State Law Service Provider Addendum
This State Consumer Privacy Laws Addendum (“Addendum”) is incorporated into the applicable Master Services Agreement or similar contractual arrangement (“Agreement”) by and between Eisner Advisory Group LLC, EisnerAmper LLP and/or any of their subsidiaries as provided for under the Agreement (collectively, as applicable “Firm”) and the service provider as provided for under the Agreement (“Service Provider”), with an Effective Date as stipulated in the Agreement.
- Service Provider’s California Consumer Privacy Act Obligations
A. Service Provider acknowledges and agrees to comply with the applicable terms of the California Consumer Privacy Act of 2018 as amended (Cal. Civ. Code §§ 1798.100 - 1798.199) including applicable regulatory or other guidance ("CCPA"). The parties hereby agree that Service Provider is a "service provider" under the CCPA. Terms defined in the CCPA, including, without limitation, personal information, have the same meaning when used in this Section 1 of the Addendum unless otherwise defined herein. As a service provider for the Firm, Service Provider agrees:- Service Provider will not collect, retain, use, or disclose personal information it accesses, receives, or creates pursuant to the Agreement ("Firm Personal Information") for any purpose other than for the purposes set out in the Agreement and as permitted under the CCPA. Service Provider acknowledges that Firm is disclosing or making available Firm Personal Information to Service Provider only for the limited and specified purposes and services set for in the Agreement (“Services”).
- Service Provider will not sell or share Firm Personal Information.
- Service Provider will not collect, retain, use, or disclose Firm Personal Information for any commercial purpose other than the Services, nor for any purposes outside of its direct business relationship with Firm, unless expressly permitted under the CCPA. Service Provider will not combine or update Firm Personal Information with personal information that it receives from or on behalf of another person, or that Service Provider collects from its own interactions with a consumer, unless permitted under the CCPA and the Firm.
- Service Provider shall comply with all applicable sections of the CCPA with respect to Firm Personal Information and shall provide the level of privacy protection to Firm Personal Information as is required of businesses thereunder. Such compliance may include, without limitation, implementing reasonable security procedures and practices, appropriate to the nature of the Firm Personal Information, to protect that information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Cal. Civ. Code § 1798.81.5.
- Service Provider will promptly notify Firm if it determines that it can no longer meet its obligations under applicable provisions of the CCPA.
- Service Provider shall comply with the Firm's right to take reasonable and appropriate steps to ensure that Service Provider uses Firm Personal Information in a manner consistent with Firm's obligations under the CCPA. These steps may include, without limitation, manual reviews and automated scans of Service Provider's information systems, and regular internal or third-party assessments, audits, or other technical and operational testing at least once every 12 months.
- Service Provider shall comply with Firm's right, upon notice, to take reasonable and appropriate steps to stop and remediate use of Firm Personal Information that is unauthorized under the CCPA, including, without limitation, requiring Service Provider to provide documentation verifying that it no longer retains or uses Firm Personal Information of consumers that submitted to Firm a valid request to delete.
- In the event Service Provider is legally required to disclose personal information for a purpose unrelated to the Services, Service Provider will, unless legally prohibited, inform Firm of the legal requirement and give it reasonable opportunity to object to or challenge the disclosure.
- If the Services require the collection of Firm personal information by Service Provider directly from consumers on Firm's behalf, Firm will provide Service Provider a CCPA-compliant notice at collection that Service Provider shall make available to such consumers at or before collection of such information and in a manner and format consistent with the CCPA. Service Provider will not modify or alter such notice without Firm's written consent.
- Service Provider shall reasonably cooperate with Firm to comply with consumer requests made pursuant to the CCPA. In the event Service Provider receives requests directly from consumers, Service Provider will promptly inform Firm of such requests, but not later than five (5) days following receipt and reasonably cooperate with Firm in responding to them.
- If Service Provider subcontracts with another person in connection with the Services, Service Provider shall (a) notify Firm of the engagement and (b) have a written contract with such person that complies with CCPA, including with respect to such person's Service Provider's or contractors; and (c) be liable for the Services provided by its subcontractors to the same extent as if those services were provided by Service Provider.
