244 Fifth Avenue Suite,

New York,

NY 10001, USA Privacy and Security Addendum

Last updated April 12, 2024

This Privacy and Security Addendum (this “Addendum”) is a supplement that is incorporated by reference into the Company’s Terms of Service and Privacy Policy (collectively the “Agreement”), as applicable

  • Definitions. In addition to any defined terms set forth in the Agreement, with respect to this Addendum, the following additional defined terms shall apply:
    • “Applicable Law” means any applicable federal, state or foreign law, rule, regulation, ordinance, directive, decision of, or agreement with or by, any legislative, administrative, judicial, or other Government Authority, including, without limitation, those relating to privacy, data protection, marketing, or data security.
    • “Authorized Persons” means (a) Company’s employees who have a need to know or otherwise access Client Data to enable Company to perform its obligations under this Agreement; and (b) Company’s contractors, agents and auditors who have a need to know or otherwise access Client Data to enable Company to perform its obligations under this Agreement, and who, in each case, are bound in writing by obligations no less restrictive than those set forth in this Agreement (subsection (b) hereof, “Subprocessors”).
    • “Government Authority” means any foreign or domestic, federal, state, county, city or local legislative, enforcement, administrative or regulatory authority, agency, department, court, tribunal, instrumentality, commission, body or other governmental or quasi-governmental entity, or political association or subdivision, or other judicial, administrative or arbitral entity, body or instrumentality, in each case, with competent jurisdiction, including, without limitation, any supranational body and any self-regulatory organization.
    • “Client Data” means information, in any form, format or media, accessed or otherwise Processed by Company or any Authorized Person in connection with the performance of Company’s obligations under this Agreement, including, without limitation, all Personal Data and all other confidential information under this Agreement that is Processed in connection with this Agreement and, for clarity, whether such information is that of a Customer or Client.
    • “Personal Data” as to data subjects of the European Union and United Kingdom, has the meaning given to it in the General Data Protection Regulation (“GDPR”), including but not limited to any information relating to a natural person owned or provided by the Client, Customer, or otherwise to the Company, in any form, format or media that Company Processes in connection with the Agreement. As to natural persons who are California residents, Personal Data has the meaning of “Personal Information” given in the California Consumer Privacy Act (“CCPA”). As to natural persons resident in other jurisdictions, the GDPR definition shall apply except as modified by local Privacy and Security Regulations. Personal Data shall include, without limitation, “personally identifiable information,” “personal information,” “personal data,” “nonpublic personal information” or other similar terms as defined by such local Privacy and Security Regulations.
    • “Privacy and Security Regulations” means any and all Applicable Law, industry standards and contracts, in each case, relating to the privacy, protection or Processing of Personal Data including, without limitation: (a) all Applicable Law and binding regulations relating to data protection, information security, cybercrime, Security Breach notification, Social Security number protection, outbound communications and/or electronic marketing, use of electronic data and privacy matters (including online privacy) in any applicable jurisdictions; (b) each contract relating to the Processing of Personal Data to the extent implicated by this Agreement; and (c) each applicable rule, mandatory code of conduct, and applicable industry standards, including, without limitation, to the extent applicable, the Payment Card Industry Data Security Standard (“PCI DSS”) or other requirement of self-regulatory bodies or the requirements set forth in regulations implementing such laws and published by regulatory authorities.
    • “Processing,” “Process” or “Processed” means any operation or set of operations that is performed upon data, whether or not by automatic means, including, without limitation, collection, recording, organization, storage, retention, access, acquisition, protection, maintenance, operation, transmission, adaptation, alteration, retrieval, consultation, use, re-use, disclosure, re-disclosure, dissemination, making available, alignment, combination, modification, blocking, deletion, erasure or destruction.
    • “Security Breach” means: (a) any actual or suspected compromise either of the security, confidentiality, integrity or availability of Client Data or the physical, technical, administrative or organizational safeguards implemented by Company (or any Authorized Persons) that relate to the protection of the security, confidentiality, integrity or availability of Client Data, including, without limitation, any actual or suspected unauthorized access to, acquisition of, or other Processing of Client Data or the keys, passwords or passcodes needed to access Client Data; (b) any actual or suspected incident that may require notification to any person or Government Authority under Privacy and Security Regulations; or (c) receipt of a written notice (including, without limitation, any enforcement notice), letter or complaint from a Government Authority or any person in relation to the privacy or security practices or compliance of Company (or any Authorized Persons) or a breach or alleged breach of this Agreement relating to such privacy or security practices or compliance.
    • “Services” means those services that Company performs and/or provides pursuant to the Agreement.
