
DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”), including Exhibit A thereto, is entered into by and between Greencard Inc. (“GC”) and you (“Service Provider”) (jointly the “Parties”) in connection with GC’s use of Service Provider’s services (“the Services”), and reflects the Parties' agreement with regard to the Processing of Consumer Personal Information in accordance with the requirements of the Applicable Privacy Laws.

This DPA shall be effective on the date Service Provider collects or Processes Consumer Personal Information (the “Effective Date”).

  1. Definitions
  1. “Applicable Privacy Laws” means all U.S. state and federal laws which govern the Processing and/or protection of data relating to Consumers, including the California Consumer Privacy Act of 2018 (“CCPA”), as amended or replaced from time to time, along with any implementing regulations.
  2. “Consumer” means any natural persons, households, or devices located in or residing in the U.S.
  3.  “Consumer Personal Information” is personal information and personal data, as defined under the Applicable Privacy Laws, of any Consumer, which is Processed by the Service Provider on behalf of GC in connection with provision of the Services.
  4. “Process”, “Processed” or “Processing” means any operation or set of operations which is performed on Consumer Personal Information or on sets of Consumer Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  5. “Regulator” means any entity which has jurisdiction to enforce GC’s and the Service Provider’s compliance with the Applicable Privacy Laws, including but not limited to the California Privacy Protection Agency.
  6. A “Security Incident” has occurred when the Service Provider has knowledge of or reasonably believes there has been: a loss of; actual or attempted unauthorized or unlawful access to, or acquisition, use, or disclosure of; or any other compromise of Consumer Personal Information within the possession or control (e.g., physical or IT environment) of the Service Provider.
  7. Terms such as “Sell”, “Share”, “Deidentify”, and “Aggregate” shall have the meaning ascribed to them in the Applicable Privacy Laws.
  2. The Service Provider’s Obligations
  1. Restrictions on Consumer Personal Information. The Service Provider will Process Consumer Personal Information only as necessary to perform the Services. The Service Provider will not under any circumstances Sell or otherwise Process Consumer Personal Information for any other purpose not directly related to providing services. The Service Provider agrees and warrants that it will not Sell Consumer Personal Information, or disclose or transfer it to any third party in exchange for any monetary or other valuable consideration.
  2. Exception for Authorized Parties. Notwithstanding the restrictions in section 3.1, the Service Provider may disclose or transfer Consumer Personal Information to its own service providers (“Authorized Parties”) to the extent that is necessary to perform the Services and in accordance with the Applicable Privacy Laws. The Service Provider shall ensure that all Authorized Parties are bound by contract terms that are no less protective of Consumer Personal Information than this DPA. Upon GC’s request, the Service Provider shall promptly provide a list of Authorized Parties that have access to Consumer Personal Information. If GC reasonably objects to any of the Service Provider’s current Authorized Parties, and the Parties are not able to agree on a suitable alternative, GC shall have the option to terminate the Services without incurring further liability.
  3. Assistance with Consumer Requests. If the Service Provider, directly or indirectly, receives a Consumer request relating to that Consumer’s Consumer Personal Information (“Request”), the Service Provider will provide a copy of the Request to GC within two business days. The Service Provider shall notify GC in writing and liaise with GC before complying with such a Request. The Service Provider shall not communicate with the Consumer regarding such Request without the written permission of GC. If GC receives the Request, the Service Provider will provide all necessary assistance at GC’s request to enable GC to respond to a Request, for example by providing GC with a copy of or access to all Consumer’s Consumer Personal Information held by the Service Provider or its Authorized Parties, or deleting all Consumer Personal Information related to a Consumer and directing its Authorized Parties to do the same. The Service Provider must provide necessary assistance within five business days of GC’s request. If the Service Provider is unable to provide the necessary assistance within five business days, the Service Provider shall promptly provide a brief explanation of the reasons for the delay or the legal basis for its refusal to do so, and, if applicable, a date certain by which it will be able to do so in writing to GC.
