Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into by and between HCM Unlocked® LLC, a limited liability company organized and existing under the laws of Florida, with its principal place of business at 1221 Brickell Avenue, Suite 900, Miami, Florida 33131 (hereinafter “HCM Unlocked” or “Consultant”), and the entity identified as the Client in the applicable Sales Contract (“Client”).
This DPA is incorporated into and forms part of the HCM Unlocked LLC® Master Service Agreement (the “MSA”), accessible at https://www.hcmunlocked.com/agreements. In the event of any conflict between this DPA and the MSA with respect to the subject matter herein, this DPA shall control. This DPA supersedes and replaces all prior data protection agreements between the Parties. All capitalized terms not defined in this DPA shall have the meaning assigned in the MSA.
- Definitions. For purposes of this DPA, the following terms shall have the meanings set forth below:
“Applicable Laws” means U.S. federal, state, and local laws, rules, and regulations relating to cybersecurity, data protection, or privacy that:
- are expressly applicable to Consultant in its role as a service provider in performing Services under the MSA;
- have been identified in writing by Client to Consultant prior to execution of this Agreement or any applicable Sales Contract (if specific to Client’s business);
- are in effect as of the Effective Date of this Agreement; and
- apply specifically to the Services provided by Consultant.
“Applicable Laws” shall not include: (a) laws applicable solely to Client in its capacity as a business or data controller; (b) laws that would require Consultant to fundamentally alter its business operations or Services; (c) laws of jurisdictions outside the United States unless Consultant has expressly agreed in writing to comply; or (d) laws enacted after the Effective Date unless Consultant has expressly agreed in writing to comply.
Client shall be solely responsible for identifying all Applicable Laws relevant to its business and for notifying Consultant in writing of any specific compliance requirements under such laws that apply to Consultant’s Services.
Applicable Laws include, to the extent they meet the criteria above, the following:
- NYDFS Cybersecurity Regulation, 23 NYCRR Part 500
- The Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6821 et seq.
- FTC Financial Privacy Rule, 16 CFR Part 313
- FTC Safeguards Rule, 16 CFR Part 314
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191, including the Administrative Simplification provisions (Sections 261–264)
- California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code §§ 1798.100–1798.199, as amended by the California Privacy Rights Act of 2020 (CPRA) and implementing regulations
- California Privacy Rights Act of 2020 (CPRA), Cal. Civ. Code §§ 1798.100 et seq., including any implementing regulations, as amended or superseded
“Breach Event” means any incident in which the security of Personal Data is compromised, resulting in the unintentional or unlawful destruction, loss, misplacement, alteration, unauthorized disclosure of, or access to Personal Data that has been transmitted, stored, or otherwise processed.
“Business” means Client, as defined in §1798.140 of the CCPA, who determines the purposes and means of Processing Personal Data and on whose behalf Consultant Processes such data pursuant to this Agreement and the MSA.
“Collects,” “Collected,” or “Collection” means gathering, obtaining, receiving, or accessing any Personal Data pertaining to a Consumer by any means, including actively, passively, or by observing the Consumer’s behavior, as further defined in §1798.140 of the CCPA. For clarity, Consultant Collects Personal Data solely on behalf of Client and only as directed by Client.
“Consumer” means a natural person who is a California resident, as defined in §1798.140 of the CCPA, about whom Client has provided Personal Data to Consultant solely for Processing under the MSA. For purposes of this DPA, “Consumer” is limited to individuals whose Personal Data is provided to Consultant by or on behalf of Client.
“Data Privacy Laws” means all applicable laws and regulations relating to the Processing, privacy, security, and/or use of Personal Data, as applicable to either Party or the Services, including jurisdiction-specific, industry-specific, or data-specific regulations.
“Master Service Agreement” (MSA) means the HCM Unlocked LLC® Master Service Agreement, including the Key Commercial Terms, Terms and Conditions (accessible at https://www.hcmunlocked.com/agreements), this DPA (incorporated by reference), and any Sales Contracts executed by the Parties, together with any schedules, exhibits, addenda, or amendments thereto.
“Parties” means Consultant and Client, collectively.
“Personal Data” means any information relating to an identified or identifiable natural person that is protected as personal data, personal information, or personally identifiable information under applicable Data Privacy Laws, including “personal information” as defined in §1798.140 of the CCPA, and that is submitted to Consultant by Client.
