Data Processing Addendum
Last updated Feb 07, 2025.
This Data Processing Addendum (“DPA”) between the Client and Afiniti supplements and forms a part of the Services Agreement (the “Agreement”) between the Parties. In the event of any inconsistency or conflict between this DPA and the Agreement, this DPA will govern. This DPA will survive termination of the Agreement.
Definitions
Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in the Agreement and if not defined in the Agreement, will have the meaning given to it under applicable Data Protection Laws. In this DPA, unless the context requires otherwise:
- “Afiniti’s Third-Party Data” means any personal information related to Customers lawfully and independently acquired by afiniti to provide the Services.
- “Agent” means an individual employee, agent, or contractor of Client.
- “Controller” has the meaning provided under applicable Data Protection Laws and shall also include “Business” as defined by applicable Data Protection Laws.
- “Customer(s)” means Client’s actual or prospective customers; Customers are Consumers and/or Data Subjects as defined by applicable Data Protection Laws.
- “Data Protection Laws” means all privacy laws, regulations, standards, regulatory guidance, and self-regulatory guidelines that may apply to Client or Service Provider. Law includes, but is not limited to, the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., the California Privacy Rights Act of 2022 (Cal. Civ. Code §§ 1798 et seq.) (“CPRA”), and other United States data protection and data privacy laws, as supplemented by regulations as amended from time to time.
- “Personal Information” means any information with respect to the services provided by Client to Afiniti that could be reasonably linked, directly or indirectly, with a particular Customer or Agent, regardless of the media on which such information is stored (e.g., on paper or electronically), and includes “Personal Data” and “Personally Identifiable Information” or any other similar terms as defined under applicable Data Protection Laws. With the exception of Afiniti’s Third-Party Data, Personal Information is the exclusive property of Client (hereinafter, “Client Personal Information”).
- “Processing” means any operation or set of operations which is performed on Personal Information, or on sets of Personal Information, whether or not by automated means, and “Process” will be interpreted accordingly;
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Client Personal Information on afiniti’s system or within its control;
- “Sell” and “Share” shall have the meaning provided by Data Protection Laws.
- “Service Provider” has the meaning provided under applicable Data Protection Laws and shall also include “Processor” as defined by applicable Data Protection Laws.
- “Services” means the service(s) provided by afiniti to Client under the Agreement;
- “Subprocessor” means any Processor engaged by afiniti who agrees to receive Client Personal Information directly from afiniti.
Role of the Parties; Business Purpose
- The Parties acknowledge and agree that:
- For the purposes of the Agreement and this DPA, afiniti will act as a Service Provider in its performance of its obligations pursuant to the Agreement.
- For the purposes of the Agreement and this DPA, Client will act as a Controller in its performance of its obligations pursuant to the Agreement.
- Afiniti is Processing Personal Information on behalf of Client for the Business Purpose of performing services on behalf of the business, including providing customer service and providing analytic services, as more specifically described in the Agreement.
Afiniti’s Responsibilities for Processing Personal Information
- Processing Based On Instructions. afiniti will comply with all applicable Data Protection Laws, including providing the same level of privacy protection as required by Client. afiniti will only Process Client Personal Information in accordance with:
- the Agreement, to the extent necessary to provide the Services to Client; and
- Client’s written instructions.
unless Processing is required by applicable laws to which Afiniti is subject, in which case Afiniti shall, to the extent permitted by applicable laws, inform Client of that legal requirement before Processing that Client Personal Information.
- If afiniti determines that it can no longer meet its obligations under the CCPA and these regulations, afiniti will notify Client no later than five (5) business days after making that determination.
- Assistance and Cooperation. Upon Client’s written request, Afiniti will update, correct, delete, supplement, transfer, and provide Client with access to Client Personal Information in Afiniti’s possession or control. Afiniti will cooperate with and assist Client in complying with applicable Data Protection Laws, including but not limited to assisting with data protection impact assessments, audits, and consultations with regulatory bodies.
- De-Identified Data. Afiniti may Process Personal Information in De-Identified form, provided that Afiniti will: (i) take reasonable measures to ensure that such data cannot be associated with a Customer or Data Subject; (ii) Process such data only in a de-identified fashion and only for its internal business purposes; (iii) not attempt to re-identify such data; (iv) contractually obligate any recipients of such data to comply with this section; and (v) publicly commit to complying with this section, such as through a prominent disclosure in its privacy policy, on its website, or similar means. For purposes of this DPA, “De-Identified Data” means data that cannot reasonably be used to infer information about or otherwise be linked to a Data Subject or has the meaning otherwise provided under applicable Data Protection Law.
