This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Agreement between Tremendous and Client (together, the “Parties”). This DPA sets forth Client’s instructions for the processing of Personal Data in connection with the services provided pursuant to the Agreement (the “Services”) and the rights and obligations of both Parties. Except as expressly set forth in this DPA, the Agreement shall remain unmodified and in full force and effect. In the event of any conflicts between this DPA and the Agreement, this DPA will govern to the extent of the conflict.
Definitions. For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms used but not defined in this DPA shall have the meanings given in the Agreement. All other terms in this DPA not otherwise defined in the Agreement shall have the corresponding meanings given to them in applicable Privacy Laws.
“EU/UK Privacy Laws” means, as applicable: (a) the General Data Protection Regulation 2016/679 (the “GDPR”); (b) the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data Protection Act 2018, the UK General Data Protection Regulation as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, and the Privacy and Electronic Communications Regulations 2003; and (d) any relevant law, regulation, directive, order, rule, regulation or other binding instrument which implements any of the above, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
“Personal Data” means any information Tremendous processes on behalf of Client to provide the Services that is defined as “personal data” or “personal information” under any applicable Privacy Law.
“Privacy Laws” means, as applicable, EU/UK Privacy Laws, US Privacy Laws and any similar law of any other jurisdiction which relates to data protection, privacy or the use of Personal Data, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
“Processor to Processor Clauses” means the standard contractual clauses for the transfer of personal data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor).
“Third Country” means, in relation to Personal Data transfers subject to the GDPR, any country or territory outside of the scope of the data protection laws of the European Economic Area, excluding countries or territories approved as providing adequate protection for Personal Data by the European Commission from time to time.
“US Privacy Laws” means, as applicable, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Iowa Consumer Data Protection Act, the Montana Consumer Data Protection Act, the Utah Consumer Privacy Act and the Virginia Consumer Data Protection Act.
Roles of the Parties. The Parties acknowledge that for purposes of applicable Privacy Laws, Client is the “service recipient,” “controller,” “business,” or any similar term provided under applicable Privacy Laws, and Tremendous is the “service provider,” “processor,” “contractor,” or any similar term provided under applicable Privacy Laws.
Details of Processing. The Parties agree that the following details of processing describe Tremendous’ processing of Personal Data pursuant to the Services:
Client Obligations. Client shall comply with all applicable Privacy Laws in providing Personal Data to Tremendous in connection with the Services. Client represents and warrants that: (a) the Privacy Laws applicable to Client do not prevent Tremendous from fulfilling the instructions received from Client and performing Tremendous’ obligations under this DPA; (b) all Personal Data was collected and at all times processed and maintained by or on behalf of Client in compliance with all applicable Privacy Laws, including with respect to any obligations to provide notice to and/or obtain consent from individuals; and (c) Client has a lawful basis for disclosing the Personal Data to Tremendous and enabling Tremendous to process the Personal Data as set out in this DPA. Client shall notify Tremendous without undue delay if Client makes a determination that the processing of Personal Data under the Agreement does not or will not comply with applicable Privacy Laws, in which case, Tremendous shall not be required to continue processing such Personal Data.
Processing of Personal Data. Tremendous shall only process Personal Data under the Agreement for the limited and specific purpose described in Section 3 or as otherwise permitted by Privacy Laws. Tremendous shall comply with applicable sections of Privacy Laws, provide the same level of privacy protection as is required by applicable Privacy Laws and promptly notify Client if Tremendous makes a determination that it can no longer meet its obligations under such Privacy Laws. Upon reasonable written notice that Client reasonably believes Tremendous is using Personal Data in violation of applicable Privacy Laws or this DPA, Client shall have the right to take reasonable and appropriate steps to help ensure that Tremendous uses the Personal Data in a manner consistent with Client’s obligations under applicable Privacy Laws and stop and remediate any unauthorized use of the Personal Data. Tremendous shall require that each employee or other person processing Personal Data is subject to a duty of confidentiality with respect to such Personal Data.
De-Identified Data. Tremendous may aggregate, anonymize, or de-identify Personal Data and process such data for its own purposes and in compliance with applicable law. To the extent Tremendous receives de-identified data from Client under the Agreement, Tremendous shall: (i) take commercially reasonable measures to ensure that the data cannot be associated with an identified or identifiable individual; (ii) maintain and use the data only in a de-identified fashion; and (iii) not attempt to re-identify the data.
Prohibitions. Tremendous agrees that it shall not, unless otherwise permitted by applicable Privacy Laws:
Use of Subcontractors. Tremendous shall only engage subcontractors to process Personal Data on its behalf after providing Client with an opportunity to object and pursuant to a written contract that requires the subcontractor to materially comply with Tremendous’ obligations with respect to the Personal Data. In the event Tremendous engages a subcontractor to carry out specific processing activities on behalf of Client pursuant to EU/UK Privacy Laws, where that subcontractor fails to fulfil its obligations, Tremendous shall remain fully liable under applicable EU/UK Privacy Laws to Client for the performance of that subcontractor’s obligations. At Tremendous’ choice, Tremendous may notify Client of new subcontractors by adding the subcontractor to a list of subcontractors maintained on Tremendous’ public-facing website. Following the addition of a new subcontractor to such list, Client shall have ten days to object to Tremendous’ use of such subcontractor.
Assistance. Taking into account the nature of the processing, Tremendous shall reasonably assist Client through appropriate technical and organizational measures in:
Security Measures. The Parties shall, taking into account the context of the processing, implement appropriate technical and organizational measures designed to provide a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement such measures. Tremendous shall notify Client of any actual breach in security that results in the destruction, loss, alteration, disclosure of, or access to, Personal Data.
Access and Audits. Upon reasonable request of Client, Tremendous shall make available to Client all information in its possession necessary to demonstrate Tremendous’ compliance with its obligations under applicable Privacy Laws. Tremendous shall allow and cooperate with reasonable assessments by Client or Client’s designated auditor, at Client’s expense, of Tremendous’ compliance with its obligations under this DPA and applicable Privacy Laws. Client shall be permitted to conduct such an assessment no more than once every twelve (12) months, upon thirty (30) days’ advance written notice to Tremendous, and only after the Parties come to agreement on the scope of the audit. As an alternative to an audit performed by or at the direction of Client, Tremendous may arrange for a qualified and independent auditor to conduct, at Tremendous’ expense, an assessment of Tremendous’ policies and technical and organizational measures in support of its obligations under applicable Privacy Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments, and will provide a summary of such assessment to Client upon reasonable request. Notwithstanding the foregoing, in no event shall Tremendous be required to give Client access to information, facilities, or systems to the extent doing so would cause Tremendous to be in violation of confidentiality obligations owed to other customers or its legal obligations.
Deletion of Personal Data. At Client’s written direction, Tremendous shall delete or return all Personal Data to Client as requested at the end of the provision of the Services, unless retention of the Personal Data is required by law.
Data Transfers. To the extent EU/UK Privacy Laws apply to the processing of Personal Data, Client acknowledges and agrees that Tremendous may appoint an affiliate or third-party subcontractor to process the Personal Data in a Third Country, in which case, Tremendous shall execute the Processor to Processor Clauses with any relevant subcontractor (including affiliates) it appoints on behalf of Client.