
Business Associate Agreement

This BUSINESS ASSOCIATE AGREEMENT (the “Agreement”) is entered into by and between Client (referred to as “Covered Entity”) and Jackson Lewis P.C. (“Business Associate”).

I.    DEFINITIONS  

Except as otherwise provided herein, the terms used in this Agreement shall have the same meaning as those terms in the Electronic Transaction, Security or Privacy Rule, as the case may be.

Specific definitions:

  • (a) Electronic Transaction Rule means the standards for processing Standard Transactions and Code Sets at 45 CFR Parts 160 and 162.
  • (b) Individual has the same meaning as the term “individual” in 45 CFR §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
  • (c) Personal Information (“PI”) means any data in whatever format that is subject to federal or state laws requiring the safeguarding of, and regulating and restricting access, collection, use, disclosure, processing, destruction, and free movement of individually identifiable personal information.
  • (d) Privacy Rule means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160-164.
  • (e) Protected Health Information (“PHI”) has the same meaning as the term “protected health information” in 45 CFR §160.103, including electronic protected health information, but limited to the information created or received by Business Associate from or on behalf of Covered Entity.
  • (f) Secretary means the Secretary of the Department of Health and Human Services or his designee.
  • (g) Security Rule means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Parts 160-164.
  • (h) Final Rule means the regulations issued by the Secretary which were published on January 25, 2013, that amend the Privacy Rule and Security Rule and implement the changes made under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

II.    OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

  • (a) Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by this Agreement or as required by law. To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under the Privacy Rule (specifically, Subpart E of 45 CFR Part 164), Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
  • (b) Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of Protected Health Information other than as provided for by this Agreement. In addition, Business Associate agrees to implement administrative, physical, and technical safeguards consistent with the requirements of the Security Rule that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate will comply with the Privacy Rule and the Security Rule to the extent required under Subpart C of 45 CFR Part 164 with respect to electronic PHI, and the Final Rule, which shall include but not be limited to 45 CFR Sections 164.308, 164.310, 164.312 and 164.316.
  • (c) Business Associate agrees to report to Covered Entity (i) any use or disclosure of Protected Health Information not provided for by this Agreement, (ii) any Security Incident, (iii) any Breach of Unsecured Protected Health Information, or (iv) to the extent required under any state breach notification statute, any unauthorized acquisition or access to Personal Information, as soon as possible, but not later than 10 calendar days following the date it becomes aware of such use or disclosure, Security Incident, Breach or unauthorized acquisition or access; provided, however, that to avoid unnecessary burden on either party, Jackson Lewis shall report to Covered Entity any Unsuccessful Security Incidents of which it becomes aware of only upon request of the Covered Entity. The frequency, content, and the format of the report of Unsuccessful Security Incidents shall be mutually agreed upon by the Parties. If the definition of “Security Incident” is amended under the Security Rule to remove the requirement for reporting “unsuccessful” attempts to use, disclose, modify, or destroy electronic PHI, then this Section shall be amended so that the provisions relating to “Unsuccessful Security Incidents” no longer apply as of the effective date of such change to the law. For the purposes of this Agreement, “Unsuccessful Security Incidents” mean Security Incidents that do not result in unauthorized access, use, disclosure, modification, or destruction of electronic PHI.
  • (d) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information or Personal Information received from, or created or received by Business Associate on behalf of, Covered Entity, or who itself creates, receives, maintains or transmits Protected Health Information or Personal Information on behalf of Business Associate agrees in writing to the substantially similar restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.  
  • (e) Business Associate agrees to provide access, at the request of Covered Entity and in a reasonable time and manner, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to enable Covered Entity to meet the requirements under 45 CFR §164.524.  
  • (f) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request of Covered Entity or an Individual, and in a reasonable time and manner as required under the Privacy Rule.
  • (g) Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, in a reasonable time and manner or as designated by the Secretary, for purposes of determining Covered Entity's compliance with the Privacy Rule.
  • (h) Business Associate agrees to document all disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR §164.528. Business Associate further agrees to maintain and make available to Covered Entity all such documentation and information.
  • (i) Business Associate agrees to provide to Covered Entity or an Individual, in a reasonable time and manner, information collected in accordance with the preceding paragraph (h), to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR §164.528.
  • (j) Business Associate agrees to mitigate to the extent practicable any harmful effect known to Business Associate of any Security Incident, Breach of Unsecured Protected Health Information, or unauthorized acquisition or access to Personal Information.
  • (k) If Business Associate conducts any Standard Transaction for or on behalf of Covered Entity, Business Associate shall comply with the requirements under the Electronic Transaction Rule.
  • (l) To the extent Business Associate creates or receives Personal Information from Covered Entity, or on behalf of Covered Entity, it shall collect, maintain, process, handle, use, disclose and destroy all Personal Information in compliance with all applicable data privacy and protection laws and maintain a comprehensive data privacy and security program, which shall include appropriate administrative, physical, technical and organizational measures to safeguard such data against the unauthorized access, possession, use, knowledge, process, disclosure, destruction, loss, alteration or theft, and which shall be no less rigorous than generally accepted privacy and security standards.
  • (m) To the extent any Breach of Unsecured Protected Health Information or unauthorized acquisition or access to Personal Information is attributable to a breach of the obligations under this Agreement by Business Associate, Business Associate shall bear the costs incurred by Covered Entity to the extent it is necessary for Covered Entity to comply with its statutory obligations relating to such breach under the applicable breach notification statute or regulation. This obligation shall include the following costs reasonably appropriate and incurred by Covered Entity in responding to such breach: (1) the reasonable cost of preparing and distributing notifications to affected individuals, and (2) the reasonable cost of providing notice to government agencies, credit bureaus, and/or other required entities.
  • (n) To the extent Business Associate receives, stores, processes, or otherwise deals with any patient records from the Covered Entity that are entitled to protection under the federal regulations issued at 42 CFR Part 2, Business Associate agrees to be bound by those regulations. In addition, if necessary, Business Associate will resist in judicial proceedings any efforts to obtain access to such patient records except as permitted by 42 CFR Part 2.
  • (o) Except for payments from Covered Entity for services performed pursuant to this Agreement and the Services Agreement, Business Associate may not directly or indirectly receive remuneration in exchange for PHI or PI.
  • (p) Business Associate may not use or disclose Protected Health Information or Personal Information for research or marketing purposes without first receiving prior written approval from the Covered Entity and obtaining the necessary authorization from the affected individuals.

