DATA SECURITY AND PRIVACY RIDER AND DATA PROCESSING AGREEMENT (DPA)
Last Modified: March 28, 2024
1. Introduction
This Rider sets out the additional terms, requirements, and conditions on which the Customer will obtain, handle, process, disclose, transfer, secure, or store Personal Information obtained through its use of the Product.
NOW, THEREFORE, the Parties hereby agree as follows:
1. Definitions. Capitalized terms used herein shall have the meanings set forth in this Section 1.
“Authorized Employees” means Customer’s employees who have a need to know or otherwise access Personal Information to enable it to utilize the Product for its intended purpose.
“Authorized Persons” means (i) Authorized Employees; and (ii) Customer’s contractors and agents who have a need to know or otherwise access Personal Information to enable Customer to utilize the Product for its intended purpose, and who are bound in writing by confidentiality and other obligations sufficient to protect Personal Information in accordance with this Rider.
“Sensitive Personal Information” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated last four digits of a credit or debit card number); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; or (e) other information that falls within the definition of “special categories of data,” “sensitive personal information” and equivalent terms as such terms may be defined by the Privacy and Data Protection Laws.
“Processing, Processes, or Process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Laws may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data, including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.
“Privacy and Data Protection Laws” means all applicable laws and regulations relating to the processing, protection, security, or privacy of Personal Information, including, where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100-1798.199) (“CCPA”), the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100 et seq.) (“CPRA”), and any other applicable data privacy or data security laws of any other jurisdiction, each as amended, repealed, consolidated, or replaced from time to time.
“Security Incident” means, with respect to Customer, (i) any act or omission that compromises or is reasonably expected to have compromised the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place by Customer (or any Authorized Person), or by Randall Reilly should Customer have access to Randall Reilly’s systems, that relate to the protection of the security, confidentiality, or integrity of Personal Information; or (ii) receipt of a complaint in relation to the privacy and data security practices of Customer (or any Authorized Person) or a breach or alleged breach of the Agreement or this Rider relating to such privacy and data security practices. Without limiting the foregoing, a Security Incident caused by Customer’s or Authorized Persons’ acts or omissions shall include any unauthorized access to or disclosure or acquisition of Personal Information whether or not the incident rises to the level of a security breach as defined under the Privacy and Data Protection Laws.
The terms “Business,” “Business Purpose,” “Collect,” “Consumer,” “Service Provider,” “Data Subject,” “Share,” and “Sell” shall have the meaning given to them under applicable Privacy and Data Protection Laws or if not defined thereunder, the CPRA.
2. Data Processing and Restrictions on Use
- 2.1. Customer acknowledges and agrees that, in the course of its use of the Product, it may obtain, receive, or have access to Personal Information for the Business Purpose.
- 2.2. Randall Reilly Obligations.
- 2.2.1. Randall Reilly agrees that it shall comply with its obligations under applicable Privacy and Data Protection Laws in respect of its Processing of Personal Information and any Processing instructions it issues.
- 2.3. Customer Obligations.
- 2.3.1. Customer shall comply with the terms and conditions set forth in the Agreement and this Rider in its collection, receipt, transmission, storage, disposal, Processing, use, and disclosure of such Personal Information and be responsible for any unauthorized collection, receipt, transmission, access, storage, disposal, processing, use, or disclosure of Personal Information under its control or in its possession. Customer shall be responsible for, and remain liable to, Randall Reilly for the actions and omissions of all Authorized Persons that are not Authorized Employees concerning the treatment of Personal Information as if they were Customer’s own actions and omissions.
- 2.3.2. In recognition of the foregoing, Customer agrees and covenants that it shall:
- 2.3.2.1. keep and maintain all Personal Information in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use, or disclosure;
- 2.3.2.2. not collect, receive, access, Process or use Personal Information in violation of law;
- 2.3.2.3. not combine Personal Information with personal data it receives from or on behalf of another entity, person or persons or collects from its own independent interaction with the Data Subject unless explicitly permitted under Privacy and Data Protection Laws;
- 2.3.2.4. process, use, and disclose Personal Information solely and exclusively for the Business Purposes for which the Personal Information, or access to it, is provided pursuant to the terms and conditions of the Agreement, and not Process, use, Sell, Share, rent, transfer, distribute, or otherwise disclose or make available Personal Information for the benefit of any other person or entity without Randall Reilly’s prior written consent;
- 2.3.2.5. not, directly or indirectly, disclose Personal Information to any person other than its Authorized Persons (an “Unauthorized Third Party”) without Randall Reilly’s prior written consent, unless and to the extent required by governmental authorities or as otherwise expressly required by applicable law, in which case Customer shall (A) to the extent permitted by applicable law, notify Randall Reilly before such disclosure or as soon thereafter as reasonably possible; (B) be responsible for and remain liable to Randall Reilly for the actions and omissions of such Unauthorized Third Party concerning the treatment of such Personal Information as if they were Customer’s own actions and omissions; and (C) require the Unauthorized Third Party that has access to Personal Information to execute a written agreement agreeing to comply with the terms and conditions of this Rider; and
- 2.3.2.6. obtain Personal Information only in compliance with all applicable federal and state regulations and laws.
