data Privacy Laws (such as, where applicable, GDPR Articles 35 or 36), and in each case solely in relation to Processing of Controller Personal Data by, and taking into account the nature of the Processing and information available to, Processor and its Subprocessors.
(b) Taking into account the nature of the Processing and the information available to Processor, Processor shall, at Controller’s cost, assist Controller as Controller may reasonably require, including by appropriate technical and organizational measures, insofar as this is possible, in ensuring compliance with Controller’s obligations under Data Privacy Laws to appropriately secure and safeguard Controller Personal Data (such as, where applicable, pursuant to GDPR Article 32).
(c) Taking into account the nature of the Processing, Processor shall, at Controller’s cost, assist Controller as Controller may reasonably require, including by appropriate technical and organizational measures, insofar as this is possible, to enable the Controller to comply with requests by data subjects to exercise their rights under Data Privacy Laws. Processor shall: (i) promptly notify the Controller if Processor receives a request from a data subject under Data Privacy Laws with respect to Controller Personal Data, and (ii) not respond to that request except on the written instructions of Controller or as required by applicable law to which Processor is subject, in which case Processor shall (to the extent permitted by applicable law) inform Controller of that legal requirement before Processor responds to the request.
9. Recordkeeping; Information and Audit Rights. Processor shall maintain all records pertinent to its processing of Controller Personal Data that are required by Data Privacy Laws, such as, where applicable, Article 30(2) of the GDPR, and (to the extent they are applicable to Processor’s activities for Controller) Processor shall make such records available to the Controller upon Controller’s reasonable written request. Processor shall make available to the Controller on Controller’s reasonable request all information necessary to demonstrate compliance with this DPA, and shall, at Controller’s cost, allow for and cooperate with audits, including inspections, by the Controller or an auditor appointed by Controller in relation to the Processing of the Controller Personal Data by Processor, subject to the following:
(a) Information disclosed to Controller or its auditor or that is otherwise revealed in such records, inspections or audits shall be the Confidential Information of Processor under the confidentiality provisions of the Agreement.
(b) Controller may request an audit by emailing privacy_inquiries@jdxpert.com.
(c) Audits may not be conducted more than once per year, except that audits may be conducted more frequently: (i) to the extent required by a supervisory authority, or (ii) in the event of and in connection with a particular personal data breach.
(d) Audits shall be conducted only during Processor’s normal business hours and only with reasonable advance written notice of not less than 15 business days (except in the event of a personal data breach or if Controller has a reasonable basis to believe (supported by substantial evidence) that Processor is in material non-compliance with this DPA, in which case advance notice shall be not less than 72 hours).
(e) Following Processor’s receipt of Controller’s written request to conduct an audit and/or inspection, Processor and Controller will discuss and agree in advance on the reasonable scope, start date and duration of this audit, as well as any applicable security and confidentiality controls that may be required.
(f) No such audit shall include access to Processor’s (or any Subprocessors’) facilities or systems (e.g., computing infrastructure, servers, data storage mechanisms and infrastructure, audit logs, activity reports, system configuration, etc.) without Processor’s prior written consent, except to the extent required by a supervisory authority.
(g) The Processor may charge a fee (based on the Processor’s reasonable costs) for any such audit. The Processor will provide Controller with additional details of this fee including the basis of its calculation, in advance of the audit. Additionally, Controller will be responsible for any fees charged by any third-party auditor appointed by Controller for this audit.
In lieu of an audit, upon reasonable request by Controller, but no more than once per year, Processor agrees to complete, within thirty (30) days of receipt, an audit questionnaire provided by Controller regarding Processor’s compliance with this DPA, of reasonable length and required detail (not to exceed a reasonably estimated four person-hours to complete unless otherwise agreed to and subject to the payment of additional fees set forth in a separate written agreement by the parties), provided that any such questionnaire responses shall be the Processor’s Confidential Information under the confidentiality provisions of the Agreement.
