Effective date: October 17, 2022

Data Processing Agreement

This Data Processing Agreement (“DPA”) is subject to and forms part of the April Terms of Use (also referred to in this DPA as the “Agreement”), reflecting the parties’ agreement with respect to the Processing of Personal Data by us on your behalf. This DPA forms an integral part of, and is supplemental to, the Agreement and is effective upon its incorporation into the Agreement. As stated in the Agreement, we update our terms from time to time and will notify you. If you don’t agree with the new terms, you are free to reject them, but you will no longer be able to use the Services. If you use the Services in any way after a change to our terms is effective, that means you agree to all of the changes.

1. Definitions

Any capitalized term not defined in this DPA will have the meaning set forth in the Agreement.

“Applicable Data Protection Law” means all Law that applies to Personal Data Processing under your Agreement and this DPA, including international, federal, state, provincial and local law relating to privacy, data protection, or data security.

“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code Sections 1798.100-1798.199, and any regulations promulgated thereunder, as amended from time to time, including but not limited to the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.

“Data Controller” means the entity which, alone or jointly with others, determined the purposes and means of Processing Personal Data, which may include, as applicable, a “Business” as defined under the CCPA.

“Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller, which may include, as applicable, a “Service Provider” as defined under the CCPA.

“Data Security Standards” means technical, organizational, and foundational standards and procedures intended to secure Personal Data to a level of security appropriate for the risk of the Processing.

“Data Subject” means an identified or identifiable natural person to which Personal Data relates.

“EEA SCCs” means the Standard Contractual Clauses set out in the European Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries according to the GDPR, as amended or replaced by a competent authority under the Applicable Data Protection Law.

“GDPR” means the General Data Protection Regulation (EU) 2016/679.

“Instructions” means this DPA and any further written agreement or documentation pursuant to which the Data Controller instructs a Data Processor to perform specific Processing of Personal Data for that Data Controller.

“Personal Data” has the meaning ascribed to it in the Privacy Policy.

“Process” means any operation or set of operations performed on Personal Data, or sets thereof, whether or not by automatic means, such as accessing, collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, duplicating, aligning or combining, restricting, blocking, redacting, erasing, or destroying, as described under Applicable Data Protection Law.

“Sub-processor” means an entity that a Data Processor engages to Process Personal Data on that Data Processor’s behalf in connection with the Services.

2. Processing of Personal Data

The parties acknowledge and agree that under Applicable Data Protection Law, April may act in various data processing roles. To enable each party to comply with its obligations under Applicable Data Protection Law, each party further agrees to comply with any required provisions of Schedule A (California Consumer Privacy Act) and/or Schedule B (General Data Protection Regulation), to the extent applicable, if any.
2.1 Data Processing Roles
To the extent, if any, April processes Personal Data as a Data Processor, it is acting as a Data Processor on behalf of you, the Data Controller. To the extent, if any, April processes Personal Data as a Data Controller, it has the sole and exclusive authority to determine the purposes and means of Processing Personal Data that it received from or through you.
2.2 Data Processing Purposes
The purposes of April’s Processing of Personal Data are if and when April is operating in its capacity as a Data Processor for a Service. For additional details, please refer to the Privacy Policy (“Our Commercial or Business Purposes for Collecting Personal Data”).

