U.S. STATE PRIVACY LAW DATA PROCESSING ADDENDUM (11.07.2023)
Pursuant to the written agreement between Flip GmbH, on behalf of itself and its affiliates (“Company”), and [Vendor, Inc.] (“Vendor”) (each a “Party” and collectively the “Parties”) titled General Terms and Conditions (“the Main Agreement” or “Agreement”), the Parties hereby adopt this U.S. State Privacy Law Data Processing Addendum (“U.S. State DPA”) for so long as Vendor processes Personal Data on behalf of Company. This U.S. State DPA prevails over any conflicting terms of the Agreement.
1. Definitions. For the purposes of this U.S. State DPA:
1.1. “State Privacy Laws” means, collectively, all U.S. state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals’ Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health or biometric information). State Privacy Laws include the following:
1.1.1. California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (California Civil Code §§ 1798.100 to 1798.199) (“CPRA”);
1.1.2. Colorado Privacy Act (Colorado Rev. Stat. §§ 6-1-1301 to 6-1-1313) (“ColoPA”);
1.1.3. Connecticut Personal Data Privacy and Online Monitoring Act (Public Act No. 22-15) (“CPOMA”);
1.1.4. Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 to 13-61-404) (“UCPA”); and
1.1.5. Virginia Consumer Data Protection Act (Virginia Code Ann. §§ 59.1-575 to 59.1-585) (“VCDPA”).
1.2. “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person. Where applicable, Personal Data shall be interpreted consistent with the same or similar term under State Privacy Laws.
1.3. “Share,” “Shared,” and “Sharing” have the meaning defined in the CPRA.
1.4. “Sale” and “Selling” have the meaning defined in the State Privacy Laws.
1.5. “Controller” means “Controller” or “Business” as those terms are defined in the State Privacy Laws.
1.6. “Processor” means “Processor,” “Service Provider,” or “Contractor” as those terms are defined in the State Privacy Laws.
1.7. “Consumer” has the meaning defined in the State Privacy Laws.
1.8. “Processing,” “Process,” and “Processed” have the meaning defined in the State Privacy Laws.
1.9. “Company Personal Data” means Personal Data provided by Company to, or which is collected on behalf of Company by, Vendor to provide services to Company pursuant to the Agreement.
1.10. In the event of a conflict in the meanings of defined terms in the State Privacy Laws, the meaning from the law applicable to the state of residence of the relevant Consumer applies.
2. Scope, Roles, and Termination
2.1. Applicability - This U.S. State DPA applies only to Vendor’s Processing of Company Personal Data for the nature, purposes, and duration set forth in Annex A.
2.2. Roles of the Parties - For the purposes of the Agreement and this U.S. State DPA, Company is the Party responsible for determining the purposes and means of Processing Company Personal Data as the Controller and appoints Vendor as a Processor to Process Company Personal Data on behalf of Company for the limited and specific purposes set forth in Annex A.
2.3. Obligations at Termination - Upon termination of the Agreement, except as set forth therein or herein, Vendor will discontinue Processing and destroy or return Company Personal Data in its or its subcontractors’ and sub-processors’ possession without undue delay. Vendor may retain Company Personal Data to the extent required by law, but only to the extent and for such period as required by such law, and always provided that Vendor shall ensure the confidentiality of all such Company Personal Data.
3.1. Compliance with Obligations - In addition to the representations and warranties set forth in the Agreement, Vendor further represents and warrants that Vendor, its employees, agents, subcontractors, and sub-processors (a) shall comply with the obligations of the State Privacy Laws, (b) shall provide the level of privacy protection required by the State Privacy Laws, (c) shall provide Company with all reasonably-requested assistance to enable Company to fulfill its own obligations under the State Privacy Laws, and (d) understand and shall comply with this U.S. State DPA. Upon the reasonable request of Company, Vendor shall make available to Company all information in Vendor’s possession necessary to demonstrate Vendor’s compliance with this subsection.
3.2. Compliance Assurance - Company has the right to take reasonable and appropriate steps to ensure that Vendor uses Company Personal Data consistent with Company’s obligations under applicable State Privacy Laws and the Data Security Addendum attached hereto at Annex B and incorporated herein.
3.3. Compliance Monitoring - Company has the right to monitor Vendor’s compliance with this U.S. State DPA through measures including, but not limited to, ongoing manual reviews, automated scans, regular assessments, audits, or other technical and operational testing at least once every 12 months, provided that any such audit will not unreasonably interfere with the normal conduct of Vendor’s business. Unless the audit reveals a breach by Vendor of this U.S. State DPA or applicable State Privacy Laws, Company shall bear the costs of the audit.
3.4. Compliance Remediation - Vendor shall notify Company no later than five business days after determining that it can no longer meet its obligations under applicable State Privacy Laws. Upon receiving notice from Vendor in accordance with this subsection, Company may direct Vendor to take reasonable steps to remediate unauthorized use of Company Personal Data.
