Certain Defined Terms. Capitalized terms used in this DPA but not otherwise defined in this DPA or the Agreement have the following meanings:
“Applicable Law” means all laws, rules, regulations, rulings, decrees, directives, or other requirements of any governmental authority, and all current industry self-regulatory principles that (a) apply to this DPA; (b) relate to the Parties’ rights and obligations in this DPA; or (c) apply to the collection, processing, and storage of Personal Data.
“Data Protection Laws” means all Applicable Laws, self-regulatory rules and guidelines, and your policies relating to or impacting the processing, privacy, or security of Personal Information, including the California Privacy Rights Act of 2020.
“Personal Information” means information processed by Acceptd on behalf of you through the Service that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly to, a natural person. “Personal Information” does not include Usage Data.
“Usage Data” means data and information related to your and your users’ use of the Service through system logging and other tools that automatically collect information on events that occur through use of the Service.
Scope. This DPA only applies to the extent that Acceptd processes Personal Information on behalf of you in the course of providing the Service. This DPA does not apply to the processing of Personal Health Information (as defined in Data Protection Laws). In the event Acceptd processes Personal Health Information on behalf of you, the Parties will enter into a Business Associate Agreement (as defined in Data Protection Laws) that will govern such processing. To the extent Usage Data is considered Personal Information under applicable Data Protection Laws, Acceptd is the “controller” or “business” with respect to such Usage Data.
Compliance with Laws. Each Party shall comply with its obligations under applicable Data Protection Laws. You may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information by Acceptd. If applicable Data Protection Laws related to the processing of Personal Information change, Acceptd may make any necessary amendments to this DPA.
Instructions. Acceptd shall process your Personal Information in accordance with your documented lawful instructions as set forth in this DPA and the Agreement and as otherwise necessary to provide the Service (together “Processing Instructions”). You will ensure that your Processing Instructions comply with Applicable Laws. If, in Acceptd’s opinion, your Processing Instructions violate applicable Data Protection Laws, Acceptd will notify you. Acceptd may, without penalty, refuse further processing of Personal Information under this DPA that it believes to be in violation of any Applicable Law, including any applicable Data Protection Laws.
Use of Personal Information. Acceptd may process Personal Information to provide the Service and as otherwise provided in the Agreement and this DPA. Acceptd shall not:
sell, share (as such terms are defined under applicable Data Protection Laws) or otherwise disclose any Personal Information to any third party other than its duly authorized subcontractors for purposes of performing the Service;
collect, retain, use, or otherwise disclose or process Personal Information, including Personal Information, for any purpose other than as necessary to provide the Service specified in the Agreement or outside of the direct business relationship between Acceptd and you; provided that Acceptd may retain, use and disclose Personal Information obtained during the course of providing Service to retain and employ a Subprocessor (as defined below), for internal purposes to build or improve the quality of its services, to detect data security incidents or protect against fraudulent or illegal activity, or as otherwise permitted by Data Protection Laws; or
combine Personal Information with Personal Information Acceptd receives from, or on behalf of, another person or persons, or which Acceptd collects from its own interactions with an individual, in each case except as expressly agreed by you and permitted by Applicable Laws.
Acceptd certifies that it understands the restrictions in this Section 5 and will comply with them.
Security. Acceptd will implement and maintain appropriate technical and organizational security measures designed to preserve the security and confidentiality of User Content processed through the Service. Acceptd may update its security measures, provided that any updates shall not materially diminish the overall security of Personal Information or the Service.
Subprocessors. You generally authorize Acceptd to engage third parties to assist in the processing of Personal Information on behalf of you (each, a “Subprocessor”), including the Subprocessors listed on Schedule 1 to this DPA. Acceptd shall require that each person processing Personal Information on its behalf be subject to a duty of confidentiality with respect to such Personal Information. If Acceptd engages a Subprocessor, Acceptd shall provide notice to you of that engagement by way of updating Schedule 1. You shall have thirty (30) days to object to such engagement by providing written notice to Acceptd as provided in the Agreement.
Disposition of Personal Information Upon Termination. Upon termination of the Agreement, Acceptd will promptly delete all Personal Information in its custody or control, except for Personal Information retained in Acceptd’s backup files, if any, which will be deleted in the ordinary course of Acceptd’s business in accordance with its standard data retention schedules.
Third Party Communications. Acceptd shall promptly notify you if it receives any communication from a third party (from an individual, a governmental authority or otherwise) which relates to the processing of Personal Information, or to either Party’s compliance with Data Protection Laws, and shall refer such third party to you.
Compliance and Audit.
Acceptd shall provide all information reasonably necessary to demonstrate compliance with this DPA.
Acceptd shall allow you or an auditor appointed by you to, not more than once every twelve (12) months unless required by Applicable Law, carry out audits or other security assessments (“Security Assessment”) relating to the processing of Personal Information by Acceptd. The scope of any Security Assessment shall be mutually agreed by the Parties in advance. You shall be solely responsible for all costs related to any Security Assessment, including all costs incurred by Acceptd in connection with cooperating with such Security Assessment.
Acceptd may, but is not required to, retain a qualified and independent assessor to perform an annual audit of the physical, technical, administrative, and organizational safeguards put in place by Acceptd that relate to the protection of the security, confidentiality, or integrity of Personal Information using an appropriate and industry accepted control standard or framework and assessment procedure, or documentation of certification of compliance with, industry-accepted information security standards (“Third Party Audit”).
You agree to first review any available Third Party Audit prior to conducting any Security Assessment.
Personal Information Breach. Acceptd will notify you without undue delay of any unauthorized access to, or disclosure or acquisition of, Personal Information. Acceptd will provide you with information regarding the extent of data exposure, including the number and identity of affected individuals, if known, and the status of remediation efforts.
Conflict. In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail.
Limitation of Liability. Notwithstanding anything to the contrary in the Agreement or this DPA and to the maximum extent permitted by Applicable Law, each Party’s liability, in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, shall remain subject to the limitations on liability section of the Agreement.
Survival. The obligations placed upon each Party under this DPA will survive so long as Acceptd processes Personal Information on behalf of you.