THIS DATA PROCESSING ADDENDUM (this “DPA”) forms part of the Agreement by and between Premier Disability Services, LLC (including all Affiliates, “Company”) and You (“Vendor” or “Processor”) as identified in the Agreement or Order form (the “Agreement”) and will be effective on the later of (i) the effective date of the Agreement; or (ii) the date the Vendor processes any Company Personal Data (defined below). All capitalized terms not defined in this DPA have the meanings set forth in the Agreement. 

         WHEREAS, pursuant to the Agreement, the Parties have agreed that it may be necessary for Vendor to Process certain Personal Data on behalf of Company; and

         WHEREAS, in light of this Processing, the Parties have agreed to enter into this DPA to address the compliance obligations imposed by Applicable Data Protection Laws. 

         NOW, THEREFORE, in consideration of the mutual agreements contained herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties hereto agree to the following amendments to the Agreement:

1.                   Defined Terms.  Capitalized terms used herein but not defined, such as “Controller,” “Data Subject,” “Personal Data Breach,” and “Personal Information” shall have the same meaning as set forth in Applicable Data Protection Laws. 

1.1               “Company Personal Data” means any Personal Data Processed by Vendor, or a Subprocessor, on behalf of Company pursuant to the Agreement.

1.2               “Applicable Data Protection Laws” means all statutes, laws, rules, regulations, ordinances, and the like of any federal, international, city, state, provincial, or local government or governmental agency applicable with respect to the Processing of Personal Data under the Agreement, including but not limited to the California Consumer Protection Act (CCPA), and the amending California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CDPA), European Area Law (defined below), the Virginia Consumer Data Protection Act (VCDPA) and any subsequent supplements, amendments, or replacements to the same (as each is effective, and where applicable). 

1.3 “European Area Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Addendums etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); or (iv) any successor or amendments thereto (including without limitation implementation of GDPR by Member States into their national law), or (v) any other law relating to the data protection, security, or privacy of individuals that applies in the European Area. Should there be a conflict between the Agreement and/or the DPA and the Standard Contractual Clauses (“SCCs”) the DPA and SCCs shall control.

1.4 “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household or with a particular individual’s or household’s device; or any inferences drawn therefrom. Personal Data shall include Personal Information. 

1.5 “Process, processed, or processing” means the collection, receipt, recording, organization, structuring, alteration, use, transmission, access, sharing, provision, disclosure, distribution, copying, transfer, storage, management, retention, deletion, combination, restriction, summarizing, aggregation, correlation, inferring, derivation, analysis, adaptation, retrieval, consultation, destruction, disposal, or other handling of Personal Data. 

1.5 “Security Incident” means any unauthorized, unlawful or accidental loss, misuse, destruction, alteration, access to, disclosure of, or damage to Company Personal Data, or any other unauthorized Processing or unauthorized access to Company Personal Data. 

1.6     “Sell or selling” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s Personal Data to another business or a third party for monetary or other valuable consideration.  

1.7     “Share or sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party, whether or not for monetary or other valuable consideration.

1.8              “Services” means the services and other activities to be provided or carried out by or on behalf of Vendor for Company pursuant to the Agreement.

1.9      “Subprocessor(s)” means any person or entity appointed or engaged by Vendor to process Company Personal Data in connection with the Agreement.

1.10              “Supervisory Authority” means an independent public authority which, pursuant to the GDPR, is established and authorized by a Member State of the European Union.

1.11          “Transfer” means disclosing, transmitting, or otherwise making available Personal Data to a third party, including to an affiliate or a Subprocessor, either by physical movement of the Personal Data to such third party or by providing such third party access to the Personal Data by other means.

2.                   Roles and Scope.

2.1               The terms in this DPA apply to the Processing of Company Personal Data, by Vendor on behalf of Company.

2.2               For the purposes of this DPA, the parties hereby agree and acknowledge that with regard to the Processing of Company Personal Data, Company is the Controller and Vendor is the Processor, except when Company acts as a processor of Personal Data, in which case Vendor is a subprocessor.  

