This Data Processing Addendum ("DPA") is entered into as of the last date executed below by and between OpsCompanion, Inc., a Delaware corporation having its principal place of business at 20 South Sarah Ave, Saint Louis MO 63110 ("OpsCompanion") and Customer (defined below).
THIS DPA APPLIES BETWEEN THE PARTIES WHERE CUSTOMER CLICKS A BOX INDICATING ACCEPTANCE, TRANSFERS PERSONAL DATA TO OPSCOMPANION FOR PROCESSING BY MEANS OF THE OPSCOMPANION ASSETS, OR OTHERWISE AFFIRMATIVELY INDICATES ACCEPTANCE OF THIS DPA. BY DOING SO, YOU: (A) AGREE TO THIS DPA EITHER ON BEHALF OF YOURSELF, OR THE ORGANIZATION, COMPANY, OR OTHER LEGAL ENTITY FOR WHICH YOU ACT (EACH, A "CUSTOMER"); AND (B) REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND CUSTOMER AND ITS AFFILIATES TO THIS DPA. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS DPA, YOU MAY NOT DIRECTLY OR INDIRECTLY TRANSFER PERSONAL DATA TO OPSCOMPANION. OPSCOMPANION RESERVES THE RIGHT TO MODIFY OR UPDATE THE TERMS OF THIS DPA IN ITS SOLE DISCRETION, THE EFFECTIVE DATE OF WHICH WILL BE THE EARLIER OF (I) 30 DAYS FROM THE DATE OF SUCH UPDATE OR MODIFICATION AND (II) CUSTOMER'S CONTINUED TRANSFER OF PERSONAL DATA.
This DPA forms part of OpsCompanion's "Terms of Service" located at: https://www.opscompanion.ai/terms-of-service (referred to as the "Agreement" hereunder), unless OpsCompanion and Customer have entered into a separate written agreement for the use of the OpsCompanion Assets in which case such agreement is deemed the Agreement. OpsCompanion will provide the OpsCompanion Assets to Customer pursuant to the DPA and this Agreement which involves the Processing of Personal Data subject to Applicable Data Protection Laws (each as defined below). The purpose of this DPA is to set forth the terms under which OpsCompanion Processes Personal Data on behalf of Customer.
This DPA consists of the main body and Schedules 1 through 4. Execution of this DPA shall include signature and acceptance of the Standard Contractual Clauses (defined below) and its Annexes (see Schedule 2 below).
Definitions
Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement. The terms controller, data subject, processor and supervisory authority have the meanings set forth in the Applicable Data Protection Laws.
"Authorized Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where "control" refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
"Applicable Data Protection Laws" means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Personal Data under the Agreement, including, without limitation, the United States including the CCPA.
"CCPA" means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time, including the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.
"Information Security Incident" means a confirmed breach of OpsCompanion's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in OpsCompanion's possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
"Personal Data" means Customer Data that constitutes "personal data," "personal information," or "personally identifiable information" defined in Applicable Data Protection Laws, or information of a similar character regulated thereby," provided that such data is electronic data and information submitted by or for Customer to the Services.
"Public Authority" means a government agency or law enforcement authority, including judicial authorities.
"Processing" or "Process" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Security Measures" are OpsCompanion's security measures implemented and maintained as administrative, technical and physical safeguards designed to protect the security and integrity of Personal Data and prevent Information Security Incidents, further described in Schedule 2 Annex III hereto and any other measures required by Applicable Data Protection Laws.
"Subprocessors" or "Sub-processor" means any third party processor that OpsCompanion engages to Process Personal Data in relation to the Services.
Duration and Scope of DPA
This DPA will remain in effect so long as OpsCompanion Processes Personal Data, notwithstanding the expiration or termination of the Agreement. Schedule 1 to this DPA applies solely to Processing subject to the CCPA to the extent Customer is a "business" (as defined in CCPA) with respect to such Processing.
