This Data Processing Addendum (“DPA”) is part of, and otherwise subject to, the Customer Agreement between Civis Analytics, Inc. (“Civis”) and Customer (the “Agreement”). To the extent of any conflict between the DPA and the Agreement, the DPA will control as to the subject matter at conflict. The DPA shall be effective for the term of the Agreement.

  1. DEFINITIONS
    1. “Consumer” means as the term “consumer” is defined under Privacy Laws.
    2. “Customer Personal Data” means “Customer Data” or “Your Data,” as defined in the Agreement, to the extent Customer Data or Your Data is or includes Personal Data of Consumers.
    3. “Personal Data” means “personal information” or “personal data” as the terms are defined under Privacy Laws. To the extent applicable to the DPA, “personal information” and “personal data” include “sensitive personal information” and “sensitive data,” respectively, as the terms are defined under Privacy Laws.
    4. “Privacy Laws” means applicable United States data privacy laws and their implementing regulations.
    5. “Processing” (and any other tenses of the term) means as the term “processing” is defined under Privacy Laws.
    6. “Processor” means as the terms “service provider” or “processor” are defined under Privacy Laws.
    7. Terms Not Defined Herein. Unless otherwise defined herein, capitalized terms used in the DPA shall have the meaning assigned to them in the Agreement.
  2. CUSTOMER TERMS
    1. Customer will provide notice to Consumers regarding any disclosures of Customer Personal Data to Civis as required by applicable law, including, without limitation, Privacy Laws. 
    2. Customer shall comply with, and be solely liable for its compliance with, Privacy Laws, including with respect to Customer’s use of Civis Solutions.
  3. PROCESSOR TERMS
    Except where Section 4 (Third Party Terms) applies, Civis acts as Processor of Customer Personal Data that Civis Processes with respect to Civis Solutions, pursuant to the following terms: 
    1. Details of the Processing. The details of the Processing of Customer Personal Data under the Agreement, SOW, and/or Order are further described in Schedule 1 to the DPA. 
    2. Instructions and Purposes for Processing. Customer Personal Data will be Processed on behalf of and under the instructions of Customer and as otherwise permitted by Processor under Privacy Laws. The Agreement, SOW, and/or Order, to the extent such provisions relate to the Processing of Customer Personal Data, is considered part of Customer’s instructions for the Processing of Customer Personal Data. Customer may issue further instructions on the condition that such instructions are in accordance with the Agreement, SOW, and/or Order. For the avoidance of doubt, Customer’s actions via Civis Platform constitute Customer’s instructions for the Processing of Customer Personal Data. 
    3. Compliance with Privacy Laws. Civis will comply with its applicable obligations under Privacy Laws and, with respect to the California Consumer Privacy Act (“CCPA”), provide the same level of privacy protection as required of Civis under the CCPA. 
    4. Confidentiality of Customer Data. Civis will ensure that each authorized person that Processes Customer Personal Data on behalf of Civis is subject to an appropriate obligation of confidentiality. 
    5. Subprocessors. Civis will only engage subprocessors (i) pursuant to a written agreement where the subprocessor is subject to contractual terms at least as restrictive as those set forth in this Section 3 (where such restrictions are applicable given the nature of the services provided by such subprocessor); and (ii) after notifying Customer and, where required by Privacy Laws, providing Customer with an opportunity to object. See here for the list of Civis subprocessors.
    6. Data Protection Assessments. Civis will provide Customer with reasonable support for the completion and documentation of data protection assessments as required under Privacy Laws. 
    7. Consumer Requests. With respect to consumer rights requests made pursuant to Privacy Laws (each, a “Consumer Request”),
      1. To the extent possible, Customer shall use the capabilities provided within Civis Platform to fulfill Consumer Requests received by Customer directly without further involvement from Civis. Customer will inform Civis of any such Consumer Request that requires further involvement from Civis and Customer will provide the information necessary for Civis to cooperate with Customer for Customer’s compliance with such Consumer Request, after which Civis will provide Customer with reasonable cooperation with respect to such Consumer Request.  
      2. Civis will promptly notify and forward to Customer any Consumer Request that Civis receives, to the extent it is clear that such Consumer Request clearly references that it is in relation to Customer. For the avoidance of doubt, Customer is responsible for communicating with the Consumer with respect to the Consumer Request; however, Civis may communicate with the Consumer that submitted the Consumer Request to confirm receipt and forwarding to Customer. Civis shall not engage in any other communications with the Consumer unless otherwise mutually agreed by both parties in writing.
    8. Deletion or Return of Customer Data. Upon Termination of the Agreement, Civis will promptly delete Customer Personal Data Processed by Civis in relation to Civis Solutions, unless retention of the Customer Personal Data is otherwise required by applicable law or as part of Civis’s regular backup procedures and data retention policy. Prior to Termination of the Agreement, Customer may request in writing that Civis return a copy of all Customer Personal Data Processed by Civis in relation to Civis Solutions.
    9. Audit. Where required under applicable law,
