Data Processing Addendum

This Data Processing Addendum ("Addendum") forms part of the Contract for Services under the ProsperStack Terms of Service (the "Principal Agreement"). This Addendum is an amendment to the Principal Agreement and is effective upon its incorporation to the Principal Agreement, which incorporation may be specified in the Principal Agreement or an executed amendment to the Principal Agreement. Upon its incorporation into the Principal Agreement, this Addendum will form a part of the Principal Agreement.

1. Definitions

1.1 "Controller" means the entity responsible for determining the purposes and the means of Processing Personal Information. The term "Controller" includes entities that assume the role of "Controller", "Business", or other analogous roles in applicable Data Protection Laws.

1.2 "Data Protection Laws" means any data protection and/or privacy-related laws, statutes, directives, or regulations (and any amendments or successors thereto) to which a party to the Addendum is subject and which are applicable to the Application Services, including without limitation the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020 ("CCPA"), the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022, the Utah Consumer Privacy Act of 2022, and the Virginia Consumer Data Protection Act, in each case as amended and including any regulations promulgated thereunder.

1.3 "Data Protection Impact Assessment" means any risk assessment that is designed to identify and analyze whether processing of Personal Information presents significant risk to the privacy or security of Data Subjects.

1.4 "Data Subject" means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, address, title, or an online identifier.

1.5 "Personal Information" means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, or otherwise considered "personal data" or "personal information" under applicable Data Protection Laws.

1.6 "Process" or "Processing" means any operation or set of operations which is performed on Personal Information including but not limited to collecting, recording, organizing, structuring, altering, accessing, disclosing, copying, transferring, storing, deleting, combining, restricting, adapting, retrieving, consulting, destroying, disposing, or otherwise using Personal Information.

1.7 "Processor" means the entity that Processes Personal Information on behalf of the Controller. The term "Processor" includes entities that assume the role of "Processor", "Service Provider", or other analogous roles in Data Protection Laws.

1.8 "Security Breach" means a breach of ProsperStack's security leading to any accidental or unauthorized access, use, disclosure, destruction, or loss of any Personal Information, as defined in applicable Data Protection Laws.

1.9 All other defined terms shall have the meanings set forth in the Principal Agreement.

2. Terms

2.1 The parties agree that Customer is a Controller and ProsperStack is its Processor in relation to this Addendum and Personal Information that is Processed in the course of ProsperStack's provision of the Application Services set forth in the Addendum. The parties agree to comply at all times with the applicable provisions of applicable Data Protection Laws in respect to the collection, transmission, and processing of all Personal Information exchanged or shared pursuant to the Principal Agreement.

2.2 The subject matter of the Processing of Personal Information covered by this Addendum is the Application Services ordered by Customer and provided by ProsperStack to Customer as set out in the Principal Agreement. The categories of data subjects subject to Processing are clients of Customer. The categories of data to be collected include name, email address, and usage metrics related to subscriptions.

2.3 Customer agrees to (i) determine the means and purposes of ProsperStack's Processing of Personal Information in accordance with the Principal Agreement and this Addendum; and (ii) maintain responsibility for accuracy, quality, and legality of Personal Information and the means by which Customer acquired Personal Information. Customer shall have sole responsibility for obtaining any and all relevant agreements, authorizations, consents, instructions or permissions for the Processing of Personal Information from Data Subjects, including, if applicable, Customer's customer(s), for ProsperStack to Process Personal Information on Customer's behalf. Customer shall have sole responsibility for the accuracy, completeness, format, and legality of Personal Information. Customer certifies that Customer will limit the transfer to Personal Information that is strictly necessary for ProsperStack to provide the ProsperStack Application Services Customer has contracted.

2.4 ProsperStack shall Process Personal Information in accordance with Customer's documented instructions provided that such instructions are: (i) based in and for the purpose of performing the terms of the Principal Agreement; and (ii) in compliance with Data Protection Laws. ProsperStack shall promptly notify Customer if, in ProsperStack's commercially reasonable opinion, ProsperStack is unable to comply with such instruction or such instruction is not in compliance with Data Protection Laws. ProsperStack will Process Personal Information for the duration of the Principal Agreement or as otherwise indicated in documented instructions from the Customer, unless otherwise agreed upon in writing or required by Data Protection Laws.