Customer Instructions
OpsCompanion will Process Personal Data only in accordance with Customer's instructions to OpsCompanion. This DPA is a complete expression of such instructions, and Customer's additional instructions will be binding on OpsCompanion only pursuant to an amendment to this DPA signed by both parties. Customer instructs OpsCompanion to Process Personal Data via the Services and as authorized by the Agreement. OpsCompanion shall inform Customer immediately: (a) if, in its opinion, an instruction from Customer constitutes a breach of any Applicable Data Protection Laws; (b) if OpsCompanion is unable to follow Customer's instructions for the Processing of Personal Data; or (c) if OpsCompanion has reason to believe that OpsCompanion is subject to changes in Applicable Data Protection Laws contrary to any Customer instructions or terms or requirements of this DPA.
Security of Personal Data
OpsCompanion Security Measures. OpsCompanion may update the Security Measures from time to time, so long as the updated measures do not materially decrease the overall protection of Personal Data.
Information Security Incidents. OpsCompanion will notify Customer without undue delay of any Information Security Incident of which OpsCompanion becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps OpsCompanion recommends the Customer take to address the Information Security Incident. OpsCompanion's notification of or response to an Information Security Incident will not be construed as OpsCompanion's acknowledgement of any fault or liability with respect to the Information Security Incident.
Audits of Compliance & DPIAs
Customer may audit OpsCompanion's compliance with its obligations under this DPA no more than once per calendar year, including if mandated by Customer's supervisory authority, at Customer's sole cost, on no less than 15 days' advance written notice. Such audit must be conducted at OpsCompanion's principal place of business, during regular business hours, and may not unreasonably interfere with OpsCompanion's business activities.
OpsCompanion will contribute to each audit by providing Customer or Customer's supervisory authority with the information and assistance reasonably necessary to conduct the audit. If a third party is to conduct the audit, OpsCompanion may object to the auditor if the auditor is, in OpsCompanion's reasonable opinion, not independent, a competitor of OpsCompanion, or otherwise manifestly unsuitable. Such objection by OpsCompanion will require the Customer to appoint another auditor or conduct the audit itself.
If the controls or measures to be assessed in the requested audit are addressed in an OpsCompanion SOC 2 Type 2, ISO, NIST or similar audit report, performed by a qualified third party auditor within twelve (12) months of Customer's audit request and OpsCompanion has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures.
Customer will promptly notify OpsCompanion of any non-compliance discovered during the course of an audit and provide OpsCompanion any audit reports generated in connection with any audit under this Section 4(c), unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer's regulatory audit requirements and/or confirming compliance with the requirements of this DPA.
Customer shall reimburse OpsCompanion for any time expended by OpsCompanion and any third parties in connection with any audits or inspections under this Section 4(c) at OpsCompanion's then-current professional services rates, which shall be made available to Customer upon request. For clarity, Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
Data Protection Impact Assessments (DPIAs). Upon Customer's written request, OpsCompanion will provide Customer with reasonable cooperation and assistance needed to fulfil Customer's obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer's use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to OpsCompanion.
Customer's Responsibilities
Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any data subject, including those that have opted out from sales or other disclosures of personal data, to the extent applicable under Applicable Data Protection Laws. Without limitation of Customer's obligations under the Agreement, Customer: (a) agrees that Customer is solely responsible for its use of the Services, including (1) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data, (2) securing the account authentication credentials, systems and devices Customer uses to access the Services, (3) securing Customer's systems and devices that OpsCompanion uses to provide the Services, and (4) backing up Personal Data; and (b) has given all notices to, and has obtained all consents from, including where the Customer is a processor by ensuring that the ultimate controller does so, individuals to whom Personal Data pertains and all other parties as required by applicable laws or regulations for OpsCompanion to Process Personal Data as contemplated by the Agreement.
Compliance with Laws & Data Subject Rights
Customer's Responsibility for Requests. OpsCompanion will not respond to a Data Subject Request itself, except where Customer authorizes OpsCompanion to redirect the Data Subject Request as necessary to allow Customer to respond directly. If OpsCompanion receives a Data Subject Request, OpsCompanion will advise the data subject to submit the request to Customer and Customer will be responsible for responding to the request.
Compliance with Laws. Each party will comply with all Applicable Data Protection Laws. In particular, Customer will comply with its obligations as controller (or on behalf of controller) and OpsCompanion will comply with its obligations as processor.