III.    PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

General Use and Disclosure Provisions
 
Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the engagement letter (“Services Agreement”), provided that such use or disclosure would not violate (i) the Privacy Rule if done by Covered Entity or (ii) the minimum necessary requirements under HIPAA.

Specific Use and Disclosure Provisions

  • (a) Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
  • (b) Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that (i) disclosures are required by law, or (ii)(A) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and (ii)(B) the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
  • (c) Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B).
  • (d) Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with §164.502(j)(1).

IV.    OBLIGATIONS OF COVERED ENTITY

  • (a) Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.
  • (b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.
  • (c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.
  • (d) Covered Entity shall at all times be in compliance with the Electronic Transaction, Security and Privacy Rule under HIPAA, including the Final Rule and all other applicable guidance applicable hereto.
  • (e) Except as otherwise provided in this Agreement, Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.

V.    TERM AND TERMINATION

  • (a) Term. The term of this Agreement shall be effective as of the date indicated below, and shall terminate when all of the Protected Health Information and Personal Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, except as provided below.
  • (b) Termination for Cause. Upon either party’s knowledge of a material breach of the Agreement by the other party, the non-breaching party shall either:
    • (1) Provide an opportunity for breaching party to cure the breach or end the violation and terminate this Agreement and the underlying services agreement, if any, if the breaching party does not cure the breach or end the violation within a reasonable time specified by the non-breaching party; or
    • (2) Immediately terminate this Agreement and the underlying services agreement, if any, if the breaching party has breached a material term of this Agreement and, in the non-breaching party’s sole discretion, cure is not possible.
  • (c) Effect of Termination.
    • (1) Except as provided in paragraph (2) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information and Personal Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, subject to any record retention requirements under the Agreement or required by law. This provision shall apply to Protected Health Information and Personal Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information and Personal Information.
    • (2) In the event that Business Associate determines that returning or destroying the Protected Health Information and Personal Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon such determination that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections and obligations of this Agreement to such Protected Health Information and Personal Information and limit further uses and disclosures of such Protected Health Information and Personal Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information and Personal Information.  

VI.    MISCELLANEOUS

  • (a) Regulatory References. A reference in this Agreement to a section in the Electronic Transaction, Privacy or Security Rule means the section as in effect or as amended.
  • (b) Amendment. In the event that additional standards are promulgated, or any existing standards are amended, including without limitation the Privacy Standards, Security Standards, and the Transactions and Code Sets Standards, the parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA, or any applicable state law, as amended.  Except as herein otherwise provided, no amendment or modification of, or supplement to, this Agreement shall be binding unless duly executed in writing by each of the parties hereto.
  • (c) Survival. The respective rights and obligations of Business Associate under the Section of this Agreement entitled “Effect of Termination” shall survive the termination of this Agreement.
  • (d) Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Electronic Transaction, Privacy or Security Rule.
  • (e) Cooperation. Business Associate will fully cooperate with Covered Entity and render such assistance as may be reasonably required in the event of litigation or administrative proceedings with respect to any violation or claimed violation of the HIPAA Privacy and Security Standards, related laws, or state breach notification laws.
  • (f) Counterparts. This Agreement may be executed in two or more counterparts, each of which together shall be deemed an original, but all of which together shall constitute one and the same instrument. In the event that any signature is delivered by facsimile transmission or by email delivery of a ".pdf" format data file, such signature shall create a valid and binding obligation of the party executing (or on whose behalf such signature is executed) with the same force and effect as if such facsimile or ".pdf" signature page were an original thereof.
  • (g) Successors and Assigns. This Agreement and each party’s obligations hereunder will be binding on the representatives, assigns, and successors of such party and will inure to the benefit of the assigns and successors of such party; provided, however, that any such assignment shall not be effective absent the consent of the non-assigning party, which shall not be unreasonably withheld or delayed.
  • (h) No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than parties and their respective successors or assigns, any rights, remedies, or obligations whatsoever.
  • (i) Nature of relationship. No provision of this Agreement is intended to create, nor shall be deemed or construed to create, any employment, agency or joint venture relationship between the Covered Entity and Business Associate other than that of independent entities contracting with each other hereunder solely for the purpose of effectuating the provisions of this Agreement and the underlying agreements. None of the parties nor any of their respective representatives shall be construed to be the agent, employer, or representative of the other. The parties have reviewed the factors to determine whether an agency relationship exists under the federal common law of agency and it is not the intention of either the Covered Entity or Business Associate that Business Associate constitute an “agent” under such common law.
  • (j) Governing Law. This Agreement will be governed by and interpreted in accordance with the laws of the State of New York, without regard to principles of conflicts of law. Each party irrevocably agrees that any legal action, suit or proceeding brought by it in any way arising out of this Agreement must be brought solely and exclusively in state or federal courts located in the State of New York, and each party irrevocably submits to the sole and exclusive jurisdiction of these courts in personam, generally and unconditionally with respect to any action, suit or proceeding brought by it or against it by the other party.
  • (k) Entire Agreement. This Agreement sets forth the full and complete understanding of the parties hereto with regard to its subject matter.
  • (l) Waiver. The failure of the Covered Entity or Business Associate to object or to take affirmative action with respect to any conduct of the other which is in violation of this Agreement shall not be construed as a waiver of that violation or any prior or future violations of this Agreement.
  • (m) Headings. The sections and subsections headings used herein are for reference and convenience only, and shall not enter into the interpretation thereof.
  • (n) Notices. Any notice which is to be given by one party to the other under this Agreement will be given in writing and delivered to the postal and email addresses of the other party. A notice will be effective upon receipt thereof by the other party. Either party may change its address for service by giving notice to the other party in accordance with this paragraph.

