
DATA PROCESSING AGREEMENT

 

This Data Processing Agreement (this “Agreement”) is incorporated into and is subject to the terms and conditions of the My Business Platform Terms of Use and each other agreement referenced therein and the Order Form (collectively, the “Services Agreement”) between My Business Platform, LLC (“My Business Platform”) and the party that executes an Order Form with My Business Platform (“Client”, and together with My Business Platform, are individually each a “Party” and collectively the “Parties”) pursuant to which My Business Platform provides certain services to Client.

 

1. DEFINITIONS.  The below terms shall have the following definitions in this Agreement. Any capitalized terms used in this Agreement but not defined herein shall have the meaning given in the Services Agreement or Applicable Data Privacy And Protection Laws.

A. “Applicable Data Privacy And Protection Laws” means all applicable federal, territorial, provincial and state privacy, data protection and data security laws and regulations in the United States and Canada, as may be amended from time to time, that are applicable to the data Processed, collected, received, accessed, transmitted, disclosed or stored by the Parties under the Services Agreement.

B. “Authorized Employees” means My Business Platform’s employees who have a need to know or otherwise access Personal Information to enable My Business Platform to perform its obligations under the Services Agreement.

C. “Authorized Persons” means (i) Authorized Employees and (ii) My Business Platform’s contractors, Subprocessors, agents, outsourcers and auditors who have a need to know or are otherwise required to access Personal Information in order to enable My Business Platform to perform its obligations under the Services Agreement.

D. “Client Data” means any data disclosed by Client, or a third-party acting on Client’s behalf, to My Business Platform, or collected by My Business Platform or its Authorized Persons on Client’s behalf, under the Services Agreement. “Client Data” shall include Client Personal Information and Client Confidential Information.

E. “Data Subject” means the identified or identifiable natural person to whom Personal Information relates.

F. “Data Subject Request” means valid exercises of a Data Subject’s rights, such as to obtain, transfer, correct, delete, limit or control the Processing or use of Personal Information, as provided by Applicable Data Privacy And Protection Laws.

G. “Documented Instruction(s)” means any written communication authorized by Client and provided to My Business Platform in order to instruct My Business Platform regarding (i) My Business Platform’s Processing of Personal Information, (ii) My Business Platform’s handling of a Data Subject Request or (iii) any notifications or disclosures relating to a Security Incident.

H. “Personal Information” means “personal data,” “personal information,” “personally identifiable information,” “personal health information,” “nonpublic information,” “personal financial information,” or similar such term, each as defined by Applicable Data Privacy And Protection Laws, solely relating to My Business Platform’s collection, use, sharing, storage, transmission, and/or disclosure of data pursuant to the Services Agreement. “Personal Information” shall be limited to that data provided by Client to My Business Platform for Processing or collected by My Business Platform or its Authorized Persons on behalf of Client, pursuant to the Services Agreement.

I. “Processing, Processes, or Process” means obtaining, recording, or holding Personal Information, or carrying out any operation or set of operations on Personal Information including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying Personal Information.

J. “Security Incident” means any confirmed act or omission that compromises the security of a My Business Platform system that stores Client Personal Information or the physical or technical safeguards put in place by My Business Platform that relate to the protection of Client Personal Information. The term “Security Incident” shall include any “security incident”, “data breach” or “security breach”, or other similar such term, impacting Client Personal Information in the custody of My Business Platform that requires notification to Client under Applicable Data Privacy And Protection Laws.

K. “Service” has the meaning defined in the Services Agreement.

L. “Subprocessor” means any other entity engaged by My Business Platform to assist My Business Platform in Processing Personal Information.

M. The terms “Business Purpose,” “Processor,” “Sale,” “Service Provider,” “Share”, “Targeted Advertising” and “Cross-Context Behavioral Advertising” shall have the same meaning as in Applicable Data Privacy And Protection Laws, and their cognate terms shall be construed accordingly.

