Data Processing Agreement

​Last Updated 4/10/2025

This Data Processing Agreement (“DPA”) is entered into by and between Client and HCM Unlocked LLC®, a limited liability company organized and existing under the laws of Florida, with its principal place of business at 1221 Brickell Avenue, Suite 900, Miami, Florida 33131 (hereinafter “HCM Unlocked” or “Consultant”).

 

This DPA is incorporated into and forms an integral part of the Master Service Agreement, as defined below, between the Client and Consultant (collectively, the “Parties”). In the event of a conflict between the terms of this DPA and the MSA with respect to the subject matter herein, the terms of this DPA shall govern. Any prior data protection agreements between the Parties are superseded and replaced by this DPA in their entirety. All capitalized terms not defined in this DPA will have the meaning given to them in the MSA.

​

1. Definitions. For purposes of this DPA, the following terms shall have the meanings specified below:

 

"Applicable Laws" means only those US Federal, State, or Local Laws and Rules related to cyber security, data protection and privacy that: (i) are explicitly and specifically applicable to Consultant in its role as a Service Provider in the performance of Services under the MSA; (ii) have been identified in writing by Client to Consultant prior to the execution of this Agreement or any applicable Sales Contract; (iii) are in effect as of the Effective Date of this Agreement; and (iv) apply to the specific Services being provided by Consultant. "Applicable Laws" shall not include: (i) laws that apply solely to Client in its capacity as a Business or data controller; (ii) laws that would require Consultant to fundamentally alter its business operations or Services; (iii) laws of jurisdictions outside the United States unless Consultant has expressly agreed in writing to comply with such laws; or (iv) any laws enacted after the Effective Date unless Consultant has expressly agreed in writing to comply with such laws. Client shall be solely responsible for identifying all Applicable Laws relevant to its business and for notifying Consultant in writing of any specific compliance requirements under such laws that apply to Consultant's Services. Applicable Laws include, but are not limited to, the following to the extent they meet the criteria above:

 

(a). NYDFS Cybersecurity Regulation, 23 NYCRR Part 500

(b). The Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6821 et seq.

(c). FTC Financial Privacy Rule, 16 CFR Part 313

(d). FTC Safeguards Rule, 16 CFR Part 314

(e). The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, including Sections 261 through 264 requiring standards for the electronic exchange, privacy and security of health information (collectively known as the Administrative Simplification provisions)

(f). California Consumer Privacy Act (CCPA), Title 1.81.5 California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100–1798.199), including as amended by the CPRA and any implementing regulations

(g). California Privacy Rights Act of 2020 (CPRA), (2020 Cal. Legis. Serv. Proposition 24, codified at Cal. Civ. Code §§ 1798.100 et seq.), and its implementing regulations, as amended or superseded from time to time

 

"Breach Event" means any incident where security is compromised, resulting in unintentional or illegal destruction, misplacement, modification, or unauthorized sharing or access to Personal Data that has been transmitted, stored, or otherwise processed.

 

"Business" means Client, as defined in §1798.140 of the CCPA, who determines the purposes and means of the Processing of Personal Information and on whose behalf Consultant Processes Personal Data pursuant to this Agreement and the MSA.

 

"Collects," "Collected," or "Collection" means gathering, obtaining, receiving, or accessing any Personal Data pertaining to a Consumer by any means, including, but not limited to, receiving information from the Consumer, either actively or passively, or by observing the Consumer's behavior, as further defined in §1798.140 of the CCPA. For clarity, Consultant Collects Personal Information solely on behalf of Client and as directed by Client.

 

“Consumer” means a natural person who is a California resident, as defined in §1798.140 of the CCPA, about whom Client has provided Personal Information to Consultant solely for Processing pursuant to the MSA. For purposes of this Agreement, Consumer shall only include individuals whose Personal Information was provided to Consultant by or on behalf of Client.

 

"Data Privacy Laws" means all applicable laws and regulations relating to the processing, privacy, and/or use of Personal Data, as applicable to either party or the Services, including jurisdictional, industry-specific, or data-specific laws and regulations.

