Data Processing Agreement
This Data Processing Agreement (“DPA”) forms a part of the legal agreement (“Agreement”), as outlined in the Terms of Service (“Terms”), entered into by and between Subscribfy, Inc. (“Subscribfy”) and the user of the Subscribfy Services (“Customer”), collectively the “Parties.” The purpose of the DPA is to ensure such processing is conducted in accordance with applicable Data Protection Laws (defined below).
This DPA is supplemental to the Agreement and sets out the terms that apply when: (i) Personal Data (defined below) is processed by Customer, who acts as Data Controller, under the Agreement; (ii) Subscribfy acts as Data Processor of Customer Account Data; (iii) the Customer wishes to contract the Services as set forth in the Terms, which imply the processing of Personal Data by the Data Processor. Further details of the Processing are set out in Exhibit A to this DPA.
Customer acknowledges that by agreeing to the Terms, they are also agreeing to this DPA. To the extent that there are any conflicting provisions between the Terms and this DPA with regard to the processing of Personal Data, this DPA shall prevail. The effective date of this DPA is the same date that the Customer agreed to the Terms.
Definitions. All capitalized terms not defined in Section 1 of this DPA or otherwise defined in other sections of this DPA, shall have the meanings set forth in the Agreement, GDPR, Subscribfy Privacy Policy, or Terms, as applicable.
“Sub-Processor” means any person appointed by or on behalf of Data Processor to process Customer Personal Data on behalf of the Customer in connection with the DPA.
“Customer Account Data” means all data (including Personal Data) that relates to Customer’s relationship with Subscribfy. Customer Account Data includes any data Subscribfy may need to collect for the purpose of managing its relationship with Customer, or as otherwise required by applicable laws and regulations.
“Data Exporter” means Customer.
“Data Importer” means Subscribfy.
“Data Protection Laws” means all data protection legislation and regulations applicable to the processing of the Customer’s Personal Data under this DPA and the Terms, including supplementing national legislation, in each case as updated, amended, repealed, consolidated, or replaced from time to time. The terms “processing,” “processor,” “controller,” and “supervisory authority” shall have the meanings set forth under applicable Data Protection Laws.
“Data Subject” means an individual that is protected under any applicable Data Protection Law.
“DPA” means this Data Processing Agreement and all Exhibits.
“EU SCCs” or “Standard Contractual Clauses” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of Personal Data to countries not otherwise recognized as offering an adequate level of protection for Personal Data by the European Commission (as amended and updated from time to time).
“ex-EEA Transfer” means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Controller to the Data Processor (or its premises) outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
1.10. “ex-UK Transfer” means the transfer of Personal Data, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Controller to the Data Processor (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
1.11. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and all supplementing legislation, in each case as may be amended, repealed, consolidated, or replaced from time to time.
1.12. “Personal Data” or any such variation of the term (such as “Personal Information” or “Personally Identifiable Information”) shall have the meaning set forth under applicable Data Protection Laws.
1.13. “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Account Data, stored or otherwise processed by Subscribfy.
1.14. “Terms” means the terms of service entered into between Subscribfy and Customer, which are available here.
Processing of Customer Account Data
Subscribfy shall not process Personal Data (i) for purposes other than those set forth in the Agreement, (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Customer, or (iii) in violation of Data Protection Laws. Customer hereby instructs Subscribfy to process Personal Data in accordance with the foregoing and as part of any processing initiated by Customer in its use of the Services.
Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Protection Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause Subscribfy to be in breach of the Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Subscribfy by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Subscribfy regarding the processing of such Personal Data. Customer shall not provide or make available to Subscribfy any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services and shall indemnify Subscribfy from all claims and losses in connection therewith.
The Parties agree that the details of the data processing subject to this DPA are outlined in Exhibit A.
CCPA. The Parties acknowledge that their relationship under the CCPA is governed by the CCPA Addendum to this DPA, listed in Exhibit D.
Deletion or Return of Customer Account Data
Following completion of the Services, at Customer’s choice, Subscribfy shall securely delete Customer Account Data (including Content), unless further storage of such Customer Account Data is required or authorized by applicable Data Protection Laws. If return or destruction is impracticable or prohibited by law, rule, or regulation, Subscribfy shall take measures to block such Customer Account Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule, or regulation) and shall continue to appropriately preserve the confidentiality of the Customer Account Data remaining in its possession, custody, or control. By agreeing to this DPA, Customer authorizes Subscribfy, in accordance with this agreement, to delete information when not reasonably needed for Subscribfy’s Services.
Data Processor Personnel and Confidentiality.
