Personal Data Processing Addendum

This Personal Data Processing Addendum (this “DPA”) sets out the terms and conditions by which Transparency-One, Inc. (“Transparency-One”) will process the Personal Data of each of our subscribers (each, “Your Company”) as an addendum to the agreement by which Your Company subscribes to the Platform (the “Agreement”). Transparency-One and Your Company may each be referred to individually in this DPA as a “Party,” and jointly as the “Parties.” If there are any conflicts or inconsistencies between the Agreement and this DPA, this DPA will control. Capitalized terms used herein but not defined shall have the meaning set forth in the Agreement.

Section 1: Definitions

For purposes of this DPA, the following terms have the following meanings:

(a) “CCPA” means the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 to 1798.199), as amended.

(b) “Data Privacy Laws” means the CCPA, the GDPR, and other applicable laws that regulate the protection or privacy of Personal Data, as applicable.

(c) “Data Subject” means any individual identified in any of Your Personal Data.

(d) “GDPR” means, collectively, all laws and regulations of the European Union, the United Kingdom, and Switzerland that apply to the processing of Personal Data including, where applicable, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation).

(e) “Personal Data” means data that, alone or in combination with other information, can be used to identify a natural living person.

(f) “Platform” means Transparency-One’s supply chain mapping and management platform, along with any releases, updates, or upgrades, licensed by Transparency-One under the terms of the Agreement.

(g) “Privacy Policy” means, collectively, the privacy policies set forth on Transparency-One’s website (the current versions of which are available at https://www.transparency-one.com/privacy-policy/).

(h) “Services” means the services to be provided by Transparency-One to Your Company under the terms of the Agreement.

(i) “Your California Personal Data” means any of Your Personal Data that is subject to and regulated by the CCPA.

(j) “Your EU Personal Data” means any of Your Personal Data that is subject to and regulated by the GDPR.

(k) “Your Personal Data” means any Personal Data concerning Your Company’s employees that Transparency-One collects from Your Company or its Users. For purposes of clarity, “Your Personal Data” does not include any Personal Data that another Platform subscriber provides to Transparency-One or enters into the Platform.

(l) “User” means an individual Your Company has authorized to access the Platform and use the Services on Your Company’s behalf using his or her own unique Platform username and password.


Section 2: Roles of Parties; Compliance with Data Privacy Laws

(a) This DPA applies when Transparency-One processes any of Your Personal Data that is subject to Data Privacy Laws. In the context of Transparency-One performing the Services, the Parties agree that (i) Transparency-One is the “data processor” and Your Company is the “data controller” (as the terms are defined in the GDPR) with respect to Your EU Personal Data; and (ii) Transparency-One is a “service provider” (as defined in the CCPA) and Your Company is a business with respect to Your California Personal Data.

(b) Transparency-One will comply with applicable Data Privacy Laws when processing Your Personal Data, including (i) complying with Section 10 below when processing Your EU Personal Data, and (ii) complying with Section 11 below when processing Your California Personal Data. Your Company will comply with Data Privacy Laws when collecting and transferring Your Personal Data to Transparency-One and when instructing Transparency-One regarding Your Personal Data. As Transparency-One does not control the content of data Your Company provides to Transparency-One or enters into the Platform, Your Company is responsible for managing such data, including Your Personal Data included therein, and for taking all measures necessary to comply with applicable law, including applicable Data Privacy Laws, to ensure Transparency-One may process such data lawfully. Accordingly, if applicable Data Privacy Laws require obtaining a Data Subject’s consent prior to or during Transparency-One’s processing of Your Personal Data, Your Company is responsible for obtaining that consent.


Section 3: Categories of Your Personal Data Transparency-One Collects

Transparency-One may collect the following categories of Your Personal Data in the course of performing the Services:

(a) Account Data. Your Personal Data may include Personal Data related to Your Company’s Platform account and its Users, including (i) the names, email addresses, and contact information of each User and billing contact for Your Company; (ii) Personal Data Transparency-One may need to verify individuals associated with Your Company’s Platform account; (iii) Personal Data included in any feedback that Your Company or any of its Users enters into the Platform or provides to Transparency-One; (iv) Personal Data Transparency-One may be required to collect from Your Company to fulfill legal obligations; and (v) other Personal Data Your Company or any of its Users chooses to provide to Transparency-One or enter into the Platform.

(b) Automatically Collected Data. Your Personal Data may also include Personal Data Transparency-One automatically collects in the course of performing the Services for Your Company and its Users, including (i) Users’ Internet Protocol (IP) addresses, browser types, device types, domain names, access times, durations of visit, and referring URLs; (ii) User activity logs; and (iii) information collected through the use of cookies and similar tracking technologies.


