Last modified: May 4, 2021
This Data Protection Agreement (the “DPA”) is executed as of the latest signed date by both parties below (the “DPA Effective Date”) between Elevated Data Insights LLC (“Elevate”) and Customer defined below (“Customer”). Capitalized terms have the meanings provided in the Agreement (defined below) except as provided here.
WHEREAS, Elevate and Customer are parties to a Master Services Agreement (the “Agreement”) regarding Customer’s subscription to Elevate’s Services; and
WHEREAS, Elevate and Customer wish to enter this DPA, which will supplement certain provisions of the Agreement regarding the parties’ security and data protection obligations.
NOW THEREFORE, the parties agree as follows:
1.1 “Breach” means a breach of security by Elevate that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data stored in the Services.
1.2 “CCPA” means the California Consumer Privacy Act, its associated regulations and their successors.
1.3 “Controller”, “Processor”, “Data Subject” and “Process” (whether or not capitalized) have the meanings ascribed to them by EU Data Protection Law and include equivalent terms in the CCPA and other applicable laws, in each case as applicable to the Services provided by Elevate under the Agreement.
1.4 “Customer Data” means all data provided by Customer to Elevate to enable the provision of the Services.
1.5 “EU Data Protection Law” means the General Data Protection Regulation 2016/679 (“GDPR”).
1.6 “Personal Data”: (a) has the meaning provided in EU Data Protection Law in reference to residents of the European Economic Area, (b) means Personal Information as defined in the CCPA in reference to California residents, and (c) in reference to residents of other jurisdictions incorporates equivalents terms under other laws applicable to the Services.
1.7 “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries approved by EC Commission Decision of 5 February 2010 or any successor clauses adopted in accordance with GDPR.
2.1 General Processing Conditions. Elevate will only process Customer Data in order to perform its obligations under the Agreement, to manage its business operations or with Customer’s prior written consent.
2.2 Processing in Accordance with EU Law. Customer may be the controller of Personal Data or a processor. Elevate will act as a processor or sub-processor, as appropriate. Each party will comply with the obligations that apply to it under EU Data Protection Law. Elevate will promptly inform Customer if it becomes aware that processing requested by Customer infringes EU Data Protection Law.
2.3 Processing in Accordance with California Law. In accordance with the CCPA, and with respect to Personal Data to which CCPA applies: (a) Elevate will not “sell” (as defined in the CCPA) any Personal Data; and (b) Elevate will not collect, share or use any Personal Data except as necessary to perform services for Customer.
2.4 Confidentiality of Processing. Elevate will treat Customer Data as Customer’s Confidential Information (as that term is defined in the Agreement). Elevate will protect the Customer Data in accordance with the confidentiality obligations under the Agreement.
2.5 Cooperation and Data Subjects’ Rights. Elevate will provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under EU Data Protection Law or the CCPA (including its rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Data. If any such request, correspondence, enquiry or complaint is made directly to Elevate, Elevate will promptly inform Customer providing full details of the same.
2.6 Customer Data Return and Disposal. Within 30 days after a written request by Customer or the termination or expiration of the Agreement, Elevate will: (a) if requested by Customer, provide Customer with a copy of any Customer Data in Elevate’s possession that Customer does not already have; and (b) securely destroy all Customer Data in Elevate’s possession in a manner that makes such Customer Data non-readable and non-retrievable. Notwithstanding the foregoing, Elevate may retain copies of Customer Data: (x) to the extent Elevate has a separate legal right or obligation to retain some or all of the Customer Data; (y) that is incorporated into Elevate business records such as email and accounting records, and (z) in backup systems until the backups have been overwritten or expunged in accordance with Elevate’s backup policy.
2.7 International Transfers. Elevate will not transfer Personal Data outside of the EEA unless it takes such measures as are necessary to provide adequate protection for such Personal Data consistent with the requirement of EU Data Protection Law.
2.8 Subprocessing. Customer consents to Elevate engaging Elevate affiliates and third party sub-processors to process Personal Data to carry out Elevate’s obligations under the Agreement.
(a) List of subprocessors:
2.9 Data Protection Impact Assessment. Elevate will provide reasonable cooperation to Customer (at Customer’s expense) in connection with any data protection impact assessment that Customer may be required to perform under EU Data Protection Law.
3.1 Audit. The requirements of GDPR Article 28 and Clauses 5(f) and 12(2) of the Standard Contractual Clauses will be satisfied as follows. Not more than once per year, Elevate will respond to a Customer security questionnaire and meet by teleconference or in person (at Customer’s expense) to address follow up questions. In addition, Customer may contact Elevate to request an on-site audit, not more than once per year, of the procedures relevant to the protection of Personal Data. Before the commencement of any such on-site audit, Customer and Elevate shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Elevate incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Elevate. Customer shall promptly notify Elevate with information regarding any non-compliance discovered during the course of an audit.
3.2 Elevate Security Responsibilities. Elevate will use procedural, technical, and administrative safeguards on its Services designed to ensure the confidentiality, security, integrity, availability, and privacy of Customer Data.
4.1 Breach Notice. Elevate will notify Customer via email of any confirmed Breach by email to the notice email address on the signature page below, or Customer’s principal contact for the Services if none is provided, without undue delay after Elevate’s discovery or notification of a Breach. Elevate will further take reasonably necessary measures to remedy or mitigate the effects of the Breach and will keep Customer informed of all material developments in connection with the Breach.
4.2 Cooperation. Elevate will provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) applicable law.
5.1 Construction; Interpretation. This DPA is not a standalone agreement and is only effective if an Agreement is in effect between Elevate and Customer. This DPA is part of the Agreement and is governed by its terms and conditions, including limitations of liability set forth therein. This DPA and the Agreement are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.
5.2 Severability. If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.
5.3 Amendment; Enforcement of Rights. No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties to this DPA. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party.
5.4 Assignment. This DPA may be assigned only in connection with a valid assignment pursuant to the Agreement. If the Agreement is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.
5.5 Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by EU Data Protection Law.
5.6 Counterparts. This DPA may be executed and delivered by facsimile or electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.