Faraday Data Processing Addendum


Date of Last Revision: September 1st, 2024

This Data Processing Addendum (“Addendum”) is incorporated by reference into the Agreement (defined below) entered into between Faraday, Inc. (“Faraday”) and the specific client entity identified as a counterparty in the Agreement (“Client”). This Addendum is only valid and legally binding when Client Personal Data is processed by Faraday on behalf of Client in the course of Faraday providing Faraday Products to Client pursuant to the Agreement that expressly incorporates this Addendum. This Addendum forms an integral part of such Agreement.

For purposes of this Addendum, “Agreement” means a subscription agreement between Faraday and a specific client under which Faraday Products are provided by Faraday to that client.  All capitalized terms used in this Addendum but not defined herein shall have the meanings set forth in the Agreement.

This Addendum sets forth provisions that govern, to the extent required by applicable law, Faraday’s processing of Client Personal Data (as defined below) pertaining to residents of the United States.  These provisions are intended to supplement the provisions in the Agreement.  To the extent of any conflict or inconsistency between this Addendum and the remaining terms of the Agreement, this Addendum will govern.

This Addendum may be updated periodically.  In the event of any updates, Faraday will notify Client of the same by email at the email notice address provided by Client in an Order Form(s).

1.        General Terms

A.        The type of data that is subject to processing and governed by this Addendum is that identified and defined herein as “Client Personal Data”.

B.        The nature and specific business purposes of processing Client Personal Data, and Client’s instructions to Faraday for processing such data, are as described in Annex 1 of this Addendum.  Client is disclosing Client Personal Data to Faraday only for such limited and specified business purposes.

C.        The duration of processing of Client Personal Data is for the term specified in the Agreement and any Order Forms incorporated into the Agreement.

D.        Definitions:

i.        “Data Privacy Law” means all applicable U.S. laws, and regulations promulgated thereunder, relating to privacy, data protection, data security, or the processing of data pertaining to residents of the United States, including the California Consumer Privacy Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, the Connecticut Data Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, the Montana Consumer Data Privacy Act, the Delaware Personal Data Privacy Act (effective 1/1/2025), the Iowa Consumer Data Protection Act (effective 1/1/2025), the New Hampshire Privacy Act (effective 1/1/2025), the Nebraska Data Privacy Act (effective 1/1/2025), the New Jersey Data Protection Act (effective 1/15/2025), the Tennessee Information Protection Act (effective 7/1/2025), the Minnesota Consumer Data Privacy Act (effective 7/31/2025), the Maryland Online Data Privacy Act of 2024 (effective 10/1/2025), the Indiana Consumer Data Protection Act (effective 1/1/2026), the Kentucky Consumer Data Protection Act (effective 1/1/2026), and the Rhode Island Data Transparency and Privacy Protection Act (effective 1/1/2026).

ii.        “Client Personal Data” means “personal information” or “personal data” – as those terms are defined in the applicable Data Privacy Law and its implementing rules, procedures, exceptions, guidelines and regulations – that is contained in Client Data furnished to Faraday in connection with Faraday’s provision of the Faraday Product(s) under the Agreement.

iii.        “Consumer” means the term “consumer” as it is defined in the applicable Data Privacy Law.

E.        Faraday shall collect, retain, use, disclose, and otherwise process Client Personal Data solely to fulfill its obligations to Client in order to provide the Faraday Product(s) for Client as described in the Agreement.  Without limiting the foregoing, Client further authorizes Faraday to collect, retain, use, disclose, and/or otherwise process Client Personal Data:

i.        To comply with Client’s written instructions and directions within the Faraday Product(s), as may be provided by Client to Faraday from time to time.

ii.        To comply with applicable law.

iii.        To comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.

iv.        To cooperate with law enforcement agencies concerning conduct or activity that Client, Faraday, or a third party reasonably and in good faith believes may violate federal, state, or local law.

v.        To exercise or defend legal claims.

vi.        To prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent, or illegal activity.

vii.        As described in Section 5.2 (“Client Data Use”) of the Terms or any similar provision of the Agreement.  

F.        In the event of any accidental, unauthorized, or unlawful destruction, loss, alteration, access, or disclosure of Client Personal Data, or if such data becomes damaged, corrupted, or unusable, Faraday shall promptly notify Client of the same.  Further, in such event both Client and Faraday shall comply with all applicable data breach notification laws.