“Personnel” means employees, contractors, or other individuals engaged by Client, including those engaged indirectly via Consultant, who may be involved in connection with the Services.
“Processing” means any operation or set of operations performed on Personal Data, whether automated or manual, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
“Sell,” “Selling,” “Sale,” or “Sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a Consumer’s Personal Data to another business or third party for monetary or other valuable consideration, as defined in §1798.140 of the CCPA. For clarity, Consultant does not and will not Sell Personal Data in its capacity as a Service Provider.
“Service Provider” means Consultant, as defined in §1798.140 of the CCPA, which Processes Personal Data on behalf of Client for a Business Purpose pursuant to this Agreement, and which is contractually prohibited from:
- Selling or Sharing Personal Data;
- retaining, using, or disclosing Personal Data for any purpose other than the Business Purpose specified in this Agreement;
- retaining, using, or disclosing Personal Data outside the direct business relationship between Consultant and Client; or
- combining Personal Data with Personal Data received from another source or collected from Consultant’s own interactions with a Consumer.
“Services” means the products and services provided by Consultant to Client under the MSA.
“Share” means making a Consumer’s Personal Data available to a third party for cross-context behavioral advertising, as defined in §1798.140 of the CCPA. For clarity, Consultant does not and will not Share Personal Data in its capacity as a Service Provider.
“Subconsultant” or “Subcontractor” means any third party engaged by Consultant to assist in fulfilling its obligations in providing Services to Client.
- Purpose and Scope.
- Purpose. The purpose of this DPA is to define the conditions under which Consultant will Process Personal Data on behalf of Client in connection with the Services.
- Scope of Application. This DPA applies solely to the extent Consultant Processes Personal Data or other protected information subject to Data Privacy Laws on behalf of Client in its capacity as a Service Provider under the MSA and any applicable Sales Contract.
- Duration. Consultant’s Processing obligations under this DPA shall commence on the Effective Date of the MSA or the applicable Sales Contract and continue until Consultant ceases providing Services to Client, subject to the data retention and deletion provisions set forth in this DPA.
- Client Responsibilities and Warranties. Client warrants, represents, and agrees that:
- Client is a Business (as defined in the CCPA) and appoints Consultant to Collect and Process Personal Data solely for the Business Purpose set forth in this DPA and the MSA.
- Client has sole responsibility for the quality, accuracy, and legality of the Personal Data and the means by which it is acquired.
- Client is solely responsible for compliance with its obligations as a Business under applicable Data Privacy Laws.
- Client has provided, and will continue to provide, all required notices and has obtained (or will obtain) all necessary consents and rights required by Data Privacy Laws for Consultant to Collect and Process Personal Data for the Business Purpose.
- Consultant does not receive Personal Data as consideration for Services.
- Client shall indemnify, defend, and hold harmless Consultant from any claims, damages, liabilities, costs, or expenses arising out of Client’s failure to comply with its obligations under this DPA or applicable Data Privacy Laws.
- Consultant Obligations.
- Processing Limitations. Consultant shall only Collect and Process Personal Data on documented lawful instructions from Client, including instructions in the MSA, this DPA, and Client’s configuration of the Services, and only as necessary to provide the Services (the “Business Purpose”). Consultant shall not:
- Sell or Share Personal Data;
- Retain, use, or disclose Personal Data for any purpose other than the Business Purpose, including for Consultant’s own commercial purposes, unless required by applicable Data Privacy Laws;
- Retain, use, or disclose Personal Data outside the direct business relationship between Consultant and Client;
- Process Personal Data for targeted or cross-context behavioral advertising; or
- Combine Personal Data with data from other sources in any way that would be inconsistent with limitations on Service Providers under applicable Data Privacy Laws.
- Compliance with Laws. Consultant shall Process Personal Data in compliance with applicable Data Privacy Laws, provided Client has notified Consultant in writing of specific compliance requirements that apply to the Processing. Consultant shall notify Client if it reasonably determines it cannot meet its obligations under applicable Data Privacy Laws. If Consultant receives an instruction that it reasonably believes infringes Data Privacy Laws, it shall promptly notify Client, though Consultant has no obligation to independently verify the legality of Client’s instructions.
- Confidentiality. Both Parties shall maintain the confidentiality of Personal Data and not disclose such data except as permitted under this DPA or as required by law. Consultant shall ensure that all personnel authorized to Process Personal Data are subject to binding confidentiality obligations.