2.3               The terms in this DPA do not limit or reduce any data protection commitments Vendor has made to Company in the Agreement or other agreements between Company and Vendor.

3.                   Term.  This DPA shall commence on the Effective Date and shall continue in full force and effect until the later of (a) the termination or expiration of the Agreement; or (b) completion of the last of the Services to be performed pursuant to the Agreement. 

4.                   Processing of Personal Data; General Obligations 

4.1               Vendor shall comply with all Applicable Data Protection Laws in the Processing of Company Personal Data.

4.2               Vendor shall only Process Company Personal Data in accordance with documented instructions it has received from Company, including with regard to transfers of Company Personal Data to a third country or an international organization, unless Processing is required by Applicable Data Protection Laws to which Vendor is subject to, in which case Vendor shall, to the extent permitted by Applicable Data Protection Laws, inform Company of the legal requirement before Processing that Personal Data.

4.3     Vendor shall use Company Personal Data solely (i) to the extent necessary or appropriate to perform its obligations under the Agreement or (ii) if required by court order of a court or authorized governmental agency, provided that prior notice first be given to Company unless such notice is prohibited by law or court order; or (iii) as otherwise expressly authorized by Company. 

4.4   Vendor shall not Sell or Share Company Personal Data with a third party without Company prior written consent, nor use, retain, or disclose Company Personal Data outside of the purposes defined under the Agreement or for any other purpose except required by law.  

4.5   Vendor shall not combine Company Personal Data with any of Vendor’s other data, including Personal Data it receives from other sources and customers, including the information collected from Vendor’s independent interaction with Data Subjects. If Services include advertising or marketing activities, Vendor shall honor Data Subject opt-out requests received from or on behalf of Company by not combining the Personal Data of Data Subjects who have opted out of such Processing. 

4.6              Vendor shall provide to Company such cooperation, assistance, and information as Company may reasonably request to enable Company to comply with its obligations under any Applicable Data Protection Laws and cooperate and comply with the directions or decisions of a relevant Supervisory Authority, in each case (a) solely to the extent applicable to Vendor’s provision of the Services; and (b) within such reasonable time as would enable Company to meet any time limit imposed by the Supervisory Authority.

4.7               Vendor shall maintain all records required by Applicable Data Protection Laws, including Article 30(2) of the GDPR and, to the extent applicable to the Processing of Company Personal Data, make such records available to Company and/or Supervisory Authority upon request.

4.8               If required by Applicable Data Protection Laws, Vendor shall provide in writing accurate details of the Processing, including the subject-matter, duration, nature, and purpose of the Processing, the types of Personal Data Processed, and the categories of Data Subjects Processed, set forth in the attached Schedule A or in an applicable Statement of Work.

4.9 To the extent that Vendor is acting as a Service Provider, the Service Provider Addendum set out in Exhibit A shall apply. 

4.10 To the extent that Vendor is acting as a Third Party under CPRA, Exhibit A shall not apply and Vendor shall fully comply with all applicable obligations under CPRA, including the same level of privacy protection as required by Company. In the event Vendor is unable to meet any of its obligations as a Third Party under CPRA it shall provide immediate notification to Company. Upon notification that Vendor is unable to meet obligations under CPRA, Company shall be permitted to take reasonable and appropriate steps to stop and remediate unauthorized Personal Information use. Additionally, Vendor shall grant Company the rights to take reasonable and appropriate steps to help ensure Vendor uses Personal Information transferred in a manner consistent with Company’s obligations under CPRA. Vendor shall ensure any personnel with access to Personal Information under the Agreement shall agree to protections no less strict than as provided in this DPA.  

