Data Processing Addendum
Version Date: 11.26.2024
This Data Processing Addendum (“DPA”) is incorporated into and is subject to the terms and conditions of the Agreement (as defined below), by and between Humach, LLC (“Humach”) and “Client”.
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement (as defined below).
“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
“Agreement” means Humach’s Master Service Agreement, Statement of Work(s) and other applicable legal documentation which govern the provision of the Service to Client, as such terms or agreement may be updated from time to time. For the avoidance of doubt, all references to the “Agreement” shall include this DPA (where applicable).
“Client” means the organization that contracts with Humach pursuant to the Agreement.
“Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.
“Client Data” means any personal data that Humach processes on behalf of Client via the Service.
“Data Protection Laws” means all data protection laws and regulations applicable to a party’s processing of Client Data under the Agreement.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Client Data on systems managed or otherwise controlled by Humach.
“Sensitive Data” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under the Data Protection Laws.
“Service” means the service(s) provided to Client pursuant to the Agreement.
“Sub-processor” means any processor engaged by Humach or its Affiliates to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA. Sub-processors may include third parties or Affiliates of Humach but shall exclude Humach employees, contractors, or consultants.
The terms “personal data”, “controller”, “data subject”, “processor” and “processing”, or equivalent terms, shall have the meaning given to them under applicable Data Protection Laws.
2.1 Purpose. Humach shall process Client Data, as further described in Annex A (Details of Data Processing) of this DPA, only in accordance with Client’s documented lawful instructions as set forth in this DPA, as necessary to comply with the Data Protection Laws, or as otherwise agreed in writing (“Permitted Purposes”). The parties agree that the Agreement, including this DPA, along with the Client’s configuration of or use of any settings, features, or options in the Service (as the Client may be able to modify from time to time) constitute the Client’s complete and final instructions to Humach in relation to the processing of Client Data, and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties. For the avoidance of doubt, this DPA shall not apply to instances where Humach is the controller (or the similar term under the Data Protection Laws) unless otherwise described in Annex C (Jurisdiction-Specific Terms) of this DPA.
2.2 Prohibited data. Client will not provide (or cause to be provided) any Sensitive Data to Humach for processing under the Agreement, and Humach will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
2.3 Client compliance. Client represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Client Data and any processing instructions it issues to Humach; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Humach to process Client Data for the purposes described in the Agreement. Client shall have sole responsibility for the accuracy, quality, and legality of Client Data and the means by which Client acquired Client Data. Without prejudice to the generality of the foregoing, Client agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to all content created, sent, or managed through the Service.
2.4 Lawfulness of Client’s instructions. Client will ensure that Humach’s processing of the Client Data in accordance with Client’s instructions will not cause Humach to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws. Humach shall promptly notify Client in writing if it becomes aware or believes that any data processing instruction from Client violates any Data Protection Laws.
Client agrees that Humach may engage Sub-processors to process Client Data on Client’s behalf. Humach shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Client Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor; and (ii) remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause Humach to breach any of its obligations under this DPA.
4.1 Security Measures. Humach shall implement and maintain appropriate technical and organizational security measures that are designed to protect Client Data from Security Incidents and designed to preserve the security and confidentiality of Client Data in accordance with Humach’s security standards described in Annex B (“Security Measures”) of this DPA.
4.2 Confidentiality of processing. Humach shall ensure that any person who is authorized by Humach to process Client Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
4.3 Updates to Security Measures. Client is responsible for reviewing the information made available by Humach relating to data security and making an independent determination as to whether the Service meets Client’s requirements and legal obligations under Data Protection Laws. Client acknowledges that the Security Measures are subject to technical progress and development and that Humach may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Client.
4.4 Security Incident response. Upon becoming aware of a Security Incident, Humach shall, to the extent permitted by Data Protection Laws: (i) notify Client without undue delay; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Client; and (iii) promptly take reasonable steps to contain and investigate any Security Incident. Humach’s notification of or response to a Security Incident under this Section 4.4 shall not be construed as an acknowledgment by Humach of any fault or liability with respect to the Security Incident.
4.5 Client responsibilities. Notwithstanding the above, Client agrees that except as provided by this DPA, Client is responsible for the secure use of the Service, including by users on Client’s behalf.
4.6 Security reports. Upon written request, Humach shall supply (on a confidential basis) a summary copy of its most current security report(s) (“Report”) to Client, so that Client can verify Humach’s compliance with its security standards.
Client acknowledges that Humach may transfer and process Client Data to and in the United States and anywhere else in the world where Humach, its Affiliates or its Sub-processors maintain data processing operations. Humach shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.
Upon termination or expiration of the Agreement, Humach shall (at Client’s election) delete or return to Client all Client Data (including copies) in its possession or control, except that this requirement shall not apply to the extent Humach is required by applicable law to retain some or all of the Client Data, or to Client Data it has archived on back-up systems and eventually delete in accordance with Humach’s deletion policies, except to the extent required by applicable law.
