Data Protection and Use Addendum
This Data Protection and Use Addendum (“Addendum”) is made as of [DATE] between Applied Gratitude Inc. (dba Thnks), Delaware corporation, with a place of business at 712 5th Avenue, New York, NY 10019 and CLIENT NAME (“Client”) with a place of business at ADDRESS. This Addendum applies to the access, collection, processing, access, use, and disclosure of personal data of Client’s employees or Client’s customers by Thnks in connection with its provision of services to Client. The parties have previously entered into a master agreement (“Agreement”) for the provision of services (“Services”) dated [DATE] and wish to amend the agreement to include the following terms and conditions. If there is any conflict between this Addendum and the Agreement, this Addendum shall control to the extent of such conflict.
Therefore, in consideration of the agreements contained herein and for other good and valuable consideration, the receipt and sufficiency whereof is hereby acknowledged, the parties agree as follows:
1. Definitions; Interpretation.
The Platform‚ including features available on or through the Platform‚ may be modified by us‚ in our sole discretion‚ at any time without prior notice. Unless expressly stated otherwise‚ any new features‚ new services‚ enhancements or modifications to the Platform implemented after you first access the Platform shall be subject to these Terms. In particular, price changes may reflect vendor pricing changes that are outside of the control of the Platform.
- Client Personal Data. The term “Client Personal Data” shall mean any Personal Data of a Client employee or Client customer that is shared by Client with Thnks, including, but not limited to, an employee’s or customer’s first and last name, physical address, email address, telephone number, customer number (if applicable), date of birth, and/or payment information (such as credit or debit card numbers).
- Data Protection Laws. The term “Data Protection Laws” shall mean all applicable laws, standards, and regulations governing the Processing, protection or security of Personal Data, as may be amended or enacted from time to time.
- Personal Data. Except as otherwise provided herein, the term “Personal Data” shall mean any information relating to an identified or identifiable nature person where such information is protected as personal data or personally identifiable information under applicable Data Protection Laws; however, the term “Personal Data” shall not mean or include the following transaction data: (i) the fact that a transaction (i.e., the sending of a gift from one party to another party) took place, (ii) the gift sent, (iii) the vendor used to supply a gift, (iv) the cost of any gift sent, (v) the date a gift was sent, (vi) the date a gift was received, (vii) the fact that a gift was opened, redeemed, not redeemed or donated to charity, and (viii) the charity to which a gift was donated, all of which shall be hereafter referred to as “Transaction Data”.
- Personal Data Breach. The term “Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss alteration, unauthorized disclosure of, or access to, Client Personal Data transmitted, stored or otherwise Processed by Thnks.
- Processing. The term “Processing” shall mean any operation or set of operations which is performed on or in connection with Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process”, “Processes”, and “Processed” shall have a corresponding meaning.
2. Client’s Obligations.
Client confirms that any Client Personal Data provided to Thnks by Client or on Client’s behalf has been collected and disclosed to Thnks in accordance with applicable Data Protection Laws. Client shall provide Thnks only with that Client Personal Data which is required in order for Thnks to perform the services under the Agreement, and Client shall take reasonable steps to ensure that the Client Personal Data does not include irrelevant or unnecessary information about its employees or customers.
3. Client’s Instructions.
From time to time, Client may provide instructions in writing to Thnks in addition to those specified in the Agreement with regard to the processing or protection of Client Personal Data. Unless otherwise prohibited by law or contract, and as is practical and appropriate under the circumstances, Thnks will endeavor to comply with all reasonable instructions without additional charge and only to the extent necessary for Thnks to comply with its obligations to Client under the Agreement. The parties will negotiate in good faith with respect to any other change in the Services and/or fees resulting from any additional instructions from Client not covered by the Agreement.
4. Processing and Use of Client Personal Data.
All Client Personal Data provided by Client to Thnks will be Processed by Thnks only as is necessary for Thnks to fulfill its business purposes and/or provide Services to Client under the Agreement (hereafter the “Business Purposes”). Except as set forth in this Addendum or as Client otherwise instructs in writing pursuant to Paragraph 3, Thnks will not: (a) use Client Personal Data for any purpose other than Thnks Business Purposes, (b) sell, as that term is defined under §1798.140(t)(1)-(2) of the California Consumer Privacy Act (“CCPA”), any Client Personal Data, or (c) disclose such Client Personal Data to third parties other than authorized third party Thnks subcontractors (as set forth in Paragraph 12 below) or as unless so permitted or required under the Agreement or as instructed by the Client or as otherwise permitted in accordance with Data Protection Laws.
5. Data Security Safeguards.
Thnks warrants and represents that it has implemented reasonable and industry standard technical and organizational security measures for the Processing of Client Personal Data and appropriate and industry standard security safeguards to protect against unauthorized access to, acquisition, use, disclosure, destruction, or alteration of Client Personal Data. This includes Thnks’ written information security program designed to assess and control identified security and privacy risks as appropriate for the sensitivity of the Client Personal Data being Processed by Thnks, and which includes measures relating to physical security and access controls, system authentication access controls, data authentication and access controls, input controls, secure transmission and encryption measures, data backup procedures, data segregation, secure destruction and disposal of Personal Data, information security training for Thnks employees, and regular and routine security and vulnerability testing and audits.
