ABC IGNITE DATA PROCESSING ADDENDUM 

This ABC IGNITE DATA PROCESSING ADDENDUM, including its Appendices, (collectively, the “DPA”) will become part of your Master Subscription Agreement (“MSA”) with ABC Fitness Solutions, LLC (“ABC,” “we,” “us” or “our”) and, in addition to the MSA, will govern the processing of Personal Data (defined below) pursuant to the MSA between ABC and you (“Customer,” “you,” or “your”) (ABC and Customer each individually, a “Party”, and collectively, the “Parties”). If you are organized in Canada, then this DPA is between you and 3287646 Nova Scotia Company (the “Nova Scotia Company”) and all references herein to ABC shall mean the Nova Scotia Company. The DPA shall be effective as of the Effective Date of the MSA (the “Effective Date”).

  1. ABC and Customer are parties to one or more written agreements, including the MSA, pursuant to which ABC provides Customer with certain fitness club payment processing and/or business management software and services (the “Services Agreement(s)”). 
  2. ABC and Customer now wish to amend the Services Agreement(s) to ensure that such Customer Data is processed in compliance with applicable data protection principles, legal requirements, and due respect for the rights and freedoms of individuals whose Personal Data is processed.
  3. The purpose of the DPA is to set out the terms that apply when Personal Data (defined below) is processed by ABC under the Agreement. 
  4. Accordingly, unless context requires otherwise, the Services Agreement(s) between the parties are hereby amended, supplemented by, and subject to any and all new provisions included in this DPA. 

In consideration of the mutual obligations contained in this DPA, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:   

1. DEFINITIONS. 

For the purpose of interpreting this DPA, the following terms (and their applicable cognates) shall have the meanings set out below: 

“ABC Account Data” refers to data that relates to Customer’s business relationship with ABC, including to access Customer’s account and billing information, maintain or improve performance of the Platform and Payment Services, provide support, investigate and prevent abuse on the Platform, or to fulfil legal obligations. ABC Account Data does not include Customer Data.

“ABC Fitness Affiliate” refers to any Affiliate or subsidiary of ABC, including ABC Fitness Solutions, LLC and its Affiliates and their respective Affiliates and subsidiaries.

“Affiliate” refers to any entity within a controlled group of companies that directly or indirectly, through one or more intermediaries, is controlling, controlled by, or under common control with one of the Parties.

“Applicable Data Protection Laws” refers to all laws and regulations applicable to ABC’s processing of Personal Data under the Services Agreement(s), including but not limited to the laws and regulations identified in Appendix II hereto as may be amended, superseded, or replaced from time to time, as applicable.

“CCPA” refers to the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.

“Contracted Processor” refers to any third party appointed by or on behalf of ABC to Process Customer Data in connection with the Services.

“Controller” or “controller” refers to the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Customer Data” means the information, materials, data, and other content (including data belonging to End Users, which may include End User payment card data), entered, uploaded, or inputted into the Platform or used in the Payment Services and tied to a Customer’s ABC account or business location. Customer Data only includes Personal Data that ABC processes on behalf of Customer. Customer Data does not include information necessary for ABC to carry out its independent obligations as a payment processor, for which it shall be an independent controller.

“Data Exporter” refers to a Party that is sending (exporting) Personal Data to another Party.

“Data Importer” refers to a Party that is receiving (importing) the Personal Data from another Party.

“Data Subject(s)” refers to the individual(s) to whom the Personal Data relates.

“Jurisdiction Specific Terms” refers to all terms applicable to the processing of Customer Data that apply to the extent that Customer Processes Personal Data originating from, or protected by, Applicable Data Protection Laws in one of the jurisdictions identified in these terms.

“Personal Data” means any information, including personal information, processed by or on behalf of ABC to provide the Services in accordance with the Services Agreement(s) that is related to an identified or identifiable Data Subject, or as defined in and subject to Applicable Data Protection Laws.

“Personally Identifiable Information” means Customer Data that would constitute the type of information that would reasonably give rise to an obligation to notify regulators and/or Data Subjects in the event of a breach of security under applicable laws, such as PIPEDA and/or provincial laws throughout Canada and the United States addressing security breaches (e.g., California’s Information Practices Act of 1977, Sections 1798-1798.78), and excludes definitions of Personal Data that would otherwise not meet this definition under Applicable Data Protection Laws.