5.                   Vendor Personnel.  Vendor shall take reasonable steps to guarantee the reliability of any employee, agent, or contractor who may have access to Company Personal Data, ensuring that: (a) access to Company Personal Data is strictly limited to personnel who need to access Company Personal Data for the purposes of the Agreement; (b) such personnel are properly trained regarding obligations under this DPA and Applicable Data Protection Laws, and comply with Applicable Data Protection Laws; and (c) such personnel are subject to written confidentiality agreements that provide substantially the same level of protection for Company Personal Data as provided in this DPA and as required by Data Protection Laws.

6.                   Subprocessors.

6.1               Vendor shall not engage a Subprocessor or disclose any Company Personal Data to a Subprocessor without prior specific or general written authorization of Company. In the case of general written authorization, Vendor shall notify Company, by way of formal written notice, of any intended changes concerning the addition or replacement of other Subprocessors, thereby giving Company the opportunity to object to such changes.  Such notice shall include the full name and registered office or principal place of business of the Subprocessor. 

6.2               Vendor shall provide to Company details (including categories) of the Processing to be carried out by each Subprocessor in relation to the Services; and such other information as may be requested by Company in order for Company to comply with Applicable Data Protection Laws, including notifying the relevant Supervisory Authority.

6.3               Vendor shall ensure that each of its Subprocessors are bound by written agreements that require such Subprocessors to provide the same level of data protection for Company Personal Data as those set out in this DPA.  

6.4               Vendor shall be liable for the acts and omissions of its Subprocessors to the same extent that Vendor would be liable if performing the Services of each Subprocessor directly under the terms of this DPA.

7.                   Security of Personal Data.

7.1              Vendor will implement appropriate policies and procedures to minimize the risk of identification of individuals. If Vendor receives or obtains information that reveals the identity of a Data Subject for whom Vendor has no consent to receive that information, Vendor will promptly, within twenty-four (24) hours of discovery, notify both Company and any other relevant third party vendor. Vendor will then cooperate with Company, at its own cost, to remedy the disclosure and minimize the risk of recurrence to the extent such unpermitted identification arose out of the negligence, willful misconduct, or breach of this DPA by Vendor or any other third party having been provided with access to Personal Data by Vendor. 

7.2 Vendor shall, in relation to the Company Personal Data, implement and maintain appropriate technical and organizational measures to ensure protection of the security, confidentiality, and integrity of Company Personal Data, including as appropriate, the measures referred to in Article 32(1) of the GDPR. 

7.3               In assessing the appropriate level of security, Vendor shall take account of the risks that are presented by the Processing, in particular from a Personal Data Breach.

7.4               Vendor shall take steps to ensure that any natural person acting under its authority who has access to Company Personal Data does not process them except upon documented instructions from Company, unless he or she is required to do so by Applicable Data Protection Laws. 

8.                   Personal Data Breach.

8.1               In addition to, and without limiting, any other right or remedy available to Company under this Agreement or at law or equity, Vendor shall notify Company, without undue delay but in any event no later than within forty-eight (48) hours, upon Vendor, or any Subprocessor, becoming aware of a Personal Data Breach or Security Incident affecting Company Personal Data, providing Company with sufficient information to allow Company to meet any obligations to report or inform Supervisory Authority and/or Data Subjects of the Personal Data Breach or Security Incident under Applicable Data Protection Laws. Such notification shall, at a minimum, include: (a) a detailed description of the Personal Data Breach or Security Incident; (b) the categories and numbers of Company Personal Data records concerned; and (c) the identity of each affected Data Subject (or, where not possible, the categories and numbers of Data Subjects concerned). In addition, Vendor shall (i) provide the name and contact information of Vendor’s data protection officer or other relevant personnel from whom more information may be obtained; (ii) describe the likely consequences of the Personal Data Breach or Security Incident; and (iii) describe the measures taken or proposed to be taken to address the Personal Data Breach or Security Incident, including measures to mitigate its possible adverse effects.

8.2               Vendor shall take prompt action to investigate the Personal Data Breach or Security Incident and shall use industry standard, commercially reasonable efforts to mitigate the effects of any such Personal Data Breach and, subject to Company’s prior written agreement, to carry out any recovery or other action necessary to remedy the Personal Data Breach or Security Incident. Notwithstanding the forgoing, any Personal Data Breach or Security Incident shall be remedied no later than thirty (30) days after discovery of the Personal Data Breach or Security Incident. 

