CLIENT DATA PROCESSING ADDENDUM
This Data Processing Addendum (the “DPA”) governs the processing of Personal Data by Social Factor on behalf of a Client in connection with Social Factor’s performance (e.g., provision of services) under the terms of its contract with the Client, unless Social Factor and the Client mutually agree to alternate data protection terms. By executing a master agreement or related purchase ordering document, such as a Statement of Work (SOW) or Change Order, referencing this DPA or commencing work under a Statement of Work, the Client identified on the relevant master terms and the applicable ordering documents (collectively, the “Agreement”) enters into this DPA with Social Factor, Inc.
This DPA reflects the Parties’ agreement regarding the Processing of Personal Data, in accordance with the requirements of Applicable Data Privacy Law and shall be incorporated into and form part of the Agreement. This DPA will terminate in accordance with the termination provisions of the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail. Capitalized terms not defined herein are as defined in the Agreement.
Definitions. The following definitions and rules of interpretation apply in this Agreement:
“Applicable Data Privacy Law” means all applicable United States federal, state and local laws and regulations pertaining to the Processing of Personal Data under or in connection with the Agreement, which are currently in effect and as they become effective or amended, including but not limited to the California Consumer Privacy Act (“CCPA”), Colorado Privacy Act, Connecticut Personal Data Privacy Act, Virginia Consumer Data Protection Act, Oregon Consumer Privacy Act, Texas Data Privacy and Security Act, and Utah Consumer Privacy Act.
“Controller” means any person or entity that determines the purposes and means of Processing Personal Data, and on whose behalf, Social Factor, in its capacity as a Processor or Subprocessor, as well as any contractors who may be engaged by Social Factor, act in relation to the Processing of Personal Data. The Controller, for purposes of this DPA, may be the Customer, a Customer client, or a Customer client’s end user. A Controller may also sometimes be a “Business” as such term is defined under the CCPA.
“Data Subject” means the persons or categories of persons whose Personal Data is provided, made accessible to Social Factor, or collected by Social Factor for the purpose of performing the Services for Customer, and includes the categories of data subjects described in Exhibit A to this DPA.
“Personal Data” shall include “personal data,” “personal information,” or an equivalent term used by Applicable Data Privacy Law to the extent such data or information is accessed, collected, stored, transmitted, processed, hosted, used, handled, or disposed of by Social Factor in connection with the Agreement. This includes both Personal Data which belongs to Customer, as well as Personal Data that belongs to and/or is provided by a Customer’s client, and/or such Customer client’s end user(s), and Sensitive Personal Data as defined in this DPA.
“Personal Data Breach” means any actual or reasonably suspected breach of security that has resulted or is reasonably likely to result in the accidental, unlawful or unauthorized acquisition, modification, destruction, loss, alteration, encryption, disclosure, Processing of, or access to, Personal Data.
“Personnel” shall mean a person or entity’s employees, agents, consultants or contractors.
“Processing” means any operation or set of operations which is performed upon Personal Data by or on behalf of Customer or Customer’s own clients and/or their end users in connection with the Agreement, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” or “Subprocessor” means any entity which Processes Personal Data on behalf of a Controller, either directly or indirectly as a subcontractor. This definition also incorporates all elements of the CCPA definition of “Service Provider.” Customer may be a Processor for a Controller, in which case Social Factor shall be serving as Subprocessor, or Social Factor may be the direct Processor to Customer who is serving as the Controller, depending on the circumstances. In either case, Social Factor shall only ever be considered a Processor (or Service Provider) under Applicable Data Privacy Law, and shall never be considered nor have any of the legal obligations of a Controller (or Business).
“Processing Instructions” means the written instructions provided by Customer to Social Factor stating how the Personal Data shall be Processed and may include specifications regarding Data Subjects, Personal Data type and category.
“Sensitive Personal Data” means Personal Data identified in Social Factor’s Privacy Policy as Sensitive Personal Information, such as that which reveals a Data Subject’s social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; and the contents of mail, email, and text messages unless the Controller is the intended recipient of the communication; or processing biometric data for the purpose of identifying the Data Subject and Personal Data collected and analyzed concerning health status; sex life or sexual orientation.
“Social Factor Subcontractor” means a subcontractor of Social Factor engaged pursuant to the terms of this DPA.