Client’s Responsibilities for Processing Personal Information
- The Client shall provide all notices and obtain all consents as required under applicable Data Protection Laws for the lawful Processing of Client Personal Information by Afiniti in accordance with the Agreement.
- The Client agrees to defend, indemnify and keep indemnified, and hold harmless, at its own expense, Afiniti against all costs, claims, damages and expenses incurred by Afiniti or for which Afiniti may become liable due to any failure by the Client to comply with subsection 4.1.
- The Client acknowledges that Afiniti is reliant on the Client for direction as to the extent to which Afiniti is entitled to use and process the Client Personal Information. Consequently, Afiniti will not be liable for any claim brought against the Client by any consumers arising from any act or omission by Afiniti to the extent that such act or omission resulted from the Client’s instructions or the Client’s use of the Services.
Subprocessors
- Requirements for Subprocessor Engagement. When engaging any Subprocessor, afiniti will:
- ensure via a written agreement that:
- the Subprocessor only accesses and uses Client Personal Information to the extent required to perform the obligations subcontracted to it and does so in accordance with the Agreement and this DPA; and
- the same obligations are imposed on the Subprocessor with regard to their Processing of Client Personal Information, as are imposed on afiniti under this DPA.
Prohibitions on the Processing of Personal Information
- The following provisions apply to Client Personal Information to the extent it is subject to the Data Protection Laws:
- Processing of Client Personal Information. Afiniti shall not Sell or Share Client Personal Information. Afiniti shall not collect, Process, or retain Client Personal Information (i) for any other commercial purpose other than providing the Services to Client pursuant to the Agreement; and (ii) outside the direct business relationship between Client and Afiniti, including to combine or update Personal Information with information received from or on behalf of another source or collected from Afiniti’s own interactions with a Data Subject unless permitted by applicable Data Protection Law.
- Disclosure of Client Personal Information. Afiniti shall not Sell, Share, disclose, release, transfer, make available or otherwise communicate any Client Personal Information to another business or third-party without the prior written consent of Client unless and to the extent that such disclosure is made to a Subprocessor for a business purpose pursuant to Section 5 of this DPA. Notwithstanding the foregoing, nothing in this DPA shall restrict Afiniti’s ability to disclose Client Personal Information to comply with applicable laws or as otherwise permitted by the Data Protection Laws.
Data Security and Audits
- Afiniti Security Obligations. Afiniti shall implement appropriate technical and organizational measures to protect the Client Personal Information to ensure a level of security appropriate to the risk relating to the nature of the Personal Information.
- Security Audits. The Client may, upon reasonable notice and at reasonable times, audit (either by itself or using independent third-party auditors) Afiniti’s compliance with the security measures set out in this DPA. Afiniti shall assist with, and contribute to, any audits conducted in accordance with this clause 7.2, provided that such audits are not carried out more than once a year. The Client shall reimburse any costs or expenses incurred by Afiniti in granting access to its data processing facilities or procuring access to its Subprocessors’ data processing facilities.
- Client shall have the right to take reasonable and appropriate steps to ensure that Afiniti uses Personal Information in a manner consistent with Client’s business obligations under the applicable Data Protection Laws.
Consumer Rights
- Unless otherwise required by applicable law, Afiniti shall promptly notify Client of any request received by Afiniti or any Subprocessor in respect to Client Personal Information.
- Afiniti shall, where reasonably possible, assist Client with ensuring its compliance under applicable Data Protection Laws by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s obligation to respond to requests for exercising consumer rights as described in the Data Protection Laws and in particular shall:
- reasonably assist Client with responding to requests to correct, delete, access, or copy Client Personal Information within its possession or control, or
- promptly correct, delete, access, or copy Client Personal Information within the Services at Client’s request.
Government Disclosure
- Government Disclosure. Afiniti shall promptly notify the Client of any request for the disclosure of Client Personal Information by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
Duration and Termination
- Deletion of data. Subject to clause 10.2 below, Afiniti shall, within ninety (90) days of the date of termination of the Agreement:
- if requested to do so by the Client, return a copy of all Client Personal Information by secure file transfer in such a format as notified by the Client to Afiniti; and
- delete and use reasonable efforts to procure the deletion of all other copies of Client Personal Information Processed by Afiniti or any Subprocessors.
- Afiniti and its Subprocessors may retain Client Personal Information to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Afiniti shall ensure the confidentiality of all such Client Personal Information and shall ensure that such Client Personal Information is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.