State Privacy Law Addendum

THIS STATE LAW PRIVACY ADDENDUM (Addendum) supplements the Master Services Agreement or Engagement Letter (Agreement) entered into between Jackson Lewis P.C. and/or their respective subsidiaries (collectively, “Service Provider”) and the client or customer identified in the applicable Agreement to whom services outlined therein are provided ("Customer") (referred to collectively as the “Parties”), solely to the extent that the provision of services to Customer pursuant to such Agreement requires that Service Provider access, create, collect, process, retain, or disclose personal information of consumers, as defined below.

WHEREAS, Customer desires to provide or make available to Service Provider, or permit Service Provider to access, create, collect, process, retain, or disclose certain personal information for the purposes of providing some or all of the services described in the Agreement (Services);

WHEREAS, Service Provider desires to access, create, collect, process, retain, and/or disclose certain of the Customer’s personal information as necessary and appropriate to perform the Services under the Agreement;

NOW, THEREFORE, in consideration of the mutual covenants, and for continuing to perform the Services, the Parties agree as follows.

California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 (“CCPA/CPRA”) Provisions 

The following California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 provisions (“Provisions”) are incorporated into Agreement by and between Service Provider and Customer with an effective date the same as for the Agreement. The obligations of this section of the Addendum shall apply solely to the extent that the personal information is covered by the CCPA/CPRA.