“Processor” or “processor” refers to the entity which processes Customer Data on behalf of the Controller.

“Processing” or “processing” (and “Process” or “process”) refers to any operation or set of operations performed upon Customer Data, whether or not by automated means, such as collection, recording, securing, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

“Security Breach” or “Security Breaches” refers to a breach of security leading to any accidental, unauthorized or unlawful loss, disclosure, destruction, alteration, or access to Personally Identifiable Information transmitted, stored or otherwise processed by ABC. Security Breach shall not include an unsuccessful attempt or activity that does not compromise the security of Customer Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.

“Sensitive Personal Data” refers to Personal Data that, if disclosed or misused, could result in harm, compromise individual privacy, or identity theft, and includes but is not limited to health data, financial information, authentication credentials, government-issued identification numbers, and any data defined as Sensitive Personal Data under Applicable Data Protection Laws.

“Services” refers to the services and other activities carried out by or on behalf of ABC for Customer pursuant to the Services Agreement(s).

“Sub-processor” or “sub-processor” refers to a direct processor of a processor:

  1. ABC, when ABC is processing Customer Data and where Customer itself is a processor of such Customer Data; or  
  2. any third-party processor engaged by ABC or its Affiliates to assist in fulfilling ABC’s obligations under the Services Agreement(s) and which processes Customer Data. 
  3. Sub-processors may include third parties or ABC Affiliates but shall exclude ABC employees, contractors or consultants. 
  4. For the avoidance of doubt, Contracted Processors are sub-processors. 

“Supervisory Authority” refers to an independent public authority which is established by Applicable Data Protection Laws.

“Third Party Request” refers to any request, correspondence, inquiry, or complaint from a Data Subject, regulatory authority, or third party.

Any capitalized terms used but not defined in this DPA will have the meanings provided to them in the Services Agreement(s). 

The terms “Data Protection Assessment”, “Member State”, “Personal Information”, “Rights of the Data Subjects”, “Sensitive Personal Information”, and “Third Country” shall have the same meanings as under Applicable Data Protection Laws, and their cognate and corresponding terms shall be construed accordingly.

2. SCOPE AND APPLICABILITY 

2.1 Duration. This Addendum shall take effect on the Effective Date and shall continue concurrently for the duration that Customer Data is processed by ABC pursuant to the Services Agreement(s). 

2.2 Scope. This Addendum will apply to the processing of all Customer Data, regardless of country of origin, place of processing, location of Data Subjects, or any other factor. 

2.3 Appendices. This Addendum includes the following appendices: 

  1. Appendix I – Details of Processing; 
  2. Appendix II – Technical and Organizational Measures; and 
  3. Appendix III – Jurisdiction Specific Terms 

3. STATUS OF THE PARTIES 

3.1 ABC as a Processor of Customer Data. The parties acknowledge and agree that Customer is the Controller of Customer Data and, except to the extent described below, ABC will be the Processor of such Customer Data on Customer’s behalf.  

3.2 ABC as a Controller of ABC Account Data. The parties acknowledge that with regard to the processing of ABC Account Data, ABC is an independent Controller, not a joint Controller of Personal Data with Customer. ABC will process ABC Account Data as a Controller (a) in order to manage the relationship with Customer; (b) carry out ABC’s core business operations, such as accounting and filing taxes; (c) in order to detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Platform or Payment Services; (d) to comply with ABC’s legal or regulatory obligation to retain Customer Data; and (e) as otherwise permitted under Applicable Data Protection Laws and in accordance with the Services Agreement(s).  

3.3 ABC as a Controller of Customer’s Usage Data. The parties acknowledge that with regard to the processing of Customer Data associated with its use of the Platform (“Usage Data”), Customer may act either as a controller or processor of Usage Data and ABC is an independent controller, not a joint controller of Usage Data with Customer. ABC will process Usage Data as a controller in order to carry out the necessary functions as a hosted gym management platform and payment processor to owners and operators of gyms and fitness studios, such as (a) ABC’s own accounting, tax, billing, audit, and compliance functions; (b) to provide, optimize, and maintain the Platform; (c) to investigate fraud, misuse or the unlawful use of the Platform or Payment Services; (d) as required by applicable law or regulation; or (e) as otherwise permitted under Applicable Data Protection Laws and in accordance with the Services Agreement(s). 