2.5 ProsperStack shall not (i) retain, use, or disclose Personal Information (a) for any purpose other than for the specific business purpose of providing the Application Services specified in the Principal Agreement; (b) outside of the direct business relationship between ProsperStack and Customer; or (c) or as otherwise permitted by Data Protection Laws; or (ii) "sell" or "share" Personal Information as such terms are defined under Data Protection Laws. Finally, the transfer of the Personal Information to ProsperStack shall not be considered a "sale" or "sharing" as defined in Data Protection Laws. The foregoing does not apply to any information that no longer satisfies the definition of Personal Information, including by application of anonymization, de-identification, or aggregation techniques that meet the requirements of Data Protection Laws.

2.6 ProsperStack shall not retain Personal Information longer than is required for the purpose of providing the Application Services under the Principal Agreement, unless (i) a longer retention period is required for audit, legal, or regulatory purposes or (ii) Customer instructs ProsperStack in writing to (a) keep certain Personal Information longer or (b) return certain Personal Information earlier. The return or destruction of any data storage medium provided by Customer to ProsperStack shall be conducted without undue delay (i) after termination or expiration of the Principal Agreement or (ii) earlier, by written request of Customer. The foregoing does not apply to any information that no longer satisfies the definition of Personal Information, including by application of anonymization, de-identification, or aggregation techniques that meet the requirements of Data Protection Laws.

2.7 ProsperStack shall provide commercially reasonable assistance to Customer to carry out, upon Customer's written request, a Data Protection Impact Assessment, to the extent required by Data Protection Law and to the extent the Data Protection Impact Assessment cannot be carried out by Customer without ProsperStack's assistance. Customer shall bear the sole cost and expense for a Data Protection Impact Assessment and Customer shall reimburse ProsperStack for any costs and expenses incurred by ProsperStack in providing such assistance.

2.8 ProsperStack shall make available to Customer all information necessary for ProsperStack to demonstrate compliance with its obligations under this Addendum and Data Protection Laws. ProsperStack will cooperate with Customer for the purpose of inspecting, examining, and assessing (collectively, "Auditing") ProsperStack's compliance with the obligations defined in this Addendum or the Principal Agreement, as it relates to the Application Services. Auditing will be conducted by an independent third party and may take place no more than once every twelve (12) months, unless otherwise required by Data Protection Laws.

2.9 ProsperStack agrees to implement, maintain, and document an information security program that includes appropriate administrative, technical and physical safeguards designed to protect Personal Information from unauthorized access, use, modification, disclosure, or destruction, in accordance with industry standards.

2.10 ProsperStack agrees to hold all Personal Information in strictest confidence and use due care to prevent any unauthorized or inappropriate use or disclosure. ProsperStack shall:

2.10.1 Ensure that all of ProsperStack's personnel comply with the provisions of this Addendum regarding the Processing of Personal Information;

2.10.2 Ensure that all of ProsperStack's personnel involved in processing Personal Information are subject to a duty of confidentiality with respect to Personal Information; and

2.10.3 Exercise the necessary and appropriate supervision over personnel to ensure the privacy, confidentiality, and security of Personal Information.

2.11 In the event of a Security Breach, ProsperStack will promptly notify Customer of discovery of such Security Breach and reasonably cooperate with Customer, including providing Customer with information about the Security Breach that Customer may reasonably request, as soon as such information can be collected or otherwise becomes available, including any remedial action taken and the potential consequences of the Security Breach.

2.12 ProsperStack may enlist sub-processors to provide Processing services on its behalf, provided that ProsperStack complies with the provisions of this clause. ProsperStack's current list of sub-processors is available at https://prosperstack.com/subprocessors/. In such an event, Customer and ProsperStack agree to discuss commercially reasonable alternative solutions in good faith. Any such sub-processors will be permitted to Process Personal Information only to deliver the Application Services. ProsperStack remains responsible for its sub-processor's compliance with the obligations of this Addendum, and ProsperStack shall ensure that any subcontractors to whom ProsperStack transfers Personal Information will have entered into written agreements with ProsperStack requiring that the sub-processor abide by terms substantially similar to this Addendum.