  1. Definitions. The following definitions and rules of interpretation apply in these Provisions:
    1. CCPA means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General or the California Privacy Protection Agency, as applicable. Terms defined in the CCPA, including personal information and business purposes, carry the same meaning in these Provisions.
    2. “Contracted Business Purposes” means the Services described in the Agreement.
    3. CPRA means the California Privacy Rights Act of 2020 which amended the CCPA, and any related regulations or guidance provided by the California Attorney General or the California Privacy Protection Agency, as applicable. Terms defined in the CPRA, including sensitive personal information and sharing, carry the same meaning in these Provisions. 
    4. “Authorized Persons” means the persons or categories of persons that authorize Customer to provide or permit the Service Provider to access personal information for processing in accordance with their instructions.
  2.  Customer’s Obligations.
    1. Customer will provide or otherwise make available, directly or indirectly, only the minimum necessary personal information to perform the Services.
    2. Customer represents that it has provided all required notices and/or obtained any required consents or authorizations necessary to provide or make available personal information to Service Provider.
    3. Upon Service Provider’s request, Customer will cooperate with Service Provider to understand the nature and extent of the personal information being provided or made available to Service Provider.
    4. Customer will provide or otherwise make personal information available to Service Provider in a secure manner as required by law.
  3. Service Provider’s CCPA/CPRA Obligations.
    1. Service Provider will only collect, use, retain, or disclose personal information collected pursuant to the Agreement as reasonably necessary and proportionate to achieve the Contracted Business Purposes for which Customer provides or permits personal information access in accordance with the Customer’s instructions from Authorized Persons, and as permitted under the Agreement or as required by law. For example, and without limitation, the Service Provider may make internal use of personal information to build or improve the quality of its services, provided such use is not to perform services on behalf of another person. Service Provider will not be obligated to follow instructions from any persons at the Customer other than Authorized Persons.
    2. Service Provider will not collect, use, retain, disclose, or otherwise make personal information collected pursuant to the Agreement available for Service Provider’s own commercial purposes, outside of the Contracted Business Purposes, or in a way that does not comply with the CCPA/CPRA, nor will it sell or share personal information belonging to Customer. If a law requires the Service Provider to disclose personal information collected pursuant to the Agreement for a purpose unrelated to the Contracted Business Purposes, the Service Provider must first inform the Customer of the legal requirement and give the Customer a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice. In the event Customer fails to respond promptly and Service Provider determines, in its sole discretion, such disclosure is required by law, Service Provider may make the disclosure and shall not be liable therefor in any way under the Agreement or these Provisions.
    3. Service Provider may not combine personal information collected pursuant to the Agreement with personal information that it receives from or on behalf of another person or persons, or that Service Provider may collect from its own interaction with the customer, except as otherwise permitted under the CCPA/CPRA.
    4. Service Provider will promptly comply with any reasonable Customer request or instruction from Authorized Persons requiring the Service Provider to provide, amend, limit, transfer, or delete the personal information collected pursuant to the Agreement, or to stop, mitigate, or remedy any unauthorized processing of personal information collected pursuant to the Agreement, except where otherwise required; provided, however, that the obligations in this paragraph shall (i) extend only to requests made by consumers or those authorized to act on behalf of consumers under the CCPA/CPRA, and (ii) in the case of deletion of personal information collected pursuant to the Agreement, apply only to the extent the deletion is impossible or involves disproportionate effort. Service Provider reserves the right to charge Customer its then current fees for responding to such requests or instructions. The obligations in this paragraph are subject to the nature of the processing and information available to Service Provider.
    5. If the Contracted Business Purposes require the collection of personal information directly from consumers on the Customer’s behalf, Service Provider will provide a CCPA/CPRA-compliant notice at collection (described under CCPA/CPRA Sec. 1798.100) addressing categories of personal information collected and the purpose(s) of their use or collection that the Customer specifically pre-approves in writing. Service Provider will not modify or alter the notice in any way without the Customer’s prior written consent.
    6. Service Provider will maintain reasonable and appropriate technical and organizational measures to protect personal information collected pursuant to the Agreement.
  4. Assistance with Customer’s CCPA/CPRA Obligations.
    1. To the extent related to the Contracted Business Purposes, Service Provider will reasonably cooperate and assist Customer with meeting the Customer’s CCPA/CPRA compliance obligations and responding to verifiable consumer requests as required under the CCPA/CPRA with respect to personal information collected pursuant to the Agreement, taking into account the nature of the Service Provider’s processing and the information available to the Service Provider. In its role as service provider and with respect to personal information collected pursuant to the Agreement, Service Provider will not be required to comply with a request submitted directly to Service Provider by a consumer, but shall promptly inform Customer of the request and reasonably cooperate with Customer as required under this Agreement and the CCPA/CPRA.
    2. To the extent required by the CCPA/CPRA, Service Provider will permit Customer to take reasonable and appropriate steps to ensure Service Provider uses personal information collected pursuant to the Agreement in a manner consistent with Customer’s obligations under the applicable provisions of the CCPA/CPRA.
    3. Service Provider must notify Customer promptly if it receives any complaint, notice, or communication that directly or indirectly relates to either Party’s compliance with the CCPA/CPRA with respect to personal information collected pursuant to the Agreement, or if Service Provider determines it cannot meet its obligations under the applicable provisions of the CCPA/CPRA.
    4. The Service Provider will permit Customer, upon thirty (30) days advance written notice, to take reasonable and appropriate steps to stop and remediate the use of personal information collected pursuant to the Agreement that is unauthorized under the CCPA/CPRA and these Provisions.
  5. Subcontracting.
    1. Service Provider may use subcontractors to provide the Contracted Business Services. Any subcontractor used must qualify as a service provider under the CCPA/CPRA to the extent any such subcontractor would be required to collect, use, maintain, or disclose personal information collected pursuant to the Agreement hereunder, and Service Provider may not make any disclosures of personal information collected pursuant to the Agreement to the subcontractor that the CCPA/CPRA would treat as a sale or sharing of personal information.
    2. Service Provider will notify Customer in the event it engages any other person to assist Service Provider in processing personal information collected pursuant to the Agreement for a business purpose on behalf of the Customer, and in such case, the engagement shall be pursuant to a written contract that includes the applicable obligations in these Provisions, to the extent required by the CCPA/CPRA.
  6. General.
    1. Nothing in the Agreement or these Provisions, whether expressed or implied, is intended to confer any rights or remedies under or by reason of same on any persons, including consumer, other than the Parties to it and their respective successors and permitted assigns, nor shall any provisions give any third parties any right of subrogation or action against any Party to the Agreement.
    2. Both Parties will comply with all applicable requirements of the CCPA/CPRA when collecting, using, retaining, or disclosing personal information collected pursuant to the Agreement, including providing the same level of privacy protections required thereunder.
    3. Service Provider understands these Provisions and the CCPA/CPRA’s restrictions and prohibitions on selling or sharing personal information collected pursuant to the Agreement and retaining, using, or disclosing personal information collected pursuant to the Agreement outside of the Parties’ direct business relationship, and it will comply with them.
    4. For avoidance of doubt, the Provisions apply only to the extent required under the CCPA. For example, and without limitation, these Provisions do not apply to personal information that is collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). The Provisions also do not apply to any protected health information that is collected, processed, sold, or disclosed pursuant to the federal Health Insurance Portability and Accountability Act, and implementing regulations.  

Utah Consumer Privacy Act (“UCPA”) Provisions 

If applicable, the provisions in this section concerning the Utah Consumer Privacy Act (“Provisions”) are incorporated into the Agreement by and between Service Provider and Customer, with an effective date the same as for the Agreement. The obligations of this section of the Addendum shall apply solely to the extent that Customer is a controller as defined under UCPA and the personal data is covered by the UCPA.