4. CUSTOMER OBLIGATIONS 

4.1 Compliance. Customer is responsible for ensuring that (a) all notices have been given, and all such authorizations have been obtained, as required under Applicable Data Protection Laws, for ABC (and its Affiliates and sub-processors) to process Customer Data as contemplated by the Services Agreement(s) and this DPA; (b) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including Applicable Data Protection Laws; and (c) it has, and will continue to have, the right to transfer, or provide access to, Customer Data (including any Personal Data) to ABC for processing in accordance with the terms of the Services Agreement(s) and this DPA. 

5. PROCESSING OF CUSTOMER DATA 

5.1 Details of Processing. The duration of the processing, the nature and purpose of the processing, the types of Personal Data and the categories of Data Subjects processed under this DPA are further specified in Appendix I (Details of Processing).  

5.2 Appointment; Customer Instructions. Customer appoints ABC as a Processor to process Customer Data (including, without limitation, Personal Data) on behalf of, and in accordance with, Customer’s instructions (a) as set forth in the Services Agreement(s), this DPA, and as otherwise necessary to provide the Payment Services and Platform to Customer (which may include investigating security incidents and detecting and preventing exploits or abuse); (b) as necessary to comply with applicable law, including Applicable Data Protection Laws; and (c) as otherwise agreed in writing between the parties (collectively, “Permitted Purposes”).  

5.3 Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Laws. Customer acknowledges that ABC is neither responsible for determining which laws are applicable to Customer’s business nor whether the Payment Services or the Platform meet or will meet the requirements of such laws. Customer will ensure that ABC’s processing of Customer Data (including Personal Data), when done in accordance with Customer’s instructions, will not cause ABC to violate any Applicable Data Protection Laws.  

5.4 Additional Instructions. Additional instructions outside the scope of the Services Agreement(s) or this DPA will be mutually agreed to between the parties in writing. 

6. ABC PERSONNEL 

6.1 Confidentiality. ABC will require that its personnel with authorized access to Customer Data have committed themselves to confidentiality or are under an appropriate obligation of confidentiality. ABC will require that all new hires at the company enter into confidentiality agreements and that such confidentiality obligations survive the termination of the personnel engagement.

6.2 Data Protection Officer. ABC will appoint a data protection officer (“DPO”) where such appointment is required by Applicable Data Protection Laws.  ABC’s DPO may be reached at [email protected]

7. SUB-PROCESSORS 

7.1 Authorization for Sub-Processing. Customer agrees that (a) ABC may continue to engage its sub-processors, which ABC or its Affiliates may update from time to time; and (b) such Affiliates and sub-processors may engage third-party processors to process Customer Data on ABC’s behalf.  

7.2 General Authorization for Onward Sub-Processors. Customer provides a general authorization for ABC to engage onward sub-processors provided that the following conditions are met: (a) ABC will restrict the onward sub-processor’s access to Customer Data only to what is strictly necessary to provide Payment Services/Platform and ABC will prohibit the sub-processor from processing Customer Data for any other purpose; (b) ABC agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect Customer Data on any sub-processor it appoints to help ensure that the sub-processor will not Process Customer Data beyond the scope of processing description set out in Appendix I (Details of Processing), requires such sub-processor to protect Customer Data to the standard required by Applicable Data Protection Laws; and (c) where the engagement involves (or may involve) the cross border transfer of Customer Data, incorporate into the contractual obligations referred to at (b) above. 

7.3 Objection Right for New Sub-Processors. ABC may add or replace a sub-processor. Where required by law, ABC will use commercially reasonable efforts to provide Customer notice of any new sub-processors, which may be posted via an accessible web page or communicated via other means. If Customer objects to the appointment within a reasonable notice period, then ABC will work with Customer in good faith to find an alternative solution (which may include changing the Customer’s configuration or use of Payment Services/Platform to avoid processing of Customer Data by the objected-to new sub-processor). If ABC is unable to make available such change within a reasonable period of time and only if Applicable Data Protection Laws or other laws in the applicable jurisdiction require,  Customer may terminate the Order Form with respect only to those Payment Services/parts of the Platform which cannot be provided by ABC without the use of the objected-to new sub-processor, by providing written notice to ABC 180 days before such termination would take effect. 

