This Data Processing Addendum (this "DPA") supplements and forms part of the Policy Pulse Subscription Terms between Customer and Policy Pulse, Inc (“Policy Pulse”) ("Agreement") when Data Protection Law applies to Customer’s access and use of the Services to process Customer Personal Data (defined below).Customer enters into this DPA on behalf of itself and, to the extent required under applicable law, in the name of and on behalf of its Data Controller Affiliates (defined below) ("Customer"). For the purposes of this DPA only, and except as otherwise indicated, the term "Customer" shall include Customer and Data Controller Affiliates.
This DPA applies when Customer Personal Data is processed by Policy Pulse under applicable Data Protection Law. In this context, where the law provides for the roles of "controller" and "processor," Customer is the Controller of the Customer Personal Data covered by this DPA, and Policy Pulse shall be a Processor Processing Customer Personal Data on behalf of Customer.
Subject Matter. The subject matter of the data Processing under this DPA is Customer Personal Data.
Duration. The duration of the Processing under this DPA shall continue during the term of the Agreement and for a period of up to thirty (30) days after the expiration or termination of the Agreement.
Purpose. The purpose of the processing under the DPA is the provision of the Services by Policy Pulse to Customer as specified in the Agreement.
Nature of the Processing. Customer Personal data is processed by Policy Pulse in connection with the Services under the Agreement and/or any applicable Order.
Categories of Data Subjects. Customers’ Authorized Users, employees, contractors, suppliers, or other third parties whose Personal Data is uploaded by Customer for use in connection with the Services.
Categories of Data. Name, email and IP address and other Personal Data that Customer or its Authorized Users elect to submit to the Services.
Special Categories of Data. None
Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA.
If and to the extent the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations apply to the processing of personal data by Policy Pulse on behalf of Customer under the Agreement, this section applies and prevails over any conflicting term of the Agreement, including the DPA.
Policy Pulse’s obligations to Customer under the DPA are only those express obligations imposed by the CCPA that require that a "Business" and a "Service Provider" have in place. Each party is responsible for fulfilling its respective obligations set out in the CCPA.
Policy Pulse will not collect, sell, share, retain, disclose or use the Personal Information of the Consumer for any purpose other than to perform the Services specified in the Agreement, or as otherwise permitted by CCPA. Policy Pulse certifies that it understands and will comply with the restrictions set forth herein.
The terms used in the applicable provisions of the DPA shall be replaced as follows: "Personal Data" shall mean "Personal Information"; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; and "Data Subject" shall mean "Consumer" (collectively, the "replaced terms"). Further, the replaced terms shall have the definitions ascribed to them in the CCPA.
Customer shall, in its use of the Services, at all times provide documented instructions to Policy Pulse for the Processing of Customer Personal Data, in compliance with applicable Data Protection Law and shall obtain proper and lawful authorization to enable Policy Pulse to Process such data. Policy Pulse will Process Customer Personal Data solely in accordance with Customer’s documented instructions provided that Policy Pulse may aggregate and anonymize such data solely as it relates to the usage of the Services and Policy Pulse may use such de-identified data for its internal business purposes.
Policy Pulse will not access or use, or disclose to any third party, any Customer Personal Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law, a Public Authority Request and/or a valid and binding order of a governmental body (such as a subpoena or court order). If compelled to disclose Customer Personal Data to a governmental body, then Policy Pulse will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Policy Pulse is legally prohibited from doing so.
Policy Pulse shall ensure that all persons authorized to Process Customer Personal Data on behalf of Policy Pulse are made aware of the confidential nature of the Customer Personal Data, and have contractually committed themselves to confidentiality (e.g., by confidentiality agreements) or are under an appropriate statutory obligation of confidentiality.
Customer hereby generally authorizes Policy Pulse to engage Subprocessors in accordance with this Section. Customer approves the Subprocessors currently listed below as Appendix A. If Customer transfers Customer Personal Data to Policy Pulse under the SCCs, the above authorization will constitute Customer's prior written consent to the subcontracting by Policy Pulse of the Processing of Customer Personal Data if such consent is required under the SCCs. Policy Pulse may remove, replace, or appoint suitable and reliable Subprocessors, provided that Policy Pulse shall maintain an up-to-date list of its Subprocessors on Policy Pulse’s website at as an appendix to this DPA. Policy Pulse will provide Customer with an opportunity to object to any change in its Subprocessors where required under applicable Data Protection Law.