Section 4: Subject Matter of Processing; Instructions

Transparency-One will process Your Personal Data to provide the Services to Your Company and its Users in accordance with the instructions set forth in this DPA.

(a) This DPA constitutes Your Company’s documented instructions to Transparency-One to process and use Your Personal Data as reasonably necessary to: (i) provide the Services to Your Company and its Users as described in the Agreement, including configuring or personalizing the Services to Your Company and its Users and contacting Users about the Services; (ii) exercise Transparency-One’s rights and fulfill Transparency-One’s obligations under the Agreement and the Privacy Policy, including sending statements, invoices, and payment reminders to Your Company, collecting payments from Your Company, and verifying compliance with applicable terms and conditions governing the Services; (iii) address and respond to questions and complaints made by or about Your Company or its Users related to the Services; and (iv) comply with applicable law; provided that, if Transparency-One is required to disclose Your Personal Data to comply with the law, Transparency-One will use commercially reasonable efforts to inform Your Company of such required disclosure.

(b) The Parties agree that this DPA sets forth Your Company’s complete and final instructions regarding Transparency-One’s processing of Your Personal Data, and that any request for processing of Your Personal Data outside of these instructions will require an agreement between the Parties.

(c) Transparency-One will notify Your Company if Transparency-One reasonably believes any of Your Company’s instructions violate applicable law.


Section 5: Deletion of Your Personal Data

Following the termination of Your Company’s Platform subscription, Transparency-One will, upon written request from Your Company, delete (through anonymization or otherwise) Your Personal Data in the Platform, provided that this requirement will not apply (i) to the extent Transparency-One is required by law to retain Your Personal Data or Transparency-One has a legal basis for retaining Your Personal Data; or (ii) to Your Personal Data that Transparency-One has archived on back-up systems, which Transparency-One will securely isolate and, except as required by law, protect from any further processing.


Section 6: Confidentiality

(a) Except as provided in the Agreement and the Privacy Policy, Transparency-One will hold Your Personal Data in strict confidence. Transparency-One will implement appropriate security and technical measures designed to ensure that Transparency-One’s access to Your Personal Data is limited to Transparency-One personnel who are involved in performing the Services or require access to Your Personal Data for Transparency-One to perform its obligations or exercise its rights under the Agreement or this DPA.

(b) Transparency-One will ensure that all Transparency-One personnel who have access to Your Personal Data will be informed of the confidential nature of Your Personal Data, have received appropriate training on their responsibilities, and are bound by confidentiality obligations that satisfy the requirements of applicable Data Privacy Laws.


Section 7: Subprocessors

(a) Consent. Subject to this Section 7, Your Company consents to Transparency-One engaging subcontractors, suppliers, and Transparency-One’s corporate affiliates as subprocessors of Your Personal Data (“Subprocessors”) and to Transparency-One adding or removing Subprocessors at any time. Transparency-One will maintain a current list of Subprocessors that Your Company may access upon written request. Transparency-One will be liable for each Subprocessor’s acts and omissions to the same extent that Transparency-One would be liable for such acts and omissions under the Agreement.

(b) Due Diligence. When required by applicable Data Privacy Laws, Transparency-One will conduct reasonable due diligence on prospective Subprocessors to ensure they are capable of protecting Personal Data as required by applicable Data Privacy Laws.

(c) EU Subprocessor Agreements. Transparency-One will enter into written agreements with Subprocessors of Your EU Personal Data (“EU Subprocessors”), if any, that comply with Article 28(3) of the GDPR. Upon Your Company’s written request, Transparency-One will provide Your Company copies of any such agreements with EU Subprocessors (which may be redacted to remove information not relevant to the GDPR).

(d) Objections to EU Subprocessors. Your Company may notify Transparency-One of objections it has to any new EU Subprocessor within 30 days after the addition of such EU Subprocessor to the list referenced in Section 7(a) above, provided that such objection must be in writing and based on reasonable grounds related to data protection. Transparency-One agrees to engage in good-faith discussions with Your Company about reasonable solutions to resolve such objections. If the Parties fail to resolve an objection within 60 days, Your Company may terminate its Platform subscription in accordance with the termination section of the Agreement.


Section 8: Security Measures and Assessments; Audits

(a) Security Measures. Transparency-One will maintain appropriate technical and organizational measures designed to safeguard and ensure the adequate protection of Your Personal Data (“Security Measures”). Transparency-One will ensure that the Security Measures satisfy Transparency-One’s applicable obligations under Data Privacy Laws, including, with respect to Your EU Personal Data, Article 32 of the GDPR.