7.4 Liability. ABC shall be liable for the acts or omissions of its sub-processors to the same extent ABC would be liable if performing the services of each sub-processor directly under the terms of this DPA, unless otherwise set forth in the Services Agreement(s). 

8. RIGHTS OF DATA SUBJECTS 

8.1 Data Subject Requests. ABC will, to the extent legally permitted, promptly notify Customer if ABC receives a request (including, without limitation, a Third-Party request) from a Data Subject to exercise the Data Subject’s rights of access, right to rectification, restriction of processing, erasure (the right to be forgotten), data portability, object to the processing, or its right not to be subject to an automated individual decision making (collectively, “Data Subject Request”). Taking into account the nature of the processing, ABC shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to a Data Subject Request under Applicable Data Protection Laws. In addition, to the extent Customer, in its use of the Platform or Payment Services, does not have the ability to address a Data Subject Request, ABC shall upon Customer’s request use commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent ABC is legally permitted to do so and the response to such Data Subject Request is required by Applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from ABC’s provision of such assistance.  

8.2 Data Protection Impact Assessment and Prior Consultation. Upon Customer’s request, ABC shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligations under Applicable Data Protection Laws with regard to any required data protection assessments or prior consultations with Supervisory Authorities. 

9. RETURN OR DELETION OF CUSTOMER DATA 

9.1 Deletion Upon Termination. ABC shall return Customer Data to Customer and, to the extent permitted by law, delete Customer Data in accordance with the procedures, fees, and timeframes as specified in the Services Agreement(s).  

9.2 Retention. Notwithstanding Section 8.1 above, ABC will use commercially reasonable efforts to implement and maintain appropriate retention periods for Customer Data in accordance with Applicable Data Protection Laws and other laws applicable to ABC. ABC will delete Personal Data as soon as retention of such data is no longer necessary for the purposes of processing under this DPA, subject only to situations where a longer period is required by Applicable Data Protection Laws or such other laws applicable to ABC. 

10. SECURITY 

10.1 Security Measures. ABC has implemented and will maintain for the duration of the Services Agreement(s), appropriate technical and organizational measures designed to protect Personal Data against Security Breaches. Customer acknowledges that ABC may change or update the security measures currently in place as new threats to Personal Data are identified or evolve.  

10.2 Security Breach Notification. Upon becoming aware of a Security Breach involving Personally Identifiable Information, ABC will, without undue delay (and in any event within the timeframes required under Applicable Data Protection Laws), notify Customer at Customer’s email address associated with Customer’s ABC account.  

10.3 ABC Response to Security Breach. ABC will make reasonable efforts to identify the source of a Security Breach, and to the extent the Security Breach is caused by ABC’s violation of this DPA, remediate the cause of such incident. ABC will provide Customer with such assistance and information about the Security Breach as may be reasonably necessary for Customer to be able to fulfil its breach reporting obligations under Applicable Data Protection Laws. Any ABC notification of or response to a Security Breach shall not be construed as an acknowledgement of fault by ABC, or of ABC liability with respect to such Security Breach. 

10.4 Customer’s Security Obligations. Customer is solely responsible for its and its Authorized Users’ use of the Payment Services, and its/their access to the Platform, including safeguarding all log-in credentials or account passwords and otherwise ensuring a level of security appropriate to the risks associated with its Customer Data. 

11. AUDIT RIGHTS 

11.1 Audit Rights. The parties acknowledge that Customer must be able to reasonably assess ABC’s compliance with its obligations under Applicable Data Protection Laws and this DPA insofar as ABC is acting as a Processor of Personal Data. Customer’s right to exercise audit rights under this section will be limited to once per year. 

11.2 Information Necessary to Demonstrate Compliance. ABC shall make available to the Customer, upon request and provided ABC is provided sufficient and reasonable time to prepare, all information reasonably necessary to demonstrate compliance with its processing obligations laid down in this DPA. Examples of information necessary (and, the parties agree, sufficient) to demonstrate compliance, include but are not limited to SOC 2 Type 2 reports and ISO 27001 certification, or the reasonable equivalent of either.

