U.S. STATE CONSUMER PRIVACY LAWS DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms a part of that Master Subscription and Services Agreement or other written or electronic agreement (individually and collectively, the “Agreement”) between W Energy Software, LLC (“Provider”) and Customer pursuant to which Provider will be processing Personal Information on behalf of Customer in the course of performing the Subscription Services. Any capitalized terms not otherwise defined in this DPA shall have the meaning given to them in the Agreement.
1. Definitions. For purposes of this DPA, the following definitions apply:
1.1. “Consumer” means a natural person.
1.2. “Consumer Privacy Laws” means any U.S. privacy or data protection law that applies to Provider’s Processing of Personal Information, including, without limitation, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and any regulations promulgated thereunder (collectively, the “CCPA”), the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, and other analogous international, U.S. federal, state, or local privacy, data protection, information security, marketing, and related laws or regulations.
1.3. “Personal Information” means any information owned or provided by or on behalf of Customer that Provider has access to, obtains, uses, maintains, or otherwise Processes in connection with its performance of services to Company and that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identifiable individual.
1.4. “Process” or “Processing” means any operation or set of operations performed, whether by manual or automated means, on Personal Information or on sets of Personal Information, including but not limited to collection, use, storage, retention, security, disclosure, analysis, deletion, or modification.
1.5. “Profiling” means any form of automated processing performed on Personal Information to evaluate, analyze, or predict personal aspects related to an identified or identifiable Consumer’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
1.6. “Sale” or “Sell” means exchanging, disclosing, making available, transferring or otherwise providing or communicating Personal Information to a third party for monetary or other valuable consideration.
1.7. “Share” or “Sharing” means sharing, releasing, disclosing, making available, transferring or otherwise providing or communicating Personal Information to a third party for cross-context behavioral advertising, as defined in the CCPA, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-contextual behavioral advertising for the benefit of a business in which no money is exchanged.
1.8. “Targeted Advertising” means displaying to a Consumer an advertisement selected based on Personal Information obtained or inferred from that Consumer’s activities over time and across nonaffiliated websites, applications, or online services.
2. Restrictions on Processing. Provider will Process Personal Information only on Customer’s behalf and in accordance with the business purpose set forth in the Agreement, or Customer’s instructions as documented in the Agreement, this DPA, and any associated statements of work/contracts. For clarity, and without limiting the generality of the foregoing, in no event may Provider: (a) Sell or Share Personal Information; (b) disclose Personal Information to any third party for the commercial benefit of Provider or any third party; (c) retain, use, disclose, or otherwise Process Personal Information outside of its direct business relationship with Customer or for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by the Consumer Privacy Laws; or (d) combine Personal Information with personal information that Provider receives from, or on behalf of, other persons, or collects from its own interaction with a Consumer, except and solely to the extent expressly permitted under the Consumer Privacy Laws.
3. Description of Processing. The following describes the scope of Provider’s Processing:
3.1. Nature and Purpose. Compute, storage, and such other services as described in the Agreement and initiated by Customer from time to time.
3.2. Categories of Consumers. Consumers may include Customer’s customers, employees, suppliers, and end users.
3.3. Types of Personal Information. Customer data uploaded to the services under Customer’s Provider accounts, such as log-in credentials and contact information.
3.4. Duration of Processing. As between Provider and Customer, the duration of the Processing under this DPA is determined by Customer pursuant to the terms of the Agreement.
4. Assistance to Customer. Provider will provide all necessary information to enable Customer to conduct and document data protection and risk assessments.
5. Subcontracting. In the event that Provider subcontracts the Processing of Personal Information to an affiliated or third-party subcontractor and/or allows such a subcontractor to further subcontract the Processing of Personal Information to a sub-subcontractor, Provider will notify Customer of such engagement(s). Prior to engaging a subcontractor to Process Personal Information, Provider will provide Customer at least thirty (30) days’ prior notice and the opportunity to object to such engagement. If Customer makes such an objection and Provider is unable to modify its services to prevent engagement of such subcontractor, Customer will have the right to terminate the relevant Processing. Provider will ensure that all such engagement(s), whether between Provider and a subcontractor or between a subcontractor and a sub-subcontractor, are pursuant to a written contract that binds each such subcontractor and sub-subcontractor to obligations that are at least as restrictive and protective of Personal Information as those set forth in this DPA.
6. Consumer Rights and Requests. At Customer’s request, Provider will promptly, and in any event within ten (10) business days of Customer’s request, assist Customer with fulfilling Customer’s obligations to respond to Consumers’ requests to exercise their rights under the Consumer Privacy Laws, by appropriate technical and organizational measures, insofar as it is possible, including without limitation by: (a) on Customer’s instructions, accessing, correcting, securely deleting, opting out of Sale, opting out of Sharing, opting out of Targeted Advertising, opting out of Profiling, or providing copies of any Personal Information identified by Customer; and (b) as applicable, directing any affiliated entity or third-party subcontractor that Processes Personal Information to access, correct, securely delete, opt out of Sale, opt out of Sharing, opt out of Targeted Advertising, opt out of Profiling, or provide copies of any Personal Information identified by Customer. Within five (5) business days of receipt, Provider will send to Customer any request or inquiry related to Personal Information received by Provider or by Provider’s affiliated or third-party subcontractor.
