This Policy was updated on January 1, 2024.
This Data Processing Addendum (“DPA”) forms part of the Terms of Service Agreement (“Agreement”) and is effective as of the Effective Date of the Agreement, by and between Texas Technology Group, LLC (together with its Affiliates, “TTG”) and the undersigned customer of TTG (“Customer”). “Services” means any product or service provided by TTG under the Agreement.
All capitalized terms not defined in this DPA will have the meaning set forth in the Agreement. Each of Customer and TTG may be referred to herein as a “party” and together as the “parties.”
This DPA will apply only if Data Protection Laws and Regulations, as defined herein, are applicable to the Processing of Personal Data.
1. TERMS & DEFINITIONS
1.1. “Affiliate” means, with respect to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2. “Anonymized” means a process where Personal Data has been rendered anonymous in such a manner that the Data Subject is not or no longer identifiable.
1.3. “Business” will have the meaning given in § 1798.140(c) of the CCPA.
1.4. “Business purpose” will have the meaning given in § 1798.140(d) of the CCPA.
1.5. “California Personal Information” means any Customer Data that is Personal information, as defined in § 1798.140(o) of the CCPA.
1.6. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code, § 1798.100 et seq., and its final implementing regulations dated August 14, 2020, § 999.300 et seq.
1.7. “Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations.
1.8. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
1.9. “Customer Data” has the meaning set forth in the Agreement.
1.10. “Data Protection Laws and Regulations” means all data privacy and data security laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States and its states, applicable to the processing of Personal Data.
1.11. “Data Subject” means the identified or identifiable person to whom Personal Data relates.
1.12. “Data Subject Request” has the meaning set forth in Section 2.1.
1.13. “Deidentified” will have the meaning given in § 1798.140(h) of the CCPA.
1.14. “EU Data Protection Law” means all data privacy and data security laws and regulations of the European Union, the European Economic Area and their member states, including but not limited to the GDPR, Switzerland, and the United Kingdom, applicable to the processing of Personal Data.
1.15. “GDPR” means EU General Data Protection Regulation 2016/679.
1.16. “Objection Period” has the meaning set forth in Section 4.2.
1.17. “Personal Data” means any Customer Data that is information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Personal Data includes, but is not limited to, Personal information as defined in § 1798.140(o) of the CCPA.
1.18. “Process” and “Processing” mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.19. “Processor” means an entity that Processes Personal Data on behalf of the Controller.
1.20. “Request to Delete” will have the meaning given in § 999.301(q) of the CCPA.
1.21. “Request to Know” will have the meaning given in § 999.301(r) of the CCPA.
1.22. “Sale” and “Sell” will have the meaning given in § 1798.140(t) of the CCPA.
1.23. “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
1.24. “Services” has the meaning set forth in the Agreement.
1.25. “Service Provider” will have the meaning given in § 1798.140(v) of the CCPA.
1.26. “Standard Contractual Clauses” means the agreement pursuant to the European Commission’s decision 2010/87/EU of 5 February 2010 (Commission Decision C(2010)593) on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
1.27. “Sub-processor” means any Processor engaged by TTG to assist it in Processing Personal Data for the purposes of providing the Services.
2. PROCESSING OF PERSONAL DATA
2.1. Roles of the Parties. If EU Data Protection Law is applicable to the Processing of Personal Data, the parties agree that Customer is the Controller, and TTG is the Processor acting on behalf of Customer.
2.2. Customer Obligations. Customer, in its use of the Services, will:
(a) Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations;
(b) ensure that its Processing instructions are lawful and that the Processing of Personal Data in accordance with such instructions will not cause TTG to violate any applicable law or regulation, including but not limited to Data Protection Laws and Regulations; and
(c) provide notice and obtain all required consents and rights necessary under Data Protection Laws and Regulations for TTG to Process Personal Data.
Customer will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.3. TTG’s Processing of Personal Data. TTG will Process Personal Data as a Processor solely as necessary to perform its obligations and strictly in accordance with the documented instructions of the Customer for: (i) Processing in accordance with the Agreement; and (ii) Processing to comply with other documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement. If TTG cannot comply with a Customer instruction or is of the opinion that an instruction infringes Data Protection Laws and Regulations, TTG will notify the Customer.
2.4. Details of the Processing. If EU Data Protection Law is applicable to the Processing of Personal Data, the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA will be specified in Exhibit A (Details of the Processing) to this DPA.
3. COOPERATION
3.1. Data Subject Request.
(a) TTG will, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure, data portability, objection to further Processing, or its right not to be subject to automated individual decision making (“Data Subject Request”) under EU Data Protection Law. Except to the extent required by applicable law, UCC will not respond to a Data Subject Request without Customer’s prior written consent except to confirm that such request relates to Customer, to which Customer hereby agrees.
(b) To the extent Customer does not have the ability to address a Data Subject Request, TTG will upon Customer’s written request provide commercially reasonable assistance to facilitate such Data Subject Request to the extent TTG is legally permitted to do so and provided that such Data Subject Request is exercised in accordance with Data Protection Laws and Regulations. To the extent legally permitted, Customer will be responsible for any costs arising from TTG’s provision of such assistance.
3.2. Data Protection Impact Assessment. Upon Customer’s written request, TTG will provide cooperation and reasonably requested information regarding the Services to enable Customer to comply with its GDPR obligations to perform data protection impact assessments or consult with data protection authorities, so long as Customer does not otherwise have access to the relevant information.
4. TTG PERSONNEL
4.1. Confidentiality and Training. TTG will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. TTG will ensure that such confidentiality obligations survive the termination of the personnel engagement.