6. ISO 27001:2013.
Upon request from Client, Thnks will provide a copy of Thnks’ third party provided ISO 27001:2013 certification evidence that the Thnks software development and business processes conform with the requirements of ISO 27001:2013.
7. Rights of Data Subjects and Requests for Access to Client Personal Data.
To the extent not restricted by applicable law or governmental order Thnks shall promptly inform Client in writing: (i) of any request for access to any Client Personal Data received from an individual who is (or claims to be) the subject of the data; (ii) of any request for access to any Client Personal Data received by Thnks from any government official unless it is explicitly prohibited by law from notifying Client of the request; (iii) of any other requests with respect to Client Personal Data received from third parties, other than those set forth in this Addendum. Thnks understands that it is not authorized to respond and not responsible for responding to these requests, unless authorized by Client or the response is legally required under a court order or similar legal document issued by a government agency that compels disclosure by Thnks. Unless directed by its counsel in writing otherwise, Thnks will follow Client’s reasonable and lawful detailed written instructions to meet its obligations pursuant to Data Protection Laws to respond to data subject requests to access, delete, release, correct, or block access to Client Personal Data held in Thnks’ information technology environment. Client agrees to pay Thnks’ reasonable out-of-pocket costs and expenses and standard hourly fees that may be associated with Thnks’ performance of any such access, deletion, release, correction, or blocking of access to Client Personal Data on behalf of Client.
8. Incident Response and Personal Data Breach Notification.
Unless restricted by applicable law or governmental order, Thnks shall notify Client without undue delay and within the timeframe under applicable Data Protection Laws after becoming aware of a Personal Data Breach. Thnks will provide reasonable assistance to Client as may be necessary for Client to satisfy any of Client’s notification obligations imposed under Data Protection Laws in connection with any Personal Data Breach. The obligations herein shall not apply to incidents that are caused by Client.
Upon request by Client and at Client’s cost, Thnks shall:
- Promptly make available to Client all information reasonably necessary to demonstrate compliance with Thnks’ obligations under this Addendum and the applicable Data Protection Laws; and
- Allow for and contribute to audits conducted by Client (or Client’s third-party auditor) in accordance with the Data Protection Laws and relating to Thnks’ Processing activities in relation to the Client Personal Data,
Unless Thnks provides written notification to Client that, in its reasonable opinion, any exercise of Client’s rights under subparagraphs (a) or (b) above would infringe a Data Protection Law.
10. Data Retention and Deletion.
Thnks, upon request by Client and at Client’s cost, will promptly delete or return (at the choice of Client) all Client Personal Data after the end of the provision of Services related to the Agreement and securely delete existing copies of such Client Personal Data unless required by law, regulation, or professional or industry standard to retain the information beyond such term.
11. Cyber-insurance coverage.
Thnks will obtain and maintain at its sole cost and expense during the term of this Agreement, and for one year thereafter on all claims-made policies, cyber-insurance coverage, including coverage for network security liability; privacy liability; privacy regulatory proceeding expenses and fines; PCI DSS Assessment liability; technology professional liability (errors and omissions); privacy breach expense reimbursement; and data/information lass and business interruption; and with a total aggregate limit of not less than $1 million.
Thnks may share with its third party subcontractors Client Personal Data to fulfill its business purposes and/or provide Services to Client under the Agreement. A list of the third party subcontractors with which Thnks may share Client Personal Data can be found on Thnks’ website. Thnks agrees that it will use its best efforts to work with such third party subcontractors to protect and secure any Client Personal Data shared by Thnks with such third party subcontractors.
13. Applicable Law.
Thnks agrees to comply with all applicable Data Protection Laws.
To the extent that the European Union General Data Protection Regulation 2016/679 (“GDPR”) is applicable to Client Personal Data (“EU Client Personal Data”), Thnks will:
- Process EU Client Personal Data in accordance with the Client’s instructions as documented in the Agreement. Generally, Thnks Processes Client Personal Data for the storage and processing of recipient contact information and sender gift selection and gift message, in order to deliver selected gesture of appreciation.
- Thnks shall make available a current list of any third parties who process EU Client Personal Data on Thnks’ behalf. Thnks will inform Client of any additions or replacement of any third parties who process EU Client Personal Data on Thnks’ behalf and provide Client the opportunity to object to any such changes. For each of these third parties, Thnks will enter into a written agreement to ensure sufficient guarantees to implement appropriate technical and organizational measures in such a manner that any processing by a third party will meet the requirements of GDPR.
- Taking into account the nature of Processing and the information available to Thnks, Thnks shall provide assistance to Client (by appropriate technical and organisational measures, insofar as this is possible), as Client may reasonably request and at Client’s cost, in connection with the fulfillment of Client’s obligation to respond to requests for exercising Data Subjects’ rights laid down in Chapter III of the GDPR.
- Taking into account the nature of processing and the information available to Thnks, Thnks shall provide assistance to Client, as Client may reasonably request and at Client’s cost, in connection with (a) performing any data protection impact assessments as required under the Data Protection Laws or (b) communications from, or requests made by supervisory authorities.
- Where Thnks, for the purposes of performing the services or in connection with the provision of the Services to Client, acts as a data controller, Thnks shall Process Client Personal Data only in accordance with the Data Protection Laws and for the purposes of performing the Services or in connection with the provision of the Services under or in connection with the Agreement.