2.        Additional Terms Specific to Processing of Personal Data of Consumers Residing in the State of California

A.        This Section 2 applies only to Faraday’s processing of Client Personal Data that is subject to the California Consumer Privacy Act (CCPA), as expressly identified by Client prior to processing by Faraday.

B.        For purposes of this Section 2, Client is a “business” as defined in the California Consumer Privacy Act (CCPA), and Faraday is a “service provider” as defined in the CCPA.

C.        Definitions for purposes of this Section 2:

i.        “Sensitive Client Personal Data” is Client Personal Data that meets the definition of “sensitive personal information” under the CCPA.

ii.        “Sell”, “Selling”, “Sale”, and “Sold” shall have the meaning set forth for such terms in the CCPA.

iii.        “Share”, “Shared”, and “Sharing” shall have the meaning set forth for such terms in the CCPA.

D.        Faraday shall comply with all applicable sections of the CCPA and its implementing regulations, including, with respect to the Client Personal Data, providing the same level of privacy protection as required of Client by the CCPA and its implementing regulations.

E.        Faraday shall implement reasonable security procedures and practices appropriate to the nature of the Client Personal Data to protect such data from unauthorized or illegal access, destruction, use, modification, or disclosure.

F.        Faraday shall assist Client through appropriate technical and organizational measures in complying with the requirements of the CCPA, taking into account the nature of Faraday’s processing of Client Personal Data.

G.        Faraday shall cooperate with Client in responding to and complying with any Consumer requests made pursuant to the CCPA.  For this purpose, Client shall inform Faraday of any Consumer request that Faraday must comply with and provide instructions and the information necessary for Faraday to comply with the request.  Faraday shall not be required to comply with a request received directly from a Consumer regarding Client Personal Data, and instead shall notify Client of such request.

H.        Faraday shall limit or cease its use of Sensitive Client Personal Data in accordance with any instructions provided by Client.

I.        Faraday shall notify Client promptly if it makes a determination that it can no longer meet its obligations under the CCPA and its implementing regulations.

J.        Faraday shall not Sell or Share any Client Personal Data.

K.        Faraday shall not retain, use, or disclose Client Personal Data for any purpose other than the business purposes specified in the Agreement and this Addendum or as otherwise permitted by the CCPA and its implementing regulations.

L.        Faraday shall not retain, use, or disclose Client Personal Data that it has collected pursuant to the Data Processing Agreement outside the direct business relationship between Faraday and Client, unless expressly permitted by the CCPA or its implementing regulations.

M.        Faraday shall not combine or update Client Personal Data with personal information/data that it has collected or received outside the scope of the Agreement or this Addendum, unless expressly permitted by the CCPA or its implementing regulations.

N.        Faraday shall permit Client to take reasonable and appropriate steps to ensure that Faraday uses and treats Client Personal Data in a manner consistent with Client’s obligations under the CCPA and its implementing regulations.

O.        Client may, upon notice to Faraday, take reasonable and appropriate steps to stop and remediate any unauthorized use of Client Personal Data by Faraday.

P.        If Faraday engages any other person to assist it in processing Client Personal Data for a business purpose on behalf of Client, or if any other person engaged by Faraday engages another person to assist in processing Client Personal Data for that business purpose, (i) Faraday shall notify Client of such engagement by identifying the same in https://faraday.ai/security, and (ii) the engagement shall be pursuant to a written contract binding the other person to observe all the requirements of the CCPA and its implementing regulations.

3.        Additional Terms Specific to Processing of Personal Data of Consumers Residing in U.S. States Other Than California

A.        This Section 3 applies only to Faraday’s processing of Client Personal Data that is subject to the Data Privacy Law (excluding the CCPA), as expressly identified by Client prior to processing by Faraday.

B.        For purposes of this Section 3, Client is a “controller” as defined in the applicable Data Privacy Law, and Faraday is a “processor” as defined in the applicable Data Privacy Law.