4. Restrictions on Processing
4.1. Limitations on Processing - Vendor will Process Company Personal Data solely as instructed in the Agreement and this U.S. State DPA. Except as expressly permitted by the State Privacy Laws, Vendor is prohibited from (i) Selling or Sharing Company Personal Data, (ii) retaining, using, or disclosing Company Personal Data for any purpose other than for the specific purpose of performing the Services specified in Annex A, (iii) retaining, using, or disclosing Company Personal Data outside of the direct business relationship between the Parties, and (iv) combining Company Personal Data with Personal Data obtained from, or on behalf of, sources other than Company.
4.2. Confidentiality - Vendor shall ensure that its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to Company Personal Data.
4.3. Subcontractors; Sub-processors - Vendor’s current subcontractors and sub-processors are [set forth in Annex C]. Vendor shall notify Company of any intended changes concerning the addition or replacement of subcontractors or sub-processors. Further, Vendor shall ensure that Vendor’s subcontractors or sub-processors who Process Company Personal Data on Vendor’s behalf agree in writing to the same or equivalent restrictions and requirements that apply to Vendor in this U.S. State DPA and the Agreement with respect to Company Personal Data, as well as to comply with the applicable State Privacy Laws.
4.4. Right to Object - Company may object in writing to Vendor’s appointment of a new subcontractor or sub-processor in addition to those pre-approved subcontractors and sub-processors on limited reasonable grounds by notifying Vendor in writing within 30 calendar days of receipt of notice in accordance with Section 4.3. In the event Company objects, the Parties shall discuss Company’s concerns in good faith with a view to achieving a commercially reasonable resolution.
5. Consumer Rights
5.1. Vendor shall provide commercially reasonable assistance to Company for the fulfillment of Company’s obligations to respond to State Privacy Law-related Consumer rights requests regarding Company Personal Data.
5.2. Company shall inform Vendor of any Consumer request made pursuant to the State Privacy Laws with which Vendor must comply. Company shall provide Vendor with the information necessary for Vendor to comply with the request.
5.3. Vendor shall not be required to delete any Company Personal Data to comply with a Consumer’s request directed by Company if retaining such information is specifically permitted by applicable State Privacy Laws; provided, however, that in such case, Vendor will promptly inform Company of the exceptions relied upon under applicable State Privacy Laws and Vendor shall not use Company Personal Data retained for any purpose other than provided for by that exception.
6. Deletion of Company Personal Data
6.1. Upon direction by Company, and in any event no later than 30 days after receipt of a request from Company, Vendor shall promptly delete Company Personal Data as directed by Company, unless Vendor is required by law to retain such data, in which case Vendor shall, on an ongoing basis, isolate and protect the security and confidentiality of such Personal Data and prevent any further Processing except to the extent required by such law, and shall destroy or return to Company all other Personal Data not required to be retained by Vendor by law.
7. Deidentified Data
7.1. In the event that Company discloses or makes available Deidentified data (as such term is defined in the State Privacy Laws) to Vendor, Vendor shall not attempt to reidentify the information. In the event that either Party discloses or makes available Deidentified data (as such term is defined in the State Privacy Laws) to the other Party, the receiving Party shall take reasonable measures to ensure that the information cannot be associated with a Consumer or household.
8.1. Vendor and Company shall implement and maintain no less than commercially reasonable security procedures and practices, appropriate to the nature of the information, to protect Company Personal Data from unauthorized access, destruction, use, modification, or disclosure.
8.2. Vendor shall fully comply with the Data Security Addendum attached at Annex B.
9. Sale of Data
9.1. The Parties acknowledge and agree that the exchange of Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this U.S. State DPA.
10. Changes to Applicable Privacy Laws
10.1. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations or other laws pertaining to privacy and information security, including, where applicable, the State Privacy Laws.
Annex A - Processing Details
Nature of the Processing
The subject matter and nature of the processing, as determined by the Main Agreement, is the provision of the Flip software as Software-as-a-Service; for this purpose the Vendor is granted access to the personal data of the Company to a limited extent, namely:
· Receipt of an encrypted data set with the following components:
Title, first name, last name, business email address
· Creation of a user list for user creation
· Set-up of individual users for first login
· Creation of information sheets with user access for first login
· Deletion of individual or multiple users from the system on request in text form
· Hosting of the system with a hosting provider
Purpose(s) of the Processing
On behalf of Company, the Vendor shall process personal data of employees of the Company for the purpose of providing the Flip software as Software-as-a-Service in accordance with the Main Agreement.
Types of Company Personal Data Subject to Processing
· Contact details (e.g. email address or telephone number)
Service and IT (usage) data
· Device identifiers
· Access details
· Identification data/IDs
· Telecommunications data/message content
· Usage and connection data/metadata
· Image/video data (if set up by users)
· Audio/voice data (if set up by users)
· Form data (if form feature is used)
Duration of Processing
As determined by the Main Agreement
Annex B - Data Security Addendum
This Data Security Addendum (“Addendum”) is attached to and made a part of the U.S. State Privacy Law Data Processing Addendum (“DPA”). This Addendum will remain in effect for so long as Vendor maintains Company Information. To the extent the terms and conditions set forth in this Addendum conflict with the DPA or the Agreement, then the term requiring greater protection of information shall control.
