GDPR Data Processing Addendum

This Data Processing Addendum (“DPA”) is by and between the business customer purchasing, requesting, use of, or using the Services (“Company”) and Review Trackers, Inc. (“Provider”) pursuant to the Master Services Agreement (“Agreement”). This DPA forms part of the Agreement between the parties under which Provider has agreed to provide to Company services (“Services”).

In performing the Services, Provider may be required to Process certain Personal Data that is subject to the EU General Data Protection Regulation (“GDPR”), and all applicable data protection laws in the United States, including but not limited to, the California Consumer Privacy Act as amended (“CCPA”), the California Privacy Rights Act (“CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), and the Colorado Privacy Act (“CPA”).

The parties desire to enter into this DPA in order to address those certain obligations of the respective parties set forth under Applicable Laws.

In consideration of the mutual obligations set out herein, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

  1. Definitions.  The capitalized terms in this DPA shall have the meanings set forth below and otherwise throughout this DPA.  Any capitalized terms not defined herein shall have the meanings set forth in the Agreement.

    “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the same definitions as set forth under the Applicable Laws.

    “Service Provider” and “Business” have the meaning given in Applicable Laws.

    “Affiliate” means an entity of a party, whether incorporated or not, that controls, is controlled by, or is under common control with such party, where “control” means the ability, whether directly or indirectly, to direct the affairs of another by means of ownership, contract or otherwise.

    “Applicable Laws” means the CCPA, CPRA, VCDPA, CPA, the GDPR and any regulations or laws of the Member States implementing the GDPR, as well as any Member State derogations.

    “EEA” means the European Economic Area.

    “Member State” refers to a country that is a member of the European Economic Area.

    “Subprocessor” means any other Processor that is engaged by Provider (e.g. an Affiliate or subcontractor) for the performance of the Services on behalf of the Controller.