C.        Faraday shall assist Client in meeting or complying with Client’s obligations under the applicable Data Privacy Law, including:

i.        Taking into account the nature of Faraday’s processing of Client Personal Data and the information available to Faraday, by implementing appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the Client’s obligation to respond to Consumer rights requests pursuant to the applicable Data Privacy Law.

ii.        Taking into account the nature of Faraday’s processing of Client Personal Data and the information available to Faraday, by assisting Client in meeting the Client’s obligations in relation to the security of processing the Client Personal Data.

iii.        Taking into account the nature of Faraday’s processing of Client Personal Data and the information available to Faraday, by assisting Client in meeting the Client’s notification obligations, pursuant to all applicable U.S. data breach notification laws, in the event of a Client Personal Data breach experienced by Faraday.

iv.        Providing necessary information to enable Client to conduct and document data protection assessments pursuant to the applicable Data Privacy Law.

D.        Faraday shall ensure that each person processing Client Personal Data is subject to a duty of confidentiality with respect to such data.

E.        Taking into account the context of Faraday’s processing, how Faraday processes the Client Personal Data, and the information available to Faraday, Faraday shall implement appropriate administrative, technical, and physical safeguards that are reasonably designed to protect the security and confidentiality of the Client Personal Data and ensure a level of security appropriate to the risk.

F.        Faraday shall, at Client’s direction, delete all Client Personal Data to Client as requested at the end of the provision of the Faraday Products unless retention of the Client Personal Data is required by law.

G.        Upon the reasonable request of Client, Faraday shall make available to Client all information in its possession necessary to demonstrate Faraday’s compliance with the requirements and obligations in the applicable Data Privacy Law.

H.        Faraday shall allow, cooperate with, and contribute to reasonable assessments, audits, and inspections by Client or Client’s designated assessor.  Alternatively, Faraday may, with Client’s consent, arrange for a qualified and independent assessor to conduct, at least annually and at Faraday’s expense, an assessment of Faraday’s policies and technical and organizational measures in support of the obligations under the applicable Data Privacy Law using an appropriate and accepted control standard or framework and assessment procedure for such assessments as applicable.  Faraday shall provide a report of such assessment to Client upon request.

I.        Faraday may engage a subcontractor hereunder to process Client Personal Data, provided that (i) Faraday notifies Client of such engagement by identifying the same in https://faraday.ai/security, and (ii) such engagement is pursuant to a written contract in accordance with the applicable Data Privacy Law that requires the subcontractor to meet the obligations of the applicable Data Privacy Law with respect to the Client Personal Data.

4.        Client Obligations

A.        Client shall comply with applicable Data Privacy Law, including without limitation, and to the extent required: (i) providing legally required notices; (ii) providing required mechanisms to facilitate all Consumer rights and requests; (iii) honoring all Consumer rights and requests; and (iv) otherwise ensuring that Client and Faraday have any and all rights required in order for Faraday to collect, retain, use, disclose, and otherwise process Client Personal Data under the Agreement and this Addendum.

B.        Client shall not direct Faraday to collect, retain, use, disclose, or otherwise process Client Personal Data in violation of applicable Data Privacy Law or other applicable law.

C.        Client understands and agrees that, except as otherwise provided in this Addendum, it is solely responsible for responding to Consumers’ requests and that Faraday shall have no responsibility to respond directly to an individual on Client’s behalf, absent written instructions from Client.

D.        If in the course of providing the Faraday Product(s), Faraday provides personal information/data to Client, Client shall not process such personal information/data in ways that do not comply with Data Privacy Law, the Agreement, or this Addendum.

5.        Limitation of Liability

A.        As this Addendum is part of the Agreement, the total aggregate liability of Faraday, including any liability for its service providers’ violations, under or in connection with this Addendum will be subject to, and count toward, the agreed aggregate limits on liability under the Agreement.

6.        Changes in Data Protection Legislation; New Features and Functionality.  

A.        This Addendum is subject to amendment by Faraday at any time as required as a result of (i) any change in, or decision of a competent authority under, any Data Privacy Law, to allow processing of Client Personal Data to be done (or continue to be done) without breach of any Data Privacy Law.  Faraday will post any amendments to this Addendum at https://faraday.ai/legal/dpa.  Client’s continued use of the Faraday Product(s) after any such amendments are posted constitutes Client’s acceptance of such amendments.


ANNEX I: PROCESSING DETAILS

Categories of Data Subjects whose Personal Data is Processed

Categories of Personal Data Processed:

Nature of the Processing

Purpose(s) of the Data Processing