 

“Master Service Agreement” and “MSA” means the provisions set forth in the HCM Unlocked LLC® Master Service Agreement Key Commercial Terms, the provisions set forth in the HCM Unlocked LLC® Master Service Agreement Terms and Conditions, and any Sales Contracts executed by the Parties and referenced herein, including Schedules, Exhibits, Addendums, or Amendments to same.

 

"Parties" means the Consultant and Client collectively.

 

"Personal Data" refers to any information that is tied to an identified or identifiable natural person that is protected as personal data, personal information, or personally identifiable information under applicable Data Privacy Laws, and includes personal information as defined by §1798.140 of the CCPA as submitted to Consultant by Client.

 

"Personnel" refers to the employees or other individuals who are in a contractual relationship with the Client, including employees or other individuals who are in a contractual relationship via the Consultant.

 

"Processing" means actions performed by the Consultant on the Personal Data whether by automated means or not, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

 

"Sell," "Selling," "Sale," or "Sold" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer's Personal Data by one business to another business or a third party for monetary or other valuable consideration, as defined in §1798.140 of the CCPA. For clarity, Consultant does not and will not Sell Personal Information in its capacity as a Service Provider.

 

"Service Provider" means Consultant, as defined in §1798.140 of the CCPA, that Processes Personal Information on behalf of Client pursuant to a written contract for a Business Purpose, provided that the contract prohibits the Consultant from: (i) Selling or Sharing the Personal Information; (ii) retaining, using, or disclosing the Personal Information for any purpose other than for the Business Purpose specified in the contract; (iii) retaining, using, or disclosing the Personal Information outside of the direct business relationship between the Service Provider and the Business; or (iv) combining the Personal Information with Personal Information that it receives from or on behalf of another person or persons, or collects from its own interaction with the Consumer.

 

"Services" means any products or services provided by the Consultant pursuant to the MSA.

 

"Share" means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer's Personal Information by a Business to a third party for cross-context behavioral advertising, as defined in §1798.140 of the CCPA. For clarity, Consultant does not and will not Share Personal Information in its capacity as a Service Provider.

 

"Subconsultant" or "Subcontractor" refers to any third party appointed by the Consultant to assist in fulfilling its obligations in providing Services to the Controller.

​

2. Purpose and Scope

 

(a). The purpose of this DPA is to define the conditions under which Consultant shall process Personal Data on behalf of the Client.

 

(b). This DPA applies only where, and to the extent that, Consultant processes Personal Information and other protected information that is subject to the Data Privacy Laws on behalf of Client as a Consultant in the course of providing the Services pursuant to the MSA and any applicable Sales Contract.

 

(c). Processing obligations under this DPA will begin on the Effective Date of the MSA and any applicable Sales Contract and run until the end of the Consultant's provision of Services to the Client, subject to the provisions regarding retention of data as set forth herein.

 

3. Client Responsibilities and Warranties. Client warrants and represents that:

 

(a). Client is a business and appoints Consultant to collect and process Personal Data for its Business Purpose, as defined hereinbelow.

 

(b). Client has sole responsibility for the quality, accuracy, and legality of the Personal Data and the means by which Client acquired such data.

 

(c). Client is solely responsible for compliance with its own obligations as a business under the applicable Data Privacy Laws.

 

(d). Client has provided and will continue to provide all necessary notices and has obtained (or shall obtain) all consents and rights necessary under the applicable Data Privacy Laws for Consultant to collect and process the Personal Information for its Business Purpose.

 

(e). Client acknowledges that Consultant does not receive Personal Information as consideration for any services provided to Client.

​

(f). Client shall indemnify, defend, and hold harmless Consultant from any claims, damages, liabilities, costs, or expenses arising from Client's failure to comply with its obligations under this DPA or applicable Data Privacy Laws.
 

