Respona – Data Processing Addendum

1Introduction

This Data Processing Addendum (“DPA”) forms a part of the Terms and Conditions (the “Principal Agreement”) between HindSite Interactive, Inc., doing business as Respona (“Processor”) and you (sometimes herein referred to as the “Controller”) available at https://respona.com/terms-of-use/ that governs use of the services provided by Processor (hereinafter the “Agreement”), each hereinafter a “Party” and collectively the “Parties.” 

2Definitions

  1. Data Protection Laws and Regulations” means all applicable laws and regulations relating to data protection and privacy, including (without limitation) (i) the EU General Data Protection Regulation 2016/679 (“GDPR”); (ii) the EU (Data Protection) Directive 95/46/EC and the EU (ePrivacy) Directive 2006/24/EC, as transposed into domestic legislation of each Member State, and/or any successor data protection or processing legislation, directive, or regulation (together, “EU Data Protection Laws”); and (iii) any other data protection laws applicable to either party, including the California Consumer Protection Act, Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code (“CCPA”).
  2. Controller” means an entity that determines the purposes and means of the processing of Personal Data.
  3. Contacts” means personal data relating to residents of the European Economic Area shared or exposed to Processor under this Agreement that consists of email addresses, contact information, or other similar information on Party provides to the other. 
  4. Personal Data” means personally identifiable information relating to an individual or identifiable natural person. 
  5. Processor” means an entity that processes Personal Data as instructed by another party.
  6. Supervisory Authority” means either (as applicable): (i) an independent public authority which is established by an EU Member State pursuant to Article 51 of the GDPR; (ii) the California Attorney General; or (iii) any other public authority as set out in Data Protection Laws.
  7. Terms capitalized but not defined herein have the meanings given in the Agreement.

3Details of Processing

  1. To provide the Services to Controller, Processor will share Contacts with Controller in accordance with the Principal Agreement and Processor will independently process such data for Controller, subject to the Principal Agreement. 
  2. Each party determines in its sole discretion the means and purposes for processing Contacts in its control. For the avoidance of doubt, with respect to Contacts that have been shared with Controller, Processor does not determine the means or purpose of Controller’s processing after Controller receives or accesses such data.

4No Joint Controllership

  1. Controller and Processor are not Joint Controllers of any Contacts.
  2. Processor and Controller are each independent controllers of Contacts.

5Contact Sharing

  1. Controller represents and warrants that it (i) has obtained sufficient rights, title, interest, and consents necessary to provide such Contacts to Processor in compliance with Data Protection Laws and Regulations and for Processor to process such Contact information in accordance with Controller’s instructions.
  2. Controller will implement appropriate technical and organizational measures that meet minimum requirements under Data Protection Laws and Regulations. Such measures are designed to protect the security, integrity, and confidentiality of Contacts and to protect against unauthorized processing, loss, use, disclosure, acquisition of, or access to, such data.
  3. Processor will process Contacts in compliance with applicable Data Protection Laws and Regulations.

6Data Subjects and Supervisory Authorities

  1. Controller and Processor are each separately responsible for fulfilling all requests from data subjects and Supervisory Authority with respect to the Contacts in their control.
  2. If either party receives a request from a Supervisory Authority designated in Data Protection Laws and Regulations involving or affecting the other party’s processing of the Contacts, the receiving party will promptly forward such request to the other party unless prohibited by law.

7Order of Precedence

In the event of a conflict between this exhibit and the Principal Agreement, the provisions of this exhibit will control. Except as modified herein, all terms and conditions of the Principal Agreement remain in full force and effect.