10. Subprocessors.
(a) Processor shall not engage any Subprocessor to process Controller Personal Data under the Agreement without written authorization from Controller. Processor reserves the right to maintain its Subprocessor list through means such as publication of its Subprocessor list online, and Controller hereby provides written authorization for Processor to engage the Subprocessors listed online at https://jdxpert.com/subprocessors, as such list may be updated from time to time (the “Subprocessor List”). Controller may receive notifications of new Subprocessors by emailing subprocessor@jdxpert.com with the subject “Subscribe,” and once subscribed in this manner Controller will receive notification of new or replacement Subprocessors before those Subprocessors are authorized to process Controller Personal Data on behalf of the Processor. Processor shall send notice to Controller by email of any additional or replacement Subprocessors at least 30 days in advance of engaging any such additional or replacement Subprocessors to process Controller Personal Data under the Agreement. Controller may object to any such additional or replacement Subprocessor within 10 days of receiving such notice, provided that such objections are reasonable and on grounds relating to the protection or privacy of the Controller Personal Data involved in accordance with Data Privacy Laws or this DPA. Processor shall use commercially reasonable efforts to resolve any such objection by Controller, and Controller shall reasonably and in good faith cooperate with Processor in such efforts. 
If Processor cannot resolve Controller’s objection within a reasonable period of time following receipt of Controller’s objection (such period of time not to exceed 60 days), and if Processor is unable to provide some or all of the Services without the use of the objected-to Subprocessor, then Controller may terminate the applicable Services which cannot be provided by Processor without the use of the objected-to Subprocessor by providing written notice to Processor.
(b) Where Processor engages a Subprocessor for carrying out specific processing activities on behalf of Controller with respect to Controller Personal Data, Processor shall by contract impose on the Subprocessor substantially the same data protection obligations as set forth in this DPA. Where the Subprocessor fails to fulfil such data protection obligations, Processor shall remain fully liable to Controller for the performance of that Subprocessor’s obligations.
(c) Controller understands, acknowledges and agrees that Processor is (and its Subprocessors are) based in the United States and that the Processor provides (and the Subprocessors may provide) services under the Agreement from the United States, and Controller hereby consents to the transfer of Controller Personal Data to the United States for Processing by Processor and its Subprocessors in accordance with Section 12 below.
11. Return or Deletion of Controller Personal Data.
(a) Subject to Sections 11(b), 11(c) and 11(d) below and Section 7(e) of the Agreement, Processor shall at Controller’s request within thirty (30) days after the date of cessation of Services involving the Processing of Controller Personal Data (the “Cessation Date”), either: (i) return to the Controller the Controller Personal Data in a mutually agreeable format; or (ii) delete and ensure the deletion of all copies of Controller Personal Data.
(b) Processor (and Processor’s Subprocessors) may retain Controller Personal Data to the extent and for such period as is required by applicable law, rule or regulation, provided that Processor shall ensure the continued confidentiality of all such Controller Personal Data, and shall ensure that the Controller Personal Data are only accessed and used for the purpose(s) specified in the applicable law, rule or regulation requiring its retention. Additionally, solely to the extent not prohibited by Data Privacy Laws, Processor (and Processor’s Subprocessors) may retain Controller Personal Data stored in electronic archived or backup systems until such copies are deleted in the ordinary course in accordance with Processor’s data retention policies, provided that any such retained Controller Personal Data will remain protected to the standards of this DPA for so long as it is retained.
(c) Processor may retain and use for its business purposes any aggregated or de-identified data (i.e., data that is no longer personal data) created from or using Controller Personal Data, during and after termination of the Agreement.
(d) Processor’s obligations under this Section 11 shall be subject to any agreed-upon post-termination data retrieval provisions in the Agreement.
12. Restricted Transfers.
(a) To the extent that Controller Personal Data includes information about individuals who are located in the EEA, the United Kingdom and/or Switzerland, and Processor or any Subprocessors store or otherwise obtain access to such Controller Personal Data outside of the EEA, the United Kingdom and/or Switzerland as a result of a Restricted Transfer, Processor hereby represents and warrants that: (i) Processor has self-certified to the Data Privacy Framework and that any such Restricted Transfers are within the scope of Processor’s certification to the Data Privacy Framework; (ii) Processor shall at all relevant times for purposes of this Section 12 maintain a “current” Data Privacy Framework certification status with the United States Department of Commerce related to its processing of Controller Personal Data and remain at all times in compliance with the requirements of the Data Privacy Framework; (iii) with respect to Controller Personal Data that includes information about individuals who are located in the EEA, the United Kingdom and/or Switzerland, Processor shall comply with the Data Privacy Framework Principles when handling such data; (iv) Processor shall promptly notify Controller if Processor makes a determination that it can no longer meet its obligations under this Section 12, and, in such event, Processor shall work with Controller and promptly take all reasonable and appropriate steps to stop and remediate (if remediable) any processing until such time as the processing meets the level of protection required by this Section 12; and (v) Processor shall immediately cease (and procure that all Subprocessors immediately cease) processing such Controller Personal Data if in Controller’s reasonable discretion Controller determines that Processor has not or cannot correct any non-compliance with this Section 12 in accordance with clause (iv) above within a reasonable time frame.
