DATA PROCESSING ADDENDUM
THIS DATA PROCESSING ADDENDUM (this “Addendum”) is entered into and is hereby made a part of that certain [NAME OF AGREEMENT] (the “Agreement”) entered into between [VENDOR LEGAL ENTITY NAME] (“Vendor”) and Nerdy Nuts LLC (“Company”) as of the effective date of the Agreement.
1. DEFINITIONS
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable individual provided by Controller where such data is protected similarly as personal data, personal information or personally identifiable information under applicable Privacy Laws.
- “Processing Activities” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
- “Privacy Laws” means all data privacy or data protection laws or regulations globally that apply to the Processing of Personal Data under this Addendum.
- “Remedial Actions” means the performance of (a) a Security Incident investigation, which may be directed by Controller; (b) mitigation steps to isolate and stop the Security Incident from continuing to occur; (c) notification to public authorities or regulators and to any applicable industry regulator; and (d) provision to the data subjects whose Personal Data was or is included in the affected Personal Data of statutory or similar notification, credit monitoring, identity theft insurance, or the like.
2. SCOPE AND STRUCTURE
- Background. Vendor is the Processor who is acting on behalf of Company, the Controller. Controller may elect to share certain Personal Data with Processor in connection with the Agreement. This Addendum establishes the parties’ rights and obligations with respect to such Personal Data. This Addendum supplements the Agreement and is one of several components of Processor’s confidentiality, privacy, and data security obligations. The other components include (a) such general confidentiality/non-disclosure terms as may be set forth in the Agreement with respect to confidential business information that is not comprised by Personal Data; (b) Processor’s own Security Program; and (c) its obligations under applicable law.
- Precedence. The terms and conditions of this Addendum shall be incorporated into and amend the Agreement. Unless modified herein, all other terms and conditions contained in the Agreement will continue in full force and effect. This Addendum may be modified or amended only in a writing signed by both parties. In the event of any inconsistency or conflict between this Addendum and the Agreement, this Addendum shall control; provided, however, that where the Agreement imposes stricter obligations on Vendor with respect to Personal Information, such stricter obligations shall apply. By signing this Addendum, the parties hereto acknowledge having read this Addendum and agree to be bound by its terms.
- Act Only Per Instruction. Processor shall conduct the Processing Activities solely in accordance with Controller’s instructions as documented in the Agreement, this Addendum, or as otherwise instructed in writing by the Controller. If Processor believes it is required by applicable law to act or refrain from acting in a manner contrary to such instructions, Processor will notify the Controller. Processor shall ensure that each of its workforce members (in all events, inclusive of employees, contractors, and agents acting on Processor’s behalf hereunder) assigned to the performance of the Processing Activities is aware of and bound to the obligations of this Addendum, and Processor shall be responsible for such workforce members’ acts and omissions in performing Processing Activities and/or otherwise in breach of this Addendum.
- Compliance. Processor shall comply with all Privacy Laws applicable to its Processing Activities. Processor shall generally monitor the statutes, regulations, and industry rules comprised by the Privacy Laws for changes that may affect Processor’s obligations.
- Rights of Data Subjects. The subjects of any Personal Data have certain rights under applicable Privacy Laws. Such rights vary by jurisdiction but generally include the rights of notice of collection, access to collected Personal Data, and correction, blocking, suppression, and deletion thereof. As a material obligation hereunder, Processor shall provide such reasonable and timely assistance to Controller as necessary to satisfy such rights of data subjects. Processor’s specific obligations in this regard shall be proportionate to the degree of custody and control it has over the affected Personal Data. If Processor receives rights requests directly from an applicable data subject, Processor shall, within three (3) business days of such request, direct the data subject to Controller and take no further action regarding such request unless directed by Controller.
- Workforce Screening and Training. Processor shall train and manage its workforce members with respect to its Security Program. Such training should be ongoing and occur at least annually and cover topics including the contents and requirements of Processor’s Security Program, all applicable Privacy Laws, and this Addendum. Processor shall establish and educate its workforce members in disciplinary measures for violations of the Security Program or Privacy Laws. In addition, and without limiting any similar obligations in the Agreement, the organizational measures under the Security Program shall include procedures and measures designed to screen workforce members having access to Personal Data, including by performing, where and to the maximum extent allowed under applicable law, criminal, financial crime, and related background checks and refraining from assigning workforce members to Processing Activities if such screening produces adverse results.
