This Data Processing Addendum (“DPA”) is between ScreenSteps, Inc. (“Company”) and ScreenSteps, Inc. 's Customers (“Partner”), collectively the “Parties” and each a “Party” to this DPA. This DPA amends and forms part of the written agreement between the Parties titled ScreenSteps Data Processing Addendum dated August 13, 2024 (the “Agreement”). This DPA prevails over any conflicting term of the Agreement to the extent necessary to resolve the conflict.
Section One - Definitions
- “Consumer” means an individual who is a Colorado, Utah, Virginia, Oregon, New Jersey, or Iowa resident acting only in an individual or household context; a Connecticut, Texas, Montana, Delaware, New Hampshire, or Nebraska resident not acting in a commercial or employment context; or a California resident.
- “Controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.
- “CPA” means the Colorado Privacy Act, as amended from time to time and all other Colorado data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
- “CPOMA” means the Connecticut Act Concerning Personal Data and Online Monitoring (Public Act 22-15), as amended from time to time, and all other Connecticut data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
- “CPRA” means the California Consumer Privacy Act of 2018, as amended from time to time, including the California Privacy Rights Act of 2020, and all other California data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
- “Data Protection Assessment” means a data protection assessment as defined in Section 6-1-1309 of the Colorado Revised Statutes, Section 59.1-576 of the Code of Virginia, and the CPOMA Sec. 8, Section 8 of the OCPA, Section 541.105 of the TDPSA, Section 9 of the MCDPA, Section 9 of the NJDPA, Section 12D-108 of the DPDPA, Section 507-H:8 of the NHPA, and Section 16 of the NDPA; or a risk assessment as outlined in Cal. Civ. Code § 1798.185(a)(15)(B).
- “Data Protection Law” means all applicable privacy and data protection laws, including the CPOMA, CPRA, CPA, UCPA, VCDPA, OCPA, TDPSA, MCDPA, NJDPA, DPDPA, NHPA, NDPA as well as all other data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
- “Data Subject” means an individual to whom the Personal Data relates.
- “DPDPA” means the Delaware Personal Data Protection Act, as amended from time to time and all other Delaware data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
- “ICDPA” means the Iowa Consumer Data Protection Act, as amended from time to time and all other Iowa data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
- “Identified or identifiable natural person” means a person who can be readily identified, directly or indirectly.
- “MCDPA” means the Montana Consumer Data Privacy Act, as amended from time to time and all other Montana data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
- “NDPA” means the Nebraska Data Privacy Act, as amended from time to time and all other New Hampshire data protection laws, regulations, and regulatory guidance, as may be amended from time to time.
- “NHPA” means the New Hampshire Privacy Act, as amended from time to time and all other New Hampshire data protection laws, regulations, and regulatory guidance, as may be amended from time to time.
- “NJDPA” means the New Jersey Data Privacy Act, as amended from time to time and all other New Jersey data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
- “OCPA” means the Oregon Consumer Privacy Act, as amended from time to time and all other Oregon data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
- “Personal Data” means information that is linked or reasonably linkable to an identified or identifiable individual Consumer. Personal Data includes, for example, name, contact information, identification number, location data, online identifier, IP address, as defined in Data Protection Law.
- “Processing,” means any operation or set of operations performed, whether by manual or automated means, on Personal Data or on sets of Personal Data, such as the Collection, use, Sale, storage, retention, disclosure, analysis, deletion, or modification of Personal Data and includes the actions of a Controller directing a Processor to process Personal Data.
- “Processor” means an individual who, or legal entity that, processes personal data on behalf of a controller.
- “Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Data to a third party for monetary or other valuable consideration.
- “Share” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Data to a third party for Cross-Context Behavioral Advertising, whether or not for monetary or other valuable consideration, as defined in Data Protection Law.
- “Supervisory Authority” means (1) the attorney general and district attorneys of Colorado; (2) the California Privacy Protection Agency and the Attorney General of California; (3) the Attorney General of the Commonwealth of Virginia, (4) the Attorney General of Connecticut, (5) the Department of Commerce Division of Consumer Protection and the Attorney General of Utah; (6) the Attorney General of Texas, (7) the Attorney General of Oregon; (8) the Attorney General of Montana; (9) the Attorney General of New Jersey; (10) the Attorney General of Iowa; (11) the Delaware Department of Justice; (12) the Attorney General of New Hampshire; and (13) the Attorney General of Nebraska.
- “Targeted Advertising” means displaying to a Consumer an advertisement that is selected based on Personal Data obtained or inferred over time from the Consumer's activities across nonaffiliated websites, applications, or online services to predict Consumer preferences or interests.
- “TDPSA” means the Texas Data Privacy and Security Act, as amended from time to time and all other Texas data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
- “UCPA” means the Utah Consumer Privacy Act, as amended from time to time and all other Utah data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
- “VCDPA” means the Virginia Consumer Data Protection Act, as amended from time to time and all other Virginia data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
Section Two - Scope
This DPA applies to Processing Personal Data subject to Data Protection Law, as laid out in this DPA and the Agreement. The purposes, methods, and duration of the Personal Data Processing; the categories of Personal Data Processed; retention periods; and protection measures are laid out in this DPA and its Annex.
Section Three - Roles
- Company is the Processor.