  1. Definitions. The following definitions and rules of interpretation apply in these Provisions:
    1. UCPA means the Utah Consumer Privacy Act, as amended (Utah Code Ann. §§ 13-61-101 to 13-61-404), and any related regulations or guidance provided by the Utah Attorney General. Terms defined in the UCPA, including personal data, carry the same meaning in these Provisions.
    2. “Contracted Business Purposes” means the Services described in the Agreement.
    3. “Authorized Persons” means the persons or categories of persons that authorize Customer to provide the Service Provider with personal data for processing in accordance with their instructions.
  2. Customer’s Obligations.
    1. Customer will provide or otherwise make available, directly or indirectly, only the minimum necessary personal information to perform the Services.
    2. Customer represents that it has provided all required notices and/or obtained any required consents or authorizations necessary to provide or make available personal information to Service Provider.
    3. Upon Service Provider’s request, Customer will cooperate with Service Provider to understand the nature and extent of the personal information being provided or made available to Service Provider.
    4. Customer will provide or otherwise make personal information available to Service Provider in a secure manner as required by law.
  3. Service Provider’s UCPA Obligations.
    1. Service Provider will only collect, use, retain, or disclose personal data collected pursuant to the Agreement as reasonably necessary and proportionate to achieve the Contracted Business Purposes for which Customer provides or permits personal data access in accordance with the Customer’s instructions from Authorized Persons, and as permitted under the Agreement or as required by law. Service Provider will not be obligated to follow instructions from any persons at the Customer other than Authorized Persons.
    2. Service Provider will not sell personal data collected pursuant to the Agreement belonging to Customer.
    3. Service Provider will ensure each person processing personal data under this Agreement is subject to a duty of confidentiality with respect to the personal data.
    4. If a law requires the Service Provider to disclose personal data collected pursuant to the Agreement for a purpose unrelated to the Contracted Business Purposes, the Service Provider must first inform the Customer of the legal requirement and give the Customer a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice. In the event Customer fails to respond promptly and Service Provider determines, in its sole discretion, such disclosure is required by law, Service Provider may make the disclosure and shall not be liable therefor in any way under the Agreement or these Provisions.
    5. Service Provider will promptly comply with any reasonable Customer request or instruction from Authorized Persons reasonably necessary for Service Provider to provide, amend, limit, transfer, or delete the personal data collected pursuant to the Agreement, or to stop, mitigate, or remedy any unauthorized processing of personal data collected pursuant to the Agreement, except where required; provided, however, that the obligations in this paragraph shall (i) extend only to requests made by consumers or those authorized to act on behalf of consumers under the UCPA, and (ii) in the case of deletion of personal data, apply only to the extent the deletion is impossible or involves disproportionate effort. Service Provider reserves the right to charge Customer its then current fees for responding to such requests or instructions. The obligations in this paragraph are subject to the nature of the processing and information available to Service Provider collected pursuant to the Agreement. In its role as processor, Service Provider will not be required to comply with a request submitted directly to Service Provider by a consumer, but shall promptly inform Customer of the request and reasonably cooperate with Customer as required under these Provisions and the UCPA.
    6. Service Provider will delete or return all personal data obtained or created in connection with the Contracted Business Purposes to Customer and delete any existing copies of same upon termination of the Agreement, except where applicable law requires or permits Service Provider to retain copies of such personal data.
    7. Service Provider will maintain reasonable and appropriate technical and organizational measures appropriate to the applicable risk related to personal data collected pursuant to the Agreement.
  4. Subcontracting.
    1. Service Provider may use subcontractors to provide the Contracted Business Services. Any subcontractor used must agree in writing to meet substantially similar obligations as Service Provider under these Provisions solely with respect to personal data under the UCPA collected pursuant to the Agreement.
  5. General.
    1. Nothing in the Agreement or these Provisions, whether expressed or implied, is intended to confer any rights or remedies under or by reason of same on any persons, including consumers, other than the Parties to it and their respective successors and permitted assigns, nor shall any provisions give any third parties any right of subrogation or action against any Party to the Agreement.
    2. Both Parties will comply with all applicable requirements of the UCPA when collecting, using, retaining, or disclosing personal data collected pursuant to the Agreement, including providing the same level of privacy protections required thereunder.
    3. For avoidance of doubt, the Provisions apply only to the extent required under the UCPA. For example, and without limitation, these Provisions do not apply to personal information that is collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations. The Provisions also do not apply to any protected health information that is collected, processed, sold, or disclosed pursuant to the federal Health Insurance Portability and Accountability Act, and implementing regulations.  

Virginia Consumer Data Privacy Act (“VCDPA”) Provisions 

If applicable, the provisions in this section concerning the Virginia Consumer Data Privacy Act (“Provisions”) are incorporated into the Agreement by and between Service Provider and Customer, with an effective date the same as for the Agreement. The obligations of this section of the Addendum shall apply solely to the extent that Customer is a controller as defined under VCDPA and the personal data is covered by the VCDPA.

