Consulting Services Data Processing Addendum

This Data Processing Addendum (“DPA”) is the DPA referred to and incorporated by that certain Consulting Services Agreement between the Parties, as described in the signature block below (“Agreement”).  This DPA reflects the Parties’ agreement regarding the Processing of Personal Data, in accordance with the requirements of Applicable Data Privacy Law and shall be incorporated into and form part of the Agreement. This DPA will terminate in accordance with the termination provisions of the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail. Capitalized terms not defined herein are as defined in the Agreement.

  1. Definitions. The following definitions and rules of interpretation apply in this Agreement:


  1. “Applicable Data Privacy Law” means all applicable United States federal, state and local laws and regulations pertaining to the Processing of Personal Data under or in connection with the Agreement, which are currently in effect and as they become effective or amended, including but not limited to the California Consumer Privacy Act (“CCPA”), Colorado Privacy Act, Connecticut Personal Data Privacy Act, Virginia Consumer Data Protection Act, Oregon Consumer Privacy Act, Texas Data Privacy and Security Act, and Utah Consumer Privacy Act.


  1. “Controller” means any person or entity that determines the purposes and means of Processing Personal Data, and on whose behalf Social Factor, in its capacity as a Processor or Subprocessor, as well as Consultant and any other contractors who may be engaged by Social Factor, act in relation to the Processing of Personal Data.  The Controller, for purposes of this DPA, may be Social Factor’s customer (“Customer”), such Customer’s client, or a Customer client’s end user.  A Controller may also sometimes be a “Business” as such term is defined under the CCPA.  Social Factor shall only be the Controller for data that is internal to Social Factor (i.e., data utilized by Social Factor for Social Factor’s own business purposes, and not that of Social Factor Customers).


  1. “Data Subject” means the persons or categories of persons whose Personal Data is provided, made accessible to Consultant, or collected by Consultant for the purpose of performing under its Agreement with Social Factor, and includes the categories of data subjects described in Appendix A to this DPA.


  1. “Personal Data” shall include “personal data,” “personal information,” or an equivalent term used by Applicable Data Privacy Law to the extent such data or information is accessed, collected, stored, transmitted, processed, hosted, used, handled, or disposed of by Consultant in connection with the Agreement.  This includes both Personal Data which belongs to Social Factor if Social Factor is the Controller, as well as Personal Data that belongs to and/or is provided by a Social Factor Customer, or such Customer’s client, and/or such Customer client’s end user(s), and Sensitive Personal Data as defined in this DPA.  The Parties intend that only US Personal Data shall be Processed pursuant to this DPA. 


  1. “Personal Data Breach” means any actual or reasonably suspected breach of security that has resulted or is reasonably likely to result in the accidental, unlawful or unauthorized acquisition, modification, destruction, loss, alteration, encryption, disclosure, Processing of, or access to, Personal Data.


  1. “Personnel” shall mean a person or entity’s employees, agents, consultants or contractors.


  1. “Processing” means any operation or set of operations which is performed upon Personal Data by or on behalf of Social Factor, Social Factor’s Customer or such Customer’s own clients and/or their end users in connection with the Agreement, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.


  1. “Processor” or “Subprocessor” means any entity which Processes Personal Data on behalf of a Controller, either directly or indirectly as a subcontractor.  This definition also incorporates all elements of the CCPA definition of “Service Provider.”  Social Factor may be a Processor for a Customer who is the Controller, in which case Social Factor and Consultant shall be serving as Subprocessors, or Consultant may be the direct Processor to Social Factor as Controller, depending on the circumstances (i.e., depending on whether Consultant is Processing Social Factor’s Customer data, or Social Factor’s own data).  In either case, Consultant is intended to be a Processor (or Service Provider) under Applicable Data Privacy Law, and should not, unless Consultant breaches its obligations herein with respect to the treatment of Personal Data, be considered nor have any of the legal obligations of a Controller (or Business).


  1. “Processing Instructions” means the written instructions provided by Social Factor to Consultant (including, as applicable, those Processing Instructions of Social Factor Customers) stating how the Personal Data shall be Processed and may include specifications regarding Data Subjects, Personal Data type and category.


  1. “Sensitive Personal Data” means Personal Data that reveals a Data Subject’s social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; and the contents of mail, email, and text messages unless the Controller is the intended recipient of the communication; or processing biometric data for the purpose of identifying the Data Subject and Personal Data collected and analyzed concerning health status; sex life or sexual orientation.


  1. “Consultant Subcontractor” means a subcontractor of Consultant engaged pursuant to the terms of this DPA. 


  1. “Commercial Purpose,” “Sell,” and “Share”, when capitalized, shall have the respective meanings given thereto in the CCPA. 