2. COMPLIANCE WITH APPLICABLE DATA PRIVACY AND PROTECTION LAWS.

A. My Business Platform Compliance:  

i. All Personal Information that is provided by Client to My Business Platform, or that is otherwise collected or maintained by My Business Platform or its Authorized Persons on Client’s behalf, pursuant to the Services Agreement shall be considered Client’s Personal Information. Client shall have and retain all right, title and interest in the Personal Information and My Business Platform shall have no rights with respect thereto, other than as specifically contemplated by the Services Agreement and this Agreement. 

ii. To the extent applicable, Client is disclosing Personal Information to My Business Platform, and My Business Platform is collecting Personal Information on behalf of Client, only for provision of the Service and Business Purposes. My Business Platform agrees that it is Client’s Service Provider and Processor.

iii. My Business Platform acknowledges that, to the extent it is Processing Personal Information subject to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), such Processing is subject to the applicable provisions of the CCPA. My Business Platform acknowledges that it is obligated to provide the Data Subject the same level of privacy protection as is required of Client by the CCPA.

iv. To the extent prohibited by Applicable Data Privacy And Protection Laws, My Business Platform certifies that it will not:

(a) Sell, Share or use for Targeted Advertising or Cross-Context Behavioral Advertising Client Personal Information;

(b) retain, use, or disclose Client Personal Information for any purpose other than the performance of Service unless permitted by Applicable Data Privacy And Protection Laws;

(c) retain, use, or disclose Client Personal Information outside of the direct business relationship between My Business Platform and Client; and

(d) combine Client Personal Information that My Business Platform receives from, or collects on behalf of, Client with Personal Information that My Business Platform receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject unless My Business Platform is acting in both (i) furtherance of a Business Purpose and (ii) in compliance with Applicable Data Privacy And Protection Laws.

v. My Business Platform shall notify Client if My Business Platform makes a determination that My Business Platform can no longer meet its obligations under Applicable Data Privacy And Protection Laws with regards to Personal Information and, in the event of such determination, Client shall have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of the affected Personal Information.

vi. Client shall have the right to take reasonable and appropriate steps, as provided in Section 6 of this Agreement, to ensure that My Business Platform is using Client Personal Information in a manner consistent with Applicable Data Privacy And Protection Laws and this Agreement.

vii. My Business Platform shall cooperate with Client with regards to Data Subject Requests as provided in Section 7.

viii. Client is hereby notified that My Business Platform will engage its own service providers and contractors to assist My Business Platform in the processing of Client Personal Information as provided in Section 4.

B. Client Compliance; Representations and Warranties.  

i. Client represents and warrants that all Client Data provided to My Business Platform for Processing has been collected and provided to My Business Platform for Processing pursuant to the Services Agreement in compliance with Applicable Data Privacy And Protection Laws.

ii. Client represents and warrants that the categories and locations of Data Subjects and types of Personal Information that is provided to My Business Platform for Processing as described in Exhibit 2 are accurate. With regards to Personal Information that Client collects from a source other than My Business Platform or an agent of My Business Platform, Client shall provide any notices and collect any consents that are required by Applicable Data Privacy And Protection Laws. These notices and consents shall contain all disclosures necessary to comply with Applicable Data Privacy And Protection Laws for the provision of the Personal Information to My Business Platform for Processing under the Services Agreement.

C. Assessments.  My Business Platform shall make available to Client information that is necessary for Client to fulfil its obligations under Applicable Data Privacy And Protection Laws, including where Client is obligated under Applicable Data Privacy And Protection Laws to conduct a data privacy or security impact assessment. The Parties agree to cooperate with each other to promptly and effectively handle inquiries, complaints, audits, or claims from any court, governmental officials or supervisory authority(ies).