  1. Definitions. The following definitions and rules of interpretation apply in these Provisions:
    1. VCDPA means the Virginia Consumer Data Privacy Act, as amended (Va. Code Ann. §§ 59.1-571 to 59.1-581), and any related regulations or guidance provided by the Virginia Attorney General. Terms defined in the VCDPA, including personal data, carry the same meaning in these Provisions.
    2. “Contracted Business Purposes” means the Services described in the Agreement.
    3. “Authorized Persons” means the persons or categories of persons that authorize Customer to provide the Service Provider with personal data for processing in accordance with their instructions.
  2. Customer’s Obligations
    1. Customer will provide or otherwise make available, directly or indirectly, only the minimum necessary personal information to perform the Services.
    2. Customer represents that it has provided all required notices and/or obtained any required consents or authorizations necessary to provide or make available personal information to Service Provider.
    3. Upon Service Provider’s request, Customer will cooperate with Service Provider to understand the nature and extent of the personal information being provided or made available to Service Provider.
    4. Customer will provide or otherwise make personal information available to Service Provider in a secure manner as required by law.
  3. Service Provider’s VCDPA Obligations
    1. Service Provider will only collect, use, retain, or disclose personal data collected pursuant to the Agreement as reasonably necessary and proportionate to achieve the Contracted Business Purposes for which Customer provides or permits access to personal data collected pursuant to the Agreement in accordance with the Customer’s instructions from Authorized Persons, and as permitted under the Agreement or as required by law. Service Provider will not be obligated to follow instructions from any persons at the Customer other than Authorized Persons.
    2. Service Provider will not sell personal data collected pursuant to the Agreement belonging to Customer.
    3. Service Provider will ensure each person processing personal data under these Provisions is subject to a duty of confidentiality with respect to the personal data collected pursuant to the Agreement.
    4. If a law requires the Service Provider to disclose personal data collected pursuant to the Agreement for a purpose unrelated to the Contracted Business Purposes, the Service Provider must first inform the Customer of the legal requirement and give the Customer a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice. In the event Customer fails to respond promptly and Service Provider determines, in its sole discretion, such disclosure is required by law, Service Provider may make the disclosure and shall not be liable therefor in any way under the Agreement or these Provisions.
    5. Service Provider will promptly comply with any reasonable Customer request or instruction from Authorized Persons reasonably necessary for Service Provider to provide, amend, limit, transfer, or delete the personal data collected pursuant to the Agreement, or to stop, mitigate, or remedy any unauthorized processing of personal data collected pursuant to the Agreement, except where required; provided, however, that the obligations in this paragraph shall (i) extend only to requests made by consumers or those authorized to act on behalf of consumers under the VCDPA, and (ii) in the case of deletion of personal data collected pursuant to the Agreement, apply only to the extent the deletion is impossible or involves disproportionate effort. Service Provider reserves the right to charge Customer its then current fees for responding to such requests or instructions. The obligations in this paragraph are subject to the nature of the processing and information available to Service Provider. In its role as processor, Service Provider will not be required to comply with a request submitted directly to Service Provider by a consumer, but shall promptly inform Customer of the request and reasonably cooperate with Customer as required under this Agreement and the VCDPA.
    6. The Service Provider may arrange for a qualified and independent assessor to conduct an assessment of the Service Provider’s policies and technical and organizational measures in support of its obligations under the VCDPA with respect to personal data collected pursuant to the Agreement using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Service Provider shall provide a report of such assessment to Customer upon written request.
    7. Upon the reasonable request of Customer and no less than thirty (30) days advance notice, Service Provider will make available to Customer information necessary to demonstrate Service Provider’s compliance with its obligations under the VCDPA with respect to personal data collected pursuant to the Agreement to the extent required thereunder.
    8. Service Provider will delete or return all personal data obtained or created in connection with the Contracted Business Purposes to Customer and delete any existing copies of same upon termination of the Agreement, except where applicable law requires or permits Service Provider to retain copies of such personal data.
    9. Service Provider will maintain reasonable and appropriate technical and organizational measures appropriate to the applicable risk related to personal data collected pursuant to the Agreement.
  4. Subcontracting
    1. Service Provider may use subcontractors to provide the Contracted Business Services. Any subcontractor used must agree in writing to meet substantially similar obligations as Service Provider under these Provisions solely with respect to personal data collected pursuant to the Agreement under the VCDPA.
  5. General
    1. Nothing in the Agreement or these Provisions, whether expressed or implied, is intended to confer any rights or remedies under or by reason of same on any persons, including consumers, other than the Parties to it and their respective successors and permitted assigns, nor shall any provisions give any third parties any right of subrogation or action against any Party to the Agreement.
    2. Both Parties will comply with all applicable requirements of the VCDPA when collecting, using, retaining, or disclosing personal data collected pursuant to the Agreement.
    3. For avoidance of doubt, the Provisions apply only to the extent required under the VCDPA. For example, and without limitation, these Provisions do not apply to personal information that is collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations. The Provisions also do not apply to any protected health information that is collected, processed, sold, or disclosed pursuant to the federal Health Insurance Portability and Accountability Act, and implementing regulations.

Colorado Privacy Act (“CPA”) Provisions 

If applicable, the provisions in this section concerning the Colorado Privacy Act (“Provisions”) are incorporated into the Agreement by and between Service Provider and Customer, with an effective date the same as for the Agreement. The obligations of this section of the Addendum shall apply solely to the extent that Customer is a controller as defined under CPA and the personal data is covered by the CPA.