- Data Security. Consultant shall implement and maintain commercially reasonable technical and organizational security measures designed to protect Personal Data against Breach Events, based on the sensitivity of the data processed and the risks associated with the Processing activities. “Commercially reasonable” security measures shall be determined by Consultant in its sole discretion, taking into account industry standards, implementation costs, the nature and scope of Processing, and the risks for the rights and freedoms of individuals. Client acknowledges that security measures are not guarantees against all security threats, and Consultant does not warrant that Personal Data will be protected against all possible security incidents. Client is responsible for assessing whether Consultant’s security measures are appropriate for Client’s specific risk tolerance and compliance requirements.
- Breach Notification. Consultant shall notify Client without undue delay, and in any event within seventy-two (72) business hours, upon becoming aware of a confirmed Breach Event involving Client’s Personal Data. Consultant shall provide information about the Breach Event as it becomes known and as reasonably necessary for Client to meet its notification obligations. For clarity, “becoming aware” means when Consultant has established with reasonable certainty that a Breach Event affecting Client’s Personal Data has occurred, following initial investigation. Preliminary or unconfirmed security incidents do not trigger notification obligations until confirmed through Consultant’s standard incident response procedures. Client remains solely responsible for making any legally required notifications to affected individuals, regulators, or third parties.
- Assistance with Data Subject Requests.
- Upon Client’s written instructions and at Client’s expense, Consultant shall use reasonable efforts to assist Client with:
- Deleting or amending Personal Data consistent with a verified Consumer request, except where an exemption under Data Privacy Laws permits retention;
- Responding to verified Consumer requests received by Client regarding Collection or Processing of Personal Data;
- Providing information reasonably necessary for Client to respond to inquiries or complaints from Consumers or regulators; and
- Performing data protection impact assessments, where required by law.
- Client shall respond to Consultant’s requests for information or clarification regarding data subject requests within five (5) business days. Failure to respond within this timeframe shall relieve Consultant of any obligation to process the data subject request until Client provides the necessary information.
- If Client receives more than five (5) data subject requests in any calendar month that require Consultant’s assistance, Consultant may charge its then-current hourly rates for all time spent processing such additional requests.
- Consultant shall have no obligation to interact directly with data subjects or regulators unless required by applicable law, and Client shall serve as the sole point of contact for all data subject requests.
- Subcontractors. Client acknowledges and agrees that Consultant may engage Subconsultants (including third-party service providers) to Process Personal Data in connection with providing the Services. Consultant shall enter into written agreements with such Subconsultants containing obligations substantially similar to those in this DPA.
Consultant shall remain responsible for the acts and omissions of its Subconsultants that result in a failure to meet the data protection obligations set forth herein, subject to the limitations of liability in the MSA. Consultant shall not be obligated to disclose the identities of its Subconsultants or the terms of its agreements with them, except as required by applicable law.
- Subprocessor Management.
- Consultant may update its list of Subprocessors from time to time by providing notice to Client via email.
- Client shall have ten (10) business days from receipt of such notice to object in writing to the addition of any new Subprocessor. Any such objection must be based on reasonable grounds directly related to data protection concerns.
- If Client does not object within the ten (10) business day period, Client shall be deemed to have approved the new Subprocessor.
- If Client objects to a new Subprocessor within the specified timeframe and on reasonable grounds, Consultant shall use commercially reasonable efforts to: (1) make the Services available without requiring use of the objected-to Subprocessor; or (2) suggest an alternative Subprocessor. If Consultant is unable to accommodate these alternatives within thirty (30) days, either Party may terminate the affected Services without penalty, which shall be Client’s sole and exclusive remedy.
- Audits and Monitoring.
- Oversight Rights. To the extent required by applicable Data Privacy Laws, Client may take reasonable and appropriate steps to ensure that Personal Data is used by Consultant in compliance with Client’s obligations under such laws.
- Audit Rights. Client may audit Consultant’s compliance with this DPA once annually, subject to the following conditions:
- Audits shall be conducted during normal business hours, with no less than forty-five (45) days’ advance written notice, and in accordance with Consultant’s security and confidentiality requirements.
- Client must submit any audit request in writing, specifying the scope, duration, and start date of the proposed audit.
- Consultant may satisfy audit requests by providing information regarding its data protection practices through existing third-party certifications, audit reports, or compliance documentation, at Consultant’s sole discretion.
