Last Updated: December 21, 2022
This Data Processing Addendum (“DPA”) is entered into by and between Appara and Customer. This DPA amends and forms part of the Agreement. This DPA applies where Appara Processes Customer Personal Data as a Processor on behalf of Customer, the Controller, in connection with providing the Services. This DPA will be effective as of the effective date of the Agreement. This DPA will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this DPA.
Attachment 1: Definitions
For purposes of this DPA, the following terms will have the meaning ascribed below:
“CCPA” means the California Consumer Privacy Act of 2018, including (a) as amended by the California Consumer Privacy Rights Act of 2020 or otherwise and (b) any regulations promulgated thereunder.
“Controller” means “controller” and “business” (and analogous variations of such terms) under Data Protection Law.
“Customer Personal Data” means Personal Data that Appara Processes on behalf of Customer in connection with providing the Services as described in Attachment 2 that is subject to Data Protection Law.
“Data Protection Law” means the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, and any other state or federal data protection or privacy laws in the United States that apply to Appara’s Processing of Customer Personal Data.
“Deidentified Data” means information that cannot reasonably be linked to or associated with Customer or any Data Subject.
“Personal Data” means “personal data” and “personal information” (and analogous variations of such terms) under Data Protection Law.
“Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, extending further to such operation or operations under Data Protection Law.
“Processor” means “processor” and “service provider” (and analogous variations of such terms) under Data Protection Law.
“Security Incident” means “personal data breach” and “security incident” (and analogous variations of such terms) under Data Protection Law.
“Services” means the services provided by Appara pursuant to the Agreement.
Attachment 2 – Scope of Processing
Subject-Matter and Duration of Processing
Appara Processes Customer Personal Data if and when provided by Customer in the course of providing the Services in accordance with the Agreement and until the Agreement terminates or expires.
Nature and Purpose of Processing
Processing of Customer Personal Data in connection with and for the purpose of Appara providing the Services to Customer pursuant to the Agreement. Specifically, the Customer Personal Data will, if and to the extent Customer provides it, be subject to storage and analysis, among other Processing activities.
Types of Customer Personal Data
Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion. This may include, but is not limited to, clients’ and end-user’s contact information and device/usage data.
Categories of Data Subjects
The data subjects will include Customer’s end-users and clients.