Data Processing Addendum

Effective Date: September 25, 2024

This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement (“MSA”), including any Order Forms and Statements of Work (together “Agreement”) by and between Snappt, Inc. (“Snappt”), a Delaware corporation, and the applicable Client (“Client”, and, together with Snappt, the “Parties”). This DPA is subject to change in Snappt’s sole discretion from time-to-time. Snappt will notify Client of any resulting changes to the Data Processing Addendum by posting the same herein, which such changes will automatically go into effect on the date posted. Client’s continued use of the Services following such date constitutes its agreement to be bound by such revisions to the Data Processing Addendum. If Client objects to the Data Processing Addendum, Client’s sole recourse is to cease using the Service.

WHEREAS Client desires to provide or make available to Snappt, or permit Snappt to access, create, collect, Process, and/or disclose certain Personal Information in order for Snappt to Process such Personal Information on behalf of Client for the purposes of Snappt providing some or all of the services described in the Agreement to support Client’s services provided to Client’s customers;

WHEREAS the Parties acknowledge that pursuant to Civil Code Section 1798.145, subd. (d)(1), the CCPA (as defined below) does “not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.”

WHEREAS the Parties further acknowledge that Civil Code Section 1798.145, subd. (d)(1) “shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act,” pursuant to Civil Code Section 1798.145, subd. (d)(2).

WHEREAS Client desires to provide or make available to Snappt certain Client Personal Information on the condition that Snappt abide by certain conditions and restrictions with respect to such Client Personal Information;

WHEREAS, Snappt desires to access, create, collect, Process, and/or disclose certain Client Personal Information from Client as necessary and appropriate to perform the services under the Agreement and at all times subject to the applicable conditions, restrictions, and Data Protection Laws;

WHEREAS, the Parties seek to implement a data processing agreement that complies with the requirements of the current legal frameworks in relation to data Processing and with the CCPA, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act and the Oregon Consumer Data Privacy Act.

WHEREAS, the Parties wish to memorialize their rights and obligations.

NOW, THEREFORE, in consideration of the mutual covenants, and for allowing the Parties to perform the services in the Agreement, IT IS AGREED AS FOLLOWS:

1. DEFINITIONS AND INTERPRETATION

Unless otherwise defined herein or in the Agreement, capitalized terms and expressions used in this DPA shall have the following meaning:

“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, together with any subordinate legislation or regulations.

“Client Personal Information” means Client Data about a Consumer that (a) can be used to identify, contact or locate a specific individual; (b) can be combined with other information that can be used to identify, contact or locate a specific individual; or (c) is defined as “personal data” or “personal information” by Data Protection Laws, including information that a Consumer provides Client in connection with its use of Client’s services and is thereafter Processed by Snappt on behalf of Client pursuant to or in connection with the Agreement.

“Consumer” means a natural person as defined in the CCPA, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act and the Oregon Consumer Data Privacy Act.

“Controller” means any legal entity which, alone or jointly with others, collects Consumers’ personal information and which determines the purposes and means of the processing of personal information, including a “Business” as defined in the CCPA.

“Data Protection Laws” means any applicable laws, regulations, and other legal requirements relating to (a) privacy, data security, and protection of Personal Information; and (b) the Processing of any Personal Information. Data Protection Laws may include, but are not limited to the CCPA, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act and the Oregon Consumer Data Privacy Act, and any applicable regulations, in each case, to the extent applicable to the Processing of Client Personal Information.

“Data Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Information that is transmitted, stored, or otherwise Processed by Snappt or any of its Service Providers, and/or the accidental, unlawful, or unauthorized disclosure of or access to Snappt or any of its Service Provider’s computer systems, network, or devices.

“Data Transfer” means a transfer of Personal Information from Client to Snappt or an onward transfer of Personal Information from Snappt to a Service Provider where such transfer would be otherwise prohibited by Data Protection Laws.

“FCRA” means the Fair Credit Reporting Act, codified at 15 U.S.C. Section 1681 et seq.

“Process” and its cognates mean any operation or set of operations which is performed on Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Service Provider” means any person or entity which Processes Client Personal Information on behalf of Snappt and that receives Personal Information from Snappt or on behalf of Snappt for a business purpose pursuant to the Agreement.