11.3 Right to Audit and Inspections. ABC, acting as a Processor of Customer Data, and if provided 45 days’ written notice accompanied with an agenda, shall allow for and contribute to reasonable audits, including inspections, conducted by the Customer or other independent auditor mandated by the Customer, provided Customer shall cover the costs for any audits and/or inspections beyond reviewing applicable ISO and/or SOC report and shall subject any third parties assisting with audits to strict confidentiality. ABC may satisfy this obligation by providing access to the applicable ISO and/or SOC reports.

12. JURISDICTION SPECIFIC TERMS  

12.1 Jurisdiction Specific Terms. To the extent ABC processes Personal Data originating from and protected by Applicable Data Protection Laws in one or more of the jurisdictions listed below, terms for each jurisdiction shall apply as set forth in Appendix III (Jurisdiction Specific Terms).

13. LIMITATION OF LIABILITY 

13.1 Liability Limits. Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in the Services Agreement(s).  

13.2 Party Limitation. Any claim made against ABC or its Affiliates under or in connection with this DPA shall be brought solely by Customer that is a party to the Services Agreement(s). 

13.3 No Limitation on Individual Data Subject Rights. In no event shall any party limit its liability with respect to any individual Data Subject’s rights under Applicable Data Protection Laws. 

14. GENERAL PROVISIONS 

14.1 Conflict; Order of Precedence. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will prevail. If there is a conflict between the Services Agreement(s) and this DPA, the terms of this DPA will prevail. The order of precedence will be: (a) this DPA; (b) then the Order Form; and (c) then the Terms. In the event (and to the extent only) of a conflict (whether actual or perceived) among Applicable Data Protection Laws, the parties (or relevant party as the case may be) shall comply with the more onerous requirement or standard which shall, in the event of a dispute in that regard, be solely determined by ABC.  

14.2 Modification. Notwithstanding anything else to the contrary in the Services Agreement(s), ABC reserves the right to make any modification to this DPA as may be required to comply with Applicable Data Protection Laws.  

14.3 Services Agreement(s). Except as amended by this DPA, the Services Agreement(s) will remain in full force and effect. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Services Agreement(s). 

14.4 Notice. The Parties shall use the Data Protection Contact provided in Appendix I (Details of Processing) as contact points for all matters related to this Addendum, including notice of a Security Breach and inquiries pursuant to Rights of the Data Subjects.  

14.5 Severability. Should any provision of this Addendum be found legally invalid or unenforceable, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision, and the remainder of this Addendum will continue in effect. 

14.6 Non-Compliance. Where required by applicable laws, if ABC determines that it can no longer meet any of its obligations set out within this Addendum and/or Applicable Data Protection Laws, it shall (i) promptly notify Customer of that determination and (ii) cease the processing, if requested by Customer, or immediately take other reasonable and appropriate steps to remediate the lack of compliance. 

14.7 Ambiguity. ABC may amend this Addendum without notice to or consent of Customer for the purposes of a) curing any ambiguity, b) curing, correcting or supplementing any defective provision contained herein, or c) making any other provisions with respect to matters or questions arising under this Addendum; provided that such action shall not materially alter the Addendum. 

14.9 Disclosure to Supervisory Authorities. The Parties acknowledge that either Party may disclose this Addendum and any relevant privacy provisions in the Agreement to Supervisory Authorities, or any other judicial or regulatory body, upon their request. 