4.2. Limitation of Access. TTG will ensure that TTG’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
5. SUB-PROCESSORS
5.1. Appointment of Sub-Processors. The Customer grants a general authorization to TTG to appoint any other third party as a Sub-Processor to support the performance of the Services. TTG will enter into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in this DPA.
5.2. Notification of Sub-Processors. If EU Data Protection Law is applicable to the Processing of Personal Data, TTG will maintain a list of Sub-Processors on the TTG website and will add the names of Sub-Processors to the list prior to them Processing any Personal Data. This website will include a mechanism for Customer to subscribe to notifications of new Sub-Processors. TTG will provide such notification at least fourteen (14) days in advance of allowing the new Sub-Processor to Process any Personal Data (the “Objection Period”).
5.3. Customer Right to Object to New Sub-Processors. If Customer has a reasonable objection to any new or replacement Sub-Processor, it will notify TTG of such objections within the Objection Period and the parties will seek to resolve the matter in good faith. If Customer does not provide a timely objection to any new or replacement Sub-Processor, Customer will be deemed to have consented to the Sub-Processor and waived its right to object. TTG may use a new or replacement Sub-Processor while the objection procedure in this section 4.3 is in process.
5.4. Liability. If EU Data Protection Law is applicable to the Processing of Personal Data, TTG will be liable for the acts and omissions of its Sub-processors to the same extent TTG would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6. SECURITY AND SECURITY INCIDENTS
6.1. Security Measures. TTG will implement and maintain appropriate technical and organizational security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data. TTG regularly monitors compliance with these measures. TTG will not materially decrease the overall security of the Services during a subscription term.
6.2. Customer Responsibilities. Customer is responsible for its secure use of the Services and using available features and functionalities to maintain appropriate security in light of the nature of the data processed by Customer’s use of the Services. Customer is responsible for reviewing the information made available by TTG relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws.
6.3. Security Incident Notification. If TTG becomes aware of a Security Incident, TTG will notify Customer without undue delay. To the extent such Security Incident is caused by a violation of the requirements of this Addendum by TTG, TTG will make reasonable efforts to identify and remediate the cause of such Security Incident. TTG will provide reasonable assistance to Customer in the event that Customer is required under Data Protection Laws and Regulations to notify a supervisory authority or any Data Subjects of the Security Incident.
7. AUDITS AND INSPECTIONS
If EU Data Protection Law is applicable to the Processing of Personal Data, upon written request, TTG will make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or any third-party auditors authorized by Customer. Third-party auditors may be required to execute a separate confidentiality agreement with TTG prior to any audit or review of information. Customer will not request information or conduct audits under this section at unreasonable intervals.
8. CCPA
8.1. Applicability of this Section. This Section 8 will apply and bind the Parties only if Customer collects California Personal Information and Customer is a Business.
8.2. TTG is a Service Provider. If Customer is a Business, the parties agree that TTG is a Service Provider and is Processing California Personal Information on behalf of Customer.
8.3. Customer Compliance. Customer specifically acknowledges that its use of the Services will not violate the rights of any Consumer that has opted-out from Sales or other disclosures of California Personal Information, to the extent applicable under the CCPA.
8.4. Restrictions on Processing. TTG will not retain, use, or disclose California Personal Information received from Customer for any purpose other than for the specific purpose of providing the Services specified in the Agreement, or for the reasons set forth below:
(a) To retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a Service Provider under the CCPA;
(c) For internal use by TTG to build or improve the quality of its services, provided that the use does not include (i) building or modifying Consumer profiles to use in providing services to another Business, or (ii) correcting or augmenting data acquired from another source;
(d) To detect data security incidents or protect against fraudulent or illegal activity;
(e) To comply with federal, state, or local laws;
(f) To comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
(g) To cooperate with law enforcement agencies concerning conduct or activity that TTG reasonably and in good faith believes may violate federal, state, or local laws;
(h) To exercise or defend legal claims;
(f) As otherwise permitted by the CCPA.
8.5. Personal Information Collected for Only a Business Purpose. TTG agrees to limit the collection, Sale, or use of California Personal Information received from Customer except as necessary to perform a Business Purpose.
8.6. Selling Data. TTG will not Sell data on behalf of Customer when a Consumer has opted-out of the Sale of their California Personal Information with Customer.
8.7. Responding to a Consumer Request. If TTG receives a Request to Know or a Request to Delete from a Consumer, TTG will either (1) act on behalf of Customer in responding to the request or (2) inform the Consumer that the request cannot be acted upon because the request has been sent to TTG which is a service provider.
9. DELETION OR RETURN OF CUSTOMER DATA
Upon termination or expiration of the Agreement, TTG will, at Customer’s discretion, delete or make available to Customer for retrieval all Personal Data in TTG’s possession, with the exception of any Personal Data that TTG is required to retain by any applicable law. Notwithstanding the foregoing, TTG will not be required to delete or make available to Customer for retrieval any Customer Data that has been Anonymized, Deidentified, and/or aggregated such that it is not Personal Data.
10. INTERNATIONAL DATA TRANSFERS
If TTG transfers any Personal Data originating from the European Economic Area to a country that has not been designated as providing an adequate level of data protection within the meaning of the GDPR, TTG and Customer will execute the Standard Contractual Clauses and, if required, implement any supplementary measures necessary to ensure an adequate level of protection of the Personal Data.
11. TERM
This DPA will remain in effect for as long as the term of the Agreement (and all Personal Data has been returned to Customer or deleted in accordance with Section 9 above).