(b) Additionally, to the extent that Controller Personal Data includes information about individuals who are located in the EEA, the United Kingdom and/or Switzerland, Processor or any Subprocessors store or otherwise obtain access to such Controller Personal Data outside of the EEA, the United Kingdom and/or Switzerland as a result of a Restricted Transfer, and such Controller Personal Data consists of personal data about Controller’s employees (past or present) collected in the context of the employment relationship (and as such constitutes human resources data as defined and described in the Data Privacy Framework Principles) (“Human Resources Data”), then Processor additionally declares its commitment to comply with all applicable requirements of the Data Privacy Framework Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities (including for the avoidance of doubt a commitment to cooperate with the relevant local authority or authorities concerned in conformity with the Data Privacy Framework Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities and to comply with the advice given by such authorities). In compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework, Processor commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning its handling of Human Resources Data received in reliance on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework in the context of the employment relationship.
13. Personal Data Breach. Taking into account the nature of processing and the information available to Processor, Processor shall reasonably assist Controller in Controller’s efforts to comply with its obligations regarding personal data breaches as set forth in Data Privacy Laws, such as, where applicable, GDPR Articles 33 and 34. If any Controller Personal Data is subject to any personal data breach, Processor shall, upon becoming aware of the personal data breach, without undue delay notify Controller, take reasonable steps to contain and counteract the personal data breach and minimize any damage resulting from the personal data breach, and provide Controller with sufficient information to allow Controller to meet any obligations to report to supervisory authorities or inform the applicable data subjects of the personal data breach to the extent required under Data Privacy Laws. Processor shall cooperate, at Controller’s cost, to assist Controller in the investigation, mitigation and remediation of each such personal data breach.
14. Miscellaneous.
(a) Subject to the following sentence of this Section 14(a), in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In any event, Processor’s liability under this DPA, including for breach or other failure under this DPA by Processor or its Subprocessors, shall be (to the maximum extent permitted under Data Privacy Laws and other applicable laws) subject to the exclusions and limitations of liability provided for in the Agreement as if this DPA were a part of the Agreement, ab initio.
(b) To the extent this DPA is not governed exclusively by Data Privacy Laws, it will be governed by and construed in accordance with the laws selected pursuant to the governing law provision set forth in the Agreement.
(c) This DPA constitutes the entire understanding of the parties with respect to the subject matter hereof and supersedes all prior agreements, oral or written.
(d) Except as expressly stated in Data Privacy Laws, the parties to this DPA do not intend to create any rights in any third parties.
(e) The parties agree that, to the extent required under Data Privacy Laws, such as due to legislative changes, court decisions and/or to reflect measures or guidance from supervisory authorities, including, without limitation and only where applicable, the adoption of standards for contracts with processors according to GDPR Article 28(7) or (8) or the invalidation, amendment, replacement or repeal of a decision adopted by the EU Commission or ICO in relation to international data transfers on the basis of GDPR Article 45(3) or Article 46(2) GDPR or on the basis of Article 25(6) or 26(4) of EU Directive 95/46/EC, such as, in particular, with respect to the Data Privacy Framework or similar transfer mechanisms, Controller may request reasonable changes or additions to this DPA to reflect applicable requirements. If Controller makes a request to change or supplement this DPA pursuant to this Section 14(e), Controller and Processor shall in good faith negotiate such changes and additions (including, where applicable, providing for Controller’s reimbursement of Processor’s costs and expenses for undertaking additional obligations) and Processor shall not unreasonably withhold or delay agreement to any variations to this DPA.
(f) Controller and Processor hereby accept and agree to, and where and as applicable shall adhere to, the clauses that appear in the following attachments:
· Attachment 1 – Compliance with U.S. State Consumer Privacy Laws
· Attachment 2 – Compliance with the Federal Act on Data Protection of the Swiss Confederation (FADP)
(g) Based on Your Data that Controller will process using the Services or that is otherwise collected by or provided to Processor or its Subprocessors under and in connection with the Services, if and to the extent Data Privacy Laws require additional clauses to be executed by Processor beyond those set forth in this DPA, then Controller shall notify Processor in writing of such requirement and Processor will in good faith review, negotiate and consider adding such clauses as an additional addendum to the Agreement. In the absence of such notice, Controller represents and warrants that no additional clauses are required.