2. NATURE OF DATA PROCESSING AND ORDER OF PRECEDENCE

Snappt shall Process Data as a Service Provider on behalf of, and in accordance with, Client’s documented instructions for the provision of the Services and/or for the business purposes agreed with the Client in writing in the Agreement, which includes the following purposes pursuant to the following Client instructions: (i) Processing in accordance with the Agreement (including this DPA) in order to provide fraud detection and identity verification services, financial verification services, certain related analytic aggregate data regarding fraud rates that incorporates the anonymized results of Snappt’s services to its clients (including Client), and any other services offered by Snappt from time-to-time pursuant to the MSA; (ii) Processing initiated by Applicants in their use of the Services which includes support for addressing (identifying, analyzing, etc.) any spoofing attack that requires improvement of the Service for mitigating future intents of fraud and (iii) Processing to comply with other documented reasonable instructions provided by Client (e.g., via email) where such instructions are consistent with the terms of the Agreement. Client hereby instructs Snappt to Process Client Personal Information in accordance with the foregoing and as part of any Processing initiated by Client in its use of the Services (including, without limitation, via any Third Party Service, as and if applicable). Client is solely responsible for the accuracy, quality, and legality of (A) the Client Personal Information (including Applicant Data) collected by or provided to Snappt (or any Licensor, if applicable) by or on behalf of Client, (B) the means by which Client acquired any such Client Personal Information, and (C) the instructions it provides to Snappt regarding the Processing of such Client Personal Information. 
In addition, Snappt and its Licensors may collect and use the Client Personal Information of Authorized Users and Applicants to administer, provide and improve the Services, to identify opportunities for Client to optimize its use of the Services, including the provision of additional training, and to identify to Client complementary uses of Snappt’s other products and services. If Snappt (or a Licensor, if applicable) incorporates any consent modules into the Service for the purpose of obtaining the consent of any Authorized User or Applicants to the use and collection of Client Personal Information (including, without limitation, consent to the Privacy Policy and/or Terms of Service), Client shall not remove, alter or otherwise impede such consent modules, and shall be liable for any such removal, alteration or other impediment to a consent module, whether by Client or any Authorized User. Client shall not provide or make available to Snappt (or a Licensor, if applicable) any Client Personal Information in violation of the Agreement or Laws or otherwise inappropriate for the nature of the Services, and shall be solely responsible for properly directing Authorized Users and Applicants to the Managed Services. Client shall indemnify Snappt from all Claims and Damages arising out of or relating to a breach of the foregoing by Client. For the avoidance of doubt, the Parties agree that Client Personal Information that is Processed by or on behalf of Snappt, Snappt Personnel, or Third Party Services pursuant to the FCRA is exempt from the restrictions and covenants of Snappt set forth in this DPA. The categories of Personal Information that will be Processed pursuant to this DPA are described in Schedule A to this DPA. Should there be a conflict between this DPA and the Agreement, this DPA will govern as it relates to Client providing Client Personal Information and Snappt’s Processing of same.

3. COMPLIANCE WITH LAWS

The Parties shall each comply with their respective obligations under all applicable Data Protection Laws.

4. SNAPPT OBLIGATIONS

4.1 When Processing Client Personal Information, Snappt shall comply with all applicable Data Protection Laws in the Processing of Client Personal Information. Snappt’s obligations in this DPA relate solely to the Processing of Client Personal Information that is not otherwise exempt pursuant to the FCRA. Snappt will Process Client Personal Information as a “service provider” or “processor” pursuant to applicable Data Protection Laws and strictly for the purpose of performing the services under the Agreement, or as otherwise permitted by the applicable Data Protection Laws. Snappt commits to provide Client Personal Information with the same level of privacy protection as is required by the applicable Data Protection Laws.

4.2 Snappt Personnel

Snappt shall take reasonable steps to ensure the reliability of any of its employees, agents, or subcontractors (collectively “Snappt Personnel”), or its Service Providers, who may have access to Client Personal Information, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Client Personal Information, as strictly necessary for the purposes of the Agreement, and to comply with all applicable Data Protection Laws, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4.3 For purposes of this DPA

Snappt shall also refer to Snappt’s Personnel and Snappt’s Service Providers, if any. Snappt shall safeguard and hold all such Personal Information in confidence, and shall not disclose such Personal Information except when disclosure is required by law, is required in order to perform the services pursuant to the Agreement, or where Client has authorized Snappt to disclose it.

