State Data Privacy & Protection Addendum

This State Data Privacy & Protection Addendum is between Infutor Data Solutions, LLC (“Service Provider”) and you (“Company”), and is effective as of the date of acceptance. This addendum sets forth the terms and conditions relating to processing of Company’s Personal Information in connection with the products, services or activities provided by Service Provider to Company pursuant to the applicable agreements in effect between the parties (“Agreements”).

In the event of a conflict between the terms of the Agreements and this addendum, the addendum will control.

Background:

Company is the Controller of Personal Information and has entered into Agreements with Service Provider for the Processing of such Personal Information on Company’s behalf. The Agreements identify the purposes of Processing the Personal Information, the type(s) of Personal Information to be Processed, and the duration of such Processing as necessary for Business Purposes and any other purposes agreed to by Company and Service Provider in the Agreements.

Therefore, Company and Service Provider agree as follows:

I. Definitions

“Applicable Law” means statutes, rules, and regulations adopted that are applicable to the Personal Information including, but not limited to the California Consumer Privacy Act, the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act.

“Business Purpose” means the use of Personal Information for the Company’s operational purposes, or other notified purposes, or for Processor’s operational purposes, provided that the use of such Personal Information shall be reasonably necessary and proportionate to achieve the purpose for which the Personal Information was collected or Processed or for another purpose that is compatible with the context in which the Personal Information was collected.

“Commercial Purposes” is as defined under the Applicable Law.

“Controller” means the entity that, alone or jointly with others, determines the purposes and means of Processing Personal Information.

“Cross-context Behavioral Advertising” is as defined under the Applicable Law.

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, is linked or could reasonably be linked, directly or indirectly, with a particular natural person or household, subject to any exceptions or exclusions under Applicable Law.

“Process” “Processes” or “Processing” means any operation, or set of operations, performed on Personal Information by automated or manual means, including the collection, use, storage, disclosure, analysis, deletion, or modification of such Personal Information.

“Processor” or “Service Provider” means the entity that Processes Personal Information on behalf of the Controller.

“Sell” or “Sale” generally means providing Personal Information by any means in exchange for monetary or other valuable consideration, and specifically is as defined under the Applicable Law.

“Share” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Information for Cross-context Behavioral Advertising, whether or not for monetary or other valuable consideration.

“Subprocessor” means any third party engaged by, or on behalf of, Service Provider to Process Personal Information.

II. Obligations applicable to the Processing of Company’s Personal Information

1. Service Provider shall not Sell or Share Company’s Personal Information.
2. Service Provider shall not retain, use, or disclose Company’s Personal Information: (i) for any purpose other than for the Business Purpose(s) contemplated by the Agreements, as otherwise agreed to by the Company and Service Provider, or as otherwise permitted by Applicable Law, including retaining, using, or disclosing the Personal Information for Service Provider’s Commercial Purposes; and (ii) outside of the direct business relationship between Service Provider and Company.
3. Service Provider shall not combine the Personal Information received from, or on behalf of, the Company with Personal Information received from, or on behalf of, another person or persons, or collects from its own interaction with such natural person, except as necessary to perform any Business Purpose or otherwise in accordance with Applicable Law.
4. Service Provider shall not engage Subprocessors to Process Personal Information on Service Provider’s behalf without first providing Customer with 30 days’ prior written notice of any such Subprocessors and an opportunity to object.
5. Processor’s employees, agents, and contractors who process Personal Information on behalf of Company are subject to a duty of confidentiality with respect to such Personal Information and such persons are contractually obligated to provide comparable privacy protection as required of Processor under this Addendum.
6. Service Provider shall delete or return all Personal Information at the end of the provision of services contemplated by the Agreement, unless otherwise agreed to by the parties or unless the retention of the Personal Information is required by Applicable Law. Company hereby consents to deletion of the Personal Information instead of return of the Personal Information.
7. Service Provider shall reasonably cooperate and assist Company in complying with consumer rights obligations in accordance with Applicable Law.
8. Service Provider shall make information in its possession available to Company necessary to demonstrate compliance with the obligations of this Addendum and permit Company to take reasonable and appropriate steps to help ensure the Processing of Company’s Personal Information is consistent with the obligations herein. This includes audits or assessments to be conducted by Company or a mutually agreed upon independent assessor to assess Service Provider’s technical and organizational measures in support of the obligations in this Addendum. Any audits or assessments conducted in accordance with this paragraph (H) shall be limited to one per calendar year upon 30 days prior notice to Service Provider. Company hereby consents to Service Provider’s use of a qualified and independent auditor to provide such information.
9. Service Provider shall promptly notify Company if it determines that it can no longer meet the obligations of this Addendum.
10. This Addendum may be updated from time to time as necessary to comply with changes in existing Applicable Law, as well as new laws as enacted. Service Provider will provide Company with notice and a link to the updated Addendum. If no objection is received from Company within 30 days of such notification, the updated Addendum terms will be deemed effective. The parties also agree to negotiate in good faith to amend this Addendum as necessary, or to enter into any additional agreements or addendums, to maintain compliance with changing laws and regulations and to adapt to changes in industry standards and best practices.

Last Updated, Dec 15, 2022