- Partner is the Controller.
- Company will only Process Personal Data on behalf of Partner in accordance with this DPA and other written instructions of Partner, and may not Process Personal Data for purposes or using methods other than those included in Partner’s written instructions, including this DPA.
- Partner instructs Company to Process Personal Data as a Processor as outlined in this DPA and in compliance with Data Protection Law.
Section Four - Obligations of Partner
Partner represents and warrants that it will comply with Data Protection Law and only instruct Company to Process Personal Data to the extent such Processing is lawful according to Data Protection Law.
Section Five - Obligations of Company
- Taking into account the nature of Processing and the information available to Company, Company will take reasonable measures to safeguard the security of the Personal Data it Processes as a Processor on behalf of Partner.
- Taking into account the nature of Processing and the information available to Company, and insofar as reasonably practical, Company will assist Partner in fulfilling Partner’s obligations under Data Protection Law by appropriate technical and organizational measures, including assisting Company in performing any Data Protection Assessments necessary for Company to comply with Data Protection Law.
- Company will notify Partner without undue delay after becoming aware of a Personal Data breach involving Personal Data Processed by Company on behalf of Partner.
- Company will not sell or share Personal Data except as instructed by Partner.
- Company will not retain, use, or disclose Personal Data it processes on Partner’s behalf for any purpose other than those listed in Annex I to this DPA.
- Company will not retain, use, or disclose Personal Data it processes on Partner’s behalf outside of the direct business relationship between Company and Partner.
- Company will not combine the Personal Data it processes on Partner’s behalf with Personal Data it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that Company may combine Personal Data as permitted by Data Protection Law.
- In the event Company determines that it can no longer meet its obligations under Data Protection Law, Company will notify Partner of such determination without undue delay.
Section Six - Audit
- Company will allow for, and contribute to, reasonable audits and inspections by Partner or Partner’s designated auditor. Each Party will bear its own costs related to such audits.
- With Partner’s consent, in lieu of an audit overseen by Partner as described in subparagraph 1 above, Company may arrange for a qualified and independent auditor to conduct, at least annually and at Company’s expense, an audit of Company’s policies and technical and organizational measures in support of the obligations under the Data Protection Law using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. The Company will provide a report of the audit to Partner upon request.
- Company will allow and contribute to any audits by the Supervisory Authority.
Section Seven - Data Retention
Upon the termination of the Agreement or this DPA, or if the Agreement or this DPA does not take effect, is void, or has been canceled, Company, at Partner’s direction, will return the Personal Data it Processes on behalf of Partner to Partner or delete it, and may not retain such Personal Data, unless otherwise required by law.
Section Eight - Confidentiality
- Company will keep Personal Data, and all information relating to its Processing, in strict confidence. Company will ensure that all personnel authorized to Process Personal Data are subject to a contractual or statutory obligation of confidentiality.
- Company will not disclose Personal Data Processed on behalf of Partner to any third party without the consent of Partner, or as otherwise provided in this DPA.
Section Nine - Use of Subprocessors
- Partner authorizes Company to engage the subprocessors listed at https://trust.screensteps.com/subprocessors to Process Personal Data on behalf of Partner.
- Partner further authorizes Company to engage other subprocessors to Process Personal Data on behalf of Partner after reasonably notifying Partner at least 30 days in advance of such engagements by subscribing to notifications through the ScreenSteps Trust Center located at https://trust.screensteps.com/subprocessors.
- Partner may object in writing to the engagement of a subprocessor prior to the engagement of the subprocessor. Company will provide Partner with the information necessary to enable Partner to exercise its right to object.
- If Company engages a subprocessor to Process Personal Data in accordance with this DPA, Company must enter into a written agreement with the subprocessor that imposes the same obligations on the subprocessor as are imposed on Company under this DPA.
Section Ten - Notice
Company will make all notifications, including security-related notifications, required under this DPA via email from privacy@screensteps.com. Partner will make any notifications required under this DPA privacy@screensteps.com.
Section Eleven - Modifications
This DPA may only be modified by a written amendment signed by all Parties, with the exception of changes to the Annex to this DPA, which may be amended by an unsigned written agreement between the Parties.
Section Twelve - Invalidity and Severability
If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision will not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
Section Thirteen - Term
The term of this DPA is the same as that of the Agreement.
ANNEX I - Description of Processing
Description of Processing
Purpose(s) for Processing:
The purposes for which Personal Data is going to include: provide the ScreenSteps Inc. Software service to customers, provide customer service, monitor health of the system as well as security to our customers.
Method(s) of Processing:
The Company will use cloud storage techniques and state-of-the-art technology to encrypt Partner’s Personal Data.
Categories of Personal Data Processed:
Data contained in Partner Account Data, Partner Usage Data, and any Personal Data provided by Partner (including any Personal Data Customer collects from its end users and processes through its use of the Services) or collected by in order to provide the Services or as otherwise set forth in the Agreement or this DPA. Categories of Personal Data include name, email, job title, IP addresses, and username.
Retention Period (Duration of Processing):
Company will process Customer’s Personal Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for Company’s legitimate business needs; or (iii) by applicable law or regulation. Company Account Data and Company Usage Data will be processed and stored as set forth in Company’s privacy policy.