2.13 ProsperStack shall reasonably assist the Customer with its obligation to respond to requests from Data Subjects under Data Protection Laws (including requests for information relating to the Processing, and requests relating to access, rectification, erasure or portability of the Personal Information) provided that ProsperStack reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance.

3. By signing this Addendum, ProsperStack certifies that it understands the restrictions set forth herein and under Data Protection Laws, and will comply with them. ProsperStack shall immediately notify Customer if it determines that it can no longer meet its obligations under this Addendum or Data Protection Laws. Upon such notice, Customer shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information by ProsperStack.

This Addendum was last updated on December 8, 2023.

This Appendix A of the Addendum applies to the extent that the Services involve the processing of data that is subject to EU Data Protection Laws.

Appendix A: GDPR Data Processing Addendum

This GDPR Data Processing Addendum ("GDPR Addendum") forms part of the Contract for Services under the ProsperStack Terms of Service (the "Principal Agreement"). This GDPR Addendum is an amendment to the Principal Agreement and is effective upon its incorporation to the Principal Agreement, which incorporation may be specified in the Principal Agreement or an executed amendment to the Principal Agreement. Upon its incorporation into the Principal Agreement, this GDPR Addendum will form a part of the Principal Agreement.

WHEREAS

(A) The Company acts as a Data Controller.

(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this GDPR Addendum shall have the following meaning:

1.1.2 "Company Personal Data" means any Personal Data Processed by a Contracted Processor on Controller's behalf pursuant to or in connection with the Principal Agreement;

1.1.3 "Contracted Processor" means a Subprocessor;

1.1.4 "EEA" means the European Economic Area;

1.1.5 "EU/UK Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR, the United Kingdom Data Protection Act 2018 ("UK DPA"), and the UK GDPR (as defined in section 3 of the UK DPA);

1.1.6 "GDPR" means EU General Data Protection Regulation 2016/679 and the UK GDPR;

1.1.7 "Data Transfer" means:

1.1.7.1 a transfer of Company Personal Data from Controller to a Contracted Processor; or

1.1.7.2 an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

1.1.8 "Services" means any products or services described on the ProsperStack website.

1.1.9 "Subprocessor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of Controller in connection with the GDPR Addendum.

1.2 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Company Personal Data

2.1 Processor shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and

2.1.2 not process Company Personal Data other than on Controller's documented instructions.

2.2 Controller instructs Processor to process Company Personal Data to provide the Services and related technical support.

3. Processor Personnel

Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Subprocessing

5.1 Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or authorized by Controller.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, Processor shall assist Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Controller obligations, as reasonably understood by Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2 Processor shall:

6.2.1 promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

6.2.2 ensure that it does not respond to that request except on the documented instructions of Controller or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Controller of that legal requirement before the Contracted Processor responds to the request.

7. Personal Data Breach

7.1 Processor shall notify Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Controller with sufficient information to allow Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 Processor shall co-operate with Controller and take reasonable commercial steps as are directed by Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

8.1 Processor shall provide reasonable assistance to Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

9. Deletion or return of Company Personal Data

9.1 Subject to this section 9 Processor shall promptly and in any event within 30 days of the date of cessation of any Services involving the Processing of Company Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Company Personal Data.

9.2 Processor shall provide written certification to Controller that it has fully complied with this section 9 within 30 days of the Cessation Date.

10. Audit rights

10.1 Subject to this section 10, Processor shall make available to Controller on request all information necessary to demonstrate compliance with this GDPR Addendum, and shall allow for and contribute to audits, including inspections, by Controller or an auditor mandated by Controller in relation to the Processing of the Company Personal Data by the Contracted Processors.

10.2 Information and audit rights of Controller only arise under section 10.1 to the extent that the GDPR Addendum does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

11. Data Transfer

11.1 The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of Controller. If personal data processed under this GDPR Addendum is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data as set forth below.

12. General Terms

12.1 Confidentiality. Each Party must keep any information it receives about the other Party and its business in connection with this GDPR Addendum ("Confidential Information") confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.

12.2 Notices. All notices and communications given under this GDPR Addendum must be in writing and will be sent by email. Controller shall be notified by email sent to the address related to its use of the Service under the Principal Agreement. Processor shall be notified by email sent to the address: privacy@prosperstack.com.

This GDPR Addendum was last updated on December 8, 2023.