  4. Cooperation. Service Provider shall cooperate with and assist GC in: (a) fulfilling its legal obligations under the Applicable Privacy Laws; and (b) responding to any Regulator request or legal action.
  5. Disclosure to Law Enforcement or Government Authorities. If the Service Provider is required by law to disclose any Consumer Personal Information to law enforcement or government authorities, the Service Provider shall notify GC in writing and liaise with GC before complying with such disclosure request. If the Service Provider, either directly or indirectly, receives any communication from Regulators relating to Consumer Personal Information, the Service Provider shall provide a copy to GC within two business days. The Service Provider shall not respond to any communication from a Regulator relating to Consumer Personal Information without the express permission of GC. The Service Provider shall work in full cooperation with GC to prepare any permitted response(s) to Regulators without unreasonable delay.
  6. Retention of Consumer Personal Information. The Service Provider will retain Consumer Personal Information as directed by GC. At the termination of this DPA, or upon GC’s written request, the Service Provider will either securely destroy or return the Consumer Personal Information to GC within thirty (30) days unless the applicable law requires retention of the Consumer Personal Information for a longer period of time. If such retention is required, the Service Provider will advise GC of the basis for its retention within twenty (20) days after termination of this DPA. The Service Provider shall send GC a certification that all Consumer Personal Information has been removed from its systems within thirty (30) business days.
  7. Confidentiality. The Service Provider will treat all Consumer Personal Information as strictly confidential and will inform all employees, contractors and third parties engaged in Processing the Consumer Personal Information of the confidential nature of such information. The Service Provider shall ensure that all such persons or parties have signed adequate confidentiality contracts or are under appropriate statutory obligations of confidentiality. The Service Provider shall ensure that all employees, contractors and other third parties with access to the Consumer Personal Information complete adequate and appropriate privacy and data security training prior to having access to the Consumer Personal Information.
  8. Reasonable Security Measures and Practices. The Service Provider warrants that it has reasonable security measures and practices in place appropriate to the nature of such Consumer Personal Information to protect against a Security Incident, including at minimum the 20 controls listed in the Center for Internet Security’s Critical Security Controls and the guidelines in the California Attorney General’s 2016 Data Breach Report. Failure to have these minimum reasonable security measures and practices in place will be considered a breach of this DPA.
  9. Security Incident. Upon the Service Provider’s discovery of a Security Incident, the Service Provider shall immediately, but in no event later than 48 hours after such discovery, provide GC with written notice of the Security Incident. To the extent the Security Incident is attributable to a breach of Service Provider’s obligations under this DPA, Service Provider shall bear the reasonable costs, including attorneys’ fees, incurred by GC, or one of GC’s customers, to comply with their respective legal obligations relating to such incident under applicable data protection laws. Such costs shall include, without limitation, those related to: (i) conducting a digital forensic investigation to determine the scope of the Security Incident; (ii) preparing and distributing notification to affected individuals; (iii) providing notice to government agencies, credit bureaus, and/or other required entities; (iv) providing affected individuals identity theft protection and restoration services for a specific period not to exceed twelve months, unless a longer period is required by applicable law; (v) call center support for affected individuals for a specific period not to exceed 30 days from the date the breach notification is sent to the affected individuals; (vi) defending against litigation, and responding to government agency investigations, related to the Security Incident; and (vii) any other measures required under applicable law.
  10. Applicable Privacy Laws. In providing the services, the Service Provider agrees that it shall comply with all Applicable Privacy Laws.
  3. Audit Rights

Upon GC’s written request, to confirm the Service Provider’s compliance with this DPA, as well as any Applicable Privacy Laws, the Service Provider grants GC, or upon GC’s election, a third party on GC’s behalf, permission to perform an assessment, audit, examination or review of all controls in relation to all Consumer Personal Information being Processed by the Service Provider. Within fourteen (14) days of GC’s written request, the Service Provider shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure and application software that processes, stores, uploads, accesses, transports, or otherwise Processes Consumer Personal Information.

  4. Indemnification

The Service Provider will indemnify and hold harmless GC and its affiliates, directors, officers and employees from and against all third party claims, actions, suits, demands, judgments, losses, fines, damages, liabilities, costs, or expenses (including, without limitation, court filing fees, court costs, arbitration fees, witness fees, and attorneys’ and other professionals’ fees and disbursements), to the extent they arise out of the Service Provider’s or Authorized Parties’ breach of this DPA. The prevailing Party in any action or proceeding brought to enforce the indemnification rights, duties, and obligations under this section 5 will be entitled to recover its reasonable attorneys’ fees and costs.

  5. Termination

This DPA shall end automatically when the Services expire or are terminated. In the case of any non-compliance by the Service Provider with any of the obligations under this DPA, or the Applicable Privacy Laws, GC may, by giving written notice, immediately terminate the Services, suspend any data transmission related to the Services, or require the Service Provider to cease or suspend any or all processing of Consumer Personal Information. Termination or expiration of this DPA shall not discharge the Service Provider from its obligations meant to survive the termination or expiration of this DPA, including but not limited to sections 2.4, 2.5, 2.7, 2.8, 3, 4, and Exhibit A.

  6. General
  1. Any provision of this DPA that is prohibited or unenforceable shall be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The Parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this DPA.
  2. Facsimile or scanned signatures and signed facsimile or scanned copies of this DPA shall legally bind the Parties to the same extent as originals. This DPA may be executed in multiple counterparts all of which taken together shall constitute one single contract between the Parties.
  3. Notwithstanding anything appearing to the contrary in this DPA, no direct or indirect partner, member or shareholder of GC (or any officer, director, agent, member, manager, personal representative, trustee or employee of any such direct or indirect partner, member or shareholder) shall be personally liable for any debts or other obligations of GC or in respect of any claims against GC arising under this DPA. No personal judgment shall be sought or obtained against any direct or indirect partner, member or shareholder of GC (or any officer, director, agent, member, manager, personal representative, trustee or employee of any such direct or indirect partner, member or shareholder).

EXHIBIT A: CCPA ADDENDUM

The terms used in this CCPA Addendum (“Addendum”) shall have the definitions set forth in the California Consumer Privacy Act, as amended (“CCPA”), unless otherwise defined in this Addendum.  The term “Service Provider”, as used herein, shall also include Contractors.    

  1. Service Provider shall not Sell or Share any Personal Information it collected in connection with the Services, the DPA, or this Addendum (“GC Information”).
  2. GC is disclosing GC Information to Service Provider only for the limited and specific Business Purpose of Service Provider’s provision to GC of the Services (the “Contracted Business Purpose”).  Service Provider shall not retain, use, or disclose GC Information for any purpose other than the Contracted Business Purpose or as otherwise permitted by the CCPA.  
  3. Unless expressly permitted by the CCPA, Service Provider shall not retain, use, or disclose GC Information: (a) for any commercial purpose other than the Contracted Business Purpose; or (b) outside of Service Provider’s direct business relationship with GC, including, without limitation, by combining or updating GC Information with personal information that Service Provider received from another source or collected from its own interaction with a Consumer.
  4. Service Provider shall comply with all applicable sections of the CCPA and shall provide the level of privacy protection required of Businesses thereunder.  Such compliance shall include, without limitation: (a) cooperating with GC in responding to and complying with Consumer requests made pursuant to the CCPA; and (b) implementing reasonable security procedures and practices, appropriate to the nature of the GC Information, to protect that information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Cal. Civ. Code § 1798.81.5.    
  5. GC shall have the right to take reasonable and appropriate steps to ensure that Service Provider uses the GC Information in a manner consistent with GC’s obligations under the CCPA.  These steps may include, without limitation, manual reviews and automated scans of Service Provider’s information systems, and regular internal or third-party assessments, audits, or other technical and operational testing at least once every 12 months.
  6. In the event Service Provider determines that it can no longer comply with its obligations under the CCPA, it shall promptly notify GC of that determination.
  7. GC shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate Service Provider’s unauthorized use of GC Information, including, without limitation, requiring Service Provider to provide documentation verifying that it no longer retains or uses the information of Consumers that submitted to GC a valid request to delete.
  8. Service Provider shall reasonably cooperate with GC to comply with Consumer requests made pursuant to the CCPA.
  9. If Service Provider subcontracts with another person in connection with the Contracted Business Purpose, Service Provider shall (a) notify GC of the engagement, and (b) have a contract with such person that complies with the CCPA and this Addendum.
