Data Processing Addendum
This Data Protection Addendum (“DPA”) is entered into as of the Effective Date (defined below) between RevolutionParts, Inc. (“REVOLUTIONPARTS” or “Processor”) and Customer (“Customer”). REVOLUTIONPARTS and Customer may each be referred to as a “Party” and collectively referred to as the “Parties”. To the extent applicable pursuant to the REVOLUTIONPARTS Terms of Service, this DPA shall be effective as of the effective date of Customer’s Agreement (as defined in the REVOLUTIONPARTS Terms of Service) with REVOLUTIONPARTS. Unless otherwise indicated, all capitalized terms used but not defined in this DPA have the meanings given to them in Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”), or the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”). The parties agree that for the purposes of this DPA, Customer is a Data Controller or Business and REVOLUTIONPARTS is a Data Processor or Service Provider.
- Definitions. In this DPA:
“Applicable Law” means applicable data privacy law, which may include the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), or the Personal Protection and Electronic Documents Act (PIPEDA). For the avoidance of doubt, if REVOLUTIONPARTS processes Personal Data that is not governed by or its processing activities are not governed by Applicable Law, such law is not applicable for purposes of this DPA. Each party is responsible only for the Applicable Law applicable to it.
“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or exfiltration of, or access to, Personal Data.
“Personal Data” includes “personal data,” “personal information,” and “personally identifiable information,” and such terms shall have the same meaning as defined by Applicable Law.
“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Standard Contractual Clauses” means the annex found in EU Commission Implementing Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament, available here: (https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf), completed as described in the “Data Transfers” section below.
“Subprocessor” means any Processor affiliate or subcontractor engaged by REVOLUTIONPARTS for the Processing of Personal Data.
- Instructions from the Customer. REVOLUTIONPARTS will retain, use, disclose, and otherwise Process the Personal Data only as described in the REVOLUTIONPARTS Terms of Service, unless obligated to do otherwise by applicable law. In such case, REVOLUTIONPARTS will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. Customer will not instruct REVOLUTIONPARTS to Process Personal Data in violation of any applicable law. REVOLUTIONPARTS has no obligation to monitor the compliance of Customer’s use of the REVOLUTIONPARTS proprietary platform, Portal, and Services with Applicable Law, though REVOLUTIONPARTS will promptly inform Customer if, in REVOLUTIONPARTS’ opinion, an instruction from Customer infringes applicable law. The REVOLUTIONPARTS Terms of Service, including this DPA, constitute Customer’s complete and final instructions to REVOLUTIONPARTS regarding the Processing of Personal Data, including for purposes of the Standard Contractual Clauses. Without limiting the foregoing:
- REVOLUTIONPARTS will not Process the Personal Data in a manner inconsistent with REVOLUTIONPARTS’ role as Customer’s “Service Provider,” as such term is defined in the CCPA.
- REVOLUTIONPARTS will not “sell” the Personal Data, as such term is defined in the CCPA.
- REVOLUTIONPARTS will restrict access to Personal Data to those authorized persons who need such information to provide the Services. REVOLUTIONPARTS will ensure such authorized persons are obligated to maintain the confidentiality of any Personal Data.
- REVOLUTIONPARTS will implement appropriate technical and organizational measures to ensure a level of security appropriate to the Personal Data provided by Customer and Processed by REVOLUTIONPARTS.
- Customer agrees that REVOLUTIONPARTS may engage other Processors (“Subprocessors”) to assist in providing the Services consistent with the REVOLUTIONPARTS Terms of Service. REVOLUTIONPARTS will maintain a list of such Subprocessors and make it available to Customer upon request. Customer’s objection will be effective only if it articulates objective, justifiable reasons why it believes new Subprocessors are not able to adequately protect Personal Data in accordance with the REVOLUTIONPARTS Terms of Service, this DPA, or applicable data protection law. Where REVOLUTIONPARTS engages a Subprocessor for carrying out specific Processing activities on behalf of Customer, REVOLUTIONPARTS will impose contractual obligations on the Subprocessor that are substantially the same as those imposed on REVOLUTIONPARTS under this DPA. Where that Subprocessor fails to fulfill its data protection obligations, REVOLUTIONPARTS will remain liable to Customer for the performance of that Subprocessor’s obligations.
- Data Subject Requests. To the extent legally permitted, REVOLUTIONPARTS shall promptly notify Customer if REVOLUTIONPARTS receives any requests from an individual seeking to exercise any rights afforded to them under Applicable Law regarding Personal Data. REVOLUTIONPARTS has implemented and will maintain appropriate technical and organizational measures needed to enable Customer to respond to requests from data subjects to access, correct, transmit, limit processing of, or delete any relevant Personal Data held by REVOLUTIONPARTS.
- Upon a request issued by a supervisory authority for records regarding Personal Data, REVOLUTIONPARTS will cooperate to provide the supervisory authority with records related to Processing activities performed on Customer’s behalf. To the extent legally permissible, REVOLUTIONPARTS will inform Customer in writing of such a request and partner with Customer working in good faith to verify the legal basis of the request.
- REVOLUTIONPARTS will cooperate to the extent reasonably necessary in connection with Customer’s requests related to any legally required data protection impact assessments and consultation with supervisory authorities.