APPENDIX I 
DETAILS OF PROCESSING 

Name and Address: ABC Fitness Solutions, LLC and its relevant Affiliates, 2600 N. Dallas Pkwy, Suite 590, Frisco, TX 75034. Customer: See Services Agreement
ABC Contact as Processor:  Kathleen Kruger Data Protection & Compliance Officer  [email protected]  
Customer Data Protection Contact:  See Services Agreement  
Controllership Role: Each Party may serve one or more of the following roles, according to the purposes of the Customer Data being Processed. Controller and Processor: Customer as the Controller and ABC as the Processor. Customer is the Controller of Customer Data belonging to End Users when Customer is servicing End Users directly, while ABC is Customer’s Processor. Processor and (Sub-)Processor: Customer as the Processor and ABC as the (Sub-)Processor. Customer is the Processor of Customer Data belonging to End Users when Customer is servicing End Users indirectly on behalf of Customer’s clients, i.e., Customer’s clients are the respective Controllers, whereas ABC is Customer’s Sub-Processor. E.g., if a client hires Customer as Processor and ABC acts as its Sub-Processor in assisting Customer to perform the client contract, then Customer’s client largely determines the purposes and means of processing, to which Customer and ABC are subject.
Data Transfer Role: Each Party may serve one or more role, according to the purposes of the Customer Data being Processed: A Party serves as the Data Exporter when sending (exporting) the Customer Data to another Party. A Party serves as the Data Importer when receiving (importing) the Customer Data from another Party. ABC: Data Importer. Customer: Data Exporter.
Categories of Data Subjects: The categories of Data Subjects whose Personal Data is processed include:  Customer, including (a) Customer company (i.e., the legal entity with licensed rights to access and use the Platform and Payment Services); and (b) Customer’s Authorized Users (i.e., Customer’s employees, Customer’s Affiliates employees, or Customer’s permitted third party agent for whom Customer creates a unique username and password under Customer’s ABC account); and  End Users (i.e., Customer’s members, clients or customers with authorization to create an End User account to access and use the Platform).  
Categories of Personal Data: Customer may upload, submit, or otherwise provide certain Personal Data to the Platform, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of Personal Data: Identity Data includes company name, email address, phone number, corporate office address, business location address, tax identification information, and company contact information (including name, email address and phone number); Account Data includes Customer’s username, password, communication preferences, feedback and any survey responses; Technical Data includes Customer’s internet protocol (IP) address, login data, browser type and version, time zone settings and location, browser plug-in types and versions, type and version of operating system, hardware version, device settings, software types, device manufacturer and model, language, and other technology on the device Customer uses to access the Platform; Usage Data includes information about how Customer uses the Platform; Marketing & Communications Data includes Customer’s chosen preferences for receiving marketing or other types of communications from ABC or its Affiliates; Transaction Data includes commercial information such as Customer’s bank account, transaction history, and card information needed to complete a purchase or make a transaction; and End User Data includes an End User’s name, email, address, phone number, tokenized payment account information, communication preferences, bookings and purchase history, check-in logs, and other information pertaining to an End User’s profile or use of Customer’s facilities, products or services.
Sensitive Personal Data Processed (if applicable): Other than financial data, ABC does not want to, nor does it intentionally collect or process any Sensitive Personal Data in connection with its provision of Payment Services to Customer. 
Frequency of Processing: Continuous, as determined by Customer and End User.  
Type of Processing: Electronically.  
Subject Matter and Nature of Processing: ABC provides a hosted club management platform to owners and operators of health clubs and fitness studios in the fitness industry, as more particularly described in the Services Agreement(s).   The subject matter of the data processing under this DPA is the Customer Data (which includes Personal Data). Customer Data will be processed in accordance with the Services Agreement(s) (including this DPA) and may be subject to the following processing activities:   Storage and other processing necessary to provide, maintain and improve the Platform and Payment Services provided to Customer pursuant to the Services Agreement(s); and/or  Disclosures in accordance with the Services Agreement(s) and/or as compelled by Applicable Data Protection Laws.  
Purpose of the Processing: ABC shall only process Personal Data for the Permitted Purposes, which shall include:   as set forth in the Services Agreement(s), this DPA, and as otherwise necessary to provide the Payment Services/Platform to Customer (which may include investigating security incidents and detecting and preventing exploits or abuse);   as necessary to comply with applicable law, including Applicable Data Protection Laws; and   as otherwise agreed in writing between the parties or as otherwise permitted by applicable law, including Applicable Data Protection Laws.  
Duration of Processing and Period for Which Personal Data will be Retained: ABC will process Personal Data as outlined in Section 9.2 (Retention) of the DPA. 
Technical and Organizational Measures of Contracted Processors: When ABC engages a Contracted Processor under the Addendum, ABC and the Contracted Processor shall enter into an agreement with data protection terms substantially similar to those contained in the Addendum where appropriate. ABC shall require that the agreement with each Contracted Processor allows ABC to meet its respective obligations with respect to Customer.  In addition to implementing technical and organizational measures designed to protect Personal Data, Contracted Processors must: notify ABC in the event of a Personally Identifiable Information so that ABC may immediately notify Customer; delete Personal Data when instructed by ABC in accordance with Customer’s instructions to ABC; if required by Applicable Data Protection Laws, not engage additional Contracted Processors without ABC’s general or specific authorization; and not process Personal Data in a manner which conflicts with Customer’s instructions to ABC. 