“Commercial Purpose,” “Sell,” and “Share”, when capitalized, shall have the respective meanings given thereto in the CCPA.
Customer Obligations
Customer shall:
Ensure that only lawfully collected Personal Data is provided to or made accessible for Processing by Social Factor, including by ensuring Customer or the applicable Controller of such Personal Data has: (i) implemented appropriate notices regarding its collection and Processing of Personal Data; (ii) collected the Personal Data from Data Subjects after obtaining any legally required consents for the Processing of such Personal Data (including Processing that permits the sharing of Personal Data with Social Factor for the purposes set forth in any applicable SOW); and (iii) conducted relevant data protection assessments to the extent required by Applicable Data Privacy Law.
Provide Social Factor with Processing Instructions detailing the nature and purpose of the Processing required to accomplish the Services, as applicable to the Personal Data and in conformance with Processing Instructions provided by the applicable Controller, in a manner that complies with Applicable Data Privacy Law;
Ensure that it has enforceable arrangements in place with any applicable third parties from where any such Personal Data was received adequate for the lawful Processing of the Personal Data by Social Factor in accordance with the Processing Instructions;
Provide Social Factor with prompt notice of (i) any Controller or Processor directives, instructions, or requests regarding Personal Data disclosed under this DPA; and (ii) verifiable requests from Data Subjects to delete their Personal Data;
Not provide or make accessible to Social Factor any Personal Data of Data Subjects residing in the European Union without first (i) notifying Social Factor in writing; and (ii) executing a mutually agreeable Data Processing Addendum with Social Factor that provides for additional compliance with GDPR specific regulations (separate from this DPA).
The obligations of this Section 2 shall survive any termination of the Agreement.
Social Factor Obligations
Social Factor shall not: (i) Sell or Share any Personal Data; (ii) retain, use, or disclose any Personal Data for any purpose other than for the specific purpose of providing the Services under and in accordance with the Agreement and this DPA, including retaining, using, or disclosing Personal Data for a Commercial Purpose other than the provision of the Services; or (iii) retain, use, or disclose the Personal Data outside of the direct business relationship between Social Factor and Customer.
Social Factor will Process Personal Data in accordance with the Processing Instructions, including any specific instructions regarding Sensitive Personal Data.
Social Factor will not collect, use, retain, disclose, Sell, Share, Process, or otherwise make Personal Data available for Social Factor’s own Commercial Purposes or in a way that does not comply with Applicable Data Privacy Law. If Social Factor is legally required to disclose Personal Data for a purpose unrelated to the Services, Social Factor must first inform Customer of the legal requirement and give Customer an opportunity to object or challenge the requirement, unless such notice is legally prohibited.
Social Factor will limit Personal Data collection, use, retention, Processing and disclosure to those activities reasonably necessary and proportionate to achieve the Commercial Purpose of the Services or another compatible operational purpose.
Social Factor will cooperate with any request or instruction from Customer or the Controller to provide, amend, transfer, return, or delete the Personal Data, or to stop, mitigate, or remedy any unauthorized Processing, to the extent required by Applicable Data Privacy Law. For clarity, and without limitation, Social Factor shall not be required to comply with a deletion request submitted by a Data Subject directly to Social Factor to the extent Social Factor has collected, used, processed, or retained the Personal Data of the Data Subject solely in its role as a Service Provider/Processor.
Social Factor does not ordinarily collect Personal Data for its Client, since it Processes Personal Data to which its Client already has access or collects itself. If the Services require the collection of Personal Data from individuals on the Controller’s behalf, however, Social Factor will provide a notice compliant with Applicable Data Privacy Law at collection as mutually agreed between Social Factor and Customer. Otherwise, Social Factor is not responsible for providing notices at points of collection since it is not the Controller initially collecting such Personal Data. The agreed upon language of a notice Social Factor agrees to be responsible for as the collector of Personal Data shall be included in the Processing Instructions, if applicable. Social Factor will not modify or alter the agreed upon notice without Customer’s prior written consent.
If Applicable Data Privacy Law permits, Social Factor may aggregate, deidentify, or anonymize Personal Data so it no longer meets the Personal Data definition, and may use such aggregated, deidentified, or anonymized data for its own research and development purposes that do not violate this DPA or Applicable Data Privacy Law. Social Factor will not attempt to or actually re-identify data that is already aggregated, deidentified, or anonymized and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data.