7. Retention and Deletion. Upon termination of the Agreement for any reason or at any time upon Customer’s request, Provider will cease Processing Personal Information and will return such Personal Information in a format retained by Processor or, if specifically directed by Customer, will securely destroy all Personal Information in Provider’s possession, power, or control, except to the extent Provider is required by applicable law to retain such Personal Information. If Provider has a legal obligation to retain Personal Information, Provider will notify Customer in writing of that obligation, to the extent permitted by applicable law, and will return or destroy the Personal Information in accordance with this Section 7 as soon as possible after such legally required retention period has ended. Upon request, Provider will provide Customer with a written certification that Personal Information has been returned or securely destroyed in accordance with this Section 7.
8. De-identification and Aggregation. In the event the Agreement permits or instructs Provider to Process information in de-identified and/or aggregated form, Provider will ensure that any such information qualifies and remains qualified as de-identified information, de-identified data, and/or aggregate information as defined by applicable Consumer Privacy Laws. Provider will make no attempt to re-identify any Consumer to whom such information relates, will publicly commit to maintaining and using such information without attempting to re-identify it, and will take reasonable measures to prevent such re-identification.
9. Audits. Customer may take reasonable and appropriate steps to ensure that Provider Processes Personal Information consistent with Customer’s obligations under the Consumer Privacy Laws, including but not limited to monitoring Provider’s compliance with this DPA through such measures as manual reviews, automated scans, assessments, questionnaires, audits, or other testing no more than once every twelve (12) months. Without limiting the foregoing, Provider, at its own expense, will allow, and cooperate with, reasonable audits, assessments and inspections by Customer or Customer’s designated auditor. Alternatively, at least annually and at Provider’s expense, Provider may arrange for a qualified and independent auditor to conduct an assessment of Provider’s policies and technical and organizational measures in light of Provider’s obligations under the Consumer Privacy Laws, using an appropriate and accepted control standard or framework and audit procedure. Provider will provide a written report of such assessment to Customer upon Customer’s written request.
10. Compliance with Consumer Privacy Laws. Provider will comply with all obligations applicable to Provider’s Processing of Personal Information under the Consumer Privacy Laws. Upon the reasonable written request of Customer, Provider will without undue delay make available to Customer all information in its possession necessary to demonstrate Provider’s compliance with its obligations under the Consumer Privacy Laws. Provider will notify Customer in writing if Provider determines that it can no longer meet its obligations under the Consumer Privacy Laws. Customer has the right, upon providing written notice to Provider, to take reasonable and appropriate steps to stop and remediate unauthorized Processing of Personal Information, including where Provider has notified Customer that it can no longer meet its obligations under the Consumer Privacy Laws.
11. Information Security. Provider will ensure that persons authorized to Process Personal Information are subject to a duty of confidentiality with respect to such Personal Information. Provider will implement and maintain an information security program that extends to the Personal Information and that includes appropriate technical and organizational security measures, procedures, and practices, appropriate to the nature of the Personal Information, that are designed to protect Personal Information while it is being Processed by or on behalf of Provider against anticipated threats or hazards to its security, confidentiality, availability, or integrity. Taking into account the nature of the Processing and the information available to Provider, Provider will assist Customer in meeting Customer’s obligations under the Consumer Privacy Laws in relation to the security of Processing Personal Information.
12. Security Breach. Provider will without undue delay notify Customer if Provider learns that there has been any accidental or unauthorized access, acquisition, use, modification, disclosure, loss, destruction of, or damage to Personal Information (each, a “Security Breach”). At Customer’s request, Provider will, at its own expense, provide reasonable assistance and cooperation as requested by Customer, including investigating and remediating any Security Breach and mitigating any potential damage. To the extent the Security Breach resulted from a violation of Provider’s duties under Section 11 or under any agreement between Provider and Customer, Provider will (a) assist Customer with curing any alleged violation and taking steps designed to ensure that no further violations shall occur; and (ii) provide Customer with a written statement confirming such cure.
13. Other. In the event any provision of this DPA is held invalid or unenforceable by any court of competent jurisdiction, such holding will not invalidate or render unenforceable any other provision of this DPA or any other agreement between Provider and Customer. This DPA amends and supplements the Agreement. Unless a provision or obligation in the Agreement is more protective of Company, this DPA will control in the event of any inconsistency between the Agreement and this DPA. Any other provisions of or obligations under the Agreement that are otherwise unaffected by this DPA will remain in full force and effect.
END OF DOCUMENT