Appendix II 
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES 

Throughout the term of the Agreement and for so long as ABC has access to any Personal Data, ABC shall implement and maintain at least the following (or superior) technical and organizational security measures (“TOMs”) designed to safeguard such Personal Data, to the extent necessary taking into account the state of the art, costs of implementation and nature, scope, context and purposes of processing as well as risk of varying likelihood:

Type of TOMs: Description of TOMs
Measures for pseudonymization and encryption of Personal Data: Encryption in transit and at rest (sensitive Personal Data); Strong encryption algorithms, reviewed annually, with regular key rotation
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services: Alignment with ISO 27001 standards; ISO 27001 certification in progress; Compliance with PCI DSS; SOC 1 Type 2 report available
Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident: Encrypted, redundant backups; Documented DR plan including RTO/RPO; Annual DR testing
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the Processing: Annual third-party assessments; ISO 27001, PCI AOC, SOC 1 Type 2; Risk Register; Monthly risk reviews
Measures for user identification and authorization: Centralized identity management; Enforcement of password complexity and rotation; Regular reviews of access privileges; Least privilege access permissions
Measures for the protection of Personal Data during transmission: Encryption with TLS 1.2+; Collection of least data necessary for business purposes; Individualized API keys
Measures for the protection of Personal Data during storage: Encryption with strong encryption; Regular rotation of encryption keys; Encryption of backups
Measures for ensuring physical security of locations at which Personal Data are Processed: Hosting facilities: SOC 2 and/or ISO 27001 compliant; Office spaces: Badge access for doors, Camera coverage for entrances/exits and access to sensitive areas, Reception and visitor management process
Measures for ensuring events logging: Centralized log aggregation and monitoring (SIEM); Regular review of log sources; Hardware onboarding process
Measures for ensuring system configuration, including default configuration: Standardized system images; Configuration monitoring
Measures for internal IT and IT security governance and management: Regular risk reviews; Regular policy and process reviews; Quarterly KPI reviews
Measures for certification/assurance of processes and products: Annual SOC 1 Type 2 report; Annual PCI AOC; ISO 27001 certification (in progress)
Measures for ensuring data minimization: Process only necessary data as instructed by the Data Controller; Purpose-driven data handling as instructed by the Data Controller or as a Joint Controller when relative to billing information where applicable; Role-based access; Data audits and reviews
Measures for ensuring data quality: Process data as instructed by the Data Controller; Provide mechanisms whereby the Data Controller and the Data Subject may correct/update data where applicable; Secure data transmission and storage; Assist the Data Controller with Data Subject Requests
Measures for ensuring limited data retention: Once the Retrieval Period has ended all Customer Data is generally removed from ABC systems per the terms in the Agreement, unless noted otherwise in the Service Agreement(s) during which ABC may reserve the right to retain a copy of your Customer Data at our cost for the duration of our internal record retention policies, or for such longer periods as may be necessary to comply with our legal obligations, maintain accurate financial and other records, resolve disputes and enforce our agreements. 
Measures for ensuring accountability: Compliance with data processing obligations; Record keeping and documentation; Technical and organizational security measures; Auditing and assessments; Employee training and awareness; Incident response and notification where applicable; Cooperation with Data Controllers and Authorities where applicable
Measures for allowing data portability and ensuring erasure: Upon the Data Controller’s request, ABC will facilitate the export of Customer Data in a format reasonably agreed upon by the Controller and ABC as the Data Processor.  
Other:  
Information about Contracted Processors’ TOMs: Set forth in Appendix I. 


APPENDIX III 
JURISDICTION SPECIFIC TERMS 

1. Canada. 

Wherever the Processing pursuant to the Addendum falls within the scope of Canada Personal Information Protection and Electronic Documents Act (“PIPEDA”), the provisions of the Addendum and this Section shall apply to such Processing. 