- Subcontracting. Notwithstanding any term or condition to the contrary in the Agreement, including any provision permitting Processor to use subcontractors (including its affiliates) in the general course of performing the Agreement, Processor shall not subcontract the Processing Activities or any portion thereof unless Controller has given its express written consent. Subcontractors for whom consent is granted are hereinafter referred to as “Permitted Subcontractors”. In all events, Processor and all Permitted Subcontractors engaged shall enter into written agreements expressly binding such Permitted Subcontractors to obligations substantially similar to this Addendum. Company shall be responsible for the acts and omissions of its agents and subcontractors and any third parties to which it discloses Personal Information.
- Processor Obligations. Processor shall not, without the prior express written permission of Controller: (a) use or disclose Personal Data except to the minimum necessary extent required to perform its Processing Activities; (b) sell, rent, lease, loan, or otherwise make any Personal Data available to any third party (including its affiliates) for marketing or commercial purposes of any type, whether or not undertaken for consideration; (c) create reports based on, or perform any type of benchmarking, analytics, aggregation, or derivation using, Personal Data, even if in an aggregated/de-identified form. Upon receiving the express written permission of Controller to perform any activity that may constitute the selling or sharing of Personal Data, Processor agrees to be bound, as a Third Party (as defined therein), by the obligations outlined in § 7053 of the California Consumer Privacy Act Regulations. Notwithstanding anything to the contrary in the Agreement regarding indemnity or liability (unless such provisions make express reference to this Addendum), Processor shall defend and hold the Controller and each of its officers, directors, employees, members, managers, and representatives harmless from all third-party claims, and indemnify for all reasonable costs and liabilities, resulting from a breach of this Addendum.
- Transfers outside the United States. Processor shall not transfer or access Personal Data outside the country of origin unless otherwise agreed between the parties in writing. Where a transfer is governed by the GDPR, the transfer will be conducted in accordance with an approved mechanism set forth in Articles 46 through 49 of the EU GDPR or UK GDPR, as applicable, which may, if determined by the transferring party in consultation with the receiving party, require binding the receiving party to the applicable Standard Contractual Clauses (“SCCs”) module appropriate to the roles of the parties in such transfer. Where SCCs Modules 2, 3, and/or 4 are used, the parties agree that if there is any conflict or contradiction between such SCCs and this Addendum, the required resolution of such conflict in favor of the SCCs shall apply only to the act of transfer/importation and the sub-set of Personal Data directly involved therewith. It shall be the obligation of the Processor to ensure that the appropriate transfer mechanism is in place.
- Disclosures Required by Law. If any third party requests or demands, by subpoena or any similar legal process other than a DPA Inquiry, any Personal Data from Processor, Processor shall, unless otherwise prohibited: (i) immediately notify Controller in writing; and (ii) assist Controller in asserting ownership and control of, and protecting, the Personal Data, including by preventing and/or limiting its disclosure to such third party. Where such disclosure cannot be prevented, Processor shall, to the extent legally permitted, obtain reasonable assurances from the third party that it will: (1) hold the Personal Data in confidence and use or further disclose the Personal Data only for the purpose for which Processor disclosed the Personal Data; and (2) promptly notify Processor of any instance of which the third party becomes aware that the confidentiality or security of the Personal Data may have been compromised.
- DPA Inquiries. Where the third-party request relates to a DPA Inquiry, Processor shall immediately notify Controller of such request where permitted and shall not respond unless expressly instructed in writing by Controller or required by law. Processor shall, at Controller’s request and expense, assist Controller in asserting and protecting the Personal Data including by preventing and/or limiting disclosure. If such disclosure cannot be prevented, Controller, and not Processor, shall disclose the required portion of Personal Data directly to the applicable authority. “DPA Inquiry” means a non-subpoena request for access to, or information about, Personal Data from any governmental authority (including the U.S. Securities and Exchange Commission, U.S. Federal Trade Commission, and the Data Protection Authorities in the various European jurisdictions) and/or self-regulatory bodies (collectively, “Controller’s Regulators”).
- Disposal. Where requested by the Controller or following the termination of the Agreement, Processor shall either delete or return all Personal Data. Processor shall provide Controller with a certificate of deletion within thirty (30) days of the original request.