Attachment 1
U.S. State Consumer Privacy Law Addendum
This U.S. State Consumer Privacy Law Addendum (this “Addendum”), effective as of the effective date of the Agreement (the “Effective Date”), forms part of the Enterprise Subscription and Services Agreement (the “Agreement”) between the Controller identified in the DPA (the “Customer”) and HRTMS Incorporated, d/b/a JDXpert (“Vendor”). This Addendum applies where, and to the extent that, Vendor processes personal information of consumers on behalf of the Customer when providing the Platform, Support Services and/or Professional Services under the Agreement (“Services”). All capitalized terms not defined in this Addendum shall have the meanings set forth in the DPA or the Agreement.
Notwithstanding anything to the contrary elsewhere in the DPA, where the CCPA applies, the terms “business,” “combine,” “commercial purpose,” “consumer,” “contractor,” “personal information,” “processing,” “sell” (and its corresponding “sale”), “share” and “service provider” shall have the meanings given to such terms in CCPA; and where any of the state privacy laws listed below and their respective implementing regulations (each, an “Other State Law,” and, collectively, the “Other State Laws”) apply, the terms “consumer,” “controller,” “processing,” “processor,” “sell” (and its corresponding “sale”) and “targeted advertising” shall have the meanings given to such terms in the applicable Other State Law, and the term “personal information” shall have the same meaning as the term “personal data” as such term is defined in the applicable Other State Law. The Other State Laws are:
· The Virginia Consumer Data Protection Act, effective January 1, 2023 (as amended, restated or supplemented from time to time, the “VCDPA”);
· The Colorado Privacy Act, effective July 1, 2023 (as amended, restated or supplemented from time to time, the “CPA”);
· The Connecticut Personal Data Privacy and Online Monitoring Act, effective July 1, 2023 (as amended, restated or supplemented from time to time, the “CPDPOMA”);
· The Utah Consumer Privacy Act, effective December 31, 2023 (as amended, restated or supplemented from time to time, the “UCPA”);
· The Montana Consumer Data Privacy Act, effective October 1, 2024 (as amended, restated or supplemented from time to time, the “MCDPA”);
· The Oregon Consumer Privacy Act, effective July 1, 2024 (as amended, restated or supplemented from time to time, the “OCPA”);
· The Texas Data Privacy and Security Act, effective July 1, 2024 (as amended, restated or supplemented from time to time, the “TDPSA”);
· The Delaware Personal Data Privacy Act, effective January 1, 2025 (as amended, restated or supplemented from time to time, the “DPDPA”);
· The Iowa Consumer Data Protection Act, effective January 1, 2025 (as amended, restated or supplemented from time to time, the “IACDPA”);
· The Tennessee Information Protection Act, effective July 1, 2025 (as amended, restated or supplemented from time to time, the “TIPA”); and
· The Indiana Consumer Data Protection Act, effective January 1, 2026 (as amended, restated or supplemented from time to time, the “INCDPA”).
In consideration of the mutual obligations set forth herein, the parties agree to the terms and conditions of this Addendum.
1. The parties acknowledge and agree that the Customer is a business and Vendor is a service provider or contractor to the Customer under the CCPA, and Customer is a controller and Vendor is a processor under the Other State Laws. The specific purpose for which Vendor is processing personal information under the Agreement (and the only purpose for which Customer discloses personal information to Vendor under this Agreement) is for Vendor to provide the JDXpert Materials and Services as specifically set forth in the Agreement.
2. In its processing of personal information of consumers that the Customer has transferred to Vendor for processing, that Vendor may have access to, or that Vendor has collected on the Customer’s behalf, in each case in connection with the Services, Vendor shall comply with all requirements of the CCPA that are applicable to service providers and contractors and all requirements of the applicable Other State Laws that are applicable to processors. Without limiting the foregoing, during the term of the Agreement and thereafter, Vendor shall: (i) not retain, use or disclose the personal information for any purpose (including any commercial purpose) other than for the specific purpose of performing the Services contemplated by the Agreement; (ii) not retain, use or disclose the personal information outside of the direct business relationship between Vendor and the Customer; (iii) not sell or (where CCPA applies) share the personal information to or with any third parties; (iv) not combine the personal information that Vendor receives from, or on behalf of, Customer with personal information that Vendor receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, provided that Vendor may combine such personal information (1) for the specific purpose of providing the Services contemplated by the Agreement or (2) to perform any other permitted business purpose under CCPA and/or the Other State Laws, as applicable; (v) taking into account the nature of processing and the information available to Vendor, by appropriate technical and organizational measures and insofar as this is reasonably practical, promptly comply with Customer’s reasonable written instructions associated with responding to any consumer’s request to exercise the consumer’s rights under CCPA or the Other State Laws, as applicable; (vi) taking into account the nature of processing and the information available to Vendor, reasonably assist Customer in meeting its obligations in relation to the security of processing personal information and in relation to providing for legally required notifications of breaches involving personal information; (vii) at Customer’s direction, delete or return to Customer all personal information as requested at the end of the Agreement, subject to Section 7(e) of the Agreement and unless retention of the personal information is otherwise permitted or required by law; and (viii) notify Customer after Vendor makes a determination that it can no longer meet its obligations under the DPA or this Attachment 1. Customer has the right, upon notice to Vendor, to take reasonable and appropriate steps to stop and remediate Vendor’s unauthorized use of personal information. Vendor certifies that it understands and will comply with the restrictions, duties and obligations set forth in this Section 2.