- 2.3.3. Customer certifies that it understands its obligations in Section 2.3 and will comply with them.
- 2.3.4. Customer is responsible for its compliance with its obligations under this Rider and for compliance with its obligations under the CCPA/CPRA and other applicable Privacy and Data Protection Laws respectively. Customer shall notify Randall Reilly if it determines that it cannot meet its obligations under applicable Privacy and Data Protection Laws.
- 3.1. Customer represents and warrants that its collection, receipt, access, Processing, use, storage, disposal, and disclosure of Personal Information does (and will at all times it processes such Personal Information) comply with all applicable Privacy and Data Protection Laws.
- 3.2. Customer shall implement, maintain, regularly update, and train its personnel on an industry-standard written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually to ensure they remain current and complete.
- 3.3. Without limiting the Customer’s obligations under Section 3.2, the Customer shall implement administrative, physical, and technical safeguards to protect Personal Information from unauthorized access, acquisition, disclosure, destruction, alteration, accidental loss, misuse, or damage that are no less rigorous than accepted industry practices such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or other applicable industry standards for information security. Customer shall ensure that all such safeguards, including the manner in which Personal Information is created, collected, accessed, received, Processed, used, stored, disposed of, and disclosed, comply with applicable Privacy and Data Protection Laws, as well as the terms and conditions of this Rider.
- 3.4. During the term of each Authorized Employee’s employment by Customer, Customer shall at all times cause such Authorized Employees to abide by Customer’s obligations under this Rider. Upon the resignation or termination of any Authorized Employee providing services under the Agreement, Customer shall immediately notify Randall Reilly in writing.
4. Security Incident Procedures
- 4.1. Customer shall:
- 4.1.1. provide Randall Reilly with the name and contact information for an employee or security operations or other service desk of Customer who or which shall serve as Randall Reilly’s primary security contact and shall be available to assist Randall Reilly throughout all business hours as a contact in resolving obligations associated with a Security Incident;
- 4.1.2. notify Randall Reilly of a Security Incident as soon as practicable, but no later than forty-eight (48) hours after Customer reasonably suspects or becomes aware of it; and
- 4.1.3. notify Randall Reilly of any Security Incident by (i) telephone at (800) 633-9404, (ii) e-mailing Randall Reilly at privacy@randallreilly.com, and (iii) e-mailing Customer’s primary business contact with Randall Reilly.
- 4.2. Immediately following Customer’s notification to Randall Reilly of a Security Incident, the Parties shall coordinate with each other to investigate the Security Incident. Customer agrees to reasonably cooperate with Randall Reilly in Randall Reilly’s handling of the matter, including, without limitation: (i) assisting with any investigation; (ii) providing Randall Reilly with physical access to the facilities and operations affected; (iii) facilitating interviews with Customer’s employees and others involved in the matter; and (iv) making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law, regulation, industry standards, or as otherwise reasonably required by Randall Reilly.
- 4.3. Customer shall, at its own expense, use best efforts to immediately contain and remedy any Security Incident and prevent any further Security Incident, including, but not limited to taking any and all action necessary to comply with applicable privacy rights, laws, regulations, and standards. Customer shall reimburse Randall Reilly for all reasonable costs actually incurred by Randall Reilly in responding to and mitigating damages caused by any Security Incident.
- 4.4. Customer agrees to (i) maintain and preserve all documents, records, and other data related to any Security Incident and (ii) reasonably cooperate at its own expense with Randall Reilly in any litigation, investigation, or other action deemed reasonably necessary by Randall Reilly to protect its rights relating to any Security Incident.
5. Oversight of Security Compliance
- 5.1. Upon Randall Reilly’s written request, to confirm Customer’s compliance with this Rider, as well as any applicable Privacy and Data Protection Laws and industry standards:
- 5.1.1. Customer grants Randall Reilly or, upon Randall Reilly’s election, a third party on Randall Reilly’s behalf, permission to perform an assessment of all controls in Customer’s physical and/or technical environment in relation to Personal Information being handled and/or services being provided to Randall Reilly pursuant to the Agreement and this Rider. Customer shall reasonably cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure, and application software that processes, stores, or transports Personal Information for Randall Reilly;
- 5.1.2. Customer shall provide Randall Reilly with the results of any audit by or on behalf of Customer performed that assesses the effectiveness of Customer’s information security program, including any Service Organization Controls (SOC) Type 1, 2, or 3 audit reports; and
- 5.1.3. Customer shall promptly and accurately complete a written information security questionnaire provided by Randall Reilly, or a third party on Randall Reilly’s behalf, regarding Customer’s business practices and information technology environment in relation to all Personal Information being handled and/or services being provided by Customer to Randall Reilly pursuant to the Agreement and this Rider and Customer shall reasonably cooperate with such inquiries.