  1. Definitions. The following definitions and rules of interpretation apply in these Provisions:
    1. CPA means the Colorado Privacy Act, as amended (Colo. Rev. Stat. §§ 6-1-1301 et seq.), and any related regulations or guidance provided by the Colorado Attorney General. Terms defined in the CPA, including personal data, carry the same meaning in these Provisions.
    2. “Contracted Business Purposes” means the Services described in the Agreement.
    3. “Authorized Persons” means the persons or categories of persons that authorize Customer to provide the Service Provider with personal data for processing in accordance with their instructions.
  2. Customer’s Obligations
    1. Customer will provide or otherwise make available, directly or indirectly, only the minimum necessary personal information to perform the Services.
    2. Customer represents that it has provided all required notices and/or obtained any required consents or authorizations necessary to provide or make available personal information to Service Provider.
    3. Upon Service Provider’s request, Customer will cooperate with Service Provider to understand the nature and extent of the personal information being provided or made available to Service Provider.
    4. Customer will provide or otherwise make personal information available to Service Provider in a secure manner as required by law.
  3. Service Provider’s CPA Obligations
    1. Service Provider will only collect, use, retain, or disclose personal data collected pursuant to the Agreement as reasonably necessary and proportionate to achieve the Contracted Business Purposes for which Customer provides or permits access to personal data collected pursuant to the Agreement in accordance with the Customer’s instructions from Authorized Persons, and as permitted under the Agreement or as required by law. Service Provider will not be obligated to follow instructions from any persons at the Customer other than Authorized Persons.
    2. Service Provider will not sell personal data collected pursuant to the Agreement belonging to Customer.
    3. Service Provider will ensure each person processing personal data under these Provisions is subject to a duty of confidentiality with respect to the personal data collected pursuant to the Agreement.
    4. If a law requires the Service Provider to disclose personal data collected pursuant to the Agreement for a purpose unrelated to the Contracted Business Purposes, the Service Provider must first inform the Customer of the legal requirement and give the Customer a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice. In the event Customer fails to respond promptly and Service Provider determines, in its sole discretion, such disclosure is required by law, Service Provider may make the disclosure and shall not be liable therefor in any way under the Agreement or these Provisions.
    5. Service Provider will promptly comply with any reasonable Customer request or instruction from Authorized Persons reasonably necessary for Service Provider to provide, amend, limit, transfer, or delete the personal data collected pursuant to the Agreement, or to stop, mitigate, or remedy any unauthorized processing of personal data collected pursuant to the Agreement, except where required; provided, however, that the obligations in this paragraph shall (i) extend only to requests made by consumers or those authorized to act on behalf of consumers under the CPA, and (ii) in the case of deletion of personal data collected pursuant to the Agreement, apply only to the extent the deletion is impossible or involves disproportionate effort. Service Provider reserves the right to charge Customer its then current fees for responding to such requests or instructions. The obligations in this paragraph are subject to the nature of the processing and information available to Service Provider. In its role as processor, Service Provider will not be required to comply with a request submitted directly to Service Provider by a consumer, but shall promptly inform Customer of the request and reasonably cooperate with Customer as required under these Provisions and the CPA.
    6. The Service Provider may arrange for a qualified and independent assessor to annually conduct an assessment of the Service Provider’s policies and technical and organizational measures in support of its obligations under the CPA with respect to personal data collected pursuant to the Agreement using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Service Provider shall provide a report of such assessment to Customer upon written request.
    7. Upon the reasonable request of Customer and no less than thirty (30) days advance notice, Service Provider will make available to Customer information necessary to demonstrate Service Provider’s compliance with its obligations under the CPA with respect to personal data collected pursuant to the Agreement.
    8. Service Provider will delete or return all personal data obtained or created in connection with the Contracted Business Purposes to Customer and delete any existing copies of same upon termination of the Agreement, except where applicable law requires or permits Service Provider to retain copies of such personal data.
    9. Service Provider will maintain reasonable and appropriate technical and organizational measures appropriate to the applicable risk related to personal data collected pursuant to the Agreement. Service Provider will reasonably cooperate with Customer to allocate responsibilities concerning the security of personal data collected pursuant to the Agreement and to implement the applicable measures.
  4. Subcontracting
    1. Service Provider may use subcontractors to provide the Contracted Business Services provided that it must first provide Customer with an opportunity to reasonably object without unreasonable delay.
    2. Any subcontractor used must agree in writing to meet substantially similar obligations as Service Provider under these Provisions solely with respect to personal data under the CPA collected pursuant to the Agreement.
  5. General
    1. Nothing in the Agreement or these Provisions, whether expressed or implied, is intended to confer any rights or remedies under or by reason of same on any persons, including consumers, other than the Parties to it and their respective successors and permitted assigns, nor shall any provisions give any third parties any right of subrogation or action against any Party to the Agreement.
    2. Both Parties will comply with all applicable requirements of the CPA when collecting, using, retaining, or disclosing personal data collected pursuant to the Agreement.
    3. For avoidance of doubt, the Provisions apply only to the extent required under the CPA. For example, and without limitation, these Provisions do not apply to personal information that is collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations. The Provisions also do not apply to any protected health information that is collected, processed, sold, or disclosed pursuant to the federal Health Insurance Portability and Accountability Act, and implementing regulations.