      1. Civis will allow for, and contribute to, reasonable audit and inspection by Customer (in either case of audit and inspection, an “Audit”) pursuant to the terms set forth in Section 3.9.2 and Section 3.9.3.
      2. With respect to any Audit conducted pursuant to Section 3.9.1, the Parties agree that any such Audit must be conducted:
        • (a) upon reasonable written notice to Civis and at Customer’s sole cost and expense, which includes compensating Civis for its participation in such Audit at Civis’s standard professional services rates; 
        • (b) only during Civis’s normal business hours; 
        • (c) in a manner that does not disrupt Civis’s business;
        • (d) without involvement by Civis’s vendors (including subprocessors);
        • (e) remotely (e.g., via electronic transfers of documentation, via teleconferencing), except where otherwise mutually agreed by Customer and Civis in writing; and
        • (f) at most, once per every twelve (12) months (unless otherwise required under Privacy Laws).
      3. With respect to any Audit conducted pursuant to Section 3.9.1, Customer (and, where applicable, a third-party independent auditor appointed by the Customer) shall: 
        • (a) enter into a confidentiality agreement with Civis prior to the Audit in such form as Civis may request; 
        • (b) ensure that its personnel comply with Civis policies and procedures with respect to access to Civis’s premises and systems, as notified to Customer by Civis; and
        • (c) not have access to (i) Civis’s trade secrets or source code, (ii) Confidential Information relating to Civis’s other customers or Civis’s vendors (including subprocessors), (iii) any site or property of Civis’s other customers or Civis’s vendors (including subprocessors) or to any personnel of such other customers or vendors, (iv) any of Civis’s financial or employee information, or (v) any Civis Confidential Information not necessary for the purposes of the Audit.
    10. Security. Taking into account the context of Processing, with respect to its use and provision of Civis Solutions, Customer and Civis will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, respectively. 
    11. CCPA. Further, to the extent the CCPA applies to Customer Personal Data Processed by Civis pursuant to this Section 3: 
      1. Civis is prohibited from:
        • (a) “Selling” or “sharing” Customer Personal Data (as such terms are defined under the CCPA);
        • (b) Retaining, using or disclosing Customer Personal Data for any purpose other than for the business purpose(s) specified in the Agreement and/or an Order or SOW, except where otherwise permitted by the CCPA. The parties agree that the purposes specified in the Agreement and/or an Order or SOW align with the “business purpose” (as such term is defined under the CCPA) set forth in Cal. Civ. Code 1798.140(e)(5); 
        • (c) Retaining, using or disclosing Customer Personal Data outside of the direct business relationship between the Parties, except where otherwise permitted by the CCPA; and
        • (d) Combining Customer Personal Data with Personal Data that Civis receives from or on behalf of another person or persons or that Civis collects from its own interaction with Consumers, except where otherwise permitted by the CCPA.
      2. Customer will have the right to take reasonable and appropriate steps to help ensure that Civis uses Customer Personal Data in a manner consistent with Customer’s obligations under the CCPA by conducting an Audit pursuant to Section 3.9. 
      3. Civis shall notify Customer if Civis determines that Civis can no longer meet its obligations under the CCPA. Customer has the right, upon such notice by Civis, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data by requiring Civis to cease Processing such Customer Personal Data in an unauthorized manner and to provide written documentation to Customer that Civis no longer Processes such Customer Personal Data in such unauthorized manner. 
  4. THIRD PARTY TERMS
    To the extent the CCPA applies to Customer Personal Data Processed by Civis with respect to Civis Solutions for which Civis cannot act as a Processor under the CCPA, Civis acts as a “third party” (as such term is defined in the CCPA) with respect to such Customer Personal Data under the CCPA, pursuant to the following terms:
    1. The parties agree that Customer Personal Data is disclosed by Customer to Civis only for the limited and specified purposes set out in the Agreement, SOW, and/or Order.
    2. Civis shall comply with applicable obligations under the CCPA and provide the same level of privacy protection as required under the CCPA.
    3. Customer will have the right to take reasonable and appropriate steps to help ensure that Civis uses Customer Personal Data in a manner consistent with Customer’s obligations under the CCPA by conducting an Audit pursuant to Section 3.9. 
    4. Civis shall notify Customer if Civis makes a determination that Civis can no longer meet its obligations under the CCPA. Customer has the right, upon such notice by Civis, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data by requiring Civis to cease Processing such Customer Personal Data in an unauthorized manner and to provide written documentation to Customer that Civis no longer Processes such Customer Personal Data in such unauthorized manner.

SCHEDULE 1 

DETAILS OF PROCESSING

Categories of Data Subjects

The categories of data subjects whose Personal Data are Processed are as set forth in the applicable Order or SOW.

Categories of Personal Data

The categories of Personal Data Processed are as set forth in the applicable Order or SOW.

Nature and Purpose of Processing

To provide the Civis Solutions and/or Deliverables set forth in the applicable Order or SOW.

Duration

The duration is the term of the applicable Order or SOW.

Last Updated April 1, 2023