The Parties will apply at least the following types of security measures to Customer Personal Data:
1. Measures to ensure confidentiality
a. Training of employees
- All employees receive regular training (at least 1x per year) on awareness and proper handling of customer personal data and on general information security topics.
b. Measures by which unauthorized persons are denied access:
- Access control system with badge scanner
- Key management/documentation of key allocation
- Video surveillance of entrances
- Visitor regulation
- Collection at the entrance
- Documentation of visiting hours
- Escort after the visit to the exit
- Central authorization process for access cards
- Immediate blocking of access cards if they are lost
c. Measures to prevent unauthorized persons from using the processing systems:
- Personal and individual user log-in when logging into the system
- State-of-the-art authentication methods (multifactor authentication)
- Authorization process for access permissions
- Limitation of authorized users (need-to-know principle)
- Password specifications (enforcing password parameters in terms of complexity and length)
- Electronic documentation of passwords and protection of this documentation against unauthorized access (password manager)
- Separate administrative account for privileged activities (with hardware authentication)
- Regular account reviews
- Automatic locking of clients after a certain period of time without user activity (also password-protected screen saver or automatic pause)
- Anti-virus software
- Corporate policy for mobile working
- Encryption of mobile devices
d. Measures to ensure that only authorized persons can access processing systems and cannot read, copy, modify or remove personal data without authorization:
- Management and documentation of differentiated authorizations (role-based access)
- Segregation of duties or dual control principle
- Expert destruction of files and data media in accordance with DIN 66399
- Non-reversible deletion of data media
- Logging of accesses to applications, specifically at the time of entry, modification and deletion of data
e. Measures to ensure that data collected for different purposes can be processed separately:
- Separation of customer data at the Tenant Controller level
- Access authorizations based on functional responsibility
- Separate data processing through differentiating access rules
- Use of test data
- Separation of development and production environment
- Pseudonymization of customer data on systems where possible
- In case of pseudonymization: separation of allocation data and storage in separate and secured system
- Deletion and/or anonymization of customer data at sub-processors in the event of a deletion request/erasure
2. Measures to ensure integrity
- Access rights
- Encrypted transport of data
- System-side logging of accesses and retrievals
- Document management system (DMS) with change history
- Functional responsibilities, organizationally defined responsibilities
- Logging of data transfer or data transport
3. Measures to ensure and restore availability
- Security concept for software and IT applications
- Back-up procedure
- Retention process for back-ups
- Virus protection
- Disaster recovery plan
- Regular data recovery testing and logging of results
4. Procedures for regular review, assessment and evaluation of the effectiveness of technical and organizational measures
- Concept for regular review, assessment and evaluation of TOMs (external and internal audits)
- Regular reporting to management
- Emergency tests
- Annual penetration tests
- Documented incident response process
5. Instruction control/order control
- Contract for commissioned data processing pursuant to Art. 28 (3) DSGVO with regulations on the rights and obligations of the processor and controller
- Process for issuing and/or following instructions
- Designation of contact persons and/or responsible employees
- Obligation of employees to maintain confidentiality
- Designation of a data protection officer pursuant to Art. 37 et seq. DSGVO
- Appointment of an information security officer
- Data protection manager/coordinator
- Maintaining a register of processing activities pursuant to Art. 30 (2) DSGVO
- Documentation and escalation process for personal data breaches
- Guidelines/provisions to ensure technical/organizational measures for security of processing
- Process for forwarding requests from data subjects
- Agreement on effective control rights vis-à-vis the contractor
- Regular review of critical contractors
Annex C - Sub-processor Details
To support delivery of Vendor’s services, Vendor may engage and use third parties as sub-processors to Process certain Company Personal Data. This Annex C provides information about the identity, location, and role of each sub-processor.
Microsoft Ireland Operations Limited, One Microsoft Court, South County Business Park, Leopardstown, Dublin 18, D18 DH6k - Server hosting in Germany
WEBO GROUP ltd, Flandrova 17, 1000 Ljubljana, Slovenia - Nextcloud hosting in EU
Zendesk, Inc., 989 Market Street, San Francisco, CA 94103, United States - Customer support request management platform, hosted in EU
Mailjet GmbH, Alt-Moabit 2, 10557 Berlin, Germany - Provision of an email API for sending reset password links (not applicable when using SSO) in Germany
hibase G, Wildenbruchstr. 88, 12045 Berlin, Germany - Connection of data sources for the provision of system statistics in Germany
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland - Google Cloud Platform for analysis and provision of system statistics in EU
DeepL GmbH, Maarweg 165, 50825 Cologne, Germany - Provision of on-demand machine translations in Germany
Helsinki Systems GmbH, Industriestr. 24, 70565 Stuttgart, Germany - Provision of the “Jitsi” video conferencing service in Germany
Entrecode GmbH, Dornhaldenstr. 6, 70199 Stuttgart, Germany - Interface development (API), development of integrations in Germany
Friendventure GmbH, Oskar-Jäger-Str. 173 / K6, 50825 Köln - Provision of forms and static pages (form and page builder) in Germany
Kombo Technologies GmbH, Lohmühlenstraße 65, 12435 Berlin, Germany - Interface provider for defined integrations in Germany