Subscribfy shall take commercially reasonable steps to ensure that: (i) persons employed by Subscribfy; and (ii) other persons engaged at Subscribfy’s place of business who may have access to the Customer Account Data (including Content), are aware of and comply with the terms set forth in this DPA, ensuring in each case that access is limited to those individuals who need to know or access the relevant Customer Account Data, as necessary for the purposes of the Terms.
Security of Customer Account Data; Security Incidents.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Subscribfy shall maintain reasonable technical and organizational security measures to ensure a level of security appropriate to the risk of processing Personal Data. Exhibit C sets forth additional information about Subscribfy’s technical and organizational security measures.
Subscribfy shall notify Customer without undue delay upon becoming aware of a Security Incident affecting Customer Account Data and will provide Customer with sufficient information to allow the Customer to meet any obligations to notify, report, or inform Data Subjects and Supervisory Authorities of the Security Incident under the Data Protection Laws.
Subscribfy shall cooperate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Security Incident. The obligations described in 5.1 and 5.2 do not apply to Security Incidents experienced by Customer, nor does compliance with such obligations acknowledge liability on the part of Subscribfy.
Sub-Processing of Customer Account Data.
Customer acknowledges and agrees that Subscribfy may (1) engage or delegate Sub-Processors on the List (defined below) to access and process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data. For purposes of this Section, Customer consents to Subscribfy engaging Sub-Processors reasonably required to assist Subscribfy for the purposes of providing the Services.
Subscribfy maintains and provides Customer with a list of Sub-Processors (the “List”) which can be found here. Subscribfy will inform the Data Controller of changes in Sub-Processors in accordance with the procedure for modifying the Terms as described in Section 9(i) therein. Customer may object to the modification of Sub-Processors used by Subscribfy by contacting Subscribfy at support@subscribfy.com. However, Customer acknowledges that certain Sub-Processors are essential to providing the Services and that objecting to the use of a Sub-Processor may prevent Subscribfy from offering the Services to Customer.
When Subscribfy does engage Sub-Processors, it will enter into a written agreement with such Sub-Processor imposing on the Sub-Processor data protection obligations comparable to those imposed on Subscribfy under this DPA, with respect to the protection of Customer Account Data. In case a Sub-Processor fails to fulfill its data protection obligations under such written agreement with Subscribfy, Subscribfy will remain liable to Customer for the performance of the Sub-Processor’s obligations under such agreement.
If Customer and Subscribfy have entered into Standard Contractual Clauses as described in Section 7 (Transfers of Personal Data), (i) the above authorizations will constitute Customer’s prior written consent to the subcontracting by Subscribfy of the processing of Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the Parties agree that the copies of the agreements with Sub-Processors that must be provided by Subscribfy to Customer pursuant to Clause 9(c) of the EU SCCs or the UK International Data Transfer Agreement (“IDTA”) or UK Addendum (as applicable) may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Subscribfy beforehand, and that such copies will be provided by Subscribfy only upon request by Customer.
Transfers of Personal Data
The Parties agree that Subscribfy may transfer Personal Data processed under this DPA outside the EEA, the UK, or Switzerland as necessary to provide the Services. Customer acknowledges that Subscribfy’s primary processing operations take place in the United States, and that the transfer of Customer Account Data to the United States is necessary for the provision of the Services to Customer. If Subscribfy transfers Personal Data protected under this DPA to a jurisdiction for which the European Commission has not issued an adequacy decision, Subscribfy will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.
Ex-EEA Transfers. The Parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
Module Two (Controller to Processor) of the EU SCCs applies when Customer is a controller and Subscribfy is processing Personal Data for Customer as a processor pursuant to Section 2 of this DPA.
Module Three (Processor to Sub-Processor) of the EU SCCs applies when Customer is a processor and Subscribfy is processing Personal Data on behalf of Customer as a Sub-Processor.
For each module, where applicable the following applies:
The optional docking clause in Clause 7 does not apply.
In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Sub-Processor changes shall be as set forth in Section 6.2 of this DPA;
In Clause 11, the optional language does not apply;
All square brackets in Clause 13 are hereby removed;
In Clause 17 (Option 1), the EU SCCs will be governed by Irish law;
In Clause 18(b), disputes will be resolved before the courts of Ireland;
Exhibit B to this DPA contains the information required in Annex I of the EU SCCs;
Exhibit C to this DPA contains the information required in Annex II of the EU SCCs; and
By entering into this DPA, the Parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.
Ex-UK Transfers. The Parties agree that ex-UK Transfers are made pursuant to the provisions set forth in this section, whichever apply.