If the Customer reasonably objects to the engagement of a new Subprocessor, Policy Pulse shall have the right to cure the objection through one of the following options (to be selected at Policy Pulse’s sole discretion): (a) Policy Pulse cancels its plans to use the Subprocessor with regard to Customer Personal Data; (b) Policy Pulse will take the corrective steps requested by Customer in its objection (which removes Customer's objection) and proceed to use the Subprocessor with regard to Customer Personal Data; (c) Policy Pulse may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Service that would involve the use of such Subprocessor with regard to Customer Personal Data; and (d) Policy Pulse provides Customer with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If Policy Pulse, in its sole discretion, cannot provide any such alternative(s), or if Customer does not agree to any such alternative(s) if provided, Policy Pulse and Customer may terminate this DPA with prior written notice, or suspend the affected Services. Termination shall not relieve Customer of any fees or charges owed to Policy Pulse for Services provided up to the effective date of the termination under the Agreement. In the event that Policy Pulse elects to suspend Customer’s access to and use of affected Services, such suspension shall relieve Customer of any fees or charges owed to Policy Pulse for such Services after the effective date of the suspension. If Customer does not object to a new Subprocessor's engagement within ten (10) days of notice by Policy Pulse, that new Subprocessor shall be deemed accepted.
Where Policy Pulse authorizes a Subprocessor as described herein:
Policy Pulse will restrict the Subprocessor’s access to Customer Personal Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and Policy Pulse will prohibit the Subprocessor from accessing Customer Personal Data for any other purpose;
Policy Pulse will enter into a written agreement with the Subprocessor and, to the extent that the Subprocessor performs the same data processing services provided by Policy Pulse under this DPA, Policy Pulse will impose on the Subprocessor the same contractual obligations that Policy Pulse has under this DPA; and
Policy Pulse will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Policy Pulse to breach any of Policy Pulse obligations under this DPA.
Policy Pulse's provision of the Services will be consistent with commercially reasonable security measures.
For the duration of its processing of Customer Personal Data, Policy Pulse will maintain compliance with security standards designed to protect the security and confidentiality of such information and protect against any anticipated threats or hazards to the security or integrity of such information.
In the event of a Personal Data Breach, except where prohibited by law, Policy Pulse shall notify Customer without undue delay (but within seventy-two hours) and otherwise respond as described herein. In addition, Policy Pulse shall, taking into account the nature of the Processing and the information available to Policy Pulse, assist Customer in ensuring compliance with its obligations under applicable Data Protection Law to conduct a data protection impact assessment and, with prior notice, to assist with consultations with the Competent Supervisory Authority (defined below), where required.
Policy Pulse does and will (a) maintain and follow a documented incident response plan and associated procedures consistent with industry standards for Personal Data Breach handling; (b) investigate Personal Data Breach of which Policy Pulse becomes aware, and, within the scope of the Services, take such steps as Policy Pulse in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach; and (c) notify Customer without undue delay (but within seventy-two hours) upon confirmation of a Personal Data Breach that is known or reasonably suspected by Policy Pulse to affect Customer Personal Data, and provide Customer with reasonably requested information about such Personal Data Breach and the status of the remediation and restoration activities. The obligations herein shall not apply to a Personal Data Breach caused by Customer, Customer’s Authorized Users or misuse of Customer’s Access Credentials. Policy Pulse’s obligation to report or respond to a Personal Data Breach under this Section 9 is not and will not be construed as an acknowledgement by Policy Pulse of any fault or liability of Policy Pulse with respect to the Personal Data Breach.
Policy Pulse will inform Customer of requests from Data Subjects exercising their Data Subject rights under applicable Data Protection Law (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to Policy Pulse regarding Customer Personal Data. Customer shall be responsible for handling such requests of Data Subjects. Upon a written request for assistance by Customer, Policy Pulse will reasonably assist Customer with handling such Data Subject request.
Customer acknowledges and agrees that Policy Pulse may transfer and process Customer Personal Data to and in the United States and anywhere else in the world where Policy Pulse, its Affiliates, or its Subprocessors maintain data processing operations. Policy Pulse shall ensure that such transfers are made in compliance with applicable Data Protection Law and this DPA.
Customer shall bear sole responsibility for obtaining its Authorized User’s and/or Data Subjects’ informed and explicit consent prior to the transfer of any Customer Personal Data to Policy Pulse in a manner consistent with the applicable Data Protection Law. If, at any time, an Authorized User and/or Data Subject withdraws any consent given pursuant to this Subsection, Customer shall immediately inform Policy Pulse in writing at privacy@Policy-Pulse.ai and cease use and collection of Customer Personal Data related to such objecting Authorized User and/or Data Subject. Customer shall keep an electronic record of all consents given, and any consents withdrawn, by Authorized Users and/or Data Subjects and shall make such records available to Policy Pulse upon request as required by law.