Social Factor will not combine Personal Data it Processes pursuant to this DPA with other Personal Data Social Factor receives from, or on behalf of, another person or persons or collects from its own separate interaction with Data Subjects.
Social Factor shall promptly notify Customer if Social Factor determines it is no longer able to meet its obligations under Applicable Data Privacy Law and shall, upon notice, allow the Customer or Controller to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
Taking into account the nature of Social Factor’s Processing and the Personal Data available to Social Factor (including whether or not such Personal Data is within Social Factor or a Social Factor Subcontractor’s control), Social Factor will reasonably cooperate and assist Customer to comply with a Controller’s requests and directions related to Personal Data disclosed, the Controller’s Applicable Data Privacy Law compliance obligations, and responses to Applicable Data Privacy Law inquiries, including responding to verifiable Data Subject requests. Notwithstanding anything to the contrary in this DPA, should Social Factor receive a Data Subject request directly from a Data Subject or its authorized agent as to Personal Data collected solely in its role as a Service Provider/Processor, Social Factor may inform the Data Subject that its request cannot be acted upon because the request was sent to a Service Provider.
Social Factor will provide necessary information to enable Customer or other applicable Controller to conduct and document data protection assessments as required by Applicable Data Privacy Law.
Social Factor will notify any downstream recipients of Personal Data who have accessed such Personal Data from or through Social Factor of a verifiable Data Subject request for deletion, unless such Personal Data was accessed at the direction of the Controller, or doing so proves impossible or involves disproportionate effort.
Without obligating Social Factor to proactively investigate Processing Instructions, and to the extent required by Applicable Data Privacy Law, Social Factor will inform Customer if it becomes aware that Processing Instructions violate Applicable Data Privacy Law.
Social Factor will notify Customer if it receives a complaint, notice, or communication that directly or indirectly relates to either Party’s compliance with Applicable Data Privacy Law.
Notwithstanding anything herein to the contrary, Social Factor shall never be required to: (1) reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered Personal Data; (2) retain any Personal Data if, in the ordinary course of business, it would not be retained; (3) maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable Data Subject request with Personal Data; or (4) assist Customer or other applicable Controller after termination of the Agreement and any applicable return or deletion of Personal Data by Social Factor, unless required by Applicable Data Privacy Law.
Audits and Inspections
During the Term:
Social Factor shall provide information and assistance reasonably requested by Customer or the applicable Controller to demonstrate its and/or a Customer client’s, and/or Customer client end user’s compliance, as applicable, with this DPA and Applicable Data Privacy Law.
Social Factor shall allow for and contribute to audits by Customer, any applicable Controller, or an independent third party auditor mutually agreed to by all parties in relation to Social Factor’s Processing of Personal Data, compliance with the obligations under this DPA and/or Applicable Data Privacy Law. Such audits may require Social Factor to complete questionnaires and/or make certain relevant documentation available for review, or to grant access to relevant Social Factor and/or Social Factor Contractor Personnel for interviews.
Audits shall be conducted no more than once every twelve (12) months for no more than one (1) business day, and Social Factor shall be provided with thirty (30) days’ advance written notice of any audit or inspection to be conducted under this Section, unless (i) such an audit needs to be conducted on an emergency basis where Customer or Controller can demonstrate genuine concerns about material non-compliance with this DPA and/or Applicable Data Privacy Law, or (ii) Customer or any Controller is required to carry out an audit under Applicable Data Privacy Law.
If it is established during an audit, inspection, or report that Social Factor has failed to comply with its obligations under this DPA or Applicable Data Privacy Law, Customer shall notify Social Factor and Social Factor shall take reasonable measures necessary to ensure its compliance as soon as reasonably practicable.
Social Factor may procure an annual audit by an independent third party to verify that Social Factor has implemented and maintains controls, safeguards, information security program and other requirements described in this DPA and may provide Customer with the results of such audit upon request in lieu of the other audit obligations of this Section 4(a) – 4(d). If such audit reveals one or more material vulnerabilities, Social Factor will correct each such vulnerability at its own cost and expense and certify in writing that it has done so.
Security and Other Supplementary Measures
During the Term, and taking into account the nature of Processing and information available to Social Factor:
Social Factor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, damage, or unauthorized disclosure or access, including the measures described in the Social Factor Information Security Policy detailed in Exhibit B of the Agreement.
