CHOOZLE U.S. DATA PROCESSING AGREEMENT
This data processing agreement (“Agreement”) forms part of the main agreement(s) between ___ (“Company”) and Choozle, Inc. (“Provider”) (each individually a Party and collectively the “Parties”) and all further agreements executed under it (collectively, the “Main Agreement(s)”) pursuant to which Provider provides services to Company. This Agreement is effective as of (1) the execution date of the Main Agreement if incorporated as an exhibit thereto; or (2) the date last signed if executed as an amendment to or otherwise separately from the Main Agreement.
Data Processing Terms
1. Roles of Parties: The Parties acknowledge and agree that Provider is considered a Service Provider under the Agreement.
2. Compliance With Law: Provider shall at all times comply with Company’s written instructions pursuant to the Main Agreement(s) and all applicable laws, rules and regulations, including but not limited to, all applicable Data Protection Law.
3. Data Security: The Provider will implement appropriate technical and organizational measures designed to safeguard Personal Data against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display or distribution, and against accidental loss, destruction or damage. The Provider must document those measures in writing and periodically review them to ensure they remain current and complete, at least annually.
4. Data Retention and Deletion: Provider shall retain Company Personal Data for only so long as necessary to perform its obligations under the Main Agreement(s), unless otherwise required under applicable laws. Upon termination or expiration of the Main Agreement(s) or earlier as requested by Company, Provider shall destroy or return to Company (at Company’s election) all Company Personal Data in its possession, custody and control, except for such Personal Data as must be retained under applicable law (which Provider shall destroy once it is no longer required under applicable law to retain).
5. Data Security Incidents: Provider shall notify Company within seventy-two (72) hours of discovery of an unauthorized access to, acquisition or disclosure of Company Personal Data, or other breach of security with respect to Company Personal Data in Provider’s or its representatives’ control or possession (a “Data Security Incident”). If a Data Security Incident requires notice to any regulator, data subject or other third party, Company shall have sole control over the content, timing and method of distribution of any needed notice, unless otherwise required by applicable law.
6. Data Subject Rights: If Provider receives a request from a Company Data Subject relating to their Company Personal Data, Provider shall immediately forward the request to Company and provide all reasonable cooperation necessary for Company to fulfill the Company Data Subject’s request in compliance with applicable laws.
7. Termination and Survival: This Agreement and all provisions herein shall survive so long as, and to the extent that, Provider Processes or retains Company Personal Data.
8. Conflicts: In case of contradictions between this Agreement and the provisions of the Main Agreement, the provisions of this Agreement shall prevail.
9. Applicable law and jurisdiction: The applicable law and jurisdiction as set forth in the Main Agreement apply to this Agreement.
CHOOZLE GLOBAL DATA PROCESSING AGREEMENT
This data processing agreement (“Agreement”) forms part of the main agreement(s) between ___ (“Company”) and Choozle, Inc. (“Provider”) (each individually a Party and collectively the “Parties”) and all further agreements executed under it (collectively, the “Main Agreement(s)”) pursuant to which Provider provides services to Company. This Agreement is effective as of (1) the execution date of the Main Agreement if incorporated as an exhibit thereto; or (2) the date last signed if executed as an amendment to or otherwise separately from the Main Agreement.
Data Processing Terms
1. Roles of Parties. The Parties acknowledge and agree that Provider is considered a Service Provider under the Agreement.
2. Company Personal Data Processing
a. In connection with its performance of the Services, Provider will Process the Company Personal Data relating to the Company Data Subjects described in Annex 1, which may be amended by the Parties from time to time.
b. Provider shall at all times comply with Company’s written instructions pursuant to the Main Agreement(s) and all applicable laws, rules and regulations, including but not limited to, all applicable Data Protection Law.
c. Provider shall (1) limit access to Company Personal Data to only those employees or agents that require access to perform their roles and responsibilities in connection with the Services, and (2) under no circumstances rent, sell or disclose Company Personal Data, except as otherwise allowed under this Agreement or the Main Agreement.
