DATA PROCESSING ADDENDUM
Dated as of: August 3, 2018
“Customer” means an entity in a contractual relationship (through the Agreements) with CultureHQ, where Customer's Data Subjects are users of the CultureHQ platform and/or website.
“EU Data Protection Law” means European Directives 95/46/EC and 2002/58/EC, and any legislation and/or regulation implementing or made pursuant to them, or which amends or replaces any of them (including the General Data Protection Regulation, Regulation (EU) 2016/679);
“Data Processor” or “Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Subprocessor” means any Processor engaged by Data Processor.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
“Personal Data” means information relating to an identifiable or identified Data Subject who visits or engages in the CultureHQ platform or website. This information is defined as data about a Data Subject that would allow a party to identify and contact him/her, including, but not limited to: (i) his/her name; (ii) mailing address; (iii) telephone number; (iv) financial account information; (v) email address; and (vi) other, similar information.
2. Data Protection
2.1. The parties acknowledge and agree that, with regard to the Processing of Personal Data, Customer is the Controller and CultureHQ is the Processor.
2.2. When CultureHQ Processes Personal Data in the course of providing services, CultureHQ will:
2.2.1. Process the Personal Data as a Data Processor, only for the purpose of providing services in accordance with documented instructions from Customer (provided that such instructions are commensurate with the functionalities of the services), and as may subsequently be agreed to by Customer. If CultureHQ is required by law to Process the Personal Data for any other purpose, CultureHQ will provide Customer with prior notice of this requirement, unless CultureHQ is prohibited by law from providing such notice;
2.2.2. notify Customer if, in the opinion of CultureHQ, instruction from Customer for the processing of Personal Data infringes applicable EU Data Protection Law;
2.2.3. notify Customer promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Data Subject or Supervisory Authority relating to CultureHQ's Processing of the Personal Data;
2.2.4. implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;
2.2.5. provide Customer, upon request, with up-to-date attestations, reports or extracts thereof where available from a source charged with auditing CultureHQ's data protection practices (e.g. external auditors, internal audit, data protection auditors), or suitable certifications, to enable Customer to assess compliance with the terms of this Addendum;
2.2.6. allow Customer to exercise any right it may have to conduct an audit or inspection by instructing CultureHQ to carry out the audit. Before commencement of any such on-site audit, Customer and CultureHQ shall mutually agree upon the scope, timing, and duration of the audit. Customer shall be responsible for the reimbursement rate, which shall be reasonable, taking into account the resources expended by CultureHQ and/or its Subprocessors. Customer shall promptly notify CultureHQ with information regarding any non-compliance discovered during the course of an audit.
2.2.7. notify Customer promptly upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;
2.2.8. ensure that its personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose the Personal Data;
2.2.9. upon termination of the Agreements, promptly initiate its purge process to delete or anonymize the Personal Data. If Customer requests a copy of such Personal Data within 60 days of termination, CultureHQ will provide Customer with a copy of such Personal Data.
2.3. In the course of providing the Services, Customer acknowledges and agrees that CultureHQ may use Subprocessors to Process the Personal Data. CultureHQ's use of any specific Subprocessor to process the Personal Data must be in compliance with EU Data Protection Law and must be governed by a contract between CultureHQ and Subprocessor.
3.1. In the event of any conflict or inconsistency between the provisions of the Agreements and this Addendum, the Agreements shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreements. Customer acknowledges and agrees that CultureHQ may amend this Addendum from time to time by posting the relevant amended and restated Addendum on CultureHQ's website, available at https://www.culturehq.com/data-processing-addendum, and such amendments to the Addendum are effective as of the date of posting. Customer's continued use of the Services after the amended Addendum is posted to CultureHQ's website constitutes Customer's agreement to, and acceptance of, the amended Addendum. If Customer does not agree to any changes to the Addendum, it is advised that Customer discontinue use of the Service.
3.2. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties.
3.3. The terms of this Addendum shall be governed by and interpreted in accordance with the laws of the State of Massachusetts and the laws of the United States applicable therein, without regard to principles of conflicts of laws. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of the State of Massachusetts with respect to any dispute or claim arising out of or in connection with this Addendum.