(b) Security Assessments. On an annual basis, Transparency-One will engage a qualified independent auditor to review and test Transparency-One’s Security Measures (“Security Assessments”). Transparency-One will promptly address and correct material vulnerabilities and security deficiencies discovered through Security Assessments. Upon request, Transparency-One will provide executive summary reports of such Security Assessments to Your Company.

(c) Audits. To the extent required by applicable Data Privacy Laws, and subject to the limitations and requirements in this Section 8(c), Transparency-One will permit Your Company to conduct audits of Transparency-One’s Security Measures (“Audits”). Your Company’s right to conduct Audits is subject to the following limitations: (i) Your Company must provide Transparency-One with reasonable prior notice of its intent to conduct an Audit, and must provide Transparency-One a detailed Audit plan at least two weeks prior to the scheduled Audit date; (ii) Audits will be subject to reasonable confidentiality restrictions that Transparency-One may require, including, as permitted by applicable Data Privacy Laws, reasonable confidentiality agreements; (iii) Your Company shall not have any right to view information about other Platform subscribers in any Audit; (iv) Audits must be conducted in a manner that does not unreasonably interfere with Transparency-One’s business operations or adversely affect the confidentiality, integrity, or availability of the Platform; and (v) except when otherwise required to comply with applicable Data Privacy Laws, Your Company may not conduct more than one Audit during any three-year period.


Section 9: Data Breaches

(a) Notification. To the extent required by applicable Data Privacy Laws, Transparency-One will notify Your Company promptly and within the time period required by law, upon Transparency-One becoming aware of any confirmed security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Your Personal Data (a “Data Breach”). Notwithstanding the above, a Data Breach will not include (i) any incident that is reasonably unlikely to result in material risk to a Data Subject’s rights or freedoms; (ii) any incident not caused by a breach of Transparency-One’s Security Measures or those of a Subprocessor; or (iii) any disclosure, access to, or processing of Your Personal Data that is authorized by Your Company.

(b) Assistance. At Your Company’s request, and to the extent required by applicable Data Privacy Laws, Transparency-One will provide reasonable assistance to Your Company in fulfilling Your Company’s notification obligations related to any Data Breach. Transparency-One’s notification of or response to a Data Breach will not be construed as Transparency-One acknowledging any fault or liability related to such Data Breach.


Section 10: GDPR-Specific Provisions

This section only applies if Transparency-One processes Your EU Personal Data.

(a) Rights of Data Subjects. To the extent required by Article 28(3)(e) of the GDPR, Transparency-One will (i) if legally permitted, promptly notify Your Company if Transparency-One receives a request from a Data Subject to exercise any of the Data Subject’s rights under Articles 15-22 of the GDPR (“Data Subject Request”), and (ii) upon request, provide reasonable assistance to Your Company in responding to Data Subject Requests.

(b) Cooperation and Assistance. To the extent required by Article 28(3)(f) of the GDPR, upon request, Transparency-One will cooperate with and assist Your Company in Your Company’s efforts to comply with its obligations under Articles 32 through 36 of the GDPR, taking into account the nature of the Services and Your EU Personal Data.

(c) Information to Demonstrate Compliance. To the extent required by Article 28(3)(h) of the GDPR, Transparency-One will make available to Your Company all reasonably requested information in Transparency-One’s possession that is necessary to demonstrate Transparency-One’s compliance with Article 28 of the GDPR.

(d) Data Transfers. Your Company acknowledges and agrees that Transparency-One is headquartered in Dallas, Texas, USA, and that, subject to the requirements in this Section 10(d), Transparency-One may transfer, store, and process Your EU Personal Data in the United States. When Transparency-One transfers any of Your EU Personal Data from a European Union member state, the United Kingdom, or Switzerland to a jurisdiction that the European Commission has determined does not ensure an adequate level of protection of Personal Data (it being understood that the United States will be deemed to ensure an adequate level of protection so long as (i) the Data Protection Framework shall be in place and effective for these purposes, and (ii) Transparency-One certifies its compliance with the Data Protection Framework (including the UK and Swiss extensions to the Data Protection Framework, as applicable)), Transparency-One will process Your EU Personal Data in accordance with the Standard Contractual Clauses promulgated by the European Commission (“SCCs”).


Section 11: CCPA-Specific Provisions

This section only applies if Transparency-One processes Your California Personal Data.

(a) Transparency-One’s obligations as Service Provider. Transparency-One will act as Your Company’s service provider under the CCPA, and as such, Transparency-One will not (i) retain, use or disclose Your California Personal Data other than as described in this DPA, or (ii) sell (as defined in the CCPA) any of Your California Personal Data.

(b) Notices and Disclosures. Your Company will provide all CCPA-required notices and disclosures regarding Your Personal Data being collected and shared with Transparency-One in connection with the Services.