Data Processing and Security Agreement

Salty Dot, Inc. Data Processing and Security Agreement

Last updated as of July 7, 2020

This Data Processing and Security Agreement (the “Agreement”) is made pursuant to and a part of your services agreement and all statements of work, exhibits, schedules or other documents under the services agreement (collectively, the “Master Agreement”) by and between Salty Dot, Inc. and its subsidiaries (collectively, the “Customer”) and the independent contractor identified in the Distributor Agreement (the “Provider”). This Agreement is made effective as of the Effective Date specified in the Master Agreement. If there is any conflict between the terms and conditions of this Agreement and the terms and conditions of the Master Agreement, the terms and conditions of this Agreement control. Any capitalized terms not otherwise defined herein have the meanings set forth in the Master Agreement. All Provider obligations set forth in this Agreement also apply to any agent or subcontractor of Provider. Customer may amend this Agreement from time to time upon written notice to Provider.

  1. Definitions and Interpretation
    1. The following definitions and rules of interpretation apply in this Agreement.
      “Business Purpose” means the services described in the Master Agreement or any other purpose specifically identified in Appendix A.
      “California Personal Information” means Personal Information that is subject to the protection of the CCPA.
      “CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).
      “Consumer,” “Business,” “Sell,” and “Service Provider” have the meanings given to them in the CCPA.
      “Data Subject” means an individual who is the subject of Personal Information.
      “Data Subject Requests” means those requests from Data Subjects to exercise their rights under applicable Privacy and Data Protection Requirements.
      “HIPAA” means the Health Insurance Portability and Accountability Act.
      “PCI DSS” means the Payment Card Industry Data Security Standard.
      “Personal Information” means any information the Provider processes for the Customer that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in the Provider’s possession or control or that the Provider is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.
      “PHI” means health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations and payment of healthcare services.
      “Processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.
      “Privacy and Data Protection Requirements” means all applicable federal and state laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This may include, but is not limited to, the CCPA, Gramm Leach Bliley Act, and PCI DSS.
      “Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.
    2. This Agreement is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this Agreement.
    3. Appendix A forms part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes Appendix A.
    4. A reference to writing or written includes email.
    5. In the case of conflict or ambiguity between:
      1. any provision contained in the body of this Agreement and any provision contained in Appendix A, the provision in the body of this Agreement will prevail;
      2. the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in Appendix A, the provision contained in Appendix A will prevail; and
      3. any of the provisions of this Agreement and the provisions of the Master Agreement, the provisions of this Agreement will prevail.
  2. Personal Information Types and Processing Purposes
    1. The Customer retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.
    2. Appendix A describes the general Personal Information categories and Data Subject types the Provider may process to fulfill the Business Purposes of the Master Agreement.
  3. Provider’s Obligations
    1. The Provider will only process, retain, use, or disclose the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s instructions. The Provider will not process, retain, use, or disclose the Personal Information for any other purpose or in a way that does not comply with this Agreement or the Privacy and Data Protection Requirements. The Provider must promptly notify the Customer if, in its opinion, the Customer’s instruction would not comply with the Privacy and Data Protection Requirements. This includes:
      1. As Provider has access to credit card information, including but not limited to, the credit card number assigned by a card issuer that identifies a cardholder’s account or other personal information, Provider will comply with PCI DSS and the payment card brands’ rules and regulations, including without limitation
        1. Providing data security reports as may be required by the credit card issuer;
        2. Paying any fines and penalties in the event Provider fails to comply with requirements; and
        3. Fully cooperating with, and providing access to, the credit card issuer or credit card brand to conduct a security review of Provider’s policies and procedures.

        Provider will at its own expense undergo a PCI DSS compliance audit on no less than an annual basis and provide the results of such audit to Customer.