  2. Scope.  This DPA governs each party’s respective rights and obligations with respect to the Processing of Personal Data pursuant to Applicable Laws.  
  3. Roles of the Parties.  The parties acknowledge and agree that with regard to the Processing of Personal Data under this DPA, Company is the “Controller” or “Business” and Provider is the “Processor” or “Service Provider.”
  4. DPA Term & Duration of Processing.  This DPA begins on the date you sign up for the Sanity Services and will end coterminous with the Agreement.  Any terms and conditions herein that by their nature are intended to survive the termination or expiration of this DPA shall survive.  Provider will Process Personal Data until the earlier of: (1) the Agreement is terminated or expires, or (2) until notified in writing by Controller to discontinue Processing Personal Data.
  5. Rights and Obligations of Company
    1. Compliance with Applicable Laws.  Company shall comply with Applicable Laws.
    2. Lawful Means For Processing.  Company is responsible for ensuring that it has a lawful means for Processing Personal Data under Article 6 (Lawfulness of processing) of the GDPR.  Company represents and warrants that it will comply with Article 6 of the GDPR and obtain any and all necessary consents from data subjects prior to transferring the Personal Data to Provider. Company shall indemnify, defend and hold harmless Provider and its Affiliates for any claims, suits, damages, losses, liabilities, fines, penalties, attorneys’ fees and court costs that Provider incurs arising from Company’s violation of Applicable Laws. 
    3. The Means for Processing.  Company has the right and the obligation to determine the purposes for which Personal Data is Processed by Provider.  
  6. Obligations of Provider
    1. No Sale of Personal Data.  Company and Provider hereby acknowledge and agree that in no event shall the transfer of Personal Data from Company to Provider pursuant to the Agreement constitute a sale of Personal Data or transfer of Personal Data for valuable consideration to Provider, and that nothing in the Agreement shall be construed as providing for the sale or transfer for valuable consideration of Personal Data to Provider. Provider may not (and must ensure its subprocessors do not) retain, sell, use or disclose Personal Data for any purpose other than for the specific purpose of performing the Services for which Company has engaged Provider (including retaining, using, or disclosing Personal Data for any commercial purpose other than providing such Services).  Provider expressly may not sell, rent, disclose, release, transfer, make available, or otherwise communicate Personal Data to any third party for monetary or other valuable consideration.  “Sell” and “sale” have the definitions set forth in Applicable Laws. Provider hereby certifies that it understands the foregoing restrictions and will comply with them.
    2. Compliance with Applicable Laws.  Provider shall comply with Applicable Laws.
    3. Processing on Written Instructions. Provider shall only Process Personal Data on the express written instructions of Company, including with regard to the transfer of Personal Data to a third country, unless otherwise required by Applicable Laws.  For the avoidance of doubt, providing the Services as expressly set forth in the Agreement constitutes complying with Company’s written instructions.
      Where Provider is relying on Applicable Laws as the basis for Processing Personal Data, Provider shall promptly notify Company of such Processing prior to Processing unless Applicable Laws prohibit such prior notice.
    4. Notice of Violation of Law.  Provider shall immediately notify Company if, in Provider’s opinion, any instruction given by Company violates Applicable Laws or other applicable data protection laws of the EEA (“Challenged Instruction”).  The parties will work together in good faith to promptly address any Challenged Instruction.
    5. Duty of Confidentiality.  Provider shall ensure that all persons processing Personal Data on its behalf, including Provider’s and its Subprocessor’s employees, agents and contractors, are subject to a duty of confidence or are under an appropriate statutory obligation of confidentiality.    
    6. Appropriate Security Measures.  Before Processing Personal Data on behalf of Company, Provider shall implement technical and organizational measures to ensure a level of security appropriate to the risk. Provider shall comply with all applicable requirements of Article 32 of the GDPR.  Provider shall consider the following when implementing such security measures, as appropriate:  (i) pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the Processing.
    7. Records and Audits.  Provider shall maintain complete and accurate records regarding the Processing it performs under the Agreement and this DPA, including as necessary to demonstrate its compliance with the data privacy and security obligations of the DPA and Applicable Laws (including without limitation Article 28 (Provider) of the GDPR).  Provider shall promptly provide Company with such aforementioned records and information upon reasonable request.  Upon request, Provider shall permit Company or its designated agent to audit any such records and perform any such other audits required in order for Company to establish both Company’s and Provider’s compliance with Applicable Laws.
    8. Notice Requirements. 
      1. Government Request.  Provider shall notify Company, without undue delay, of any request for disclosure of Personal Data by law enforcement or governmental authorities, unless prohibited by Applicable Laws.
      2. Data Subject Request.  Provider shall notify Company, without undue delay, of any complaints or requests received from a Data Subject affiliated with Company, such as requests for access, rectification, erasure, restriction of Processing, data portability, objection to Processing, or objection to automated-decision making.  If Provider receives any requests from a Data Subject and can reasonably identify the Data Subject as affiliated with Company, Provider shall not respond to the Data Subject directly unless authorized to do so by Company or required by Applicable Laws, but shall instead permit Company to respond directly to the Data Subject.  If Provider is unable to affiliate the Data Subject with Company, Provider may respond to the Data Subject, provided Provider will refer the Data Subject to Company if and as Provider becomes aware of Data Subject’s affiliation with Company.  