    • “Transfer” means to disclose or otherwise make Personal Data available to a third party (including, without limitation, to any Subprocessor), either by physical movement of the Personal Data to such third party or by enabling access to the Personal Data by other means.
  • Standard of Care; Standard of Processing
    • Company acknowledges and agrees that, in the course of its engagement by Customer, Company may receive or have access to Client Data and that such Client Data is being disclosed for limited and specific business purposes as specified in the Agreement. The discloser has the right to take reasonable and appropriate steps to ensure that Company uses the Client Data provided to or accessed by Company in a manner consistent with discloser’s obligations under Privacy and Security Regulations.
    • Company shall comply with the terms and conditions set forth in this Agreement and all Privacy and Security Regulations in its collection, receipt, transmission, storage, disposal, use, disclosure and other Processing of such Client Data and be responsible for the unauthorized collection, receipt, transmission, access, storage, disposal, use, disclosure and other Processing of Client Data under its control or in its possession, or under the control of or in the possession of any Authorized Persons. Company shall put in place reasonable measures to ensure the reliability of any Authorized Persons with access to Client Data, and Company shall be responsible for, and remain liable to, Customer for the actions and omissions of all Authorized Persons as if they were Company’s own actions and omissions.
    • As between the Parties, Client is the sole owner of all Client Data. For clarity, Client Data is deemed to be confidential information of Client and is not confidential information of Company. In the event of a conflict or inconsistency between this Section 2(c) and the confidentiality provisions of the Agreement, the terms and conditions set forth in this Section 2(c) shall govern and control. Client hereby appoints Company, and Company accepts appointment, as a “Collector” and “Processor” in relation to the obtaining and Processing of Personal Data. The Parties agree to act in accordance with their respective obligations under the Agreement and Privacy and Security Regulations. Company is the “Controller” of all Personal Data.
    • In recognition of the foregoing, Company agrees and covenants that it shall:
      • keep and maintain all Client Data in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use, disclosure or other Processing;
      • only Process Personal Data during the term of this Agreement for business purposes as contemplated by Privacy and Security Regulations, on behalf of Customer in accordance with this Agreement;
      • not Transfer, retain, use or disclose Personal Data for any other purpose, including, without limitation, retaining, using or disclosing Personal Data for a commercial purpose other than in accordance with Section 2(d)(ii) above;
      • not Transfer Personal Data to any person or party other than Client, except (A) to the extent necessary for the performance and/or provision of Services for Customer pursuant to this Agreement and in accordance with the requirements of this Agreement, (B) to the extent that such Transfer is required by Privacy and Security Regulations or (C) with the express written consent of Client;
      • not Transfer or Process Personal Data for any purpose outside of the direct business relationship between Company and Client;
      • have no rights to Process Personal Data except for the benefit of Client or for the provision of Services pursuant to the Agreement. For the avoidance of doubt, Company shall have no right to retain, monetize, analyze, Transfer or otherwise utilize Personal Data for its own benefit and the Parties agree that Company shall not sell or Process Personal Data in any manner that would cause its access to same to be defined as a “sale” or “sharing” as defined by Privacy and Security Regulations (including, without limitation, the CCPA, as amended or reenacted by the California Privacy Rights Act of 2020, and any implementing regulations promulgated thereunder) except as authorized or stated in the Agreement. Company shall not combine Personal Data with Personal Data that Company receives from or on behalf of another person or persons, or collects from its own interaction with such person or persons except as authorized in the Agreement. Company certifies that it understands its obligations and restrictions set forth in this Agreement and under Privacy and Security Regulations;
      • make available to Client on request all information reasonably necessary to demonstrate compliance with this Addendum and Privacy and Security Regulations;
      • immediately notify Client if, in Company’s opinion, any Client instruction with respect to the Processing of Customer Personal Data is contrary to any Privacy and Security Regulations; and
      • immediately notify Client after Company makes a determination that Company can no longer meet its obligations under Privacy and Security Regulations.
    • If the Company wishes to appoint any Subprocessor, it shall:
      • notify Client after having provided Client with written notice regarding the appointment which includes full details of the Processing to be undertaken by the Subprocessor;
      • enter into a written agreement with each Subprocessor that binds each Subprocessor to fulfill, and that complies with, in substance, the same obligations on the Client with respect to data protection, security and privacy under this Addendum and Applicable Law; and
      • remain fully liable to Client for any failure by any Subprocessor to fulfill its obligations in relation to Processing Personal Data.