4. Consulting Obligations.

 

(a). Processing Limitations. Consultant shall only collect and process Personal Data upon lawful documented instructions from Client, including those in the MSA, this DPA, and Client's configuration of the Services or as otherwise necessary to provide the Services (the "Business Purpose"). Consultant shall not:

 

(i). Sell or Share the Personal Data;

(ii). Retain, use, or disclose the Personal Data for any purpose other than for the Business Purpose, including for a commercial purpose other than providing its Services under the MSA, unless permitted by the applicable Data Privacy Laws;

(iii). Retain, use, or disclose the Personal Data outside of the direct business relationship between the Consultant and Client;

(iv). Process the Personal Data for targeted and/or cross-context behavioral advertising;

(v). Combine Personal Data with any other data if and to the extent this would be inconsistent with the limitations on service providers under the applicable Data Privacy Laws.

 

(d). Compliance with Laws. Consultant shall process Personal Data in accordance with applicable Data Privacy Laws, provided that Client has informed Consultant in writing of all specific requirements under such laws that apply to Consultant's processing activities. Consultant shall notify Client in writing if it reasonably determines that it cannot meet its obligations under the applicable Data Privacy Laws. Upon such notification and reasonable opportunity for Consultant to address the issue, Client may take reasonable and appropriate steps to remediate unauthorized use of Personal Information. Consultant shall immediately inform the Client if any instruction relating to the Personal Data infringes or may infringe any Data Privacy Laws, but Consultant shall have no obligation to independently verify the lawfulness of Client's instructions.

 

(e). Confidentiality. Both Parties shall maintain the confidentiality of Personal Data and shall not disclose such data except as expressly permitted under the terms of this DPA or as required by applicable law. Consultant shall ensure that all personnel authorized to process Personal Data are subject to binding confidentiality obligations.

 

(f). Data Security. Consultant shall implement and maintain appropriate security procedures and practices appropriate to the nature of the Personal Information to protect the Personal Information from and against a Breach Event, in line with Consultant's security program. The determination of what security measures are “appropriate” shall be at Consultant's sole discretion, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

 

(g). Breach Notification. Consultant shall promptly notify the Client of a Breach Event involving the Client’s data, or in any event within forty-eight (48) hours. Consultant shall provide timely information relating to the Breach Event as it becomes known or as reasonably requested by Client, to the extent necessary for Client to fulfill its own notification obligations under applicable Data Privacy Laws. Client shall be solely responsible for any notifications to affected individuals, regulatory authorities, or other third parties as required by law.

 

(h). Assistance. Upon Client's written instructions and at Client's expense, Consultant shall use reasonable efforts to assist Client in: (i) deleting and amending Personal Data in accordance with a verified Consumer's request, except where and to the extent permitted to retain the Personal Data pursuant to an exemption under the applicable Data Privacy Laws; (ii) responding to verified Consumer requests received by Client to provide information as it relates to the Collection of Personal Data for the Business Purpose. Upon Client's instruction and upon proof of such a communication, Consultant shall provide reasonable assistance to Client to enable Client to respond to any correspondence, enquiry, or complaint received from a Consumer, or any State or Federal agency in connection with the collection and processing of the Personal Information. Consultant shall assist the Client in performing impact assessments for data protection risks.

 

5. Subcontractors. Client agrees Consultant may engage third-party Subcontractors to process Personal Data in connection with the provision of the Services. Consultant shall enter into written agreements with such Subcontractors that contain substantially similar obligations as this DPA. Consultant shall remain liable for the performance of any such Subcontractors that fail to fulfill their data protection obligations, subject to the limitations of liability set forth in the MSA. Consultant shall not be required to disclose the identities of its Subcontractors or provide details of its agreements with them, except as required by applicable law.

 

6. Audits and Monitoring

 

(a). To the extent required by applicable Data Privacy Laws, Client may take reasonable and appropriate steps to help ensure that the Personal Data is used by Consultant in a manner consistent with Client's obligations under the applicable Data Privacy Laws.

 

(b). Client may audit Consultant's compliance with the terms of this DPA once annually, subject to the following conditions: (a) Such audits shall be conducted during normal business hours, with reasonable advance notice to Consultant (not less than thirty (30) days), and subject to Consultant's security and confidentiality requirements. (b) Client must send Consultant notice in writing of a request to conduct an audit. (c) Subject to the confidentiality obligations set forth in this DPA, Consultant shall make available to Client information regarding Consultant's compliance with the obligations set forth in this DPA in the form of third-party certifications and audits. (d) If Client identifies areas that have not been covered that it is lawfully permitted to audit under this DPA, then Client may submit reasonable requests for information security and audit questionnaires that are necessary to confirm Consultant's compliance with this DPA.