3. PROCESSING OF CLIENT DATA.

A. Ownership of Personal Information.  Personal Information is deemed to be Confidential Information of Client.

B. Protection of Personal Information.  My Business Platform shall implement administrative, physical, and technical safeguards to protect Personal Information that are no less rigorous than accepted industry practices and that are in compliance with Applicable Data Privacy And Protection Laws. At a minimum, My Business Platform’s safeguards for the protection of Personal Information shall include: (i) limiting access of Personal Information to Authorized Persons; (ii) securing business facilities, data centers, paper files, servers, back-up systems and computing equipment; (iii) implementing network, device application, database and platform security; (iv) securing information transmission, storage and disposal; (v) implementing authentication and access controls within media, applications, operating systems and equipment; (vi) encrypting Personal Information stored on any mobile media; (vii) encrypting Personal Information transmitted over public or wireless networks; (viii) logically segregating Personal Information from information of My Business Platform or its other Clients; (ix) implementing appropriate personnel security and integrity procedures and practices; and (x) providing appropriate privacy and information security training to My Business Platform’s employees.

C. Data Storage.  Client acknowledges that, as of the effective date of the Services Agreement, My Business Platform’s primary data storage facilities are in the United States. Client authorizes My Business Platform, in connection with the provision of the Services, to make worldwide transfers of Personal Information to its affiliates and/or Authorized Persons for Processing and storage to provide Client the Service. When making such transfers, My Business Platform shall ensure that appropriate protection and security measures are in place to safeguard the Personal Information transferred.

D. Deidentification, Aggregation and Anonymization.  Notwithstanding the other provisions of the Services Agreement, nothing shall prohibit My Business Platform and its Authorized Persons from using aggregate, statistical and deidentified data generated or submitted through Client’s use and receipt of the Service, provided that such data is (i) not individually identifiable to any individual person, (ii) not Personal Information, as defined herein, and (iii) otherwise qualifies as deidentified or aggregated under Applicable Data Privacy And Protection Laws.

E. Enhancement Of Service.  In order to facilitate the provision of the Service, My Business Platform and its Authorized Persons may use Subcontractor Data to the Service being provided to Client, including by applying technologies and by developing and enhancing the efficiencies and means by which My Business Platform provides the Service to Client, so long as such use is solely in furtherance of providing Service to Client or a Business Purpose.

F. Return and Deletion of Personal Information.  Upon termination or expiration of the Services Agreement and upon Client’s request, My Business Platform will promptly return Client Personal Information (excluding My Business Platform system logs) in its possession, in an electronic format and media to be reasonably agreed upon by the Parties, and, within a mutually agreed upon time frame, not to exceed 60 (sixty) calendar days of Client’s request. If Client requests deletion of Client Data, My Business Platform shall delete Client Data within a commercially reasonable timeframe following termination or expiration of the Services Agreement. However, My Business Platform may retain one copy of Client Data as may be required by applicable laws or for audit purposes.

4. AUTHORIZED PERSONS.  

A. Subprocessors.  Client acknowledges that My Business Platform may engage the Subprocessors as listed in Exhibit 1. My Business Platform may supplement or amend Exhibit 1 upon written notice to Client. My Business Platform agrees that such engagement shall be pursuant to a written agreement that complies with Applicable Data Privacy And Protection Laws and that provides a materially similar level of protection as required by applicable provisions of this Agreement. My Business Platform will ensure that any Authorized Persons apply appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Personal Information and against accidental loss or destruction of, or damage to, Personal Information.

B. Authorized Employees.  During the term of each Authorized Employee’s employment by My Business Platform, My Business Platform shall at all times cause Authorized Employees to abide strictly by My Business Platform’s obligations under this Agreement and My Business Platform’s standard policies and procedures.  

5. SECURITY INCIDENT PROCEDURES.

A. Security Incident Plan.  My Business Platform agrees to implement and maintain a security incident plan covering how My Business Platform will detect and respond to Security Incidents and how My Business Platform will notify Client of any confirmed Security Incident. My Business Platform further agrees to provide Client with the name and contact information for an individual who shall serve as Client’s primary contact and shall be available to assist Client as a contact in resolving obligations associated with a Security Incident.