8.3 Vendor agrees to take the foregoing responsive measures, including cost of notice and, if applicable, costs of credit monitoring and repair services at its sole cost and expense if Vendor’s, including Vendor’s authorized representatives’, actions or omissions cause or contribute to the Personal Data Breach or Security Incident. Vendor’s failure to remedy any Personal Data Breach or Security Incident in a timely manner will be a material breach of the Agreement. 

8.3               Unless required to do so under Applicable Data Protection Laws, Vendor shall not release or publish any filing, communication, notice, press release, or report concerning any Personal Data Breach without Company’s prior written approval. 

8.4 Vendor shall maintain cyber liability insurance coverage with a minimum limit equal to the greater of (a) an amount sufficient to cover all costs relating to Personal Data Breaches or Security Incidents caused by Vendor’s acts or omissions; or (b) $1,000,000. 

9.                   Data Protection Impact Assessment and Prior Consultation.  Vendor shall provide Company with reasonable assistance needed to fulfill Company’s obligation under the Applicable Data Protection Laws including (a) to carry out a data protection impact assessment related to the Services; and (b) to conduct prior consultations with a Supervisory Authority, to the extent that Company reasonably believes such prior consultation is required under Applicable Data Protection Laws as a result of a data protection impact assessment. 

10.               Data Subject Rights.  Taking into account the nature of the Processing, Vendor shall assist Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Company’s obligation to respond to requests to exercise Data Subject rights under the Applicable Data Protection Laws. Vendor shall, to the extent legally permitted, promptly notify Company if Vendor or its Subprocessor receives a request from a Data Subject under any Applicable Data Protection Law with respect to Company Personal Data (“Data Subject Request”). Further, to the extent that Company, in its use of the Services, lacks the ability to address a Data Subject Request, Vendor shall, upon Company’s request, provide commercially reasonable efforts to assist Company in responding to such Data Subject Request, provided that Vendor is legally permitted to do so and the response to such Data Subject Request is required under Applicable Data Protection Laws.  

11.               Return or Deletion of Personal Data.  Upon completion or termination of the Services, or at any time Company shall so request, Vendor shall, at Company’s discretion, promptly return or delete all Company Personal Data (and all copies thereof) in its possession or under its control, including Company Personal Data in the possession of a Subprocessor, unless retention of such Company Personal Data is required by the Applicable Data Protection Laws to which Vendor or Subprocessor is subject to.    

12.               Transfers of Personal Data Outside the European Economic Area or the UK.  Any transfer of Company Personal Data under this DPA originating in the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom to a country that does not ensure an adequate level of data protection within the meaning of Applicable Data Protection Laws shall be undertaken by Vendor in accordance with one of the following: (i) the EU Standard Contractual Clauses for Processors pursuant to the European Commission Decision as of 4 June 2021 for Company Personal Data exported from the EEA or Switzerland (“EU SCCs”); or (ii) the EU SCCs as amended by the UK International Data Transfer Addendum, for Company Personal Data exported from the UK (“UK SCCs”) or any other lawful basis permitted by Data Protection Laws which Vendor shall maintain in full force and effect during the term of the Agreement.  

13.               Audit Rights; Assessments. Vendor shall make available to Company all information necessary to demonstrate compliance with its obligations under this DPA, and shall allow for audits and inspections conducted by Company or an auditor selected by Company in relation to the Processing of the Company Personal Data. In addition to audits under this Section 13, Vendor grants Company or, upon Company’s election, a third party on Company’s behalf, permission to perform ongoing assessments, automated scans, examinations or reviews in relation to all Company Personal Data being handled and/or Services being provided pursuant to the Agreement or this DPA. Alternatively, Vendor may arrange for a qualified and independent assessor to conduct an assessment of Vendor’s policies and technical and organizational measures in support of obligations under Applicable Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Vendor shall provide a report of such assessment to Company upon request. 