    • With respect to any Client Data, Company agrees that: (i) Company shall not Transfer Personal Data from any jurisdiction to any other jurisdiction (the European Economic Area constituting a single jurisdiction for this purpose) without the prior written consent of Client and, where required, without putting in place an appropriate Transfer agreement or other mechanism to comply with Privacy and Security Regulations; and (ii) if requested by Client in order to enable it to comply with any Privacy and Security Regulations, Company shall enter into any supplemental terms in order to enable Client to comply with Privacy and Security Regulations, including, without limitation, by executing a version of a model contract deemed by the European Commission or applicable regulator to offer adequate data protection safeguards in relation to the Transfer of Personal Data as Client deems reasonably necessary to comply with Privacy and Security Regulations;
  • Client Requests Regarding Client Data
    • Client shall notify Company of any Consumer Request made pursuant to Privacy and Security Regulations that Company must comply with, and shall provide the information necessary for Company to comply with, such Consumer Request.
  • Information Security
    • Company shall implement and maintain reasonable and appropriate administrative, physical, technical and organizational measures and security procedures and practices, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes for which the Client Data was collected and used, to ensure a level of security appropriate to the risk and nature of the Client Data, establish a clear allocation of responsibilities to implement such measures and protect Client Data from unauthorized or illegal access, destruction, use, modification or disclosure.
    • Without limiting Company’s obligations under Section 4(a), Company represents, warrants and covenants that it has established and implemented and shall continue to maintain a written information security program that includes reasonable administrative, physical and technical security procedures, practices and safeguards designed to protect Client Data and Company’s facilities, systems, networks and assets against external and internal threats and ensure the reliability and integrity of such Client Data and facilities, systems, networks and assets. Such security procedures, practices and safeguards are and shall remain no less rigorous than accepted industry practices and other applicable industry standards for information security. Company shall ensure that all security procedures, practices and such safeguards, including, without limitation, the manner in which Client Data is collected, accessed, used, stored, disposed of, disclosed and otherwise Processed, comply with Applicable Law and the terms and conditions of this Agreement.
    • If, in the course of its engagement by Customer, Company has access to or will collect, access, use, store, dispose of, disclose or otherwise Process credit, debit or other payment cardholder information, Company shall at all times be and remain in compliance with PCI DSS requirements, including, without limitation, remaining aware at all times of changes to the PCI DSS and promptly implementing all procedures and practices as may be necessary to remain in compliance with the PCI DSS, in each case, at Company’s sole cost and expense.
    • At a minimum, Company’s safeguards for the protection of Client Data shall include:
      • limiting access to Client Data to Authorized Persons;
      • securing business facilities, data centers, paper and electronic files, servers, backup systems and computing equipment, including, without limitation, all mobile devices and other equipment with information storage capability;
      • implementing network, device application, database and platform security, including, without limitation, regular penetration testing and automated vulnerability scanning designed to assess the effectiveness of such security;
      • securing systems acquisition, development and maintenance, including, without limitation, supplier relationships; securing information transmission, storage and disposal;
      • implementing authentication and access controls within media, applications, operating systems and equipment based on the principle of least privilege;
      • encrypting Client Data both in transit and at rest;
      • strictly segregating Client Data from information of Company and its other customers so that Client Data is not commingled with any other types of information;
      • implementing appropriate personnel security and integrity procedures and practices, including, without limitation, conducting background checks consistently
      • establishing and maintaining an incident response, planning and management program;
      • establishing and maintaining procedures for business continuity management and disaster recovery;
      • providing appropriate data privacy, cybersecurity and information security training to Authorized Persons; and
      • designating defined organizational roles relating to information security and incident response.
    • During the term of each Authorized Person’s work for Company, Company shall at all times cause such Authorized Persons to abide strictly by Company’s obligations under this Agreement. Company further agrees that it shall maintain a procedure to address any unauthorized access, use, disclosure or other Processing of Client Data by any of Company’s officers, partners, principals, employees, agents or contractors.
  • Return or Destruction of Client Data
    At any time during the term of this Agreement at the Client’s request for any reason or upon the termination or expiration of this Agreement, Company shall, and shall instruct all Authorized Persons to, promptly return to the Client all copies, whether in written, electronic or other form or media, of Client Data in its possession or the possession of such Authorized Persons, or securely dispose of all such copies, and certify in writing to the Client that such Client Data has been disposed of securely, unless retention is required by Applicable Law.