4.4 Contracting and Disclosing Personal Information to Service Providers

Client hereby consents to Snappt’s use of the Service Providers set forth at https://www.snappt.com/msa and to such Service Providers’ access to and use of Client Personal Information in accordance with the terms hereof. Snappt reserves the right to update such list of Service Providers from time-to-time by posting such updates to the foregoing URL, and such update shall be effective as of the date posted. By continuing to use any Service(s) after the new effective date, Client agrees to be bound by such changes. If the modified list of Service Providers is not acceptable to Client, Client’s sole recourse is to cease using the Service(s). Therefore, Client is hereby advised to review the URL prior to each use of the Service(s). Any Service Provider which Processes Client Personal Information on Snappt’s behalf will be subject to substantially the same confidentiality obligations as Snappt with respect to Processing Client’s Personal Information. Snappt shall enter into a data processing agreement with each such Service Provider that contains, in substance, similar obligations as those binding on Snappt under this DPA.

4.5 Further Representations and Warranties

Subject to Section 5 of the MSA, Snappt further represents and warrants that it will, and will cause any and all Snappt Personnel and Service Providers to, comply with the following duties and obligations as they relate to Client Personal Information to the extent required under applicable Data Protection Law:

  • Snappt may not sell Client Personal Information.
  • Snappt may not collect, Process, create, retain, use, or disclose Client Personal Information for any purpose other than for the sole purpose of performing the services under the Agreement and otherwise pursuant to the Agreement.
  • Snappt may not collect, Process, create, retain, use, or disclose Client Personal Information outside of its direct relationship with Client, and Client acknowledges and agrees that Snappt’s Processing of Client Personal Information is at the direction of Client as the Controller of such Personal Information.
  • Snappt may not combine Client Personal Information it receives from, or on behalf of, Client with Personal Information Snappt collects, Processes, creates, retains, uses, or discloses with Snappt’s own interactions with Consumers except as permitted by regulations issued pursuant to the CCPA or as otherwise permitted pursuant to applicable Laws (including the FCRA). For purposes of this DPA, “combine” means to aggregate Personal Information about a Consumer into a single profile.
  • To the extent Snappt receives information from Client that has been deidentified, as defined under applicable Data Protection Laws, Snappt agrees not to attempt to reidentify the data, to take reasonable measures to maintain and use the information in a deidentified manner, and to contractually obligate any authorized recipients to comply with applicable Data Protection Laws for information that has been deidentified.
  • Snappt agrees to promptly delete and procure the deletion of all copies of Client Personal Information relating to Consumers upon the written request of Client. Snappt shall comply with a deletion request within a reasonable period from the date of receipt from Client, which period shall not cause Client to violate any deletion timeframes as required under applicable Data Protection Law. Upon request, Snappt shall provide Client with a certification of deletion. Snappt agrees to inform Client within the time period required under the applicable Data Protection Laws, if Snappt determines that it is no longer able to meet its obligations under the applicable Data Protection Laws.

4.6 Limitations of Access Use and Disclosure of Client Personal Information

Snappt agrees to Process Client Personal Information while complying with all applicable Data Protection Laws.

Snappt shall access, collect, maintain, Process, handle, use, disclose, and destroy all Personal Information, as defined in applicable Data Protection Laws, in compliance with all applicable Data Protection Laws.

4.7 Third Party Services

Client acknowledges and agrees that any Third Party Service through whom Client accesses the Services shall not be considered a Service Provider of Snappt. Snappt is only sharing Personal Information with such Third Party Services at the direction of Client as the Controller of such Personal Information. Accordingly, Client acknowledges and agrees that it is responsible for entering into a separate data processing agreement with such Third Party Service with respect to any use of or Processing by such Third Party Service of Personal Information provided by Snappt to such Third Party Service in accordance with the Agreement. Client represents, warrants and covenants that Snappt’s provision of Personal Information to such Third Party Service complies with applicable Laws.

5. Security

5.1

Snappt shall provide reasonable security and will implement and maintain appropriate technical and organizational measures to protect Client Personal Information from any Data Security Incident.

5.2

Snappt shall be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all Snappt Personnel. Snappt shall take reasonable steps to confirm that all Snappt Personnel are protecting the security, privacy, and confidentiality of Client Personal Information consistent with the requirements of this DPA and their respective data processing agreements with Snappt.

6. Consumer Rights

6.1

Taking into account the nature of the Processing, Snappt shall assist Client by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client’s obligations to respond to requests to exercise Consumer rights under the applicable Data Protection Laws. Snappt agrees to provide commercially reasonable assistance to enable Client to respond to and comply with verifiable Consumer requests concerning Client Personal Information pursuant to applicable Data Protection Laws. Where Client is unable to access Client Personal Information subject to a Consumer rights request directly, Snappt shall provide Client with requested information within twenty (20) days of receipt of a request for assistance from Client. Snappt shall notify Client without any delay of any request from a person seeking to exercise any rights under the applicable Data Protection Laws.