14.               Limitation of Liability.  Nothing in this DPA will affect any of the terms of the Agreement relating to Company’s limitations of liability, which will remain in full force and effect. In the event there is no such limitation in the Agreement, Company’s liability arising out of or related to this DPA shall not exceed the lower of $1,000,000 or fees paid under the Agreement in the last 12 months to the extent permitted under applicable law. Notwithstanding the foregoing, in no event shall either party exclude or limit its liability with respect to any data subject’s rights under European Area Law or the Standard Contractual Clauses.

15.               Indemnification.  Vendor shall defend, indemnify, and hold harmless Company and its affiliates and their respective shareholders, directors, officers, agents, and employees from and against any and all claims and accompanying liabilities, judgments, assessments, losses, costs, damages, or expenses (including reasonable attorney’s fees) resulting from or arising out of or related to: (a) any breach by Vendor of its representations, warranties, or covenants under this DPA; (b) any breach by Vendor (or any of its employees, Subprocessors, subcontractors, or agents) of the Applicable Data Protection Laws, to the extent that such breach affects Company Personal Data; or (c) Vendor’s (or its employee’s or agent’s) gross negligence, recklessness, or intentional misconduct. This section shall survive the termination of this DPA and the Agreement and is without regard to any limitation or exclusion of damages or liability provision otherwise set forth in this DPA or the Agreement.    

16.              Entire Agreement; Other Agreement Provisions.  This DPA sets forth the entire understanding of the parties relating to the subject matter addressed and supersedes any prior agreements, arrangements, or understandings relating to the subject matter hereof. In the event of any inconsistency between the terms of this DPA and the Agreement, the terms of this DPA will govern. Except as otherwise expressly provided in this DPA, the provisions of the Agreement remain in full force and effect.

17.               Binding Effect.  This DPA shall inure to the benefit of and shall be binding upon the Parties and their respective successors and assigns.

18.               Modifications and Supplementations.  Company may modify or supplement this DPA with notice to Vendor if required to do so by a Supervisory Authority or other government or regulatory entity or if necessary to comply with Applicable Data Protection Laws.

19.               Authority.  The Parties expressly warrant and represent that he/it has full authority to bind itself to this DPA and that its rights hereunder and under the Agreement have not been sold, assigned, gifted, pledged, or otherwise transferred.

20.               Execution of Counterparts.  This DPA may be executed in several counterparts, each of which shall be an original and all of which shall constitute but one and the same instrument. 

SCHEDULE A

DETAILS OF PROCESSING OF COMPANY PERSONAL DATA 

This Schedule A includes certain details of the Processing of Company Personal Data as required by Article 28(3) of the GDPR, unless otherwise specified in the Agreement. 

1.       Subject matter and duration of the Processing of Company Personal Data

 Company Personal Data, duration determined under the Agreement. 

2.       The nature and purpose of the Processing of Company Personal Data

As needed for the purpose of the Processing, to comply with Company’s Processing instructions and in accordance with the Agreement. The Purpose shall be provided under the Agreement. 

3.       The types of Company Personal Data to be Processed

As determined by Company, and shall only include special categories of data or sensitive data if required under the Agreement.  

4.       The categories of Data Subject to whom the Company Personal Data relates

As determined by Company under the Agreement. 

5.       The obligations of Company and Company Affiliates

Company must obtain consents necessary to Process special categories of data, including sensitive data. If consents are not necessary, then Company must have provided the data subject the opportunity to opt out of such processing. 

EXHIBIT A 

SERVICE PROVIDER ADDENDUM TO THE AGREEMENT 

             THIS SERVICE PROVIDER ADDENDUM TO THE AGREEMENT (this “Service Provider Addendum”) is entered into by and between Premier Disability Services, LLC, a Delaware limited liability company (“Company” or “Business”), and You (“Vendor” or “Service Provider”) (each a “Party” and collectively, the “Parties”) and will be effective on the later of (i) the effective date of the Agreement; or (ii) the date the Vendor processes any Company Personal Information as a Service Provider (defined below). All capitalized terms not defined in this Service Provider Addendum have the meanings set forth in the Agreement. 