Personal Data Disclosures & Government Requests. OpsCompanion will not disclose Personal Data to any third party, including any Public Authority, except: (i) as otherwise permitted under the Agreement including this DPA; or (ii) as necessary to comply with Applicable Data Protection Laws including with respect to any valid and/or binding Public Authority court order (e.g., a law enforcement subpoena). If OpsCompanion receives a binding order from a Public Authority requesting access to or disclosure of Personal Data, OpsCompanion will notify Customer of the request unless otherwise legally prohibited.
Data Subject Request Assistance. OpsCompanion will (taking into account the nature of the Processing of Personal Data) provide Customer with assistance reasonably necessary for Customer to perform its obligations under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws ("Data Subject Requests") with respect to Personal Data in OpsCompanion's possession or control. Where permitted under Applicable Data Protection Laws, Customer will compensate OpsCompanion for any such assistance at OpsCompanion's then-current professional services rates, which will be made available to Customer upon request.
Changes in Laws
Changes in Applicable Data Protection Laws. OpsCompanion shall use reasonable efforts to make available to Customer a change in the Services, or recommend a commercially reasonable change to Customer's configuration or use of the Services, to facilitate compliance with changes in Applicable Data Protection Laws without unreasonably burdening Customer. If OpsCompanion is unable to make available necessary changes promptly, Customer may terminate the applicable Order Form(s) and suspend the transfer of Personal Data in respect only to those Services which cannot be provided by OpsCompanion in accordance with the changes in Applicable Data Protection Laws by providing written notice in accordance with the "Notices" section of the Agreement. Customer shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.
Subprocessors
Consent to Subprocessor Engagement. Customer authorizes the following Subprocessors to Process Personal Data: (i) OpsCompanion's Affiliates; and (ii) the Subprocessors set forth in Schedule 2 Annex III hereto (also located here: https://www.opscompanion.ai/sub-processor) as updated by OpsCompanion from time to time, or such other website address as OpsCompanion may provide to Customer from time to time ("Subprocessor Site").
Requirements for Subprocessor Engagement. When engaging any Subprocessor, OpsCompanion will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. OpsCompanion shall be liable for all obligations under the Agreement subcontracted to the Subprocessor or its actions and omissions related thereto.
Subprocessor Changes. When OpsCompanion engages any new Subprocessor after the Effective Date of the Agreement, OpsCompanion will update the Subprocessor Site (including the name and location of the relevant Subprocessor and the activities it will perform).
Opportunity to Object to Subprocessor Changes. If Customer objects to such engagement in a written notice to OpsCompanion on reasonable grounds relating to the protection of Personal Data, Customer and OpsCompanion will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to OpsCompanion.
Return or Deletion of Personal Data
Upon request by Customer after termination or expiration of this Agreement, OpsCompanion will delete all Customer Data within 30 days. After such 30-day period, OpsCompanion will have no obligation to maintain or provide any Customer Data, and as provided in the Documentation will thereafter delete or destroy all copies of Customer Data in its systems or otherwise in its possession or control, unless legally prohibited.
Miscellaneous
Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect.
In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern.
Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that OpsCompanion's access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by OpsCompanion to Customer under this DPA may be given: (a) in accordance with any notice clause of the Agreement; (b) to OpsCompanion's primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
Schedule 1
The parties acknowledge that Customer discloses Personal Data to OpsCompanion for the limited and specified purposes set forth in the Agreement and DPA, and as instructed by Customer.
Customer shall have the right to take the reasonable and appropriate steps set forth in the Agreement designed to stop and remediate unauthorized use of Personal Data.
OpsCompanion will not retain, use, disclose, sell, or share the Personal Data other than providing the Services specified by Customer's documented instructions. OpsCompanion will not combine Personal Data with information received from, or on behalf of other entities, except to perform the purpose of providing the Services specified by Customer's documented instructions. OpsCompanion shall Process Personal Data in accordance with Data Protection Laws applicable to OpsCompanion's provision of the Services to its customers generally (i.e., without regard for Customer's particular use of the Services), when the Services are used according to this DPA, the Agreement, the Documentation, and the applicable Order Form. OpsCompanion shall inform Customer if OpsCompanion determines it is unable to meet its obligations under the CCPA.
The parties acknowledge that OpsCompanion's retention, use and disclosure of personal information authorized by Customer's instructions documented in the DPA are integral to OpsCompanion's provision of the Services and the business relationship between the parties.