B. Notification.  My Business Platform shall notify Client of a Security Incident within seventy-two (72) hours of My Business Platform confirming that a Security Incident has occurred.

C. Investigation.  My Business Platform shall use industry standard efforts to remedy any Security Incident and shall act in compliance with Applicable Data Privacy And Protection Laws. Promptly following My Business Platform’s notification to Client of a Security Incident, the Parties shall coordinate with each other to investigate the Security Incident. My Business Platform agrees to reasonably cooperate with Client in Client’s handling of the matter and make available to Client sufficient materials for Client to comply with Applicable Data Privacy And Protection Laws. This provision shall not be construed as expanding Client’s audit rights under the Services Agreement or this Agreement.

D. Remediation.  My Business Platform shall provide assistance with any obligation of Client under Applicable Data Privacy and Protection Laws, as reasonably requested, to make notifications to the affected Data Subjects, regulatory authorities, or the public, regarding the Security Incident. My Business Platform shall not make any statement or notification to any Data Subjects who are the subject of the affected Personal Information, supervisory authority, or otherwise, regarding the Security Incident without the prior written approval of Client. Nothing in this Section shall be construed to prevent My Business Platform from making notifications and disclosures (i) to an Authorized Person who is necessary for the mitigation, investigation or remediation of a Security Incident, (ii) as required by an applicable contract with a third-party (including My Business Platform’s insurer or other customers), or (iii) as required by Applicable Data Privacy and Protection Laws, provided that My Business Platform shall not disclose the identity of Client or that Client Personal Information has been affected by the Security Incident unless required by Applicable Data Privacy and Protection Laws. My Business Platform shall have no liability or responsibility arising from My Business Platform’s compliance with Client’s Documented Instructions, including with regards to notifying impacted Data Subjects, supervisory authorities or Client’s customers of a Security Incident.

6. CLIENT RIGHTS AND RESPONSIBILITIES.

A. Client Direction.  Client agrees that My Business Platform and its Authorized Persons will be acting at the direction of and on behalf of Client with regards to the Processing of Personal Information to provide the Service pursuant to the Services Agreement.

B. Client Audit Rights.  During the Term of the Services Agreement, My Business Platform shall keep accurate records relevant to the security controls and policies in place to protect Personal Information. Upon Client’s reasonable written request, no more than twice per calendar year, My Business Platform agrees to provide Client with a copy of the results of My Business Platform’s most recent internal SSAE18 (SOC 2) audit reports, which results shall be My Business Platform’s Confidential Information. In addition, upon Client’s written request, My Business Platform shall make available summaries of security policies, security testing and security related audits via a secure video conferencing service or, in Client’s discretion, via a questionnaire submitted to My Business Platform by Client, in order to demonstrate My Business Platform’s compliance with this Agreement. Such reports, results and summaries will be considered Confidential Information of My Business Platform. Notwithstanding anything to the contrary herein or in the Services Agreement, in no event shall Client be permitted to direct audit or testing of My Business Platform’s information technology systems or an on-site of My Business Platform’s facilities.

C. Client Responsibility for Data.  Unless required by Applicable Data Privacy And Protection Laws, My Business Platform shall not be required to verify information supplied to it by Client, nor shall My Business Platform have the responsibility to verify, inquire, or investigate as to whether Client has the right to utilize the Client Personal Information provided to My Business Platform under this Agreement. Client agrees that it has the responsibility for the accuracy, quality, completeness, and appropriateness of Personal Information that Client, or for any third party acting on behalf of Client, provides to My Business Platform. My Business Platform reserves the right (but shall have no obligation) to pre-screen, review, flag, filter, modify, refuse, or remove any or all Personal Information, in My Business Platform’s sole discretion, from any content provided to My Business Platform by Client.

