Data Processing Addendum

Last Updated: December 21, 2022

This Data Processing Addendum (“DPA”) is entered into by and between Appara and Customer. This DPA amends and forms part of the Agreement. This DPA applies where Appara Processes Customer Personal Data as a Processor on behalf of Customer, the Controller, in connection with providing the Services. This DPA will be effective as of the effective date of the Agreement. This DPA will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this DPA.

    1. Limitations on Use. Appara will Process Customer Personal Data only: (a) in a manner consistent with Customer’s documented instructions as specified under Section 1.2 (Instructions); and (b) as required by applicable laws, provided that Appara will inform Customer (unless prohibited by law) of the applicable legal requirement before Processing pursuant to such law. Without limiting the instructions under Section 1.2, Appara will not: (x) retain, use, or disclose the Customer Personal Data (i) outside of the direct business relationship between the parties or (ii) for any purpose other than for the specific purpose of performing the Services, including retaining, using, or disclosing the Customer Personal Data for a commercial purpose other than providing the Services; (y) sell or share (as defined by Data Protection Law) the Customer Personal Data; or (z) combine Customer Personal Data with Personal Data Appara receives from individuals or other customers, except as permitted by Data Protection Law.
    2. Instructions. Customer instructs Appara to Process Customer Personal Data as necessary to provide the Services and as otherwise authorized or permitted under this DPA and the Agreement, including as specified in Attachment 2 (Scope of Processing). This DPA, the Agreement, and any instructions provided by Customer through configuration tools made available by Appara constitute Customer’s documented instructions regarding Appara’s Processing of Customer Personal Data. Additional instructions provided by Customer (if any) require prior written agreement by Customer and Appara, including agreement on any additional fees to carry out such instructions. Customer will not instruct Appara to perform any Processing of Customer Personal Data that violates any Data Protection Law. Appara may suspend Processing based upon any Customer instructions that Appara reasonably suspects violate Data Protection Law, provided Appara will promptly inform Customer if, in Appara’s opinion, an instruction infringes Data Protection Law.
    3. Compliance. Each party will comply with its obligations under Data Protection Law. Appara shall notify Customer within 5 business days of determining that it cannot meet its obligations under Data Protection Law. Upon receiving written notice from Customer that Appara has Processed Customer Personal Data without authorization, Appara will take reasonable and appropriate steps to stop and remediate such Processing.
    4. Confidentiality. Appara will ensure that persons authorized by Appara to Process any Customer Personal Data are subject to appropriate confidentiality obligations.
    5. Security. Appara will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents and provide the level of protection required by Data Protection Law. Appara may amend the technical and organizational measures, provided the new measures do not reduce the level of security.
    6. Disposal. At the choice of Customer, Appara will (or will enable Customer via the Services to) delete (and will delete existing copies unless it only exists in back-up media that is not generally accessible) all Customer Personal Data after the end of the provision of Services (unless Data Protection Law requires the storage of such Customer Personal Data by Appara, in which case Appara will only further retain and Process such Customer Personal Data for the limited duration and purposes required by such Data Protection Law).
    7. Deidentified Data. Customer authorizes Appara to Process Deidentified Data to improve the Services. Appara will (a) take reasonable measures to ensure the Deidentified Data cannot be associated with a Data Subject and (b) publicly commit to maintain and use Deidentified Data in deidentified form and not attempt to reidentify Deidentified Data except to assess the sufficiency of the deidentification process.
    1. Data Subject Rights Assistance. Customer shall be responsible for responding to requests from Data Subjects to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, the right not to be subject to an automated individual decision making/profiling, the right to opt out of sales, sharing/targeted advertising, or the processing of sensitive Personal Data, or other Data Subject rights under Data Protection Law relating to Customer Personal Data (each a “Data Subject Request”). Customer will inform Appara of any Data Subject request that Appara must comply with and provide the information necessary for Appara to comply with the request. Appara will, to the extent permitted by Data Protection Law, notify Customer without undue delay if Appara receives a Data Subject Request. To the extent Customer, in its use of the Services, does not have the ability to address the Data Subject Request, Appara will, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent the response to such Data Subject Request is required under Data Protection Law.
    2. Security Incident Notice and Assistance. Appara will notify Customer without undue delay after becoming aware of a Security Incident. Appara will further take commercially reasonable steps to mitigate the effects and minimize any impact from the Security Incident. Taking into account the nature of Processing and the information available to Appara, Appara will assist Customer in ensuring compliance with Customer’s notification obligations imposed under Data Protection Law in connection with any Security Incident.
    1. Appara Reports. Appara may procure summaries of independent audits by third parties to assess Appara’s adherence to the following standards or requirements: (a) SOC 2 Type II (or reports or other documentation describing the controls implemented by Appara that replace or are substantially equivalent to SOC 2 Type II); (b) ISO 27001/27018 (or certifications or other documentation evidencing compliance with such alternative standards as are substantially equivalent to ISO 27001/27018); and/or (c) PCI DSS Service Provider Level 1 (or certifications or other documentation evidencing compliance with such alternative standards as are substantially equivalent to PCI DSS) (collectively, “Reports”). Subject to the confidentiality obligations set forth in the Agreement, Appara will provide Customer with a copy of Appara’s then-current Reports as reasonably requested. If the Agreement does not include a provision protecting Appara’s confidential information, then the Reports will be made available to Customer subject to a mutually agreed upon non-disclosure agreement covering the Reports.
    2. Customer Audits. Customer agrees to exercise its audit rights by first requesting the Reports as described in Section 3.1 (Appara Reports). Customer will only request additional information or an on-site audit of Appara to the extent the information provided by Appara is not reasonably sufficient to enable Customer to evaluate Appara’s compliance with this DPA and/or Data Protection Law. Except in the event of a Security Incident or regulatory investigation, Customer will provide no less than 30 days’ advance notice of its request for an on-site audit and will cooperate in good faith with Appara to schedule any such audit on a mutually agreed upon date and time (such agreement not to be unreasonably withheld by either party). Any such on-site audit must occur during Appara’s normal business hours and be conducted by Customer or a nationally recognized independent auditor. If Customer relies on a third-party auditor, Customer will be responsible for ensuring that the auditor will: (a) comply with reasonable and applicable on-site policies and procedures provided by Appara, (b) sign a standard confidentiality agreement with Appara, and (c) not unreasonably interfere with Appara’s business activities. Customer will provide a written summary of any audit findings to Appara, and the results of the audit will be the confidential information of Appara.
    1. Appointment of Subprocessors. Customer authorizes Appara to use subcontractors to Process Customer Personal Data in connection with providing the Services (each, a “Subprocessor”).
    2. Objection Right for New Subprocessors.
      1. Appara will notify Customer of its intent to update the Subprocessor List at least 15 days prior to engaging a new Subprocessor. Customer may object to Appara’s use of a new Subprocessor within 10 days of receiving such notice by sending an e-mail to clearly indicating its desire to object to any such change.
      2. If Customer objects to the change in Subprocessors, Appara and Customer will cooperate in good faith to resolve Customer’s objection. If the parties unable to resolve Customer’s objection within 10 days, then either party may terminate the Agreement only with respect to those Services that Appara indicates cannot be provided without the objected-to Subprocessor.
    3. Liability. Appara will impose data protection obligations upon any Subprocessor that are no less protective of Customer Personal Data than those included in this DPA. Appara will remain liable to Customer for any breach of such obligations by its Subprocessors as it would for its own acts and omissions.
  5. LIMITATION OF LIABILITY. Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability in the Agreement. Nothing in this Section 5 is intended to restrict the rights of data subjects under Data Protection Law.
  6. MISCELLANEOUS. Except as specifically amended and modified by this DPA, the terms and provisions of the Agreement remain unchanged and in full force and effect. No supplement, modification, or amendment of this DPA will be binding unless executed in writing by each party to this DPA.