Upon termination or expiration of the Agreement, Policy Pulse shall (at Customer's written request) anonymize all Customer Personal Data in its possession or control. This requirement shall not apply to the extent Policy Pulse is required by applicable law, regulations, or other contract provisions to retain some or all of the Customer Personal Data.This DPA will continue in force until the termination of the Agreement (the "Termination Date"), provided that the data protection obligations of this DPA and the SCCs shall continue to apply for so long as Policy Pulse processes Customer Personal Data.
Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Order of Precedence. Except as supplemented by this DPA, the Agreement will remain in full force and effect. Any conflict between the terms of the Agreement and this DPA related to the processing of Customer Personal Data are resolved in the following order of priority: (1) the Standard Contractual Clauses, where applicable; (2) the DPA; and (3) the Agreement provided the limitations of liability provisions in the Agreement shall control.
Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:
"Access Credentials" means any user name, identification number, password, license or security key, security token, PIN, or other security code, method, technology, or device used, alone or in combination, to verify an individual's identity and authorization to access and use the Services.
"Action" means any claim, action, cause of action, demand, lawsuit, arbitration, inquiry, audit, notice of violation, proceeding, litigation, citation, summons, subpoena, or investigation of any nature, civil, criminal, administrative, regulatory, or other, whether at law, in equity, or otherwise.
"Affiliates", "Customer Data", "Policy Pulse", and "Services" shall each have the meaning ascribed to it in the Agreement.
"Competent Supervisory Authority" means, in accordance with Clause 13 of the EU SCCs, (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioners Office (the "ICO"). With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
"Controller" means the entity that determines as a legal person alone or jointly with others the purposes and means of the Processing of Personal Data. Unless otherwise specified, Controller or "data exporter" refers to Customer.
"Customer", as used on this DPA, shall include Customer (as defined in the Agreement) and its Data Controller Affiliates.
"Customer Personal Data" means Customer Data submitted to Policy Pulse for Processing in connection with the Services pursuant to the Agreement, which contains Personal Data.
"Data Controller Affiliates" means any of Customer's Affiliates that have not signed or otherwise accepted their own Order with Policy Pulse and therefore would not be a "customer" as defined under the Agreement but is an entity which is: (i) subject to Data Protection Law; and (ii) permitted to use the Policy Pulse Services pursuant to the Agreement between Customer and Policy Pulse. For the avoidance of doubt, no third-party beneficiaries are intended.
"Data Protection Law" means any data protection and privacy laws and regulations that are applicable to the processing of Customer Personal Data by Policy Pulse, including, where applicable, the laws listed in Policy Pulse’s Jurisdiction Specific Terms, which if any are available at http://Policy-Pulse.ai/jurisdiction-specific-terms, as may be amended, superseded or replaced from time to time.
"Data Subject" means the identified or identifiable person to whom Customer Personal Data relates.
"Documented Instructions" has the meaning ascribed in Subsection 2.1 of this DPA.
"Europe" means the European Economic Area and Switzerland.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing of Directive 95/46/EC (General Data Protection Regulation)
"including" and its derivatives mean "including but not limited to."
"Losses" means any and all losses, damages, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, expert witness fees, settlement amounts, and the costs of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers.
"Personal Data" means any data that relates to an identified or identifiable natural person, to the extent that such information is protected under applicable Data Protection Law.
"Personal Data Breach" means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Policy Pulse or Policy Pulse’s Subprocessors.
"Policy Pulse Indemnitee" shall have the meaning ascribed to it in Section 11, above.
"Processing" (unless defined differently under applicable Data Protection Law) means any operation or set of operations which is performed upon Personal Data, manually or automatically, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
"Processor" means an entity which Processes Personal Data on behalf of the Controller pursuant to the Agreement. Processor or "data importer" in this DPA refers to Policy Pulse.
"Public Authority Request" means a government agency or law enforcement authority, including a judicial authority request for information.
"Services" means Policy Pulse’s Services as set forth in the Agreement.
"Standard Contractual Clauses" or "SCCs" means : (i) where the GDPR applies the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the "UK SCCs"); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner ("FDPIC")(the "Swiss SCCs").
"Subprocessor" means any Processor engaged by Policy Pulse to assist in processing Customer Personal Data in connection with the Services per Customer’s Documented Instructions under the terms of the Agreement and this DPA. Subprocessors may include Policy Pulse’s Affiliates, but shall exclude Policy Pulse employees, contractors, and consultants.
"UK GDPR" means the UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018 and renamed by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2020 and the UK's Data Protection Act 2018.
Appendix A - List of Policy Pulse Subprocessors
A current list of Policy Pulse’s Subprocessors is available at https://www.policy-pulse.ai/sub-processors.