3. Where not prohibited by applicable law, nothing in this Addendum shall prohibit Vendor from retaining, using or disclosing the personal information in connection with: (i) retaining or employing another service provider, processor, contractor or subcontractor (as applicable), provided the service provider, processor, contractor or subcontractor meets the requirements for a service provider, processor, contractor or subcontractor under the CCPA or Other State Law, as applicable; (ii) internal use by Vendor to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles for use in providing services to another business, or correcting or augmenting data acquired from another source; (iii) detecting data security incidents, or protecting against fraudulent or illegal activity; (iv) complying with federal, state or local laws; (v) complying with a civil, criminal or regulatory inquiry, investigation, subpoena, or summons by federal, state or local authorities; (vi) cooperating with law enforcement agencies concerning conduct or activity that the Customer, Vendor or a third party reasonably and in good faith believes may violate federal, state or local law; or (vii) exercising or defending legal claims.
4. If Vendor authorizes any subcontractor (each, a “Vendor Subcontractor”) to process, retain or use any personal information received from the Customer, accessed in connection with the Services or collected on the Customer’s behalf in connection with the Services, then prior to any disclosure of such personal information to such Vendor Subcontractor, Vendor shall enter into a written agreement with such Vendor Subcontractor that (i) includes all required or necessary terms to ensure that such Vendor Subcontractor is deemed a service provider or contractor within the meaning of the CCPA or a processor, subprocessor or subcontractor within the meaning of any applicable Other State Law; and (ii) requires the Vendor Subcontractor to be bound by terms that are substantially equivalent to the restrictions, duties and obligations under this Attachment 1. Vendor maintains a list of its service providers / subprocessors at https://jdxpert.com/subprocessors.
5. Upon Customer’s reasonable written request, and at Customer’s expense, Vendor will make available to Customer all information in Vendor’s possession necessary to demonstrate Vendor’s compliance with the obligations in this Attachment 1 and (solely to the extent required by applicable law) to enable Customer to conduct and document data protection assessments. Additionally, at Customer’s expense, Vendor will allow for, and cooperate with, reasonable assessments by Customer or its designated assessor; alternatively, Vendor may (at no additional charge to Customer) arrange for a qualified and independent assessor to conduct an assessment of Vendor’s policies and technical and organizational measures in support of the obligations under this Attachment 1 using an appropriate and accepted control standard or framework and assessment procedure for such assessments and provide a report of such assessment to Customer upon request. Customer acknowledges and agrees that any information, reports or assessments made available to Customer under this paragraph shall be Vendor’s Confidential Information and shall be subject to all confidentiality obligations set forth in the Agreement.
6. To the extent this Attachment 1 is not governed exclusively by CCPA or an Other State Law (as applicable), it shall be governed by and construed in accordance with the laws set forth in the governing law section of the Agreement. If there is any conflict between this Attachment 1 and the DPA, the Agreement or any other data protection agreement(s) between the parties, this Attachment 1 shall prevail to the extent of that conflict with respect to the personal information of consumers only.
Attachment 2
Compliance with the Federal Act on Data Protection of the Swiss Confederation (“SW”),
as Revised Effective September 1, 2023 (“FADP”)
1. This Addendum (“SW Addendum”) applies only to any processing of personal data that has actual or potential effects in SW.
2. All provisions of the above DPA are incorporated and restated in this SW Addendum in their entirety, except as specifically amended or modified below.
3. References to Data Privacy Laws in the DPA shall mean and include (but only where applicable) FADP.