      2. As Provider has access to PHI or processes PHI on behalf of Customer, Provider shall enter into a business associate agreement with Customer and Provider will comply with all applicable laws for such information, including HIPAA and the Health Information Technology for Economic and Clinical Health Act.
    2. The Provider must promptly comply with any Customer request or instruction requiring the Provider to amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing.
    3. The Provider will maintain the confidentiality of all Personal Information, will not sell it to anyone, and will not disclose it to third parties unless the Customer or this Agreement specifically authorizes the disclosure, or as required by law. If a law requires the Provider to process or disclose Personal Information, the Provider must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
    4. The Provider will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of the Provider’s processing and the information available to the Provider.
    5. The Provider must promptly notify the Customer of any changes to the Privacy and Data Protection Requirements that may adversely affect the Provider’s performance of the Master Agreement.
    6. The Provider will only collect Personal Information for the Customer using a notice or method that the Customer specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of the Customer’s identity, the purpose or purposes for which their Personal Information will be processed, and any other information that is required by applicable Privacy and Data Protection Requirements. The Provider will not modify or alter the notice in any way without the Customer’s prior written consent.
  4. Provider’s Employees
    1. The Provider will limit Personal Information access to:
      1. those employees who require Personal Information access to meet the Provider’s obligations under this Agreement and the Master Agreement; and
      2. the part or parts of the Personal Information that those employees strictly require for the performance of their duties.
    2. The Provider will ensure that all employees:
      1. are informed of the Personal Information’s confidential nature and use restrictions;
      2. have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and
      3. are aware both of the Provider’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this Agreement.
    3. The Provider will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of the Provider’s employees with access to the Personal Information.
  5. Security
    1. The Provider must always implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage. The Provider must document those measures in writing and periodically review them to ensure they remain current and complete.
    2. The Provider will immediately notify the Customer if it becomes aware of any advance in technology or methods of working that indicates the parties should adjust their security measures.
    3. The Provider must take reasonable precautions to preserve the integrity of any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures.
    4. The Provider shall have a Written Information Security Program (a “WISP”), which shall apply to all of Provider’s employees, contractors, officers, and directors and which shall be updated annually. The WISP must have physical, administrative, and technical safeguards that are at least as good as Customer’s WISP, in the sole discretion of Customer. Provider will provide a copy of the WISP to Customer upon request.
  6. Security Breaches and Personal Information Loss
    1. The Provider will promptly notify the Customer if any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable. The Provider will restore such Personal Information at its own expense.
    2. The Provider will immediately notify the Customer if it becomes aware of:
      1. any unauthorized or unlawful processing of the Personal Information; or
      2. any Security Breach.
    3. Immediately following any unauthorized or unlawful Personal Information processing or Security Breach, the parties will co-ordinate with each other to investigate the matter. The Provider will reasonably co-operate with the Customer in the Customer’s handling of the matter, including:
      1. assisting with any investigation;
      2. providing the Customer with physical access to any facilities and operations affected;
      3. facilitating interviews with the Provider’s employees, former employees and others involved in the matter; and
      4. making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by the Customer.
    4. The Provider will not inform any third party of any Security Breach without first obtaining the Customer’s prior written consent, except when law or regulation requires it.
    5. The Provider agrees that the Customer has the sole right to determine:
      1. whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice; and
      2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
    6. The Provider will cover all reasonable expenses associated with the performance of the obligations under Section 6.2 and Section 6.3, unless the matter arose from the Customer’s specific instructions, negligence, willful default, or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
    7. The Provider will also reimburse the Customer for actual reasonable expenses the Customer incurs when responding to and mitigating damages, to the extent that the Provider caused a Security Breach, including all costs of notice and any remedy as set out in Section 6.5.
  7. Subcontractors