      3. Notice of a Personal Data Breach.  Provider shall, without undue delay and within the period specified by Applicable Laws, notify Company of any known Personal Data Breach impacting Personal Data processed by Provider in the course of providing Services to Company.
    9. Assistance.  Taking into account the nature of the Processing relating to Provider’s services and the information available to Provider, Provider shall assist Company in meeting Company’s obligations, by having appropriate technical and organizational measures, under:
      1. Article 32 (Security of Processing) of the GDPR to keep data secure;
      2. Article 33 (Notification of personal data breach to the supervisory authority) of the GDPR to notify the Supervisory Authority of a Personal Data Breach;
      3. Article 34 (Communication of a personal data breach to the data subject) of the GDPR to advise Data Subjects when there has been a Personal Data Breach;
      4. Article 35 (Data protection impact assessment) of the GDPR to carry out data protection impact assessments (“DPIA”); and
      5. Article 36 (Prior consultation) of the GDPR to consult with the supervisory authority where Company’s DPIA indicates there is an unmitigated high risk to the Processing.
    10. Personal Data Breach.  In the event of a Personal Data Breach, Provider will promptly investigate such Personal Data Breach and will provide Company with reasonable assistance to satisfy any legal obligations (including obligations to notify data protection authorities or data subjects) of Company in relation to such Personal Data Breach.
    11. Delete and Return of Personal Data.  Anytime upon request, and at the termination or expiration of the DPA, Provider shall promptly (no more than 30 days) return or delete (whichever is requested) all Personal Data Processed on behalf of Company pursuant to this DPA, and confirm compliance with such in writing.  Notwithstanding the foregoing, if Provider is required by Applicable Laws to retain any such Personal Data, Provider may retain Personal Data as required to comply with such Applicable Laws.
  7. Subprocessing
    1. Using a Subprocessor.  Company generally authorizes Provider to engage Subprocessors. Provider shall use good judgement and perform due diligence on any Subprocessor used under this DPA, paying special attention to the Subprocessor’s experience and the suitability of the technical and organizational measures it uses for security.  Where required by Applicable Laws, Provider will promptly notify Company of new Subprocessors.
    2. Requirements of Subprocessing.  Provider shall enter into a written agreement with any Subprocessor that imposes the same obligations imposed under this DPA on Provider to Subprocessor.
    3. Liability for Subprocessor.  Provider is fully liable to Company for:  (i) Subprocessor’s failure to comply with or fulfill its obligations under the DPA or Applicable Laws; and (ii) Subprocessor’s failure to perform the Services.
  8. Data subject rights
    1. Information and Assistance.  Provider shall assist Company, as reasonably requested by Company, in enabling Data Subjects to exercise their rights under Applicable Laws. Taking into account the nature of the Processing and the information available to Provider, Provider shall provide to Company the information and assistance required to fulfill any requests by Data Subject for access, rectification, erasure, restriction of Processing, data portability, objection to Processing, objection to automated-decision making or other rights available to Data Subjects under Applicable Laws.  Company will determine whether or not the Data Subject has the right to exercise the specific demand requested and will give specific instruction to Provider where information and/or assistance is required.
  9. Data Transfer. 
    1. Incorporation of the Standard Contractual Clauses.  The Standard Contractual Clauses (“Clauses”) attached hereto shall apply with regard to the international transfer of Personal Data between the parties.  For the purposes of the descriptions in the Clauses and only as between Company and Provider, Provider agrees that it is a “data importer” and Company is the “data exporter” under the Clauses. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Clauses. Accordingly, if and to the extent the Clauses conflict with any provision of this DPA, the Clauses will prevail.
  10. Miscellaneous.
    1. Governing Law.  This DPA shall be governed by the same law as set forth in the Agreement, except as otherwise required by Applicable Laws. 
    2. Assignment.  The assignment provision in the Agreement shall apply to this DPA as though stated herein.
    3. Change in Law.  In the event of a change in Applicable Laws or in any guidance or interpretation thereof that affects the terms of this DPA, the parties agree to work in good faith to amend this DPA to address any such changes.  Amendments will only be effective upon signed, written agreement of both parties.
    4. Severability.  In the event a court of competent jurisdiction finds any provision of this DPA invalid or unenforceable, such provision will be interpreted to fulfill its intended purpose to the maximum extent permitted by Applicable Law, and if the foregoing is not possible, such provision shall be severed from the Agreement.  All remaining provisions shall continue in full force and effect.
    5. Waiver.  Neither party shall be deemed to have waived any of its rights under this DPA by lapse of time or by any statement or representation other than by an authorized representative in an explicit signed, written waiver.  No waiver of a breach of this DPA by either party will constitute a waiver of any other breach of this DPA.
    6. Counterparts.  This Agreement may be executed in one or more counterparts, each of which will be an original and together all counterparts are a single instrument.
    7. Entire Agreement.  Except as modified by this DPA, the Agreement shall remain in full force and effect.  This DPA and the Agreement contain the entire agreement of the parties regarding the subject matter stated herein, and supersede all prior or contemporaneous negotiations, discussions, understandings or agreements between the parties relating thereto.  The parties agree that any amendment to the DPA must be in writing and signed by the authorized representatives of both parties.  In the event of conflict between this DPA and the Agreement, this DPA shall control with respect to the subject matter herein.