- If additional information is lawfully required and cannot be satisfied through documentation, Client may submit reasonable information security or audit questionnaires, which Consultant will complete in good faith.
- Client shall bear all costs associated with any audit, including Consultant’s reasonable expenses and personnel time spent assisting with audits at Consultant’s then-current professional services rates ($250 per hour, minimum four hours per audit).
- Client may not conduct more than one audit in any twelve (12) month period, and no audit may last more than one (1) business day.
- Client may not use any competitor of Consultant to conduct the audit.
- Costs. Client shall bear all costs associated with any audit, including Consultant’s reasonable expenses. Consultant may charge for its personnel time spent assisting with audits at its then-current professional services rates.
- Data Retention and Deletion.
Upon termination of the MSA or any applicable Sales Contract, or upon Client’s written request, Consultant shall, at Client’s election, either return Personal Data to Client or delete such data within ninety (90) days, unless applicable law requires retention.
Where retention is required by law, Consultant shall securely isolate and protect Personal Data from any further Processing except as required by such law. Consultant may retain anonymized or aggregated data derived from Personal Data, provided that such data cannot reasonably be used to identify Client or any individual.
- Ownership of Data.
All Personal Data Processed by Consultant in connection with the Services shall remain the sole property of Client. Nothing in this DPA shall be construed as granting Consultant any rights in or to Client’s intellectual property or Personal Data, except to the limited extent necessary for Consultant to perform the Services under the MSA and this DPA.
- Liability.
Notwithstanding anything to the contrary in this DPA or the MSA:
- Aggregate Liability. Consultant’s total aggregate liability arising out of or related to this DPA or the Processing of Personal Data shall not exceed the lesser of: (1) the aggregate fees actually paid by Client to Consultant in the twelve (12) months immediately preceding the event giving rise to the claim; or (2) two hundred fifty thousand dollars ($250,000).
- Exclusion of Damages. In no event shall Consultant be liable for indirect, consequential, incidental, special, punitive, or exemplary damages or losses, including without limitation loss of profits, revenue, business opportunity, anticipated savings, goodwill, reputation, use, or data, regardless of the form of action, theory of liability, or whether Consultant was advised of the possibility of such damages.
- No Liability. Consultant shall have no liability whatsoever for any claim, loss, liability, damage, cost, or expense arising from or related to:
- any act or omission by Consultant that was requested, approved, or ratified by Client;
- Client’s failure to comply with its obligations under this DPA or applicable Data Privacy Laws;
- Client’s failure to provide accurate, complete, and timely information to Consultant;
- Client’s failure to obtain necessary consents or provide required notices under applicable Data Privacy Laws;
- the actions or omissions of any Subconsultant, provided Consultant has complied with its obligations under Section 5 of this DPA;
- force majeure events; or
- changes in applicable Data Privacy Laws.
- Direct Damages Only. Each Party’s liability under this DPA shall be limited to direct damages actually caused by its proven breach, subject to the limitations of the MSA.
- Miscellaneous.
- Term and Termination. This DPA shall remain in effect for so long as Consultant Processes Personal Data on behalf of Client. Either Party may provide notice of noncompliance with applicable Data Privacy Laws and may terminate the affected Sales Contract if such noncompliance is not cured.
- Governing Law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions of the MSA, unless otherwise required by applicable Data Privacy Laws. In the event of ambiguity, this DPA shall be interpreted to achieve compliance with Data Privacy Laws.
- Recordkeeping. To the extent required by Data Privacy Laws, Consultant shall maintain complete and accurate records of categories of Processing activities performed on behalf of Client. Such records shall be made available to Client upon written request, subject to Consultant’s confidentiality and security obligations.
- Entire Agreement. This DPA, together with the MSA (including any Sales Contracts), constitutes the entire agreement of the Parties with respect to the Processing of Personal Data. Any schedules, exhibits, or attachments referenced in this DPA shall be incorporated by reference and form an integral part of this Agreement. In the event of a direct conflict between the terms of this DPA and the MSA regarding such subject matter, this DPA shall control.
- Severability. If any provision of this DPA is held invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect. The Parties shall negotiate in good faith to replace the invalid or unenforceable provision with a valid provision that most closely reflects the Parties’ original intent.
- Amendments. This DPA may only be amended by a written instrument executed by duly authorized representatives of both Parties.