Incorporated into and forming part of the Master Services Agreement
This Data Processing Agreement (the "DPA") is between the Customer and Kovva, Inc. ("Provider") (together the "Parties"). It sets out the additional terms, requirements, and conditions on which the Parties will handle, process, disclose, transfer, or store Personal Information under the Master Services Agreement.
"Business Purpose" means the services described in the Master Agreement.
"Data Subject" means an individual who is the subject of the Personal Information and to whom or about whom the Personal Information relates or identifies, directly or indirectly.
"Personal Information" means any information the Provider processes for the Customer under the Agreement that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in the Provider's possession or control or that the Provider is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.
"Processing," "processes," or "process" means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.
"Privacy and Data Protection Requirements" means all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.
"Security Breach" means any act or omission that results in unauthorized access to or disclosure or acquisition of Personal Information.
This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA. The Appendices form part of this DPA and will have effect as if set out in full in the body of this DPA.
In the case of conflict or ambiguity between any provision in the body of this DPA and any provision in the Appendices, the provision in the body of this DPA will prevail. In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail.
The Customer retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.
Appendix A describes the general Personal Information categories and related types of Data Subjects the Provider may process to fulfill the Business Purposes of the Master Agreement. Customer acknowledges that the Services may allow entry of free-text inputs and agrees not to disclose Personal Information to Provider except as necessary for the limited and specified Business Purposes.
The Provider will only process, retain, use, or disclose the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with and as permitted by the Customer's instructions and the Master Agreement. The Provider will not process, retain, use, or disclose the Personal Information for any other purpose, outside of the parties' business relationship, or in a way that does not comply with this DPA, the Master Agreement, or the Privacy and Data Protection Requirements. This includes not combining or updating the Personal Information with personal information obtained outside of this contract unless the Privacy and Data Protection Requirements permit the action. The Provider will notify the Customer if, in Provider's opinion, the Customer's instruction would not comply with the Privacy and Data Protection Requirements.
The Provider will comply with any Customer request or instruction requiring the Provider to amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing to the extent Customer cannot do so on its own through the Services.
The Provider will maintain the confidentiality of all Personal Information and will not sell it to anyone, share it for cross-context behavioral advertising (targeted advertising) with anyone, or disclose it to third parties without specific authorization from the Customer or this DPA, unless required by law. If a law requires the Provider to process or disclose Personal Information, the Provider will first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
The Provider will reasonably assist the Customer with meeting the Customer's compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of the Provider's processing and the information available to the Provider.
The Provider will notify the Customer of any changes to Privacy and Data Protection Requirements, or its ability to meet those obligations, that may adversely affect the Provider's performance of the Master Agreement or this DPA.
The Customer acknowledges that the Provider is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions or the Personal Information other than as required under the Privacy and Data Protection Requirements.
The Provider will limit Personal Information access to:
The Provider will ensure that all employees:
The Provider will implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, or disclosure.
The Provider will promptly notify the Customer of a confirmed Security Breach.
Immediately following any confirmed Security Breach, the parties will coordinate with each other to investigate the matter. The Provider will reasonably cooperate with the Customer in the Customer's handling of the matter.
The Provider shall not be responsible for any expenses or costs related to a Security Breach that arises from the Customer's specific instructions, negligence, willful default, or breach of this DPA, in which case the Customer will cover all reasonable expenses.
7.1 Customer shall not transfer to Provider any Personal Information that requires a cross-border transfer mechanism under applicable Privacy and Data Protection Requirements, including, but not limited to, Personal Information from or about individuals that reside in the European Union, United Kingdom, or Switzerland.
7.2 If any such cross-border transfer of Personal Information is required by Customer to use the Services under the Master Agreement, Customer will provide written notice to Provider and the Parties will negotiate in good faith whether they may enter into, and first enter into, applicable data transfer mechanisms as required by law prior to such transfer of Personal Information.
Customer authorizes Provider to use a third party (subcontractor) to process the Personal Information to provide the services under the Agreement if:
Where the subcontractor fails to fulfill its obligations under such written agreement, the Provider remains liable to the Customer for the subcontractor's performance of its agreement obligations.
The Provider will redirect to Customer a request from a Data Subject to exercise any rights the individual may have regarding their Personal Information that is processed under the Master Agreement, such as access, correction, deletion, or to opt-out of or limit certain activities like sales, disclosures, or other processing actions. Customer will then process the request.
The Parties will notify each other if they receive any other complaint, notice, or communication that directly or indirectly relates to the Personal Information processing under the Master Agreement or to either party's compliance with the Privacy and Data Protection Requirements.
The Provider will provide reasonable and timely assistance to the Customer (at Customer's sole expense) to respond to any complaint, notice, communication, or Data Subject request.
The Provider will not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Customer's instruction, permitted by this DPA, or is otherwise required by law.
This DPA will remain in full force and effect so long as: (a) the Master Agreement remains in effect; or (b) the Provider retains any Personal Information related to the Master Agreement in its possession or control (the "Term").
Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement to protect Personal Information will remain in full force and effect.
At the Customer's written request, to the extent Customer cannot access through the Services Personal Information processed under the Master Agreement, the Provider will give the Customer a copy of or access to all or part of the Customer's Personal Information in its possession or control in the format and on the media reasonably specified by the Customer.
On termination of the Master Agreement for any reason or expiration of its term, the Provider will return or sanitize or, if directed in writing by the Customer, return and destroy, all or any Personal Information related to this agreement in its possession or control, except for Personal Information that it must retain for legal or business purposes. The Provider may only use this retained Personal Information for the required retention reason or purposes.
Upon the Customer's written request, once per year, the Provider will make relevant audit reports available to the Customer for review: the Provider's latest Service Organization Controls (SOC) Type 1 and SOC Type 2 audit reports and reports relating to its ISO/IEC 27001 certification. The Customer will treat such audit reports as the Provider's Confidential Information as defined in the Master Agreement.
The Customer warrants and represents that the Provider's expected use of the Personal Information for the Business Purposes and as instructed by the Customer will comply with all Privacy and Data Protection Requirements.
Business Purposes: The provision of the Services, including installation, configuration, hosting, maintenance, support, and implementation assistance under the Master Agreement and Order Form. Processing is necessary to provide access to Provider's software and related services for Customer's internal business purposes.
Personal Information Categories: To the extent the following constitutes Personal Information under applicable Privacy and Data Protection Requirements:
Data Subject Types: Customer's employees, contractors, and internal personnel authorized to use the Services ("Authorized Users").
Processing Duration: For the Term of the Master Agreement and any applicable Order Forms, including any renewal periods, and for a reasonable period thereafter to comply with post-termination obligations (e.g., data return or deletion or legal requirements).
Subcontractors: Provider may use subcontractors for hosting, support, and related services, subject to the terms of the Master Agreement and this DPA.