6.2 Snappt shall:

  • Promptly notify Client if it receives a request from a Consumer under any Data Protection Law in respect of Client Personal Data; and
  • Ensure that it does not act on or respond to that request except on the documented instructions of Client or as required by applicable Data Protection Laws to which Snappt is subject, in which case Snappt shall to the extent permitted by applicable Data Protection Laws inform Client of that legal requirement before Snappt responds to the request.

7. Data Security Incident

7.1

Snappt agrees to implement a data security incident management program to address how Snappt and its Service Providers, if any, manage Data Security Incidents.

If Snappt, or any of its Service Providers, becomes aware of a Data Security Incident involving Client Personal Information, it shall notify Client without undue delay, upon discovering such Data Security Incident affecting Client Personal Information, and provide Client with sufficient information to reasonably allow Client to assess the nature and scope of the Data Security Incident, and meet its obligations, if any, under applicable Data Protection Laws. Such notification by Snappt to Client shall, to the extent possible:

  • Describe the nature of the Data Security Incident;
  • The categories of Client Personal Information concerned;
  • The number of individuals potentially affected;
  • The computer systems, networks, and/or devices affected; and/or
  • The measures taken or proposed to be taken to address the Data Security Incident.

7.2

In cooperation with Client, Snappt shall investigate such Data Security Incident and take all necessary, appropriate, and commercially reasonable corrective action to remedy such Data Security Incident and prevent a recurrence of same.

7.3

For the avoidance of doubt, if a Data Security Incident occurs for any reason, Snappt’s total liability shall remain subject to Section 11 of the MSA.

8. Data Protection Impact Assessment and Prior Consultation

Snappt shall provide reasonable assistance to Client with any data protection impact assessments Client is required to complete by competent data privacy authorities or applicable Data Protection Laws.

9. Data Transfers

Snappt may access and Process Client Personal Information on a global basis as necessary to provide the services in accordance with the Agreement. Wherever Client Personal Information is transferred outside its country of origin, the Parties will ensure such transfers are made in compliance with the requirements of the applicable Data Protection Laws.

10. Deletion or Return of Client Personal Information

Upon the written request of Client, Snappt shall promptly, and in any event within twenty (20) business days of the date of written request, delete and procure the deletion of all copies of that Client Personal Information. Upon request, Snappt shall certify that it has deleted all Client Personal Information disclosed under the Agreement, as well as all copies of same, and procure the deletion of all other copies of Client Personal Information collected or processed by any Snappt Personnel or any of its Service Providers.

11. General Terms

11.1 Notices

Any notice required or permitted hereunder shall be in writing, shall reference the Agreement and this DPA, and shall be delivered in accordance with Section 12.12 of the MSA.

11.2 Severability

If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

Schedule A

Categories of Personal Information Transferred

  • Applicant first and last names;
  • Applicant birth date;
  • Applicant binary gender;
  • Applicant contact information, including address, phone numbers and/or email addresses;
  • Applicant employer-issued identification number;
  • Applicant gross pay, net pay, and/or year-to-date pay;
  • Applicant earnings, including but not limited to wages, tips, other compensation;
  • Applicant pay rate and hours worked;
  • Applicant tax deductions, tax withholdings, and/or wage garnishment;
  • IP address;
  • Device ID;
  • Domain server;
  • Type of device/operating system/browser used to access the Services;
  • Web page interactions;
  • Non-identifiable request IDs;
  • Statistics associated with the interaction between device or browser and the Services;
  • User name;
  • Device ID;
  • IP-address-based location information;
  • GPS data;
  • Photos, videos and/or recordings of environment;
  • Unique identifiers such as passwords;
  • Identifying information in emails, letters or other written communications individuals send to Snappt and/or any Licensor regarding the Services; and/or
  • Front and back of personal ID; and/or
  • Account numbers for banks and other financial institutions.

Categories of Sensitive Personal Information Transferred

  • Applicant social security number and/or other State or Government identification number; and/or
  • Faceprints.

For the avoidance of doubt, Client Personal Information and Sensitive Personal Information that is Processed by Snappt pursuant to the FCRA is exempt from the terms of this DPA.