- 5.2. Randall Reilly may only make a request in accordance with subclause (5.1.1) or (5.1.3) of Section 5.1 once in any twelve (12) month period.
6. Data Privacy Compliance
Customer shall promptly notify Randall Reilly if it receives any complaint, notice, or communication that directly or indirectly relates to either Party’s compliance with any applicable Privacy and Data Protection Law. Customer will reasonably cooperate with and assist Randall Reilly with meeting Randall Reilly’s compliance obligations under any applicable Privacy and Data Protection Law and responding to inquiries, including responding to verifiable Data Subject requests, taking into account the nature of Customer’s processing and the information available to Customer, in each case to the extent Randall Reilly is not reasonably able on its own to meet the compliance obligation.
7. Data Subject Rights
If either Party receives (a) any request from a Data Subject to exercise any of its rights under Privacy and Data Protection Laws (including its rights of access, correction, objection, deletion, and data portability, as applicable), such Party will promptly inform the other Party in writing. The Parties agree to cooperate, in good faith, as necessary to respond to any Data Subject request and fulfill their respective obligations under Privacy and Data Protection Laws.
8. Third Party Processors
- 8.1. Authorized Third Parties: Each Party agrees that they may each engage a third party to process Personal Information on their behalf. Each Party shall maintain a list of any such third parties.
- 8.2. Third Party Obligations: The Parties may only authorize a third party to process the Personal Information if:
- 8.2.1. The contracting party enters into a written contract with the third party that imposes on the third party contractual obligations equivalent to and in no event less than those that Customer has under this Rider; and
- 8.2.2. The Parties will restrict the third party’s access to Personal Information exchanged pursuant to Customer’s use of the Product only to what is necessary for Randall Reilly to provide and Customer to utilize the Product in accordance with the Agreement and Rider, and the Parties will prohibit the third party from accessing Randall Reilly data for any other purpose.
- 8.3. Each Party will remain responsible for the acts or omissions of any third party who it retains to process Personal Information to the extent required by Privacy and Data Protection Laws as if the acts or omissions were performed by the Party retaining the third party.
9. Data Transfers
Randall Reilly and Customer will only transfer (including any onward transfers) Randall Reilly Personal Information (including Personal Information of or obtained for Randall Reilly’s Customer) as permitted by Privacy and Data Protection Laws. If applicable Privacy and Data Protection Laws require additional terms to legitimize the transfer, then the Parties shall notify each other, and the Parties will cooperate in good faith to implement the required transfer mechanism.
At any time during the term of the Agreement at Randall Reilly’s written request, or upon the termination or expiration of the Agreement for any reason, Customer shall instruct all Authorized Persons to promptly and securely dispose of all copies, whether in written, electronic, or other form or media, of Personal Information obtained for the purpose of the Agreement in its possession or the possession of such Authorized Persons, or securely dispose of all such copies, and certify in writing to Randall Reilly that such Personal Information has been disposed of securely. Customer shall comply with all reasonable directions provided by Randall Reilly with respect to the return or disposal of Personal Information. Customer shall not retain Personal Information obtained for the purpose of this Agreement for more than twenty-four (24) months beyond the time at which it was obtained, received, gathered, or otherwise possessed by Security Provider. Notwithstanding the foregoing, Customer may retain, subject to the terms of this Rider, one copy of any Personal Information to the extent required by law or governmental authority.
11. Equitable Relief
Customer acknowledges that any breach of its covenants or obligations set forth in this Rider may cause Randall Reilly irreparable harm for which monetary damages would not be adequate compensation and agrees that, in the event of such breach or threatened breach, Randall Reilly is entitled to seek equitable relief, including a restraining order, injunctive relief, specific performance, and any other relief that may be available from any court, in addition to any other remedy to which Randall Reilly may be entitled at law or in equity. Such remedies shall not be deemed to be exclusive but shall be in addition to all other remedies available at law or in equity.
12. Material Breach
Customer’s failure to comply with any of the provisions of this Rider is a material breach of the Agreement and this Rider.
13. Indemnification
Customer shall defend, indemnify, and hold harmless Randall Reilly, its affiliates, and its and their respective directors, officers, employees, agents, successors, and permitted assigns (each, a “Randall Reilly Indemnitee”) from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, the cost of enforcing any right to indemnification hereunder, and the cost of pursuing any insurance providers, arising out of or resulting from any third-party claim against any Randall Reilly Indemnitee arising out of or resulting from (i) a Security Incident, or (ii) Customer’s failure to comply with any of its obligations under this Rider or applicable law. Any limitations of liability or waiver of consequential or other damages in the Agreement shall not apply to Customer’s indemnification obligations under this Section 14.
14. Rider Governs
In the event of a conflict or inconsistency between the Agreement and this Rider, the terms and conditions set forth in this Rider shall govern and control, but all other terms of the Agreement shall remain in effect.