This CCPA addendum (the “Addendum”) is incorporated into and forms part of the agreement for Services between Persona Identities, Inc. (“Persona”) and the counterparty executing the agreement (“Customer”) (the “Agreement”). This Addendum shall apply to Personal Information of a Consumer contained within Customer Data that is Processed by Persona in the course of providing Customer the Services under the Agreement.
1. Definitions
- “Customer Data” and “Services” have the meanings set forth in the Agreement.
- “Business,” “Collect,” “Commercial Purpose,” “Consumer,” “Personal Information,” “Process,” “Share,” “Sell” and “Service Provider,” including where applicable their cognates, have the meanings given to those terms in the CCPA.
- “Business Purpose” means Persona’s Collection and Processing of Personal Information as a Service Provider upon lawful documented instructions from Customer, including those in the Agreement, this Addendum, and Customer’s configuration of the Services or as otherwise necessary to provide the Services specified in the Agreement.
- “CCPA” means the California Consumer Privacy Act including and as modified by the California Privacy Rights Act (“CPRA”), together with any implementing regulations.
2. Relationship of the Parties
Customer is a Business, and as such Customer determines the purpose and means of processing Personal Information. Persona is a Service Provider, and as such Persona shall provide the Services and Process any Personal Information in accordance with the Agreement including this Addendum.
3. Restrictions on Use of Personal Information
Customer and Persona acknowledge that Customer is disclosing the Personal Information to Persona only for the Business Purpose. With respect to Personal Information Persona Collects pursuant to the Agreement with Customer, Persona shall not, unless otherwise expressly permitted by the CCPA:
- Sell or Share Personal Information.
- Retain, use, or disclose Personal Information for any purpose other than the Business Purpose.
- Retain, use, or disclose the Personal Information for any Commercial Purpose other than the Business Purpose.
- Retain, use, or disclose the Personal Information outside the direct business relationship between Persona and Customer.
4. Compliance with CCPA; Security
Persona shall comply with all applicable sections of the CCPA, including without limitation by providing the same level of privacy protection for Personal Information Collected from or on behalf of Customer as required of Businesses by the CCPA. Persona’s security commitments are detailed in the Agreement.
5. Audit Rights
In order for Customer to audit Persona’s compliance with its obligations under the CCPA, Persona will, on request up to once per calendar year, provide Customer with a copy of its most recent SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor on Persona’s systems.
6. Notification of Noncompliance
Persona shall notify Customer if it makes a determination that it can no longer meet its obligations under the CCPA.
7. Remediation
Persona acknowledges that Customer has the right under the CCPA, upon notice, to take reasonable and appropriate steps to stop and remediate Persona’s unauthorized use of Personal Information.
8. Consumer Rights Requests
Customer is responsible for responding to any Consumer requests relating to Personal Information (“Requests”). If Persona receives any Requests, Persona will advise that the request cannot be acted upon because the request has been sent to a Service Provider. Persona will provide Customer with self-service functionality or other reasonable assistance to permit Customer to respond to Requests as required by the CCPA.
9. Amendments
Persona may from time to time update this Addendum in accordance with the CCPA, including any changes necessary to meet Persona’s obligations under the CCPA. Any such update will be effective immediately.
10. Order of Precedence
With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and the Agreement, the provisions of this Addendum shall prevail.