Data Exports from the United Kingdom under the International Data Transfer Agreement. For ex-UK Transfers, the Mandatory Clauses of the Approved IDTA (“Mandatory Clauses”), being the template IDTA A.1.0 issued by the UK Information Commissioner’s Office (“ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4 of those Mandatory Clauses shall apply.
The information required for Table 1 of Part One of the IDTA is set out in Exhibit B of this DPA and below.
The start date of the IDTA is the effective date of this DPA.
The Data Exporter’s full legal name, trading name, official registration number, address, and key contact person details will be as entered in relation to the Agreement.
By entering into the Agreement, the Parties agree to be bound by the IDTA, as applicable.
The information required for Table 2 of Part One of the IDTA is set out in Exhibits A and B of this DPA and below.
The Data Importer (processor or sub-processor) and Data Exporter (controller or processor) are known as the “Parties.”
The law of England and Wales governs the IDTA.
England and Wales are the primary place for legal claims to be made by the Parties.
The UK GDPR applies to the Data Importer’s processing of the transferred data.
The Data Importer may process the transferred data for the period for which the DPA is in force.
The Parties can end the IDTA before the end of the term of the IDTA by serving three months’ written notice in accordance with the Mandatory Clauses set forth in Part 4 of the IDTA.
The Data Importer may end the IDTA when the IDTA changes, in accordance with the Mandatory Clauses set forth in Part 4 of the IDTA.
The Data Importer may transfer on the transferred data to another organisation or person (who is a different legal entity) under the Mandatory Clauses set forth in Part 4 of the IDTA. There are no specific restrictions on when the Data Importer may forward the transferred data.
The Parties must review the security requirements (as set forth in Section 7.4.1(iv) below) each time there is a change to the transferred data, purposes, Data Importer information, transfer risk assessment (TRA), or risk assessment.
The information required for Table 3 of Part One of the IDTA is set out in Exhibits A and B of this DPA and below.
The categories of transferred data, categories of special category and criminal records data, and the categories of Data Subjects will update automatically if the information is updated in the DPA.
The Data Importer may process the transferred data for the purposes set out in Exhibits A and B of this DPA. The purposes will update automatically if the information is updated in the DPA.
The information required for Table 4 of Part One of the IDTA is set out in Exhibit C of this DPA. The security requirements will update automatically if the information is updated in the DPA.
Data Exports from the United Kingdom under the Standard Contractual Clauses. For ex-UK Transfers where the EU SCCs also apply, the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses ("Approved Addendum") shall apply. The information required for Tables 1 and 3 of Part One of the Approved Addendum is set out in Exhibits B and C of this DPA, as well as below. The information required for Table 2 of Part One of the Approved Addendum is set out in Sections 7.2 and 7.3 of this DPA. For the purposes of Table 4 of Part One of the Approved Addendum, the Data Importer may end the Approved Addendum when it changes.
The start date of the Approved Addendum is the effective date of this DPA.
By entering into the Agreement, the Parties agree to be bound by the Approved Addendum, as applicable.
Transfers from Switzerland. The Parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.
The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.
Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed.
The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.
Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:
As of the date of this DPA, Subscribfy has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported, for access to (or for copies of) Customer Account Data (“Government Agency Requests”);
If, after the date of this DPA, Subscribfy receives any Government Agency Requests, Subscribfy shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, Subscribfy may provide Customer’s basic contact information to the government agency. If compelled to disclose Customer Account Data to a law enforcement or government agency, Subscribfy shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy unless Subscribfy is legally prohibited from doing so. Subscribfy shall not voluntarily disclose Customer Account Data to any law enforcement or government agency. The Parties shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this DPA should be suspended in the light of such Government Agency Requests; and
The Parties will meet as needed to consider whether:
the protection afforded by the laws of the country of Subscribfy (Data Importer) to Data Subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be;
additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Laws; and
it is still appropriate for Personal Data to be transferred to Subscribfy (Data Importer), taking into account all relevant information available to the Parties, together with guidance provided by the supervisory authorities.
Data Subject Rights.
Taking into account the nature of the Processing, Subscribfy shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
Subscribfy has provided Customer with the tools necessary to correct, amend, or delete inaccurate data, and Customer may use these tools to comply with Data Subject requests related to the right to correct, amend, or delete inaccurate data.
Subscribfy shall:
promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect to Customer Account Data.
advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to Subscribfy, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject.
ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws to which Customer is subject, in which case Subscribfy shall to the extent permitted by applicable laws inform Customer of that legal requirement before Subscribfy responds to the request.
Actions and Access Requests; Audits.
Subscribfy shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA.