    “Applicable Data Protection Laws” includes the Canada Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Alberta Personal Information Protection Act, SA 2003, c P-6.5, the British Columbia Personal Information Protection Act, SBC 2003, c 63, and the Quebec Act Respecting the Protection of Personal Information in the Private Sector.

    (i) ABC’s sub-processors are third parties under Applicable Data Protection Laws with whom ABC has entered into a written contract that includes terms substantially similar to this DPA. ABC has conducted appropriate due diligence on its sub-processors.  

    (ii) ABC will implement technical and organizational measures as set forth in Section 10 (Security) of this DPA. 

2. United States of America.

    Wherever the processing pursuant to the Addendum falls within the scope of United States Data Protection Laws (defined below), the provisions of the Addendum and this Section shall apply to such processing.  

      “Business Purpose”, “Commercial Purpose”, “Sell”, and “Share” shall have the same meanings as under applicable United States Data Protection Laws, and their cognate and corresponding terms shall be construed accordingly.

      “United States Data Protection Laws” include, individually and collectively, enacted state and federal laws, acts, and regulations of the United States of America that apply to the processing of Personal Data, as may be amended from time to time. Such laws include, without limitation:

      1. the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code § 1798.100 et seq.) (“CCPA”) and the California Privacy Rights Act (“CPRA”), together with all implementing regulations.
      • The definition of “Applicable Data Protection Laws” includes the CCPA and the CPRA.  
      • The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Laws and, for clarity, includes any Personal Information contained within ABC Account Data, Customer Data, and Usage Data.  
      • The definition of “Data Subject” includes “Customer” as defined under Applicable Data Protection Laws. Any data subject rights, as described in Section 7.1 (Data Subject Requests) of this DPA, apply to Customer rights.  
      • With regard to data subject requests, ABC can only verify a request from Customer and not from any of Customer’s End Users or any third party.  
      • The definition of “Controller” includes “Business” as defined under Applicable Data Protection Laws.  
      • The definition of “Processor” includes “Service Provider” as defined under Applicable Data Protection Laws.  
      • ABC will process, retain, use, and disclose personal data only as necessary to provide the Payment Services and Platform under the Services Agreement(s), which constitutes a business purpose. 
      • ABC agrees not to (A) sell (as defined by the CCPA and CPRA) Customer’s Customer Data (including Personal Data) or Customer’s End User’s Personal Data; (B) retain, use, or disclose Customer’s Personal Data for any commercial purpose (as defined by the CCPA and CPRA) other than providing the Payment Services/Platform; or (C) retain, use, or disclose Customer’s Personal Data outside of the scope of the Services Agreement(s).
      • ABC certifies that its sub-processors are Service Providers under Applicable Data Protection Laws with whom ABC has entered into a written contract that includes terms substantially similar to this DPA. ABC conducts appropriate due diligence on its sub-processors.  
      • ABC will implement and maintain reasonable security procedures and practices appropriate to the nature of the personal data it processes as set forth in Section 9 (Security) of this DPA. 
      2. the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq., together with all implementing regulations;
      3. the Connecticut Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015;
      4. the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.; and
      5. the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.

      Processing of Personal Data. Customer discloses Personal Data to ABC solely for: (i) valid Business Purposes; and (ii) to enable Customer to perform the Services. Customer shall not: (i) Sell or Share Personal Data; (ii) retain, use or disclose Personal Data for a Commercial Purpose other than providing the Services specified in the Services Agreement(s) or as otherwise permitted by United States Data Protection Laws; (iii) retain, use, or disclose Personal Data except where permitted under the Services Agreement(s) between ABC and Customer; nor (iv) combine Personal Data with other information that Customer Processes on behalf of other persons or that Customer collects directly from the Data Subject, with the exception of processing for Business Purposes. Customer certifies that it understands these prohibitions and agrees to comply with them. 

      Termination. Upon termination of the Services Agreement(s), ABC shall, as soon as reasonably practicable, destroy all Personal Data it has Processed on behalf of Customer after the end of the provision of Services relating to the processing and destroy all copies of the Personal Data unless applicable law requires or permits storage of such Personal Data.  