- Service Provider’s Utah Consumer Privacy Act Obligations
A. Service Provider acknowledges and agrees to comply with the applicable terms of the Utah Consumer Privacy Act, as amended (Utah Code. Ann. §§ 13-61-101 to 13-61-404) including applicable regulatory or other guidance ("UCPA"). The parties hereby agree that Service Provider is a "processor" under the UCPA. Terms defined in the UCPA, including, without limitation, personal information, have the same meaning when used in this Section 2 of the Addendum unless otherwise defined herein. As a processor for the Firm, Service Provider agrees:- Service Provider will not collect, retain, use, or disclose personal information it accesses, receives, or creates pursuant to the Agreement ("Firm Personal Information") for any purpose other than for the purposes set out in the Agreement and as permitted under the UCPA. Service Provider acknowledges that Firm is disclosing or making available Firm Personal Information to Service Provider only for the limited and specified purposes and services set for in the Agreement (“Services”).
- Service Provider will not sell Firm Personal Information.
- Service Provider will ensure each person processing Firm Personal Information under the Agreement is subject to a duty of confidentiality with respect to the personal data.
- If a law requires the Service Provider to disclose Firm Personal Information collected pursuant to the Agreement for a purpose unrelated to the Services, the Service Provider must first inform the Firm of the legal requirement and give the Firm a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice. In the event Firm fails to respond promptly and Service Provider determines, in its sole discretion, such disclosure is required by law, Service Provider may make the disclosure and shall not be liable therefor in any way under the Agreement.
- Service Provider will promptly comply with any reasonable Firm request or instruction from authorized persons at the Firm reasonably necessary for Service Provider to provide, amend, limit, transfer, or delete Firm Personal Information, or to stop, mitigate, or remedy any unauthorized processing of Firm Personal Information collected pursuant to the Agreement, except where required.
- Service Provider will delete or return all Firm Personal Information obtained or created in connection with the Services to Firm and delete any existing copies of same upon termination of the Agreement, except where applicable law requires or permits Service Provider to retain copies of such data.
- Service Provider will maintain reasonable and appropriate technical and organizational measures appropriate to the applicable risk related to Firm Personal Information collected, access, or maintained pursuant to the Agreement.
- To the extent permitted under the Agreement, Service Provider may use subcontractors to provide the Services provided that it must first provide the Firm with an opportunity to reasonably object without unreasonable delay. Any subcontractor used must agree in writing to meet substantially similar obligations as Service Provider under this Addendum with respect to Firm Personal Information. Service Provider be liable for the Services provided by its subcontractors to the same extent as if those services were provided by Service Provider.
- Service Provider’s Virginia Consumer Data Privacy Act Obligations
A. Service Provider acknowledges and agrees to comply with the applicable terms of the Virginia Consumer Data Privacy Act, as amended (Va. Code. Ann. §§ 59.1-571 to 59.1-581) including applicable regulatory or other guidance ("VCDPA"). The parties hereby agree that Service Provider is a "processor" under the VCDPA. Terms defined in the VCDPA, including, without limitation, personal information, have the same meaning when used in this Section 3 of the Addendum unless otherwise defined herein. As a processor for the Firm, Service Provider agrees:- Service Provider will not collect, retain, use, or disclose personal information it accesses, receives, or creates pursuant to the Agreement ("Firm Personal Information") for any purpose other than for the purposes set out in the Agreement and as permitted under the VCDPA. Service Provider acknowledges that Firm is disclosing or making available Firm Personal Information to Service Provider only for the limited and specified purposes and services set for in the Agreement (“Services”).
- Service Provider will not sell Firm Personal Information.
- Service Provider will ensure each person processing Firm Personal Information under the Agreement is subject to a duty of confidentiality with respect to the personal data.
