Data Processing Addendum
Last Updated August 2023
This Data Processing Addendum (“DPA”) forms part of, and is subject to, the agreement between the customer accepting this DPA (“Customer”) and Interior Logic Group Holdings IV, LLC (“Provider”) that references this DPA (the “Agreement”). The parties enter into this DPA on behalf of themselves and, to the extent required under applicable Data Protection Laws, in the name and on behalf of their affiliates, and this DPA shall be effective on the effective date of the Agreement (“Effective Date”).
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
1. Definitions
“Business Purpose” has the meaning given in subdivision (e) of Cal. Civ. Code §1798.140 and “purpose” will be interpreted accordingly.
“Customer Data” means any information or other data (including Personal Data) provided by or on behalf of Customer to Provider for purposes of the Agreement and/or any related services.
“Customer Personal Data” means any Customer Data that is Personal Data.
“Consumer” has the meaning given in subdivision (i) of Cal. Civ. Code §1798.140.
“Contractor” has the meaning given in subdivision (j)(1) of Cal. Civ. Code §1798.140.
“Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, in the EU, the GDPR and its implementing regulations; in the UK, the UK GDPR; and in the U.S., the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act of 2020 (“CPRA”), the Virginia Consumer Data Protection Act of 2021, the Colorado Privacy Act of 2021, the Utah Consumer Privacy Act of 2022, and the Connecticut Data Privacy Act of 2022.
“Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
“Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.
“EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data (“Directive”) and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”), and repealing Directive 95/46/EC.
“EEA” means, for the purposes of this DPA, the European Economic Area and/or its member states, United Kingdom and/or Switzerland.
“Model Clauses” means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en and as updated from time to time.
“Personal Data” means information that: (i) identifies or can be used to identify an individual (including, without limitation, names, signatures, addresses, telephone numbers, e-mail addresses and other unique identifiers); (ii) can be used to authenticate an individual (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or PINs, financial account numbers, credit report information, biometric or health data, answers to security questions and other personal identifiers); or (iii) relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an individual, including inferences about such individual. In the case of subclauses (i) through (iii), this information includes, without limitation, all Sensitive Personal Data. Customer’s business contact information is not by itself deemed to be Personal Data. Further, the term “Personal Information” as defined in the CCPA/CPRA shall have the same meaning as Personal Data used herein.
“Processing” has the meaning given to it in subdivision (y) of Cal. Civ. Code §1798.150 and “process,” “processes” and “processed” will be interpreted accordingly.
“Purposes” shall mean the data Processing purposes described and defined in Section 3.4 of this DPA.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data, but does not include any unsuccessful attempt or activity that does not compromise the security of Customer Personal Data, such as pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers).
“Services” means the services provided by Provider to Customer pursuant to the Agreement.
“Sensitive Personal Data” is a subset of Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Further, the term “Sensitive Personal Information” as defined in the CPRA shall have the same meaning as Sensitive Personal Data used herein.
“Sell, Selling, Sale or Sold” has the meaning given in subdivision (ad)(1) of Cal. Civ. Code §1798.140.
“Service Provider” has the meaning given in subdivision (ag)(1) of Cal. Civ. Code §1798.140.
“Sharing” has the meaning given in subdivision (ah)(1) of Cal. Civ. Code §1798.140.
“Sub-processor” means any Data Processor engaged by or on behalf of Provider to assist in fulfilling its obligations pursuant to the Agreement or this DPA.
“Third Party” has the meaning given in subdivision (ai) of Cal. Civ. Code §1798.140.
“UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
“Verifiable Consumer Request” has the meaning given in subdivision (y) of Cal. Civ. Code §1798.140.
2. Scope and Applicability of this DPA
2.1 Scope and Applicability. This DPA applies where and only to the extent that Provider Processes Customer Personal Data on behalf of Customer as Data Processor in the course of providing Services pursuant to the Agreement. Any other Processing of Personal Data with respect to Customer and its users conducted by Provider as a Data Controller, including business relationship administration and system security, will be carried out in accordance with Provider’s then-current privacy policy. Notwithstanding expiry or termination of the Agreement, this DPA and Model Clauses (if applicable) will remain in effect until, and will automatically expire upon, deletion of all Customer Personal Data processed by Provider as described in this DPA.
3. Roles of the Parties; Details of Processing
3.1 Role of the Parties. If and to the extent that the Services provided by Provider under the Agreement require Provider to Process Personal Data, then as between Provider and Customer, Provider shall process Customer Personal Data only as a Data Processor acting on behalf of Customer. Customer is either the Data Controller of Customer Personal Data, or in the case that Customer is acting on behalf of a third-party Data Controller, then a Data Processor.
