California Consumer Privacy Act Service Provider Addendum
THIS CALIFORNIA CONSUMER PRIVACY ACT ADDENDUM (“Addendum”) supplements the Services Agreement (“Agreement”) entered into between EisnerAmper and/or its subsidiaries (Firm) and the third-party service provider identified in the applicable Agreement from whom services outlined therein are provided (Service Provider) (referred to collectively as the “Parties”).
WHEREAS, Firm desires to provide or make available to Service Provider, or permit Service Provider to access, create, collect, process, and/or disclose certain personal information for the purposes of providing some or all of the services described in the Agreement (Services), and on the condition that Service Provider abide by certain conditions and restrictions with respect to such information;
WHEREAS, Service Provider desires to access, create, collect, process and/or disclose certain of the Firm’s personal information as necessary and appropriate to perform the Services under the Agreement and at all times subject to the applicable conditions and restrictions;
NOW, THEREFORE, in consideration of the mutual covenants, and for continuing to perform the Services, the Parties agree as follows:
- Definitions. The terms used in this Addendum, including without limitation consumer, personal information, collect, and process, shall have the same definition as set forth in the California Consumer Privacy Act, as amended (CCPA), except as otherwise defined in this Addendum.
- CCPA Obligations. Service Provider acknowledges and agrees it is a “service provider” as that term is defined under the CCPA. Service Provider represents and warrants that any and all personal information in any format accessed, collected, created, processed, and/or disclosed in connection with or related in any way with its performance of the Services, including without limitation collecting such information on the Firm’s behalf, is of a confidential nature, and that Service Provider shall safeguard and hold all such personal information in confidence as described in this Addendum, and shall not be disclosed except when disclosure is required by law, is required in order to perform the Services, or where the Firm has authorized Service Provider in writing to disclose it. For purposes of this Addendum, Service Provider shall also refer to the Service Provider’s agents and/or subcontractors, if any.
In addition to any other applicable duties and obligations under the Agreement concerning such personal information, Service Provider represents and warrants it will, and cause any and all of its agents and subcontractors to, comply with all of the following duties and obligations as they relate to such personal information.
- Service Provider may not sell such personal information.
- Service Provider may not collect, process, create, retain, use, or disclose such personal information for any purpose other than for the sole purpose of performing the Services under the Agreement, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the Services specified in the Agreement.
- Service Provider agrees to promptly delete and procure the deletion of all copies of such personal information relating to consumers, upon written request of Firm. Service Provider shall comply with a deletion request within ten (10) days of receipt from Firm. Service Provider shall provide Firm with a certification of deletion in a form approved by Firm.
- At Firm’s request within one month of the termination of the Agreement, Service Provider shall (a) return a complete copy of all such personal information to Firm by secure file transfer; and (b) procure the return of all other copies of such personal information collected or processed by any agent or subcontractor.
- In the event Service Provider transfers its assets to a third party as part of a merger, acquisition, bankruptcy, or other transaction in which a third party assumes control of all or part of Service Provider's assets, Service Provider shall provide Firm with prior written notice and any such personal information shall be excluded from Service Provider's assets for the purpose of the merger, acquisition, bankruptcy, or other transaction.
- Service Provider agrees to provide commercially reasonable assistance to enable Firm to respond to and comply with verifiable Consumer requests concerning such personal information pursuant to the CCPA. Service Provider shall provide Firm with requested information within ten (10) days of receipt from Firm.
- Service Provider shall notify Firm without undue delay of any request from a person seeking to exercise any rights under the CCPA, and shall not act on such request unless Service Provider has received written authorization from Firm.
- Service Provider agrees to ensure that any agent, including a subcontractor, to whom it provides or makes available, or it permits to access, create, collect, process, retain, and/or disclose such personal information agrees in writing to the same restrictions and conditions set forth in this Addendum with respect to such personal information. Service Provider shall provide Firm with a copy of any such agreement, upon request.
- Service Provider shall notify Firm without undue delay upon discovering an actual or suspected breach of the security of its systems affecting the Firm’s personal information, as defined in Cal. Civ. Code Sec. 1798.81.5(d)(1)(A), and provide Firm with sufficient information to allow Firm to assess the nature and scope of the incident or breach, and meet its obligations, if any, to report the breach under applicable data protection laws. Such notification by Service Provider to Firm shall, to the extent possible:
- describe the nature of the incident or breach;
- the categories of personal information concerned;
- the number of individuals potentially affected; and
- the measures taken or proposed to be taken to address the incident or breach.
- In cooperation with Firm, Service Provider shall investigate such incident or breach and take all necessary, appropriate, and commercially reasonable corrective action to remedy such incident or breach and prevent a recurrence of same.
- Service Provider certifies that it understands and acknowledges the foregoing responsibilities under this Addendum and will comply with them.
- Limitations of access, use and disclosure of personal information. Service Provider shall access, collect, maintain, process, handle, use, disclose and destroy all personal information, as defined in Cal. Civ. Code Sec. 1798.81.5(d)(1)(A) and other applicable law, in compliance with all applicable data privacy and protection laws, which shall include, but not be limited to, maintaining a comprehensive data privacy and security program that contains reasonable safeguards to secure such personal information from unauthorized access, acquisition, or disclosure.
- Sale of Information. The parties acknowledge and agree that the exchange of personal information between the parties does not form part of any monetary or other valuable consideration exchanged between the parties.
- Indemnification. Service Provider shall indemnify, defend and hold harmless Firm, its affiliates, members, directors, officers and employees (“Firm Indemnified Person”) from and against any and all costs, expenses, claims, suits, causes of action, penalties, or judgments (including reasonable attorneys’ fees) which may be imposed on or incurred by or instituted against any such Firm Indemnified Person relating to or arising out of: (a) any unauthorized access, use, processing, modification, destruction or disclosure of personal information, regardless of how that term is defined in this Addendum, caused by Service Provider or any of its agents or subcontractors that is not permitted under this Addendum or applicable law; and (b) breach of the duties or obligations under this Addendum by Service Provider or any of its agents or subcontractors.
- Term and Termination. The duties and obligations under this Addendum shall commence as of the effective date of the Agreement (or, if earlier, the first date any personal information, regardless of how that term is defined under this Addendum, was collected or accessed by, or provided to Service Provider), and shall terminate upon the later of the termination of the Addendum or the date Service Provider no longer maintains or has access to any such personal information.
- No third party beneficiary rights. Nothing in this Addendum, whether expressed or implied, is intended to confer any rights or remedies under or by reason of this Addendum on any persons other than the parties to it and their respective successors and permitted assigns.
- Entire Addendum. This Addendum sets forth the full and complete understanding of the Parties hereto with regard to its subject matter and shall replace and supersede any prior versions of this Addendum or provisions of the Agreement that are contrary and less protective of personal information, regardless of how that term is defined under this Addendum, than the provisions in this Addendum. No amendment or modification of this Addendum shall be binding unless duly executed in writing by each of the Parties hereto.
- Notices. Any notice which is to be given by one party to the other under this Addendum will be given in accordance with the instructions provided in the Agreement or, if there are no such instructions, to the signatory to the Agreement at the address provided in the Agreement.