Boostly
Data Processing Addendum
This Data Processing Agreement (“DPA”) amends and forms part of the Agreement, as defined by the Standard Terms and Conditions by and between Boostly, Inc. (“Boostly”) and the entity identified in the applicable order form referencing such Standard Terms and Conditions (“Customer”). In the event of a conflict between this DPA and the Agreement with respect to the subject matter of this DPA, this DPA will prevail to the extent of such conflict.
Definitions. Capitalized terms used in this DPA and not defined herein will have the meanings given to them by the Agreement. As used in this DPA –
1.1 “CCPA” means the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020.
1.2. “Consumer” means a natural person. Where applicable, Consumer will be interpreted consistent with the same or similar term under the U.S. Privacy Laws.
1.3. “Controller” means a person or entity that collects individuals’ Personal Information and alone, or jointly with others, determines the purposes and means of the Processing of such Personal Information. Where applicable, Controller will be interpreted consistent with the same or similar term under the U.S. Privacy Laws.
1.4. “Customer Personal Information” means Customer Data that constitutes Personal Information subject to U.S. Privacy Laws.
1.5. “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person. Where applicable, Personal Information will be interpreted consistent with the same or similar term under U.S. Privacy Laws.
1.6. “Process” means any operation or set of operations performed on Customer Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, access, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Where applicable, “Process” will be interpreted consistent with the same or similar term under U.S. Privacy Laws
1.7. “Processor” means “Processor,” “Service Provider,” or “Contractor” as those terms are defined in U.S. Privacy Laws.
1.8. “Sale” and “Selling” have the meaning defined in the U.S. Privacy Laws.
1.9. “Share,” “Shared,” and “Sharing” have the meaning defined in the CCPA.
1.10. “U.S. Privacy Laws” means, collectively, all United States federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the Processing of individuals' Personal Information and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health or biometric information), in each case where applicable to the Processing of Customer Personal Information by Boostly pursuant to the Agreement. U.S. Privacy Laws may include, but are not limited to, the CCPA. In the event of a conflict in the meanings of defined terms in U.S. Privacy Laws, the meaning from the law applicable to the state of residence of the relevant Consumer applies.
Scope, Roles, and Termination.
2.1. Applicability – This DPA applies only to Boostly’s Processing of Customer Personal Information for the nature, purposes, and duration set forth in Appendix A.
2.2. Roles of the Parties – For the purposes of the Agreement and this DPA, Customer is the Party responsible for determining the purposes and means of Processing Customer Personal Information as the Controller and appoints Boostly as a Processor to Process Customer Personal Information on Customer’s behalf for the limited and specific purposes set forth in Appendix A.
2.3. Obligations at Termination – Upon termination of the Agreement, except as set forth therein or herein, Boostly will discontinue Processing and destroy or return Customer Personal Information in its or its subcontractors’ and sub-processors’ possession without undue delay. Boostly may retain Customer Personal Information to the extent required by law .
Compliance.
3.1. Compliance with Obligations – Boostly will take steps to ensure that its employees, agents, subcontractors, and sub-processors: (i) comply with applicable obligations of U.S. Privacy Laws; (ii) provide the level of privacy protection for Customer Personal Information required by applicable U.S. Privacy Laws; and (iii) provide Customer with reasonable assistance to enable Customer to fulfill Customer’s own obligations under applicable U.S. Privacy Laws.
3.2. Compliance Assurance – Customer has the right to take reasonable and appropriate steps to ensure that Boostly uses Customer Personal Information consistent with Customer’s obligations under applicable U.S. Privacy Laws.
3.3. Compliance Monitoring – No more than once per calendar year, Boostly will provide to Customer, upon Customer’s written request, information and documentation in Boostly’s possession and control necessary to demonstrate Boostly’s compliance with its obligations under this DPA.
3.4. Compliance Remediation – Boostly will notify Customer if it determines that it can no longer meet its obligations under applicable U.S. Privacy Laws. Upon receiving notice from Boostly in accordance with this subsection, Customer may direct Boostly to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Information.
3.5. Security – The Parties will implement and maintain no less than commercially reasonable security procedures and practices, appropriate to the nature of the information, designed to protect Customer Personal Information from unauthorized access, destruction, use, modification, or disclosure.
Restrictions on Processing.
4.1. Limitations on Processing – Boostly will Process Customer Personal Information as instructed in the Agreement. Except as expressly permitted by U.S. Privacy Laws, Boostly is prohibited from: (i) Selling or Sharing Customer Personal Information; (ii) retaining, using, or disclosing Customer Personal Information for any purpose other than for the specific purpose of performing the services specified in Appendix A; (iii) retaining, using, or disclosing Customer Personal Information outside of the direct business relationship between the Parties; and (iv) combining Customer Personal Information with Personal Information obtained from, or on behalf of, sources other than Customer, except as expressly permitted under applicable U.S. Privacy Laws.
4.2. Confidentiality – Boostly will take steps to ensure that its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to Customer Personal Information.
4.3. Subcontractors: Sub-processors – Boostly will notify Customer of any intended changes concerning the addition or replacement of subcontractors or sub-processors. Further, Boostly will take steps to ensure that Boostly’s subcontractors or sub-processors who Process Customer Personal Information on Boostly’s behalf agree in writing to the materially equivalent restrictions and requirements that apply to Boostly in this DPA and the Agreement with respect to Customer Personal Information, as well as to comply with U.S. Privacy Laws.
4.4. Right to Object – Where Customer is expressly provided rights to such objections under applicable U.S. Privacy Laws, Customer may object in writing to Boostly’s appointment of a new subcontractor or sub-processor on reasonable grounds by notifying Boostly in writing within 30 calendar days of receipt of notice and only). In the event Customer objects, the Parties will discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution.
Consumer Rights.
5.1. Boostly will provide commercially reasonable assistance to Customer for the fulfillment of Customer’s obligations to respond to U.S. Privacy Law-related Consumer rights requests regarding Customer Personal Information.
5.2. Where applicable, Customer will inform Boostly of any Consumer rights request made pursuant to U.S. Privacy Laws with which Boostly must comply with. Customer will provide Boostly with the information necessary for Boostly to comply with the request.
5.3. Boostly will not be required to delete any Customer Personal Information to comply with a Consumer’s rights request directed by Customer if retaining such information is specifically permitted by applicable U.S. Privacy Laws; provided, however, that in such case, Boostly will not use Customer Personal Information retained for any purpose other than provided for by that exception.
Exemptions.
6.1. Notwithstanding any provision to the contrary in the Agreement or this DPA, the terms of this DPA will not apply to Boostly’s Processing of Customer Personal Information that is exempt from applicable U.S. Privacy Laws.
Changes to Applicable Privacy Laws.
7.1. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations, or other laws pertaining to privacy and information security, including, where applicable, U.S. Privacy Laws.