- If a law requires the Service Provider to disclose Firm Personal Information collected pursuant to the Agreement for a purpose unrelated to the Services, the Service Provider must first inform the Firm of the legal requirement and give the Firm a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice. In the event Firm fails to respond promptly and Service Provider determines, in its sole discretion, such disclosure is required by law, Service Provider may make the disclosure and shall not be liable therefor in any way under the Agreement.
- Service Provider will promptly comply with any reasonable Firm request or instruction from authorized persons at the Firm reasonably necessary for Service Provider to provide, amend, limit, transfer, or delete Firm Personal Information, or to stop, mitigate, or remedy any unauthorized processing of Firm Personal Information collected pursuant to the Agreement, except where required.
- At the request of the Firm, the Service Provider shall arrange for a qualified and independent assessor to conduct an assessment of the Service Provider's policies and technical and organizational measures in support of its obligations under the VCDPA with respect to Firm Personal Information using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Service Provider shall provide a report of such assessment to the Firm upon written request.
- Upon the reasonable request of the Firm and no less than thirty (30) days advance notice, Service Provider will make available to the Firm information necessary to demonstrate Service Provider's compliance with its obligations under the VCDPA with respect to Firm Personal Information.
- Service Provider will delete or return all Firm Personal Information obtained or created in connection with the Services to Firm and delete any existing copies of same upon termination of the Agreement, except where applicable law requires or permits Service Provider to retain copies of such data.
- Service Provider will maintain reasonable and appropriate technical and organizational measures appropriate to the applicable risk related to Firm Personal Information collected, access, or maintained pursuant to the Agreement.
- To the extent permitted under the Agreement, Service Provider may use subcontractors to provide the Services provided that it must first provide the Firm with an opportunity to reasonably object without unreasonable delay. Any subcontractor used must agree in writing to meet substantially similar obligations as Service Provider under this Addendum with respect to Firm Personal Information. Service Provider be liable for the Services provided by its subcontractors to the same extent as if those services were provided by Service Provider.
- Service Provider’s Colorado Privacy Act Obligations
A. Service Provider acknowledges and agrees to comply with the applicable terms of the Colorado Privacy Act, as amended (Col. Rev. Stat. §§ 6-1-1301 et seq.) including applicable regulatory or other guidance ("CPA"). The parties hereby agree that Service Provider is a "processor" under the CPA. Terms defined in the CPA, including, without limitation, personal information, have the same meaning when used in this Section 4 of the Addendum unless otherwise defined herein. As a processor for the Firm, Service Provider agrees:- Service Provider will not collect, retain, use, or disclose personal information it accesses, receives, or creates pursuant to the Agreement ("Firm Personal Information") for any purpose other than for the purposes set out in the Agreement and as permitted under the CPA. Service Provider acknowledges that Firm is disclosing or making available Firm Personal Information to Service Provider only for the limited and specified purposes and services set for in the Agreement (“Services”).
- Service Provider will not sell Firm Personal Information.
- Service Provider will ensure each person processing Firm Personal Information under the Agreement is subject to a duty of confidentiality with respect to the personal data.
- If a law requires the Service Provider to disclose Firm Personal Information collected pursuant to the Agreement for a purpose unrelated to the Services, the Service Provider must first inform the Firm of the legal requirement and give the Firm a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice. In the event Firm fails to respond promptly and Service Provider determines, in its sole discretion, such disclosure is required by law, Service Provider may make the disclosure and shall not be liable therefor in any way under the Agreement.
- Service Provider will promptly comply with any reasonable Firm request or instruction from authorized persons at the Firm reasonably necessary for Service Provider to provide, amend, limit, transfer, or delete Firm Personal Information, or to stop, mitigate, or remedy any unauthorized processing of Firm Personal Information collected pursuant to the Agreement, except where required.
- At the request of the Firm, the Service Provider shall arrange for a qualified and independent assessor to conduct an assessment of the Service Provider's policies and technical and organizational measures in support of its obligations under the CPA with respect to Firm Personal Information using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Service Provider shall provide a report of such assessment to the Firm upon written request.