             WHEREAS, the Parties entered into an Order or Agreement (the “Agreement”) 

             WHEREAS, pursuant to the Agreement, the Parties have agreed that it may be necessary for Vendor to process certain Personal Information on behalf of Company as a Service Provider; and

             WHEREAS, in light of this processing, the Parties have agreed to enter into this Service Provider Addendum to address compliance obligations imposed by the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), as may be amended, replaced, or superseded from time to time.  

             NOW, THEREFORE, in consideration of the mutual agreements contained herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties hereto agree to the following amendments to the Agreement:

1.                   Defined Terms

1.1               Capitalized terms used herein but not defined, such as “Business,” “Business Purpose,” “Consumer,” “Personal Information,” “Processing,” “Sell,” (and “selling”, “sale”, and “sold”)  “Service Provider,” “Share,” (and “sharing,” “share,” and “shared”) and “Third Party,” shall have the same meaning as set forth in the CCPA and the CPRA and their cognate terms shall be construed accordingly. 

1.2   “California Consumer Privacy Act” or “CCPA” means Title 1.81.5 California Consumer PRivacy Act of 2018 (California Civil Code §§ 1798.100–1798.199), as amended or superseded from time to time. 

1.3       “California Privacy Rights Act” or “CPRA” means the California Privacy Rights Act of 2020, (20202 Cal. Legis. Serv. Proposition 24, codified at Cal. Civ. Code §§ 1798.100 et seq.), and its implementing regulations, as amended or superseded from time to time. 

1.4               “Company Personal Information” means Personal Information of a Consumer Processed by Service Provider, or its subcontractors, on behalf of Company pursuant to the Agreement.

1.5               “Services” means the services and other activities to be provided or carried out by Service Provider for Company pursuant to the Agreement.

2.                   Roles and Scope.  For the purposes of this Service Provider Addendum, the parties hereby agree and acknowledge that with regard to the Processing of Company Personal Information, Vendor is a Service Provider to Company. This Service Provider Addendum applies only where, and to the extent that Vendor processes Company Personal Information that is subject to the CPRA on behalf of Company as a Service Provider in the course of providing Services under the Agreement.  This Service Provider Addendum does not limit or reduce any data protection commitments Service Provider has made to Company in the Agreement or other agreements, including but not limited to a Data Processing Agreement (“DPA”)  between Company and Vendor.

3.                   Term.  This Service Provider Addendum shall commence on the Effective Date and shall continue in full force and effect until the later of: (a) the termination or expiration of the Agreement; or (b) completion of the last of the Services to be performed pursuant to the Agreement. 

4.                   Processing of Personal Information

4.1     Company is a Business and Vendor is a Service Provider permitted to process Company Personal Information for the Business Purpose. Vendor is responsible for its compliance with its obligations under this Service Provider Addendum and for compliance with its obligations as a Service Provider under the CPRA. 

4.2               Vendor shall comply with the CPRA in the Processing of Company Personal Information as a Service Provider and shall provide reasonable assistance to enable Company to comply with its obligations under the CPRA.

4.3                  As a Service Provider, Vendor shall:

a)                  not Sell or Share Company Personal Information; 

b)          not retain, use, or disclose Company Personal Information for any purpose other than for the specific Business Purpose specified in the Agreement or as otherwise permitted by the CPRA;

c)                not retain, use, or disclose Company Personal Information for any commercial purpose other than for the specific Services under the Agreement; and

d)          not retain, use, or disclose Company Personal Information outside of the direct business relationship between Company and Vendor.

e) not process the Personal Information for targeted and/or cross context behavioral advertising 

f) not combine Company Personal Information with any other Personal Information of opted-out consumers that Vendor receives from, or on behalf of, Company with Personal Information that the Vendor receives from, or on behalf of, another person or persons or collects from Vendor’s own interaction with consumers.  