3.2 Customer Processing of Personal Data. Customer represents to Provider: (i) Customer will comply with its obligations under Data Protection Laws in respect of its Processing of Personal Data, including any obligations specific to its role as a Data Controller; and (ii) Customer has provided all notices and obtained all consents, assignments, licenses, authorizations, permissions and/or rights necessary under Data Protection Laws for Provider to lawfully Process Personal Data as contemplated under this Agreement for the Purpose. If Customer is itself a Data Processor acting on behalf of a third-party Data Controller, Customer further represents to Provider that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment of Provider as another Data Processor, have been authorized by the relevant Data Controller.
3.3 Provider Processing of Personal Data. Provider shall process Customer Personal Data only to the extent, and in such a manner, as is necessary for the Purposes and in accordance with Customer’s documented lawful instructions. Provider will not, and will ensure its Sub-processors do not, combine Customer Personal Data with any Personal Data from other sources, or which Provider or its Sub-processor collected on its own behalf, except as permitted by Data Protection Laws, and will not “sell” any Customer Personal Data within the meaning of the CCPA or otherwise. Additionally, Provider will comply with applicable obligations under the CPRA, including that Provider will provide the same level of privacy protection as required under the CPRA. The parties agree that the Agreement (including this DPA) sets out Customer’s complete and final instructions to Provider in relation to the Processing of Customer Personal Data. Additional Processing outside the scope of such instructions will require prior written agreement between the parties.
3.4 Details of Processing. The following describes the details of the Processing to be provided by Provider to Customer under this DPA.
(a) Subject Matter. The subject matter of the Processing under this DPA is Customer Personal Data.
(b) Duration. The duration of the Processing under this DPA is the Term of the Agreement.
(c) Purposes. The Purposes of the Processing under this DPA are the provision of the Services to Customer.
(d) Nature of Processing. The nature of the Processing under this DPA is the provision of computation, storage and other Services agreed to by Provider and Customer.
(e) Type of Data. The type of Customer Data to be Processed under this DPA includes Customer Personal Data uploaded to the Services through Customer’s accounts.
(f) Categories of Data Subjects. The data subjects of the Processing under this DPA may include Customer’s customers, employees, suppliers, and end users.
3.5 Notice of Processing Obligations. If, at any time, Provider cannot meet its obligations under this DPA: (i) Provider shall provide notice to Customer; (ii) Customer may retrieve all Customer Personal Data provided under this DPA; and (iii) Provider shall properly dispose of Customer Personal Data in accordance with the retention requirements of this DPA.
4. Subprocessing
4.1 Authorized Sub-processors. Customer agrees that Provider may engage Sub-processors to process Customer Personal Data on Customer’s behalf. Provider shall (i) provide an up-to-date list of the Sub-processors it has appointed upon written request from Customer; and (ii) notify Customer if it adds or removes Sub-processors at least fourteen (14) days prior to allowing such Sub-processor to process Customer Personal Data. Customer may object in writing to Provider’s appointment of a new Sub-processor within ten (10) calendar days of such notice. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If Provider cannot provide an alternative Sub-processor, or the parties are not otherwise able to achieve resolution as provided in the preceding sentence, Customer may terminate the Agreement (including this DPA) upon written notice to Provider.
4.2 Sub-processor Obligations. Provider will: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to Process the Customer Personal Data in a manner that is substantially similar to the standards set forth in this DPA, and, to the extent applicable to the Services provided by Provider, to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of each Sub-processor.
5. Security
5.1 Security Measures. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Provider shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data Processed by Provider on behalf of Customer (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Provider may update or modify the Security Measures from time to time provided that such updates and modifications do not result in a material degradation of the overall security of the Services or Customer Data, including Customer Personal Data.
5.2 Confidentiality of Processing. Provider shall ensure that any person who is authorized by Provider to process Customer Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality.
6. Security Reports and Audits
6.1 Reports. Provider acknowledges that Provider is regularly audited by independent third-party auditors and/or internal auditors against Provider’s Security Measures. Upon request, Provider shall supply (on a confidential basis) a summary of its then-current audit report(s) and any other published materials made available by Provider, which further describe Provider’s principles, programs, and practices regarding information security and privacy (collectively, “Report”) to Customer, so that Customer can verify Provider’s compliance with this DPA. Notwithstanding the foregoing, Customer may disclose a Report as allowed under the applicable confidentiality section of the Agreement, including where requested or required by data protection authorities having jurisdiction over Customer even if not legally required (“Data Protection Authority Request”), provided, however, that Customer, as permitted by law, shall give Provider prior written notice of the Data Protection Authority Request such that Provider can attempt to secure confidential treatment for the Report. If Customer is not legally permitted to give Provider prior notice, Customer agrees to use reasonable efforts to secure confidential treatment for the Report and further agrees to not remove or obscure any “confidential,” “proprietary,” or similar markings from the Report.