- Upon the reasonable request of the Firm and no less than thirty (30) days advance notice, Service Provider will make available to the Firm information necessary to demonstrate Service Provider's compliance with its obligations under the CPA with respect to Firm Personal Information.
- Service Provider will delete or return all Firm Personal Information obtained or created in connection with the Services to Firm and delete any existing copies of same upon termination of the Agreement, except where applicable law requires or permits Service Provider to retain copies of such data.
- Service Provider will maintain reasonable and appropriate technical and organizational measures appropriate to the applicable risk related to Firm Personal Information collected, access, or maintained pursuant to the Agreement. Service Provider will reasonably cooperate with the Firm to allocate responsibilities concerning the security of personal data collected pursuant to the Agreement and to implement the applicable measures.
- To the extent permitted under the Agreement, Service Provider may use subcontractors to provide the Services provided that it must first provide the Firm with an opportunity to reasonably object without unreasonable delay. Any subcontractor used must agree in writing to meet substantially similar obligations as Service Provider under this Addendum with respect to Firm Personal Information. Service Provider shall be liable for the Services provided by its subcontractors to the same extent as if those services were provided by Service Provider.
- Service Provider’s Obligations Concerning Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring
A. Service Provider acknowledges and agrees to comply with the applicable terms of the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, as amended (S.B. No. 6) including applicable regulatory or other guidance ("Act"). The parties hereby agree that Service Provider is a "processor" under the Act. Terms defined in the Act, including, without limitation, personal information, have the same meaning when used in this Section 5 of the Addendum unless otherwise defined herein. As a processor for the Firm, Service Provider agrees:- Service Provider will not collect, retain, use, or disclose personal information it accesses, receives, or creates pursuant to the Agreement ("Firm Personal Information") for any purpose other than for the purposes set out in the Agreement and as permitted under the Act. Service Provider acknowledges that Firm is disclosing or making available Firm Personal Information to Service Provider only for the limited and specified purposes and services set for in the Agreement (“Services”).
- Service Provider will not sell Firm Personal Information.
- Service Provider will ensure each person processing Firm Personal Information under the Agreement is subject to a duty of confidentiality with respect to the personal data.
- If a law requires the Service Provider to disclose Firm Personal Information for a purpose unrelated to the Services, the Service Provider must first inform the Firm of the legal requirement and give the Firm a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice. In the event the Firm fails to respond promptly and Service Provider determines, in its sole discretion, such disclosure is required by law, Service Provider may make the disclosure and shall not be liable therefor in any way under the Agreement.
- Service Provider will promptly comply with any reasonable Firm request or instruction from authorized persons at the Firm reasonably necessary for Service Provider to provide, amend, limit, transfer, or delete Firm Personal Information, or to stop, mitigate, or remedy any unauthorized processing of Firm Personal Information collected pursuant to the Agreement, except where required.
- At the request of the Firm, the Service Provider shall arrange for a qualified and independent assessor to conduct an assessment of the Service Provider's policies and technical and organizational measures in support of its obligations under the Act with respect to Firm Personal Information using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Service Provider shall provide a report of such assessment to the Firm upon written request.
- Upon the reasonable request of the Firm and no less than thirty (30) days advance notice, Service Provider will make available to the Firm information necessary to demonstrate Service Provider's compliance with its obligations under the Act with respect to Firm Personal Information.
- Service Provider will delete or return all Firm Personal Information obtained or created in connection with the Services to Firm and delete any existing copies of same upon termination of the Agreement, except where applicable law requires or permits Service Provider to retain copies of such data.
- Service Provider will maintain reasonable and appropriate technical and organizational measures appropriate to the applicable risk related to Firm Personal Information collected, access, or maintained pursuant to the Agreement.
- To the extent permitted under the Agreement, Service Provider may use subcontractors to provide the Services provided that it must first provide the Firm with an opportunity to reasonably object without unreasonable delay. Any subcontractor used must agree in writing to meet substantially similar obligations as Service Provider under this Addendum with respect to Firm Personal Information. Service Provider shall be liable for the Services provided by its subcontractors to the same extent as if those services were provided by Service Provider.