    1. The Provider may only authorize a third party (subcontractor) to process the Personal Information if:
      1. the Customer provides prior written consent after the Provider supplies the Customer with full details regarding such subcontractor;
      2. the Provider enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Agreement and, upon the Customer’s written request, provides the Customer with copies of such contracts;
      3. the Provider maintains control over all Personal Information it entrusts to the subcontractor; and
      4. the subcontractor’s contract terminates automatically on termination of this Agreement for any reason.
    2. The Provider must list all approved subcontractors in Appendix A and include any subcontractor’s name and location and contact information for the person responsible for privacy and data protection compliance.
    3. Where the subcontractor fails to fulfill its obligations under such written agreement, the Provider remains fully liable to the Customer for the subcontractor’s performance of its agreement obligations.
    4. The parties consider the Provider to control any Personal Information controlled by or in the possession of its subcontractors.
    5. Upon the Customer’s written request, the Provider will audit a subcontractor’s compliance with its obligations regarding the Customer’s Personal Information and provide the Customer with the audit results.
  8. Complaints, Data Subject Requests, and Third Party Rights
    1. The Provider must notify the Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either party’s compliance with the Privacy and Data Protection Requirements.
    2. The Provider must notify the Customer within three (3) working days if it receives a Data Subject Request.
    3. The Provider will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject Request.
    4. The Provider must not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Customer’s request or instruction, permitted by this Agreement, or is otherwise required by law.
  9. Term and Termination
    1. This Agreement will remain in full force and effect so long as:
      1. the Master Agreement remains in effect; or
      2. the Provider retains any Personal Information related to the Master Agreement in its possession or control (collectively, the “Term”).
    2. Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Personal Information will remain in full force and effect.
    3. The Provider’s failure to comply with the terms of this Agreement is a material breach of the Master Agreement. In such event, the Customer may terminate the Master Agreement effective immediately upon written notice to the Provider without further liability or obligation.
    4. If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its Master Agreement obligations, the parties will suspend the processing of Personal Information until that processing complies with the new requirements. If the parties are unable to bring the Personal Information processing into compliance with the Privacy and Data Protection Requirement within one (1) month, they may terminate the Master Agreement upon written notice to the other party.
  10. Data Return and Destruction
    1. At the Customer’s request, the Provider will give the Customer a copy of or access to all or part of the Customer’s Personal Information in its possession or control in the format and on the media reasonably specified by the Customer.
    2. On termination of the Master Agreement for any reason or expiration of its term, the Provider will securely destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Information related to this Agreement in its possession or control, except for one copy that it may retain and use for one (1) year for audit purposes only.
    3. If any law, regulation, or government or regulatory body requires the Provider to retain any documents or materials that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. The Provider may only use this retained Personal Information for the required retention reason or audit purposes.
    4. The Provider will certify in writing that it has destroyed the Personal Information within seven (7) days after it completes the destruction.
  11. Records
    1. The Provider will keep detailed, accurate, and up-to-date records regarding any processing of Personal Information it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (collectively, the “Records”).
    2. The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider’s compliance with its obligations under this Agreement.
    3. The Customer and the Provider must review the information listed in Appendix A to this Agreement once a year to confirm its current accuracy and update it when required to reflect current practices.
  12. Audit
    1. The Provider will permit the Customer and its third-party representatives to audit the Provider’s compliance with its Agreement obligations, upon at least seven (7) days’ notice, during the Term and for one (1) year after this Agreement terminates. The Provider will give the Customer and its third-party representatives all necessary assistance to conduct such audits. The assistance may include, but is not limited to:
      1. physical access to, remote electronic access to, and copies of the Records and any other information held at the Provider’s premises or on systems storing Personal Information;
      2. access to and meetings with any of the Provider’s personnel reasonably necessary to provide all explanations and perform the audit effectively; and
      3. inspection of all Records and the infrastructure, electronic data, or systems, facilities, equipment, or application software used to store, process, or transport Personal Information.