7. COOPERATION WITH DATA SUBJECT REQUESTS AND INQUIRIES.

A. Data Subject Requests.  Client will, as soon as practicable after receiving a verified Data Subject Request regarding Personal Information Processed by My Business Platform, advise My Business Platform of the Data Subject Request. Client will advise My Business Platform of the jurisdiction, controlling law, and response requirements for the Data Subject in the form of Documented Instructions. My Business Platform agrees to cooperate with Client to comply with Data Subject Requests. My Business Platform will implement appropriate technical and organizational measures for the fulfilment of Client’s data privacy and protection regulatory obligations under Applicable Data Privacy And Protection Laws relating to Data Subject Requests. My Business Platform agrees to respond to Client within thirty (30) calendar days or the time prescribed by Applicable Data Privacy And Protection Laws, whichever is shorter, in response to Client’s Documented Instructions relating to the handling of a Data Subject Request.

B. Notification Of Direct Receipt.  My Business Platform agrees to notify Client of My Business Platform’s direct receipt of Data Subject Requests as soon as practicable, but in all cases within ten (10) business days of receipt. Client and My Business Platform will coordinate a course of action regarding the handling of such requests. Unless otherwise agreed by the Parties or as provided in a Documented Instruction, My Business Platform shall not take any action following its direct receipt of Data Subject Request other than to (i) confirm receipt of the Data Subject Request to the requesting individual and (ii) inform the Data Subject that the Data Subject should submit the request directly to Client.

C. Record Keeping.  My Business Platform also agrees to maintain records of Data Subject Requests for at least twenty-four (24) months, or as required under Applicable Data Privacy And Protection Laws, whichever period is longer. Further, My Business Platform will reasonably cooperate with any audit or inquiry by any regulatory body with the authority to conduct such an audit or inquiry and will reasonably assist Client at Client’s expense in cooperation with any such audit or inquiry.

8. SCOPE OF PROCESSING.

A. Non-US/CAN Personal Information. The Parties agree that Personal Information is not contemplated to include information about identifiable individuals residing in countries other than the United States or Canada (“Non-US/CAN Personal Information”). Client shall have the sole responsibility to determine the laws applicable to Client Data, including whether Client Data includes any Non-US/CAN Personal Information. Notwithstanding anything else in the Agreement, My Business Platform shall have no obligation to process Non-US/CAN Personal Information and may immediately destroy or return to Client any Non-US/CAN Personal Information without penalty, responsibility or liability. My Business Platform shall have no responsibility to pre-screen Client Personal Information for compliance with this Section.

B. Protected Health Information.  The Parties agree that Client Data is not contemplated to include “protected health information” as defined under Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. § 160.103 (“Protected Health Information”). Client shall have the sole responsibility to determine the laws applicable to Client Data, including whether Client Data includes any Protected Health Information. Client shall immediately notify My Business Platform in the event that Client Data is determined to contain Protected Health Information and the Parties agree to evaluate the applicability and implementation of a Business Associate Agreement and execute the same, if necessary and mutually agreeable, as an addendum to the Agreement. Notwithstanding anything else in the Agreement or this Agreement, My Business Platform shall have no obligation to process Protected Health Information and may immediately destroy or return to Client any Protected Health Information without penalty, responsibility or liability. My Business Platform shall have no responsibility to pre-screen Client Data for compliance with this Section.

9. LIMITATION OF LIABILITY AND INDEMNIFICATION.

A. Indemnification.  Except as modified by this Section 9, the exclusive remedies and limitation of liabilities of My Business Platform and Client shall be those set out in the Services Agreement. However, notwithstanding anything in the Agreement, My Business Platform shall have no liability to Client relating to or arising from acts or omissions by My Business Platform that were undertaken at the express direction of Client.

B. Limit of liability.  Nothing in this Agreement shall be construed to extend My Business Platform’s liability under the Services Agreement beyond the liability contemplated by the Services Agreement’s liability cap provision.