 

(c). Client shall bear all costs associated with any audit, including Consultant's reasonable expenses in facilitating such audit. Consultant reserves the right to charge Client for any time spent assisting with audits at Consultant's then-current professional services rates.

 

7. Data Retention and Deletion. Upon receipt of Client's written request, Consultant shall (at Client's election) return Personal Data or close Client's account and delete all Personal Information within ninety (90) days of the termination of the MSA or any applicable Sales Contract. This requirement shall not apply to the extent Consultant is required by applicable law to retain some or all of the Personal Data, which Consultant shall securely isolate and protect from any further processing, except to the extent required by applicable law. Consultant may retain anonymized or aggregated data derived from Personal Data that does not identify or could not reasonably be used to identify Client or any data subject.

 

8. Ownership of Data. All Personal Data processed by the Consultant in performing the Services shall remain the property of the Client. Nothing in this DPA shall be construed as granting Consultant any rights to Client's intellectual property or any rights in or to the Personal Data beyond those specified in this DPA or the MSA.

 

9. Liability. Notwithstanding anything to the contrary in the MSA or this DPA, Consultant's total aggregate liability arising out of or related to this DPA or the processing of Personal Data shall not exceed the limitations set forth in the MSA. In no event shall Consultant be liable for any indirect, consequential, incidental, special, punitive, or exemplary damages or losses, including but not limited to loss of profits, revenue, business opportunity, anticipated savings, goodwill, reputation, use, or data, regardless of the form of action or the basis of the claim, even if Consultant has been advised of the possibility of such damages. Consultant shall have no liability whatsoever for any claim, loss, liability, damage, cost, or expense incurred by Client or any third party arising from or related to: (a) Any act or omission by Consultant that was requested, approved, or ratified by Client; (b) Client's failure to comply with its obligations under this DPA or applicable Data Privacy Laws; (c) Client's failure to provide accurate, complete, and timely information to Consultant; (d) Client's failure to obtain necessary consents or provide required notices under applicable Data Privacy Laws; (e) The actions of any Subcontractor to the extent Consultant has met its obligations under Section 5 of this DPA; (f) Force majeure events; (g) Changes in applicable Data Privacy Laws. Each Party's liability under this DPA is limited to the amount of damages directly caused by its breach of this DPA, subject to the limitations set forth in the MSA.

 

10. Miscellaneous

​

(a). Term and Termination. This DPA shall not terminate automatically with the termination or expiration of the MSA or any Sales Contract but shall continue while Consultant holds the data of Client. Both Parties can provide notice to the other Party for noncompliance with the applicable Data Privacy Laws and have the right to terminate the Sales Contract for failure to fulfill the terms of the DPA.

​

(b). Governing Law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the MSA, unless required otherwise by the applicable Data Privacy Laws. Both parties agree that this DPA shall be interpreted in favor of their intent to comply with the applicable Data Privacy Laws and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with the applicable Data Privacy Laws.

​

(c). Recordkeeping. Consultant shall maintain complete, accurate, and up-to-date written records of all categories of processing activities carried out on behalf of Client, to the extent required by applicable Data Privacy Laws. Such records shall be made available to Client upon written request and subject to reasonable confidentiality protections.

 

(d). Entire Agreement. This DPA, together with the MSA, represents the entire understanding between the Parties with respect to the processing of Personal Data. In the event of a direct conflict between this DPA and the MSA with respect to the subject matter of this DPA, the terms of this DPA shall control.

 

(e). Severability. If any provision of this DPA is found by a court of competent jurisdiction to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the Parties shall negotiate in good faith to substitute a valid, legal, and enforceable provision that achieves, to the extent possible, the business purposes and intent of such invalid or unenforceable provision.

 

(f). Amendments. This DPA may only be modified by a written amendment signed by authorized representatives of both Parties.

​

​