    2. The notice requirements in Section 12 will not apply if the Customer reasonably believes that a Security Breach occurred or is occurring, or the Provider is in breach of any of its obligations under this Agreement or any Privacy and Data Protection Requirements.
    3. If a Security Breach occurs or is occurring, or the Provider becomes aware of a breach of any of its obligations under this Agreement or any Privacy and Data Protection Requirements, the Provider will:
      1. promptly conduct its own audit to determine the cause;
      2. produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;
      3. provide the Customer with a copy of the written audit report; and
      4. remedy any deficiencies identified by the audit within three (3) days.
    4. At the Customer’s written request, the Provider will:
      1. conduct an information security audit before it first begins processing any Personal Information and repeat that audit on an annual basis;
      2. produce a written report that includes detailed plans to remedy any security deficiencies identified by the audit;
      3. provide the Customer with a copy of the written audit report; and
      4. remedy any deficiencies identified by the audit within seven (7) days.
  13. Warranties
    1. The Provider warrants and represents that:
      1. it and anyone operating on its behalf will process the Personal Information in compliance with both the terms of this Agreement and all applicable Privacy and Data Protection Requirements and other laws, enactments, regulations, orders, standards, and other similar instruments;
      2. it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the Master Agreement’s contracted services; and
      3. considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information, and ensure a level of security appropriate to:
        1. the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage; and
        2. the nature of the Personal Information protected; and
        3. comply with all applicable Privacy and Data Protection Requirements and its information and security policies, including the security measures required in clause 5.1.
    2. The Customer warrants and represents that the Provider’s expected use of the Personal Information for the Business Purpose and as specifically instructed by the Customer will comply with all Privacy and Data Protection Requirements.
  14. Indemnification
    1. Each party (as the “Indemnifying Party”) agrees to indemnify, keep indemnified, and defend at its own expense the other party (as the “Indemnified Party”) against all costs, claims, damages, or expenses incurred by the Indemnified Party or for which the Indemnified Party may become liable due to any failure by the Indemnifying Party or its employees, subcontractors, or agents to comply with any of its obligations under this Agreement or applicable Privacy and Data Protection Requirements.
    2. Any limitation of liability set forth in the Master Agreement will not apply to this Agreement’s indemnity or reimbursement obligations.
  15. Notice
    1. Any notice or other communication given to a party under or in connection with this Agreement must be delivered by electronic mail to:
      For the Customer:
      Salty Dot, Inc.
      Attn: Adrian Hummel
      Email: adrian.hummel@wearesalty.com
      For the Provider: To the address and the party as set forth in the notice provision in the Master Agreement
    2. Section 15.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
  16. Additional Provisions for California Personal Information
    1. This Section 16 will apply with respect to California Personal Information.
    2. When processing California Personal Information in accordance with Customer’s Instructions, the parties acknowledge and agree that Customer is a Business and Provider is a Service Provider for the purposes of the CCPA.
    3. The parties agree that Provider will process California Personal Information as a Service Provider strictly for the purpose of performing the Business Purposes under the Agreement. The parties agree that Provider shall not:
      1. Sell California Personal Information (as defined in the CCPA), except as otherwise permitted by Customer and the Data Subject;
      2. Retain, use, or disclose California Personal Information for commercial purposes other than for the Business Purpose or as otherwise permitted by the CCPA; or
      3. Retain, use or disclose California Personal Information outside of the direct business relationship between Customer and the Provider.

APPENDIX A

Personal Information Processing Purposes and Details

Business Purposes: Providing Services on behalf of the Customer including providing advertising or marketing services, providing analytic services, providing customer service, processing or fulfilling orders and transactions, and maintaining or servicing accounts.

Personal Information Categories: Provider may receive Personal Information from the Business Purposes, which may include but is not limited to the following categories:

  • Contact Information
  • Health Information
  • Financial Information
  • Credit Information
  • Other sensitive information such as social security numbers

Data Subject Types: Customers and clients of the Customer, Customer’s employees and contractors, Customer’s suppliers and subcontractors, and individuals attempting to communicate with or transfer Personal Information to the Customer or Customer’s vendors.

Approved Subcontractors: None currently. As approved by Customer in a separate writing.