6.2 Information Requests. Provider shall also provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data, including responses to information security and audit questionnaires that are necessary to confirm Provider’s compliance with this DPA, provided that Customer shall not exercise this right more than once per year, except that this right may also be exercised in the event Customer is expressly requested or required to provide this information to a data protection authority, or Provider has experienced a Security Incident, or other reasonably similar basis.
7. Transfers
7.1 International Processing. Provider may process Customer Data anywhere in the world where Provider, its affiliates or its Sub-processors maintain data Processing operations. Provider will at all times provide appropriate safeguards for Customer Personal Data wherever it is processed, in accordance with the requirements of Data Protection Laws.
7.2 EEA Transfers. To the extent Provider processes any Customer Personal Data protected by applicable Data Protection Laws of the EEA (“EEA Data”), the parties agree that Provider makes available the transfer mechanisms listed below, for any transfers of EEA Data from the EEA to Provider located in a country which does not ensure an adequate level of protection (within the meaning of applicable Data Protection Law) and to the extent such transfers are subject to such Data Protection Laws of the EEA, Provider agrees to abide by and process EEA Data in compliance with the Model Clauses and for these purposes Provider agrees that it is a “data importer” and Customer is the “data exporter” under the Model Clauses (notwithstanding that Customer may be an entity located outside of the EEA).
8. Return or Deletion of Data
8.1 Deletion by Customer. Provider will enable Customer to delete Customer Data during the Term in a manner consistent with the functionality of the Service.
8.2 Deletion on Termination. For thirty (30) days following termination or expiration of the Agreement, Customer shall have the option to retrieve any remaining Customer Personal Data in accordance with the Agreement. Thereafter, Customer instructs Provider to automatically delete all remaining (if any) Customer Personal Data (including copies). Provider shall not be required to delete Customer Personal Data to the extent (i) Provider is required by applicable law or order of a governmental or regulatory body to retain some or all of the Customer Personal Data; and/or (ii) Customer Personal Data has been archived on back-up systems, which Customer Personal Data Provider shall securely isolate and protect from any further Processing, except to the extent required by applicable law.
8.3 Security Incident Response. Upon confirming a Security Incident, Provider shall: (i) notify Customer without undue delay after Provider becomes aware of the Security Incident; (ii) provide information relating to the Security Incident; and (iii) take reasonable steps to contain, investigate, and mitigate such Security Incident.
9. Compliance
9.1 Cooperation. In no event shall this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority. If a law enforcement agency sends Provider a demand for Customer Personal Data (e.g., a subpoena or court order), Provider will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Provider may provide Customer’s contact information to the law enforcement agency. If compelled to disclose Customer Personal Data to a law enforcement agency, then Provider will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy to the extent Provider is legally permitted to do so.
9.2 Consumer Access Requests. Taking into account the nature of the Processing, Provider shall (at Customer’s request and expense) provide reasonable cooperation to enable Customer to respond to any requests from applicable data protection authorities or a Verifiable Consumer Request to exercise rights (to the extent available to them under Data Protection Laws) of: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to Processing, not to be subject to automated individual decision making, opt-out of the sale of Personal Data, or the right not to be discriminated against, in each case solely to the extent relating to the Processing of Customer Personal Data through the Services under the Agreement. In the event that any Verifiable Consumer Request is made directly to Provider where such request identifies Customer, Provider shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so, and instead, after being notified by Provider, Customer shall respond to the Verifiable Consumer Request. If Provider is required to respond to such a Verifiable Consumer Request, Provider will promptly notify Customer and provide Customer with a copy of the Verifiable Consumer Request unless legally prohibited from doing so.
9.3 Records. Customer acknowledges that Provider may be required under the GDPR or the UK GDPR, as applicable to: (a) collect and maintain records of certain information, including the name and contact details of each Data Processor and/or Data Controller on behalf of which Provider is acting and, where applicable, of such Data Processor’s or Data Controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR or UK GDPR applies to the Processing of Customer Personal Data, Customer will, where requested, provide such information to Provider via the Services or other means provided by Provider, and will ensure that all information provided is kept accurate and up-to-date.
9.4 DPIA. To the extent Provider is required under applicable Data Protection Law, Provider shall (at Customer’s request and expense) provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
10. Relationship with the Agreement
10.1 The parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment or exhibit the parties may have previously entered into in connection with the Services. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data.
10.2 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
10.3 Provider certifies that it understands its obligations under this DPA and shall comply with them.