Upon Customer’s written request at reasonable intervals (no more than every 12 months), and subject to reasonable confidentiality controls, Subscribfy shall, either (i) make available for Customer’s review copies of certifications or reports demonstrating Subscribfy’s compliance with prevailing data security standards applicable to the processing of Customer’s Personal Data, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under Data Protection Laws, allow Customer’s independent third party representative to conduct an audit or inspection of Subscribfy’s data security infrastructure and procedures that is sufficient to demonstrate Subscribfy’s compliance with its obligations under Data Protection Laws, provided that (a) Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Subscribfy’s business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Subscribfy for any time expended for on-site audits. The scope of such an audit will be agreed in advance and shall not involve physical access to the servers on which Customer Content and Personal Data is hosted.
Subscribfy shall, taking into account the nature of the processing and the information available to Subscribfy, provide Customer with reasonable cooperation and assistance where necessary for Customer to:
Comply with its obligations under Data Protection Laws to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Customer does not otherwise have access to the relevant information.
Cooperate and/or consult with any supervisory authority where necessary and where required by Data Protection Laws.
Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance provided by Subscribfy as described in 9.3.1 and 9.3.2.
Exhibit A
Details of Processing
Nature and Purpose of Processing: Subscribfy will process Customer Account Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer’s instructions as set forth in this DPA.
Duration of Processing: Subscribfy will process Customer Account Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for Subscribfy’s legitimate business needs; or (iii) by applicable law or regulation. Customer Account Data will be processed and stored as set forth in Subscribfy’s Privacy Policy.
Categories of Data Subjects: Customer may submit Personal Data to Subscribfy for the provision of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
Individuals who enter into commercial relationships with Customer (i.e., the customers of Customer).
Other individuals whose Personal Data Customer processes through the Services.
Categories of Personal Data: Customer may submit Customer Account Data, which includes Personal Data, to Subscribfy for the provision of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
Name
Email address
Shipping address
Billing address
IP address
Telephone number
Payment information
Purchase history
Cookies
Sensitive Data or Special Categories of Data: No sensitive personal data from any user will be processed under this arrangement.
Exhibit B
The following includes, among other things, the information required by Annex I and Annex III of the EU SCCs, as well as the UK IDTA and UK Addendum (collectively, for purposes of Exhibit B, the “Clauses”).
The Parties
Data Exporter(s): [Identity and contact details of the data controller(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Full legal name: [__________]
Trading name (if different): [__________]
Official registration number (if any) (company number or similar identifier): [__________]
Address: [__________]
Key contact’s name, job title, and contact details (including email): [__________]
Activities relevant to the data transferred under these Clauses: As described in Section 2 of the DPA.
Signature and date: mm/dd/yyyy
Role (controller/processor): Controller
Data Importer(s): [Identity and contact details of the data processor(s), including any contact person with responsibility for data protection]
Full legal name: Subscribfy, Inc.
Trading name (if different): [__________]
Official registration number (if any) (company number or similar identifier): 92-2803110
Address: 401 Broadway, 12th Fl. New York, NY 10013
Key contact’s name, job title, and contact details (including email): [__________]
Data Importer data subject contact’s job title and contact details (including email): [__________]
Activities relevant to the data transferred under these Clauses: As described in Section 2 of the DPA.
Signature and date: 06/21/2023
Role (controller/processor): Processor
Description of the Transfer
Data Subjects | The Data Exporter may submit Personal Data to the Data Importer through its software, services, systems, products, and/or technologies, the extent of which is determined and controlled by the Data Exporter in compliance with applicable Data Protection Laws and regulations, and which may include but is not limited to Personal Data relating to the following categories of Data Subjects: |
Categories of Personal Data | The Personal Data transferred concern the following categories of data: |
Special Category Personal Data (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved | N/A |
Nature of the Processing | Data is processed in order to provide the Services as described in the Terms and in accordance with the Terms, including in this DPA, the Privacy Policy, and these Clauses. |
Purposes of Processing | To fulfill each party’s obligations under the Agreement. |
Duration of Processing and Retention (or the criteria to determine such period) | During the term of the Agreement. |
Frequency of the transfer | During the term of the Agreement on a periodic basis throughout the day and/or at the discretion of Customer. |
Recipients of Personal Data Transferred to the Data Importer | Subscribfy provided Customer with a list which outlines Subscribfy’s Sub-Processors in the DPA. Subscribfy’s relationship with Sub-Processors is described in Section 6 of the DPA. |
Competent Supervisory Authority
The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13.