Attachment 1: Definitions

For purposes of this DPA, the following terms will have the meaning ascribed below:

CCPA” means the California Consumer Privacy Act of 2018, including (a) as amended by the California Consumer Privacy Rights Act of 2020 or otherwise and (b) any regulations promulgated thereunder.

Controller” means “controller” and “business” (and analogous variations of such terms) under Data Protection Law.

Customer Personal Data” means Personal Data that Appara Processes on behalf of Customer in connection with providing the Services as described in Attachment 2 that is subject to Data Protection Law.

Data Protection Law” means the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, and any other state or federal data protection or privacy laws in the United States that apply to Appara’s Processing of Customer Personal Data.

Deidentified Data” means information that cannot reasonably be linked to or associated with Customer or any Data Subject.

Personal Data” means “personal data” and “personal information” (and analogous variations of such terms) under Data Protection Law.

Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, extending further to such operation or operations under Data Protection Law.

Processor” means “processor” and “service provider” (and analogous variations of such terms) under Data Protection Law.

Security Incident” means “personal data breach” and “security incident” (and analogous variations of such terms) under Data Protection Law.

Services” means the services provided by Appara pursuant to the Agreement.


Attachment 2 – Scope of Processing

Subject-Matter and Duration of Processing

Appara Processes Customer Personal Data if and when provided by Customer in the course of providing the Services in accordance with the Agreement and until the Agreement terminates or expires.

Nature and Purpose of Processing

Processing of Customer Personal Data in connection with and for the purpose of Appara providing the Services to Customer pursuant to the Agreement. Specifically, the Customer Personal Data will, if and to the extent Customer provides it, be subject to storage and analysis, among other Processing activities.

Types of Customer Personal Data

Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion. This may include, but is not limited to, clients’ and end-user’s contact information and device/usage data.

Categories of Data Subjects

The data subjects will include Customer’s end-users and clients.