Connecticut’s Act concerning personal data privacy and online monitoring (“Act”) Provisions

If applicable, the provisions in this section concerning Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (“Provisions”) are incorporated into the Agreement by and between Service Provider and Customer, with an effective date the same as for the Agreement. The obligations of this section of the Addendum shall apply solely to the extent that Customer is a controller as defined under the Act and the personal data is covered by the Act.

  1. Definitions. The following definitions and rules of interpretation apply in these Provisions:
    1. Act means the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, as amended (S.B. No. 6), and any related regulations or guidance provided by the Connecticut Attorney General. Terms defined in the Act, including personal data, carry the same meaning in these Provisions.
    2. “Contracted Business Purposes” means the Services described in the Agreement.
    3. “Authorized Persons” means the persons or categories of persons that authorize Customer to provide the Service Provider with personal data for processing in accordance with their instructions.
  2. Customer’s Obligations
    1. Customer will provide or otherwise make available, directly or indirectly, only the minimum necessary personal information to perform the Services.
    2. Customer represents that it has provided all required notices and/or obtained any required consents or authorizations necessary to provide or make available personal information to Service Provider.
    3. Upon Service Provider’s request, Customer will cooperate with Service Provider to understand the nature and extent of the personal information being provided or made available to Service Provider.
    4. Customer will provide or otherwise make personal information available to Service Provider in a secure manner as required by law.
  3. Service Provider’s Obligations Under the Act
    1. Service Provider will only collect, use, retain, or disclose personal data collected pursuant to the Agreement as reasonably necessary and proportionate to achieve the Contracted Business Purposes for which Customer provides or permits access to personal data collected pursuant to the Agreement in accordance with the Customer’s instructions from Authorized Persons, and as permitted under the Agreement or as required by law. Service Provider will not be obligated to follow instructions from any persons at the Customer other than Authorized Persons.
    2. Service Provider will not sell personal data collected pursuant to the Agreement belonging to Customer.
    3. Service Provider will ensure each person processing personal data under these Provisions is subject to a duty of confidentiality with respect to the personal data collected pursuant to the Agreement.
    4. If a law requires the Service Provider to disclose personal data collected pursuant to the Agreement for a purpose unrelated to the Contracted Business Purposes, the Service Provider must first inform the Customer of the legal requirement and give the Customer a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice. In the event Customer fails to respond promptly and Service Provider determines, in its sole discretion, such disclosure is required by law, Service Provider may make the disclosure and shall not be liable therefor in any way under the Agreement or these Provisions.
    5. Service Provider will promptly comply with any reasonable Customer request or instruction from Authorized Persons reasonably necessary for Service Provider to provide, amend, limit, transfer, or delete the personal data collected pursuant to the Agreement, or to stop, mitigate, or remedy any unauthorized processing of personal data collected pursuant to the Agreement, except where required; provided, however, that the obligations in this paragraph shall (i) extend only to requests made by consumers or those authorized to act on behalf of consumers under the Act, and (ii) in the case of deletion of personal data collected pursuant to the Agreement, apply only to the extent the deletion is impossible or involves disproportionate effort. Service Provider reserves the right to charge Customer its then current fees for responding to such requests or instructions. The obligations in this paragraph are subject to the nature of the processing and information available to Service Provider. In its role as processor, Service Provider will not be required to comply with a request submitted directly to Service Provider by a consumer, but shall promptly inform Customer of the request and reasonably cooperate with Customer as required under these Provisions and the Act.
    6. The Service Provider may arrange for a qualified and independent assessor to conduct an assessment of the Service Provider’s policies and technical and organizational measures in support of its obligations under the Act with respect to personal data collected pursuant to the Agreement using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Service Provider shall provide a report of such assessment to Customer upon written request.
    7. Upon the reasonable request of Customer and no less than thirty (30) days advance notice, Service Provider will make available to Customer information necessary to demonstrate Service Provider’s compliance with its obligations under the Act with respect to personal data collected pursuant to the Agreement to the extent required thereunder.
    8. Service Provider will delete or return all personal data obtained or created in connection with the Contracted Business Purposes to Customer and delete any existing copies of same upon termination of the Agreement, except where applicable law requires or permits Service Provider to retain copies of such personal data.
    9. Service Provider will maintain reasonable and appropriate technical and organizational measures appropriate to the applicable risk related to personal data collected pursuant to the Agreement.
  4. Subcontracting
    1. Service Provider may use subcontractors to provide the Contracted Business Services. Any subcontractor used must agree in writing to meet substantially similar obligations as Service Provider under these Provisions solely with respect to personal data under the Act collected pursuant to the Agreement.
  5. General
    1. Nothing in the Agreement or these Provisions, whether expressed or implied, is intended to confer any rights or remedies under or by reason of same on any persons, including consumers, other than the Parties to it and their respective successors and permitted assigns, nor shall any provisions give any third parties any right of subrogation or action against any Party to the Agreement.
    2. Both Parties will comply with all applicable requirements of the Act when collecting, using, retaining, or disclosing personal data collected pursuant to the Agreement.
    3. For avoidance of doubt, the Provisions apply only to the extent required under the Act. For example, and without limitation, these Provisions do not apply to personal information that is collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations. The Provisions also do not apply to any protected health information that is collected, processed, sold, or disclosed pursuant to the federal Health Insurance Portability and Accountability Act, and implementing regulations.