- Data Security Obligations. Processor shall maintain for the duration of the Agreement and thereafter for so long as Processor is engaged in any Processing Activities involving Personal Data, a written enterprise-wide corporate information security program that includes implemented technical, organizational, administrative, and other measures designed to protect, in a manner consistent with accepted industry standards, practices, and procedures, against anticipated or actual threats or hazards to the security or integrity of Personal Data as well as destruction, loss, unauthorized access to, or unauthorized use of, Personal Data (the “Security Program”). The Security Program shall be made available to Controller upon request. Processor shall notify Controller of any updates or amendments to the Security Program that materially change the elements thereof. Notwithstanding any contrary term or condition set forth in the Agreement, Controller may terminate all or the affected portion of the Agreement for convenience without payment or penalty within thirty (30) days of becoming aware of any change to the Security Program which Controller reasonably believes reduces Processor’s ability to comply with this Addendum or otherwise diminishes the security of Personal Data. Notwithstanding the above, Controller shall have the right, once per year (or more frequently if demanded by a Controller Regulator) to provide Processor with, and Processor shall complete, security, privacy, or similar questionnaires or otherwise provide information about the Security Program.
- Security Incidents. Processor shall notify Controller in writing within forty-eight (48) hours of (i) any breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Information (altogether, a “Security Incident”), or (ii) any reasonable suspicion of a Security Incident, regardless of its cause. Such notice shall provide a reasonably detailed description of the Security Incident, the means through which it was discovered, and the steps being taken in accordance with the preceding obligations. Processor shall update Controller at least daily until the Security Incident is contained. Except as may be required by applicable law, Processor shall not disclose the occurrence of a Security Incident that involves solely Controller’s Personal Data to any third party, including any governmental or industry self-regulatory authority, without first obtaining Controller’s prior written consent. Controller may itself, or through a third-party forensics investigator subject to confidentiality obligations, at its cost, review information regarding the Security Incident investigation (such as log files and the like).
- Affected Personal Data; Remedial Actions; Costs. In addition to the response actions and Security Incident investigation described above, Processor shall undertake all required Remedial Actions, provided that the timing, content, and manner of effectuating such Remedial Actions shall be agreed by the parties and in all cases shall comply with the applicable Privacy Laws. As such, Processor shall be financially responsible for all Remedial Actions. Notwithstanding anything to the contrary in the Agreement regarding indemnity or liability (unless such provisions make express reference to this Addendum), Processor shall defend and hold the Controller and each of its officers, directors, employees, members, managers, and representatives harmless from all third-party claims, and indemnify for all reasonable costs and liabilities, arising from a Security Incident or reasonable suspicion of a Security Incident.
- Cyber Insurance. Notwithstanding any contrary insurance provisions in the Agreement, Processor shall maintain customary insurance policies reasonably sufficient to protect Processor and Controller against risks reasonably known to arise from Processor’s performance or failure to perform under this Addendum (e.g., so-called cyber insurance). The foregoing shall include, in all events, coverage for ransom attacks and related payments. In connection with the foregoing obligations of Processor, Controller reserves the right to require specific policies of insurance at specified limits from carriers maintaining specified financial size and stability ratings, all of which shall be as set forth in a Supplement hereto. In all events, all insurance required by this Section shall be maintained for so long as the Processing Activities are being performed and thereafter for so long as Personal Data remains in the custody, care or control of Processor.
3. MISCELLANEOUS
The terms and conditions of this Addendum shall be incorporated into and amend the Agreement. Unless modified herein, all other terms and conditions contained in the Agreement will continue in full force and effect. This Addendum may be modified or amended only in a writing signed by both parties. In the event of any inconsistency or conflict between this Addendum and the Agreement, this Addendum shall control; provided, however, that where the Agreement imposes stricter obligations on Processor with respect to Personal Information, such stricter obligations shall apply. By signing this Addendum, the parties hereto acknowledge having read this Addendum and agree to be bound by its terms.
IN WITNESS WHEREOF, Controller and Processor have caused this Addendum to be executed by their respective duly authorized officers.
CONTROLLER: Nerdy Nuts LLC
By:
Print:
Title:

PROCESSOR: [LEGAL ENTITY]
By:
Print:
Title:
