Effective date: October 17, 2022
Any capitalized term not defined in this DPA will have the meaning set forth in the Agreement.
“Applicable Data Protection Law” means all Law that applies to Personal Data Processing under your Agreement and this DPA, including international, federal, state, provincial and local law relating to privacy, data protection, or data security.
“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code Sections 1798.100-1798.199, and any regulations promulgated thereunder, as amended from time to time, including but not limited to the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which may include, as applicable, a “Business” as defined under the CCPA.
“Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller, which may include, as applicable, a “Service Provider” as defined under the CCPA.
“Data Security Standards” means technical, organizational, and foundational standards and procedures intended to secure Personal Data to a level of security appropriate for the risk of the Processing.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“EEA SCCs” means the Standard Contractual Clauses set out in the European Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries according to the GDPR, as amended or replaced by a competent authority under the Applicable Data Protection Law.
“GDPR” means the General Data Protection Regulation (EU) 2016/679.
“Instructions” means this DPA and any further written agreement or documentation pursuant to which the Data Controller instructs a Data Processor to perform specific Processing of Personal Data for that Data Controller.
“Process” means any operation or set of operations performed on Personal Data, or sets thereof, whether or not by automatic means, such as accessing, collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, duplicating, aligning or combining, restricting, blocking, redacting, erasing, or destroying, as described under Applicable Data Protection Law.
“Sub-processor” means an entity that a Data Processor engages to Process Personal Data on that Data Processor’s behalf in connection with the Services.
2. Processing of Personal Data
The parties acknowledge and agree that under Applicable Data Protection Law, April may act in various data processing roles. To enable each party to comply with its obligations under Applicable Data Protection Law, each party further agrees to comply with any required provisions of Schedule A (California Consumer Privacy Act) and/or Schedule B (General Data Protection Regulation), to the extent applicable, if any.
2.1 Data Processing Roles
To the extent, if any, April processes Personal Data as a Data Processor, it is acting as a Data Processor on behalf of you, the Data Controller.
To the extent, if any, April processes Personal Data as a Data Controller, it has the sole and exclusive authority to determine the purposes and means of Processing Personal Data that it received from or through you.
2.2 Data Processing Purposes
3. April Obligations When Acting as a Data Processor
To the extent, if any, April acts as a Data Processor for you, April will:
- ensure that all persons April authorizes to Process Personal Data in connection with the Services are committed to respecting the confidentiality of Personal Data and are granted access to Personal Data on a need-to-know basis; and
- to the extent required by Applicable Data Protection Law:
- inform you of requests April receives from Data Subjects (including “verifiable consumer requests” as defined under the CCPA) exercising their applicable rights, if any, under Applicable Data Protection Law to (A) access their Personal Data (e.g., the “right to know” as defined under the CCPA); (B) have their Personal Data corrected or erased; (C) restrict or object to April’s Processing; or (D) data portability. Apart from requesting further information, identifying the Data Subject, and, if applicable, directing the Data Subject to you as Data Controller, April will not respond to these requests unless you instruct April to do so in writing;
- to the extent required by Applicable Data Protection Law, inform you of each law enforcement request April receives from a regulatory authority requiring April to disclose Personal Data or participate in an investigation involving Personal Data;
- provide you with reasonable assistance through appropriate technical and organizational measures, at your own expense, to assist you in complying with your obligations under Applicable Data Protection Law. That assistance may include conducting data protection impact assessments and consulting with a supervisory authority, taking into account the nature of the Processing and the information available to April;
- implement and maintain a written information security program with the Data Security Standards stated in Exhibit A of this DPA. Notwithstanding any provision to the contrary, April may update or modify the Data Security Standards at its discretion, provided that such modification or update does not result in a material degradation in the protection they offer. April also will execute a data security incident response plan that governs how April will address a security incident involving the unlawful or accidental loss, destruction, alteration, or unauthorized disclosure of or access to Personal Data (“Incident”). If Applicable Data Protection Law requires April to notify you of an Incident, April will do so without unreasonable delay and in no event later than any time period prescribed by Applicable Data Protection Law.
For incidents affecting Personal Data subject to GDPR or its equivalent under United Kingdom data protection laws, April will notify you no later than forty-eight hours after April becomes aware of the Incident. The response to the Incident may include identification of key partners, investigation of the Incident, regular updates, and discussion of notice obligations. Except as required under Applicable Data Protection Law, April will notify your affected Data Subjects, if any, about an Incident without first consulting you;
- to the extent required by Applicable Data Protection Law and upon your valid written request, contribute to audits or inspections by making audit reports available to you, which reports are April’s confidential information. Upon your valid written request, and no more than once annually, April will provide documentation or complete a written data security questionnaire of reasonable scope and duration regarding April’s Processing of Personal Data. Any and all documentation provided, including any response to a security questionnaire, is April’s confidential information;
- engage Sub-processors as necessary to perform the Services on the basis of the general written authorization you provide to April under Section 3.2 of this DPA; and
- when engaging a Sub-processor, enter into a written agreement that imposes obligations or protections comparable to those imposed on April under this DPA.
3.3 CCPA Certification
If and to the extent applicable to the Services, April certifies that it understands and will comply with the requirements in this DPA relating to the CCPA.
3.4 Disclaimer of Liability
4. Your Obligations When Acting as a Data Controller
- only provide instructions to April that are lawful;
5. Data Transfers
Except as expressly modified by this DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by April to you may be given (a) in accordance with any notice clause in the Agreement; (b) to April’s primary point of contact for your account; or (c) to any email address you provided for the purpose of receiving Services-related communications or alerts. You are solely responsible for ensuring that such email addresses are valid.
Exhibit A: April Data Security Standards
- Organizational management and dedicated staff responsible for the development, implementation, and maintenance of April’s information security program.
- Risk assessment procedures and risk treatment process for the information security program, as well as a post-treatment evaluation.
- Data security controls that include, at a minimum, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks.
- Incident management procedures designed to allow April to investigate, respond to, mitigate and notify of events related to April’s technology and information assets.
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know basis, revoking/changing access promptly when employment terminates).
- Password controls designed to manage and control password strength, expiration, and usage, including the use of at least 8-10 characters with defined complexity, and prevention against the reuse of recent passwords.
- Monitoring procedures to record user access and system activity.
- Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems.
- Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to April’s technology and information assets.
- Network security controls designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recover from foreseeable emergencies or disasters.