- Third Party Requests. If REVOLUTIONPARTS receives a request from a third party in connection with any government investigation or court proceeding that REVOLUTIONPARTS believes would require it to produce any Personal Data processed pursuant to the REVOLUTIONPARTS Terms of Service, REVOLUTIONPARTS will inform Customer in writing of such request and cooperate with Customer if Customer wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable law.
- Transfer of Personal Data; Appointment. Customer authorizes REVOLUTIONPARTS to transfer, store or Process Personal Data in the United States or any other country in which REVOLUTIONPARTS or its Subprocessors maintain facilities. Customer appoints REVOLUTIONPARTS to perform any such transfer of Personal Data to any such country and to store and Process Personal Data in order to provide the Services. REVOLUTIONPARTS will conduct all such activity in compliance with the REVOLUTIONPARTS Terms of Service, this DPA, applicable law and Customer’s instructions.
- Data Transfers Outside of the EU. To the extent that the Services involve a transfer of Personal Data originating from either party’s systems in the United Kingdom, EEA or Switzerland to either party’s systems located in countries outside the EEA or Switzerland that have not received a binding adequacy decision by the European Commission or by a competent national EEA data protection authority, such transfers are subject to applicable data transfer mechanisms.
- If Customer is located in the United Kingdom, EEA or Switzerland and transfers Personal Data to REVOLUTIONPARTS in the United States, for such transfer the Parties agree to be bound by the Standard Contractual Clauses. If there is a conflict between the Standard Contractual Clauses and the REVOLUTIONPARTS Terms of Service, the Standard Contractual Clauses will prevail. For purposes of the Standard Contractual Clauses:
- The clauses shall be governed by the laws of the jurisdiction from which the data is exported.
- Customer is the “Data Exporter” and REVOLUTIONPARTS is the “Data Importer”.
- The data subjects include Customer’s employees or end users.
- The purpose of the transfer is to allow REVOLUTIONPARTS to provide the Services outlined in the REVOLUTIONPARTS Terms of Service.
- The categories of Personal Data include names, email addresses, IP addresses, contact details, and social security numbers.
- The recipients of the Personal Data include REVOLUTIONPARTS employees with a need to Process the Personal Data for the purposes set forth herein.
- Data Importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the REVOLUTIONPARTS Terms of Service.
- Deletion or Return. At the choice of Customer, REVOLUTIONPARTS will delete or return all the Personal Data Processed in connection with the Services to Customer at any time or after the end of the provision of such Services and delete existing copies unless applicable law requires storage of the Personal Data. REVOLUTIONPARTS will relay Customer’s instructions to all Subprocessors. Notwithstanding the foregoing, this provision will not require REVOLUTIONPARTS to delete Personal Data from archival and back-up files except as provided by REVOLUTIONPARTS’ internal data deletion practices and as required by applicable law.
- Breach Notification. REVOLUTIONPARTS will comply with the Personal Data Breach-related obligations directly applicable to it under applicable law. After becoming aware of a Personal Data Breach related to the Personal Data processed under the REVOLUTIONPARTS Terms of Service, REVOLUTIONPARTS will notify Customer without undue delay, to the extent known, of: (a) the nature of the data breach; (b) the number and categories of data subjects and data records affected; and (c) the name and contact details for the relevant contact person at REVOLUTIONPARTS. Customer is solely responsible for complying with legal requirements for notification applicable to Customer and fulfilling any third-party notification obligations related to any Customer Personal Data Breach. Nothing shall be construed to require REVOLUTIONPARTS to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.
- Audits. No more than once annually (unless otherwise required by applicable law), REVOLUTIONPARTS shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, to demonstrate REVOLUTIONPARTS’ compliance with this DPA or Article 28 of the GDPR. For clarity, such audits or inspections are limited to REVOLUTIONPARTS’ Processing of Personal Data subject to the GDPR on behalf of Customer only, not any other aspect of REVOLUTIONPARTS’ business or information systems or other customers. If Customer requires REVOLUTIONPARTS to contribute to audits or inspections that are necessary to demonstrate compliance, Customer will provide REVOLUTIONPARTS with written notice at least 60 days in advance of such audit or inspection. Such written notice will specify the things, people, places or documents to be made available. Such written notice, and anything produced in response to it (including any derivative work product such as notes of interviews), will be considered Confidential Information and, notwithstanding anything to the contrary in the REVOLUTIONPARTS Terms of Service, will remain Confidential Information in perpetuity or the longest time allowable by applicable law after termination of the REVOLUTIONPARTS Terms of Service. Such materials and derivative work product produced in response to Customer’s request will not be disclosed to anyone without the prior written permission of REVOLUTIONPARTS unless such disclosure is required by applicable law. If disclosure is required by applicable law, Customer will give REVOLUTIONPARTS prompt written notice of that requirement and an opportunity to obtain a protective order to prohibit or restrict such disclosure except to the extent such notice is prohibited by applicable law or order of a court or governmental agency. Customer will make every effort to cooperate with REVOLUTIONPARTS to schedule audits or inspections at times that are convenient to REVOLUTIONPARTS.
To the extent Customer uses a third-party representative to conduct the Audit, Customer shall ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this REVOLUTIONPARTS Terms of Service. If, after reviewing REVOLUTIONPARTS’ response to Customer’s audit or inspection request, Customer requires additional audits or inspections, Customer acknowledges and agrees that it will be solely responsible for all costs incurred in relation to such additional audits or inspections.