  1. Consultant Obligations  


  1. Consultant shall not: (i) Sell or Share any Personal Data; (ii) retain, use, or disclose any Personal Data for any purpose other than for the specific purpose of Processing pursuant to the Agreement and in accordance with the Agreement and this DPA, including retaining, using, or disclosing Personal Data for a Commercial Purpose other than the provision of the services under the Agreement; or (iii) retain, use, or disclose the Personal Data outside of the direct business relationship between Social Factor and Consultant.


  1. Consultant will Process Personal Data in accordance with the Processing Instructions, including any specific instructions regarding Sensitive Personal Data.

 

  1. Consultant will not collect, use, retain, disclose, Sell, Share, Process, or otherwise make Personal Data available for its own Commercial Purposes or in a way that does not comply with Applicable Data Privacy Law. If Consultant is legally required to disclose Personal Data for a purpose unrelated to the Agreement, Consultant must first inform Social Factor of the legal requirement and give Social Factor an opportunity to object or challenge the requirement, unless such notice is legally prohibited.


  1. Consultant will limit Personal Data collection, use, retention, Processing and disclosure to those activities reasonably necessary and proportionate to achieve the Commercial Purpose of the Agreement or another compatible operational purpose.


  1. Consultant will cooperate with any request or instruction from Social Factor or the Controller to provide, amend, transfer, return, or delete the Personal Data, or to stop, mitigate, or remedy any unauthorized Processing, to the extent required by Applicable Data Privacy Law.


  1. If the Agreement requires the collection of Personal Data from individuals on a Controller’s behalf, Consultant will provide a notice compliant with Applicable Data Privacy Law at collection as mutually agreed between Social Factor and Consultant.  The agreed upon language of such notice shall be included in the Processing Instructions.  Consultant will not modify or alter the agreed upon notice without Social Factor’s prior written consent.


  1. Consultant will not attempt to or actually re-identify data that is already aggregated, deidentified, or anonymized and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data.


  1. Consultant will not combine Personal Data it Processes pursuant to this DPA with other Personal Data it receives from, or on behalf of, another person or persons or collects from its own separate interaction with Data Subjects.


  1. Consultant shall promptly notify Social Factor if Consultant determines it is no longer able to meet its obligations under Applicable Data Privacy Law and shall, upon notice, allow Social Factor and/or the Controller to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.


  1. Consultant will reasonably cooperate and assist Social Factor to comply with Social Factor and/or a Controller’s requests and directions related to Personal Data disclosed, the Controller’s Applicable Data Privacy Law compliance obligations, and responses to Applicable Data Privacy Law inquiries, including responding to verifiable Data Subject requests.  Notwithstanding anything to the contrary in this DPA, should Consultant receive a Data Subject request directly from a Data Subject or its authorized agent as to Personal Data collected solely in its role as a Service Provider/Processor, Consultant may inform the Data Subject that its request cannot be acted upon because the request was sent to a Service Provider, and inform Social Factor of such communication.


  1. Consultant will provide necessary information to enable Social Factor, its Customer or other applicable Controller to conduct and document data protection assessments as required by Applicable Data Privacy Law.


  1. Consultant will notify any downstream recipients of Personal Data who have accessed such Personal Data from or through Consultant of a verifiable Data Subject request for deletion, unless such Personal Data was accessed at the direction of the Controller, or doing so proves impossible or involves disproportionate effort.


  1. Consultant will inform Social Factor if Processing Instructions violate Applicable Data Privacy Law.


  1. Consultant will notify Social Factor if it receives a complaint, notice, or communication that directly or indirectly relates to either Party’s compliance with Applicable Data Privacy Law. 


This Section 2 shall survive termination of the Agreement.


  1. Audits and Inspections


  1. Consultant shall provide information and assistance requested by Social Factor, Social Factor’s Customer, and/or the applicable Controller to demonstrate Consultant’s, Social Factor’s, and/or a Customer client’s, and/or Customer client end user’s compliance, as applicable, with this DPA and Applicable Data Privacy Law.


  1. Consultant shall allow for and contribute to audits by Social Factor, its Customer, any applicable Controller, or an independent third party auditor mutually agreed to by all parties in relation to Consultant’s Processing of Personal Data, compliance with the obligations under this DPA and/or Applicable Data Privacy Law.  Such audits may require Consultant to complete questionnaires and/or make certain relevant documentation available for review, or to grant access to relevant Consultant and/or Consultant Subcontractor Personnel for interviews.


  1. If it is established during an audit, inspection, or report that Consultant has failed to comply with its obligations under this DPA or Applicable Data Privacy Law, Social Factor shall notify Consultant and Consultant shall take all measures necessary to ensure its compliance as soon as practicable.