3. Cross border transfer. If Company’s Processing of Personal Data involves the transfer of Company Personal Data of Data Subjects in the EEA, United Kingdom and/or Switzerland to a country or territory outside of those regions, the parties hereby incorporate, and agree to comply with, the Standard Contractual Clauses of June 4, 2021 (“SCCs”) approved by the European Commission.
4. Data Security. The Provider will implement appropriate technical and organizational measures designed to safeguard Personal Data against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display or distribution, and against accidental loss, destruction or damage. The Provider must document those measures in writing and periodically review them to ensure they remain current and complete, at least annually.
5. Data Retention and Deletion
a. Provider shall retain Company Personal Data for only so long as necessary to perform its obligations under the Main Agreement(s), unless otherwise required under applicable laws.
b. Upon termination or expiration of the Main Agreement(s) or earlier as requested by Company, Provider shall destroy or return to Company (at Company’s election) all Company Personal Data in its possession, custody and control, except for such Personal Data as must be retained under applicable law (which Provider shall destroy once it is no longer required under applicable law to retain).
6. Data Security Incidents
a. Provider shall notify Company within forty-eight (48) hours of discovery of an unauthorized access to, acquisition or disclosure of Company Personal Data, or other breach of security with respect to Company Personal Data in Provider’s or its representatives’ control or possession (a “Data Security Incident”). The notice to Company shall include:
- i. a description of the Data Security Incident;
- ii. a description of the steps Provider has taken, or plans to take, to investigate the Data Security Incident;
- iii. an overview of the affected Company Personal Data, including the number and locations of affected Company Data Subjects;
- iv. the expected consequences of the Data Security Incident and mitigation tactics.
b. If a Data Security Incident requires notice to any regulator, data subject or other third party, Company shall have sole control over the content, timing and method of distribution of any needed notice, unless otherwise required by applicable law.
7. Audit Rights. Upon written request, Provider shall provide, if available, any data security compliance reports or audit reports that assess the effectiveness of Provider’s information security program. Upon reasonable advance written notice, Company may (not more than once per year) during normal business hours and at its own expense, audit Provider’s networks, systems, procedures, and Processing of Company Personal Data, and compliance with this Agreement.
8. Requests or Demands from Governmental or Regulatory Bodies. Provider shall inform Company as soon as possible if it receives a request or demand from a governmental or regulatory body with authority over Provider or Company relating to Provider’s Processing of Company Personal Data, and shall cooperate with Company in connection with any response to such investigation or audit.
9. Data Subject Rights. If Provider receives a request from a Company Data Subject relating to their Company Personal Data, Provider shall immediately forward the request to Company and provide all reasonable cooperation necessary for Company to fulfill the Company Data Subject’s request in compliance with applicable laws.
10. Sub-processors. Provider will not permit any Sub-processor to Process Company Personal Data, unless Provider and the Sub-processor have entered into an agreement that imposes obligations on the Sub-processor that are no less restrictive and at least equally protective of Company Personal Data than those imposed on Provider under this Agreement. Provider is responsible for ensuring the compliance of Sub-processors with applicable Data Protection Law in connection with the Processing of Company Personal Data.
11. Termination and Survival. This Agreement and all provisions herein shall survive so long as, and to the extent that, Provider Processes or retains Company Personal Data.
12. Counterparts. This Agreement may be executed in any number of counterparts and any Party (including any duly authorized representative of a Party) may enter into this Agreement by executing a counterpart.
13. Ineffective clause. If individual provisions of this Agreement are or become ineffective, the effectiveness of the remaining provisions shall not be affected. The Parties shall replace the ineffective clause with a legally allowed clause, which will accomplish the intended commercial intention as closely as possible.
14. Conflicts. In case of contradictions between this Agreement and the provisions of the Main Agreement, the provisions of this Agreement shall prevail.
15. Applicable law and jurisdiction. The applicable law and jurisdiction as set forth in the Main Agreement apply to this Agreement.