3. April Obligations When Acting as a Data Processor

3.1 Obligations
To the extent, if any, April acts as a Data Processor for you, April will:
  • Process Personal Data on your behalf and in accordance with your Instructions. April will not sell, retain, use or disclose Personal Data for any purpose other than for the specific purposes of performing the Services and to comply with applicable law, unless otherwise permitted by the Terms of Use (including this DPA), Applicable Data Protection Law, or any other agreement you enter into with April. April will inform you if, in our opinion, Instructions violate or infringe Applicable Data Protection Law;
  • ensure that all persons April authorizes to Process Personal Data in connection with the Services are committed to respecting the confidentiality of Personal Data and are granted access to Personal Data on a need-to-know basis; and
  • to the extent required by Applicable Data Protection Law:
  • inform you of requests April receives from Data Subjects (including “verifiable consumer requests” as defined under the CCPA) exercising their applicable rights, if any, under Applicable Data Protection Law to (A) access their Personal Data (e.g., “right to know” as defined under the CCPA); (B) have their Personal Data corrected or erased; (C) restrict or object to April’s processing; or (D) data portability. Apart from requesting further information, identifying the Data Subject, and, if applicable, directing the Data Subject to you as Data Controller, April will not respond to these requests unless you so instruct April to do in writing;
  • to the extent required by Applicable Data Protection Law, inform you of each law enforcement request April receives from a regulatory authority requiring April to disclose Personal Data or participate in an investigation involving Personal Data;
  • provide you with reasonable assistance through appropriate technical and organizational measures, at your own expense, to assist you in complying with your obligations under Applicable Data Protection Law. That assistance may include conducting data protection impact assessments and consulting with a supervisory authority, taking into account the nature of the Processing and the information available to April;
  • implement and maintain a written information security program with the Data Security Standards stated in Exhibit A of this DPA. Notwithstanding any provision to the contrary, April may update or modify the Data Security Standards at our discretion, provided that such modification or update does not result in a material degradation in the protection they offer. April also will execute a data security incident response plan that manages how April will address a security incident involving the unlawful or accidental loss, destruction, alteration, or unauthorized disclosure of or access to Personal Data (“Incident”). If Applicable Data Protection Law requires April to notify you of an Incident, April will do so without unreasonable delay or in no event later than any time period prescribed by Applicable Data Protection Law. For incidents affecting Personal Data subject to GDPR or its equivalent under United Kingdom data protection laws, April will notify you no later than forty-eight hours after April becomes aware of the Incident. The response to the Incident may include identification of key partners, investigation of the Incident, regular updates, and discussion of notice obligations. Except as required under Applicable Data Protection Law, April will notify your affected Data Subjects, if any, about an Incident without first consulting you;
  • to the extent required by Applicable Data Protection Law and upon your valid written request, contribute to audits or inspections by making audit reports available to you, which reports are April’s confidential information. Upon your valid written request, and no more than once annually, April will provide documentation or complete a written data security questionnaire of reasonable scope and duration regarding April’s Processing of Personal Data. Any and all documentation provided, including any response to a security questionnaire, is April’s confidential information;
  • engage Sub-processors as necessary to perform the Services on the basis of the general written authorization you provide to April under Section 3.2 of this DPA; and
  • at your valid written request, and subject to April’s rights and obligations under the Terms of Use (including this DPA), return or delete all Personal Data to you after the Term, and delete existing copies April holds, unless April is authorized or required by Applicable Data Protection Law to store Personal Data for a longer period.
3.2 Sub-processors
  • You expressly and specifically authorize April to engage its Sub-processors from the agreed list of Sub-processors (April Service Providers and Sub-processors). April reserves the right to maintain its list of Service Providers and Sub-processors through means such as publication of that list online. If you subscribe to the email notification, April will inform you via email of any changes regarding the addition or replacement of other Sub-processors to give you an opportunity to reasonably object on legitimate grounds to such change(s). In the event that you object to April’s change or addition of a Sub-processor, promptly notify April of your objections in writing within 14 days after receipt of notice of such change or addition. You acknowledge that April’s Sub-processors are essential to provide the Services and that if you object to April’s use of a Sub-processor, then notwithstanding anything to the contrary in the Terms of Use (including this DPA), April will not be obligated to provide you the Services for which April uses that Sub-processor.
  • When engaging with a Sub-processor, April will enter into a written agreement that imposes obligations or protections comparable to those imposed on April under this DPA.
3.3 CCPA Certification
If and to the extent applicable to the Services, April certifies that it understands and will comply with the requirements in this DPA relating to the CCPA.
3.4 Disclaimer of Liability
Notwithstanding anything to the contrary in the Terms of Use (including this DPA), April will not be liable for any claim by a Data Subject arising from or related to April’s acts or omissions, to the extent that April was acting in accordance with your Instructions.

4. Your Obligations When Acting as a Data Controller

4.1 Obligations
You must:
  • only provide instructions to April that are lawful;
  • comply with and perform your obligations under Applicable Data Protection Law, including as to Data Subject rights, data security, and confidentiality, and ensure you have an appropriate legal basis for the Processing of Personal Data as described in the Terms of Use (including this DPA); and
  • provide the Data Subjects with any and all necessary information regarding April’s and your respective Processing of Personal Data for the purposes described in the Terms of Use (including this DPA).

5. Data Transfers

Subject to Applicable Data Protection Law, you acknowledge that, in order to perform the Services, April may transfer Personal Data to and in the United States and anywhere else in the world where April or its Sub-processors maintain data processing operations. For additional information regarding Personal Data, see the Privacy Policy (“Personal Data”). April will ensure that any such transfers (including transfer mechanism) are made in compliance with Applicable Data Protection Law, including but not limited to GDPR, EEA SCCs, and United Kingdom data protection laws, if applicable. If April transfers Personal Data under this DPA to a country or recipient not recognized as having an adequate level of protection for Personal Data according to Applicable Data Protection Law, April will comply with its obligations under Applicable Data Protection Law.

6. Miscellaneous

Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between the DPA and the other terms of the Agreement, this DPA will govern. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by April to you may be given (a) in accordance with any notice clause in the Agreement; (b) to April’s primary point of contact with your account; or (c) to any email you provided for the purpose of providing you with Services-related communications or alerts. You are solely responsible for ensuring that such email addresses are valid.

Exhibit A: April Data Security Standards

  1. Organizational management and dedicated staff responsible for the development, implementation, and maintenance of April’s information security program.
  2. Risk assessment procedures and risk treatment process for the information security program, as well as a post-treatment evaluation.
  3. Data security controls that include, at a minimum, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks.
  4. Incident management procedures designed to allow April to investigate, respond to, mitigate and notify of events related to April’s technology and information assets.
  5. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know basis, revoking/changing access promptly when employment terminates).
  6. Password controls designed to manage and control password strength, expiration, and usage, including the use of at least 8-10 characters with defined complexity, and prevention against the reuse of recent passwords.
  7. Monitoring procedures to record user access and system activity.
  8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems.
  9. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to April’s technology and information assets.
  10. Network security controls designed to protect systems from intrusion and limit the scope of any successful attack.
  11. Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
  12. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.