This Section 3 shall survive termination of the Agreement.


  1. Security and Other Supplementary Measures 


Without limiting the requirements of the Agreement related to security and access to Social Factor systems:

  1. Consultant shall implement and maintain necessary technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, damage, or unauthorized disclosure or access, including practices and policies that are at all times as protective as those security measures found in Social Factor’s security policy and procedures document attached to the Agreement as Exhibit B, as such may be amended from time to time upon written notice to Consultant.


  1. Consultant agrees not to allow, unless required by law, regulations, order of a court or any regulatory, judicial, governmental or similar body or authorized by Social Factor, access to Personal Data (excluding any publicly available data) by any administrative body, authority or agency. Before Consultant discloses any such Personal Data, Consultant shall (to the extent permitted by law) inform Social Factor of the circumstances of the required disclosure and the Personal Data that must be disclosed.  Consultant agrees to reasonably and promptly work with Social Factor to determine the legal requirements for disclosure.


  1. Consultant represents and warrants that it has not purposefully created “backdoors” or other similar programming that could permit access, including access by any governmental authority, law enforcement agency, or public body, to systems that store or otherwise Process Personal Data.


  1. Personal Data will be restricted to only those Consultant Personnel with a need to know such information in connection with the Agreement.


  1. Consultant will not commingle or combine Personal Data with any other information other than for the purpose of fulfilling Consultant obligations under the Agreement.


  1. Consultant will immediately notify Social Factor of a Personal Data Breach.


  1. Notwithstanding anything to the contrary in this DPA, Consultant may use Personal Data to detect data security incidents or protect against fraudulent or illegal activity.


  1. Subcontracting by Consultant


  1. Consultant may only engage Consultant Subcontractors with access to Personal Data so long as (i) they are engaged pursuant to a written contract that requires compliance with Applicable Data Privacy Law and that contains terms that are at least as protective as the requirements of this DPA; and (ii) Social Factor is notified of their engagement and provides advance written consent.


  1. Written notice to Social Factor requesting consent for the use of Consultant Subcontractors shall include (i) name, address, and contact information, (ii) type of services provided, and (iii) Personal Data categories to be disclosed.  Social Factor acknowledges notification of the Consultant Subcontractor list contained in Exhibit A hereto, and consents to their utilization by Consultant.


  1. Social Factor may request that Consultant provide the information enumerated in subsection 5(b) above for any Consultant Subcontractors in the preceding 12 months.


  1. Consultant shall at all times be liable to Social Factor for Consultant Contractor’s acts, errors, and omissions as if they were Consultant’s own acts, errors or omissions.


  1. Upon Social Factor or a Controller’s written request, Consultant will audit a Consultant Contractor’s compliance with its Personal Data obligations and provide Social Factor and/or Controller with the audit results.


  1. Affiliates.  The Parties have entered into this DPA each for itself and on behalf of, and for the benefit of, any current or future Affiliates.  The Parties acknowledge and agree that all references to a Party herein shall, where the context permits and requires, refer to each such Party’s Affiliate(s).  The Parties expressly agree that Affiliate(s) will have the right to enforce the provisions of this DPA.


  1. Representations and Warranties; Modifications for Compliance with Applicable Data Privacy Law.  Consultant represents and warrants that it understands the restrictions and prohibitions on selling Personal Data, and retaining, using, or disclosing Personal Data outside of the Parties’ direct business relationship, both as found in this DPA and Applicable Data Privacy Law, and it will comply with them. Both Parties represent and warrant that they have no reason to believe any Applicable Data Privacy Law requirements or restrictions prevent the lawful Processing of Personal Data under the Agreement and this DPA, as such Processing is described herein and in any SOW. The Parties agree to promptly notify each other regarding changes to Applicable Data Privacy Law requirements that may impact this DPA and thereafter endeavor in good faith to amend the DPA in order to achieve legal compliance.  This Section 7 shall survive termination of the Agreement.



Exhibit A: Personal Data Processing Purposes and Details

Services: As outlined in the applicable Statement of Work

Data Subject Type/Description: Data Subjects include individuals collaborating and communicating with Client’s customers, followers, fans, and other Internet users who use social networks, currently including, but not limited to, Twitter, Facebook, YouTube, LinkedIn, Instagram, and TikTok.

Nature & Duration of Processing: In accordance with SOW

Personal Data Categories: This Agreement could involve, but is not limited to, the following types of Personal Data: Identifiers, Internet or other similar network activity.

Social Factor Subcontractors: Social Factor list of Subcontractors available upon request.