Exhibit C
Description of the Technical and Organizational Security Measures implemented by the Data Importer
“Technical and organizational security measures” means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Subscribfy will maintain appropriate physical, administrative, technical, and organizational measures and safeguards for protection of the security, confidentiality, and integrity of the Data Exporter’s Personal Data. More information on Subscribfy’s technical and organizational measures can be found in the Privacy Policy and the Data Processing Agreement. Subscribfy will not materially decrease the overall security of the Services.
The following includes the information required by Annex II of the EU SCCs, as well as the UK IDTA and UK Addendum.
Technical and Organizational Security Measure | Details |
Measures of pseudonymization and encryption of Personal Data | |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | To ensure ongoing security and reliability of data processing systems and services, Subscribfy employs the following measures: 4 Resilience: |
Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident | To restore availability and access to personal data promptly after incidents, Subscribfy takes the following measures: |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | |
Measures for user identification and authorization | To ensure secure access to systems, Subscribfy employs the following measures for user identification and authorization: |
Measures for the protection of data during transmission | To protect data during transmission, Subscribfy implements the following measures: |
Measures for the protection of data during storage | To protect data during storage, Subscribfy implements the following measures: |
Measures for ensuring physical security of locations at which Personal Data are processed | To ensure physical security at data processing locations, Subscribfy implements these measures: |
Measures for ensuring events logging | |
Measures for ensuring system configuration, including default configuration | |
Measures for internal IT and IT security governance and management | |
Measures for certification / assurance of processes and product | |
Measures for ensuring data minimization | |
Measures for ensuring data quality | |
Measures for ensuring limited data retention | |
Measures for ensuring accountability | |
Measures for allowing data portability and ensuring erasure | |
Technical and organizational measures of Sub-Processors | |
Exhibit D
CCPA Addendum
This California Consumer Privacy Act Addendum ("CCPA Addendum") is incorporated as part of the DPA and sets out the terms that apply when Personal Data is processed by Subscribfy under the DPA. The purpose of the CCPA Addendum is to ensure such processing is conducted in accordance with the California Consumer Privacy Act and the California Privacy Rights Act (collectively, the “CCPA”).
Definitions. Any capitalized term in this Addendum that is not otherwise defined in the DPA shall have the meaning given to that term in the CCPA.
Representations and Warranties
Subscribfy represents and warrants that it is a Service Provider or Contractor for the purposes of the services it provides to Customer pursuant to the DPA and the Agreement.
Subscribfy Processing of Customer Account Data (including Personal Data)
Subscribfy shall process Personal Data it receives pursuant to the Agreement only for the limited and specified purposes of providing the agreed upon services to Customer (as outlined in Exhibit A) and is prohibited from using Personal Data for any other purpose.
Subscribfy shall comply with all applicable sections of the CCPA, including by providing the same level of protection to Personal Data as required by Customer under the law.
Subscribfy agrees that Customer has the right to take reasonable and appropriate steps to ensure that Subscribfy uses Personal Data that it receives from or processes on behalf of Customer in a manner consistent with Customer’s obligations under the CCPA.
Subscribfy agrees that Customer has the right to take reasonable and appropriate steps to stop and remediate Subscribfy’s unauthorized use of Personal Data.
Subscribfy shall notify Customer as soon as possible after Subscribfy determines that it can no longer meet its obligations under the CCPA.
If Subscribfy engages Sub-Processors in relation to providing services to Customer pursuant to the Agreement, Subscribfy shall have a contract with the Sub-Processor that complies with the CCPA and has the same restrictions on the processing of Personal Data as outlined in this Addendum.
Restrictions on Subscribfy’s Use of Personal Data
Subscribfy shall not Sell or Share Personal Data it receives from or processes on behalf of Customer, for purposes outside of those outlined in the DPA and exhibits incorporated by reference in the DPA.
Subscribfy shall not retain, use, or disclose Personal Data it receives from or processes on behalf of Customer for any purpose (including any Commercial Purpose) other than for the purposes specified in the Agreement, DPA, and except as otherwise permitted by the CCPA.
Subscribfy shall not retain, use, or disclose Personal Data it receives from or processes on behalf of Customer outside of the direct business relationship between Subscribfy and Customer, except as otherwise permitted under the CCPA.
Subscribfy shall not combine the Personal Data it receives from or processes on behalf of Customer with Personal Data it receives from or on behalf of another person or which it collects from its own interaction with another individual, provided that Subscribfy may combine Personal Data to perform any Business Purpose, such as to analyze how users interact with Services, or as otherwise permitted under the CCPA.
Consumer Requests
Customer agrees to: (i) inform Subscribfy of any consumer request made pursuant to the CCPA that they must assist Customer to comply with and (ii) provide the information necessary for Subscribfy to comply with the request.