Social Factor agrees not to allow, unless required by law, regulations, order of a court or any regulatory, judicial, governmental or similar body or authorized by Customer, access to Personal Data (excluding any publicly available data) by any administrative body, authority or agency. Before Social Factor discloses any such Personal Data, Social Factor shall (to the extent permitted by law) inform Customer of the circumstances of the required disclosure and the Personal Data that must be disclosed. Customer agrees to reasonably and promptly work with Social Factor to determine the legal requirements for disclosure.
Social Factor represents and warrants that it has not purposefully created “backdoors” or other similar programming that could permit access, including access by any governmental authority, law enforcement agency, or public body, to systems that store or otherwise Process Personal Data.
Personal Data will be restricted to only those Social Factor Personnel with a need to know such information in connection with Social Factor’s Services under the Agreement.
Social Factor will not commingle or combine Personal Data with any other information other than for the purpose of fulfilling Social Factor’s obligations under this Agreement.
Social Factor will notify Customer of a Personal Data Breach as soon as reasonably practicable.
Notwithstanding anything to the contrary in this DPA, Social Factor may always use Personal Data to detect data security incidents or protect against fraudulent or illegal activity.
Subcontracting by Social Factor
Social Factor may engage Social Factor Subcontractors who have access to or Process Customer Personal Data so long as (i) they are engaged pursuant to a written contract that requires compliance with Applicable Data Privacy Law and that contains terms that are at least as protective as the requirements of this DPA; and (ii) Customer is notified of their engagement and has an opportunity to object. Subcontractors who do not access or Process Customer Personal Data may be utilized without any consent or notice other than as may be provided in the Agreement.
Notifications to Customer regarding the use of Social Factor Subcontractors shall include (i) name, address, and contact information, (ii) type of services provided, and (iii) Personal Data categories to be disclosed. Customer acknowledges notification of the Social Factor Subcontractor list contained in Exhibit A hereto, and consents to their utilization by Social Factor.
Customer may request that Social Factor provide the information enumerated in subsection 6(b) above for any Social Factor Subcontractors in the preceding 12 months.
Social Factor remains liable to the Customer to the same extent provided for in the Agreement for a Social Factor Contractor’s acts, errors, and omissions as if they were Social Factor’s own acts, errors or omissions.
Upon Customer or a Controller’s written request, Social Factor will audit a Social Factor Contractor’s compliance with its Personal Data obligations and provide the Customer or Controller with the audit results.
Affiliates. The Parties have entered into this DPA each for itself and on behalf of, and for the benefit of, any current or future Affiliates. The Parties acknowledge and agree that all references to a Party herein shall, where the context permits and requires, refer to each such Party’s Affiliate(s). The Parties expressly agree that Affiliate(s) will have the right to enforce the provisions of this DPA.
Representations and Warranties; Modifications for Compliance with Applicable Data Privacy Law; Limit of Liability. Social Factor represents and warrants that it understands the restrictions and prohibitions on selling Personal Data, and retaining, using, or disclosing Personal Data outside of the Parties’ direct business relationship, both as found in this DPA and Applicable Data Privacy Law, and it will comply with them. Both Parties represent and warrant that they have no reason to believe any Applicable Data Privacy Law requirements or restrictions prevent the lawful Processing of Personal Data under the Agreement and this DPA, as such Processing is described herein and any SOW. The Parties agree to promptly notify each other regarding changes to Applicable Data Privacy Law requirements that may impact this DPA and thereafter endeavor in good faith to amend the DPA in order to achieve legal compliance. Social Factor’s warranties in the Agreement are not altered or otherwise added to, and Social Factor’s limits of liability for any breach of this DPA shall not exceed those agreed to in the Agreement.
EXHIBIT A:
PERSONAL DATA PROCESSING PURPOSES AND DETAILS
Services: Social media community moderation services and analytics outlining the metrics of those services
Data Subject Type/Description: Data Subjects include individuals collaborating and communicating with Client’s customers, followers, fans, and other Internet users who use social networks, currently including, but not limited to, Twitter, Facebook, YouTube, LinkedIn, Instagram, and TikTok.
Nature & Duration of Processing: In accordance with SOW
Personal Data Categories: This Agreement could involve, but is not limited to, the following types of Personal Data: Identifiers, Internet or other similar network activity.
Social Factor Subcontractors:
Social Factor list of Subcontractors available upon request.