C. Privacy Defense and Indemnity of My Business Platform.  Client shall defend, hold harmless and indemnify My Business Platform against losses, liabilities, claims, or causes of action relating to, arising from, or based on breaches of Client’s obligations in this Agreement as well as losses, liabilities, claims, or causes of action relating to, arising from, or based on:

i. defects in Personal Information collection and attendant disclosures or consents by Client, including Client exceeding the scope of consent or disclosure;

ii. provision of Personal Information to My Business Platform for Processing pursuant to the terms and disclosures of the Services Agreement and this Agreement in violation of any law or regulation, including Applicable Data Privacy and Protection Laws;

iii. acts or omissions by My Business Platform that were undertaken at the express direction of Client, including defects in Client’s Documented Instructions;

iv. failures of Client to provide opt-out or Data Subject Request features required by Applicable Data Privacy and Protection Laws;

v. decisions by Client to not inform a regulator or Data Subject of a Security Incident;

vi. decisions by Client relating to My Business Platform’s or Client’s response or handling of a Data Subject Request; or

vii. failures of Client to notify My Business Platform that Client Personal Information contains Non-US/CAN Personal Information.

10. APPLICATION OF SERVICES AGREEMENT TERMS.  To the extent of conflict between the terms of the Services Agreement and the terms of this Agreement, the terms of this Agreement shall control. All other terms and conditions of the Services Agreement shall remain in full force and effect.

11. AMENDMENTS.  My Business Platform may amend this Agreement at any time.  The Parties acknowledge that substantial changes to My Business Platform’s obligations may be subject to changes in fees for the Service or alteration in the manner and means by which My Business Platform performs the Service.

 


Exhibit 1

Subprocessors

 

 

| Name of Subprocessor | Category | Country(ies) of Processing | Services/Processing provided by the Subprocessor |
| --- | --- | --- | --- |
| Amazon Web Services, Inc. | Subprocessor | United States | Cloud Hosting |

 


Exhibit 2

Details of Processing

 

The categories and locations of Data Subjects, types of Personal Information, and Processing operations and nature of Processing are set out below.

1. Nature, purpose and subject matter of the Processing

The nature, purpose and subject matter of the Processing is the provision of the Service as described in the Services Agreement and related Order Forms.

 

2.  Duration of the Processing      

  The duration of the Processing corresponds to the duration of the Services Agreement

  Deviating from the duration of the Services Agreement, the Parties agree, that the duration of the Processing is: __________________________________

3. Categories of Data Subjects

  Client’s and its affiliates’ employees (including temporary or casual workers, volunteers, assignees, trainees, retirees, pre-hires and applicants) and end users

    Client’s customers’ and their affiliates’ employees (including temporary or casual workers, volunteers, assignees, trainees, retirees, pre-hires and applicants)      

  Others: ________________________________

4. Location of Data Subjects

  United States

  Canada

5. Types of Client Personal Information

  Identifiers (such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, signature, physical descriptions and passport number)

  Commercial information (such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies)

  Biometric information (such as facial scans, fingerprints, genetic information, voice prints, iris scans or scans of hand or face geometry)

  Internet or other electronic network activity information (such as browsing history, search history, and information regarding a Data Subject’s interaction with an internet website application, or advertisement)

  Financial information (such as insurance policy number, bank account number, credit card number or debit card number)

  Geolocation data

  Audio, electronic, visual, thermal, olfactory, or similar information (such as images, videos, electronic monitoring or other forms of monitoring)

  Professional or employment-related information

  Education information

  Inferences drawn from any of Personal Information to create a profile about a Data Subject reflecting the Data Subject’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

  Others: ________________________________________

6. Special Categories of Personal Information

Personal Information revealing:

  Social security, driver’s license, state identification card, or passport number

  Racial or ethnic origin

  Political opinions

  Religious or philosophical beliefs

  Trade union membership

  Genetic data

  Data concerning a Data Subject’s health, sex life or sexual orientation

  Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account

  Criminal convictions and offences

  Contents of a Data Subject’s mail, email, and text messages (other than communications relating to the administration of the Services Agreement)

  Data that is derived from a device and that is used or intended to be used to locate a Data Subject within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet

  None of the above