5.                   Vendor’s Subcontractors.  Vendor shall not engage a subcontractor or disclose any Company Personal Information to a subcontractor without (a) providing written notice to Company and (b) entering into a written contract so that such subcontractor is is bound to the same processing obligations no less strict than those required by Vendor.  Vendor shall be liable for the acts and omissions of its subcontractors to the same extent that Vendor would be liable if performing the Services of each subcontractor directly under the terms of this Service Provider Addendum.

6.                   Return or Deletion of Personal Information.  Upon completion or termination of the Services, or at any time Company shall so request, Vendor shall, at Vendor’s discretion, promptly return or delete all Company Personal Information, and all copies thereof, in its possession or under its control, including Company Personal Information in the possession of a subcontractor, unless retention of such Company Personal Information is required by the CPRA or any applicable privacy and data protection law to which Service Provider, or its subcontractor, is subject to.

7. Service Provider Obligations. Vendor shall fully comply with all applicable obligations under CPRA, including the same level of privacy protection as required by Company. In the event Vendor is unable to meet any of its obligations as a Service Provider under CPRA it shall provide immediate notification to Company. Upon notification that Vendor is unable to meet obligations under CPRA, Company shall be permitted to take reasonable and appropriate steps to stop and remediate unauthorized Personal Information use. Additionally, Vendor shall grant Company the rights to take reasonable and appropriate steps to help ensure Vendor uses Personal Information transferred in a manner consistent with Company’s obligations under CPRA. Vendor shall ensure any personnel with access to Personal Information under the Agreement or this Service Provider Addendum shall agree to protections no less strict than as provided in this Service Provider Addendum. 

8.                   Indemnification.  Vendor shall defend, indemnify, and hold harmless Company and its affiliates and their respective shareholders, directors, officers, agents, and employees from and against any and all claims and accompanying liabilities, judgments, assessments, losses, costs, damages, or expenses (including reasonable attorney’s fees) resulting from or arising out of or related to: (a) any breach by Vendor of its representations, warranties, or covenants under this Service Provider Addendum; (b) any breach by Vendor (or any of its employees, subcontractors, or agents) of the CPRA, to the extent that such breach affects Company Personal Information; or (c) Service Provider’s (or its employee’s or agent’s) gross negligence, recklessness, or intentional misconduct.  This section shall survive the termination of this Service Provider Addendum and the Agreement and is without regard to any limitation or exclusion of damages or liability provision otherwise set forth in this Service Provider Addendum or the Agreement.

9. Audits and Monitoring. Vendor shall permit, subject to the Agreement, Company to monitor compliance with this Service Provider Addendum, including through manual reviews, automated scans, regular assessments, audit, technical and operational testing at least once per year. 

10. Security Incident. Vendor shall notify Business immediately after becoming aware of a Security Incident and shall provide information and assistance as reasonably requested by Business. 

11.     Entire Agreement; Other Agreement Provisions.  This Service Provider Addendum sets forth the entire understanding of the parties relating to the subject matter addressed and supersedes any prior agreements, arrangements, or understandings relating to the subject matter hereof.  In the event of any inconsistency between the terms of this Service Provider Addendum and the Agreement, the terms of this Service Provider Addendum will govern.  Except as otherwise expressly provided in this Service Provider Addendum, the provisions of the Agreement remain in full force and effect.

12.          Binding Effect.  This Service Provider Addendum shall inure to the benefit of and shall be binding upon the Parties and their respective successors and assigns.

13.        Authority.  The Parties expressly warrant and represent that it has full authority to bind itself to this Service Provider Addendum and that its rights hereunder and under the Agreement have not been sold, assigned, gifted, pledged, or otherwise transferred.

14.         Execution of Counterparts.  This Service Provider Addendum may be executed in several counterparts, each of which shall be an original and all of which shall constitute but one and the same instrument.

Last updated: April 1, 2025