7.1 Data subject requests. Humach shall provide reasonable additional assistance to Client to the extent possible to enable Client to comply with its data protection obligations with respect to data subject rights under Data Protection Laws. In the event that any such request is made to Humach directly, Humach shall not respond to such communication directly except as appropriate (for example, to direct the data subject to contact Client) or legally required, without Client’s prior authorization. For the avoidance of doubt, nothing in the Agreement shall restrict or prevent Humach from responding to any data subject or data protection authority requests in relation to personal data for which Humach is a controller.
7.2 Data protection impact assessment. To the extent required under applicable Data Protection Laws, Humach shall provide all reasonably requested information regarding the Service to enable Client to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws. Humach shall comply with the foregoing by: (i) complying with Section 5 of this Agreement; (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Client to comply with such obligations, upon request, providing additional reasonable assistance (at Client’s expense).
To the extent Humach processes Client Data originating from and protected by Data Protection Laws in one of the jurisdictions listed in Annex C, then the terms specified in Annex C with respect to the applicable jurisdiction(s) (“Jurisdiction-Specific Terms”) apply in addition to the terms of this DPA. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of this DPA, the applicable Jurisdiction-Specific Terms will take precedence, but only to the extent of the Jurisdiction-Specific Terms’ applicability to Humach.
9.1 Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement.
9.2 Any claims made against Humach or its Affiliates under or in connection with this DPA shall be brought solely by the Client entity that is a party to the Agreement.
9.3 In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
10.1 This DPA shall remain in effect for as long as Humach carries out Client Data processing operations on behalf of Client or until termination of the Agreement (and all Client Data has been returned or deleted in accordance with Section 6).
10.2 The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Service.
10.3 In the event of any conflict or inconsistency between this DPA and any other part of the Agreement, then the DPA shall prevail.
10.4 Except for any changes made by this DPA, the Agreement remains unchanged and in full force and effect.
10.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
10.6 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
Website visitors who visit Company Websites.
Clients who purchase goods or services from Company.
Client’s customers who purchase goods or services from Client.
Identifiers: Names, addresses, email addresses, phone numbers, social security numbers, passport numbers, driver’s license numbers, etc.
Location data: Geographic location information, such as IP addresses, GPS data, etc.
Online identifiers: Cookies, device identifiers, and other online tracking technologies, etc.
Demographic information: Age, gender, date of birth, nationality, race, ethnicity, etc.
Employment information: Job titles, employment history, salary information.
Education information: Educational qualifications, academic records.
Sensitive personal data: Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, and data concerning criminal convictions and offenses.
Continuous and as determined by Client.
Humach processes the collected data in the course of providing the services which the Client is providing for Client’s use or to Client’s customers.
Data may be collected by any means of communication including voice, email, chat, bot/agent, etc.
Humach shall only process Client Data for the Permitted Purposes, which shall include: (i) processing as necessary to provide the Service in accordance with the Agreement; (ii) processing initiated by Client in its use of the Service; and (iii) processing to comply with any other reasonable instructions provided by Client (e.g., via email or support tickets) that are consistent with the terms of the Agreement.
Humach will process Client Data as outlined in Section 6 (Return or Deletion of Data) of this DPA.
Humach maintains a vigilant and active security posture including, but not limited to, PCI, SOC, and other cybersecurity framework compliances. For more specific questions, please access the Humach Trust Portal at https://humach.com/security-and-compliance/ or contact Humach for more information about Humach’s security measures. The Humach Trust Portal may be modified from time to time, without notice to Client.
1. Except as described otherwise, the definitions of: “controller” includes “Business”; “processor” includes “Service Provider”; “data subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under the CCPA.
2. For this “California” section of Annex C only, “Permitted Purposes” shall include processing Client Data only for the purposes described in this DPA and in accordance with Client’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, as otherwise agreed in writing, including, without limitation, in the Agreement, or as otherwise may be permitted for “service providers” under the CCPA.
3. Humach’s obligations regarding data subject requests, as described in Section 7 (Data Subject Rights and Cooperation) of this DPA, extend to rights requests under the CCPA.
4. Notwithstanding any use restriction contained elsewhere in this DPA, Humach shall process Client Data to perform the Service, for the Permitted Purposes and/or in accordance with Client’s documented lawful instructions, or as otherwise permitted or required by applicable law.
5. Notwithstanding any use restriction contained elsewhere in the Agreement, Humach may de-identify or aggregate Client Data as part of performing the Service specified in the Agreement.
6. Where Sub-processors process the Personal Information of Client contacts, Humach takes steps to ensure that such Sub-processors are Service Providers under the CCPA with whom Humach has entered into a written contract that includes terms substantially similar to this “California” section of Annex C or are otherwise exempt from the CCPA’s definition of “sale”.