State Law Client Addendum

THIS STATE LAW PRIVACY ADDENDUM (Addendum) supplements the Master Services Agreement or Engagement Agreement (Agreement) entered into between Eisner Advisory Group LLC, EisnerAmper LLP and/or their respective subsidiaries (collectively, “Service Provider”) and the customer identified in the applicable Agreement to whom services outlined therein are provided ("Customer") (referred to collectively as the “Parties”), solely to the extent that the provision of services to Customer pursuant to such Agreement requires that Service Provider access, create, collect, process, retain, or disclose personal information of consumers, as defined below.

WHEREAS, EisnerAmper LLP and Eisner Advisory Group LLC are independently owned firms that practice in an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. EisnerAmper LLP is a licensed CPA firm that provides attest services, and Eisner Advisory Group LLC and its subsidiary entities provide tax and business consulting services to clients and provide staff and other administrative resources to EisnerAmper LLP. Eisner Advisory Group LLC and its subsidiary entities are not licensed CPA firms;

WHEREAS, Customer desires to provide or make available to Service Provider, or permit Service Provider to access, create, collect, process, retain, or disclose certain personal information for the purposes of providing some or all of the services described in the Agreement (Services);

WHEREAS, Service Provider desires to access, create, collect, process, retain, and/or disclose certain of the Customer’s personal information as necessary and appropriate to perform the Services under the Agreement;

NOW, THEREFORE, in consideration of the mutual covenants, and for continuing to perform the Services, the Parties agree as follows.

California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 (“CCPA/CPRA”) Provisions 

The following California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 provisions (“Provisions”) are incorporated into Agreement by and between Service Provider and Customer with an effective date the same as for the Agreement. The obligations of this section of the Addendum shall apply solely to the extent that the personal information is covered by the CCPA/CPRA.

1. Definitions. The following definitions and rules of interpretation apply in these Provisions:
   1. CCPA means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General or the California Privacy Protection Agency, as applicable. Terms defined in the CCPA, including personal information and business purposes, carry the same meaning in these Provisions.
   2. “Contracted Business Purposes” means the Services described in the Agreement.
   3. CPRA means the California Privacy Rights Act of 2020 which amended the CCPA, and any related regulations or guidance provided by the California Attorney General or the California Privacy Protection Agency, as applicable. Terms defined in the CPRA, including sensitive personal information and sharing, carry the same meaning in these Provisions.
   4. “Authorized Persons” means the persons or categories of persons that authorize Customer to provide or permit the Service Provider to access personal information for processing in accordance with their instructions.
      
      
2. Service Provider’s CCPA/CPRA Obligations
   1. Service Provider will only collect, use, retain, or disclose personal information collected pursuant to the Agreement as reasonably necessary and proportionate to achieve the Contracted Business Purposes for which Customer provides or permits personal information access in accordance with the Customer’s instructions from Authorized Persons, and as permitted under the Agreement or as required by law. For example, and without limitation, the Service Provider may make internal use of personal information to build or improve the quality of its services, provided such use is not to perform services on behalf of another person. Service Provider will not be obligated to follow instructions from any persons at the Customer other than Authorized Persons.
   2. Service Provider will not collect, use, retain, disclose, or otherwise make personal information collected pursuant to the Agreement available for Service Provider’s own commercial purposes, outside of the Contracted Business Purposes, or in a way that does not comply with the CCPA/CPRA, nor will it sell or share personal information belonging to Customer. If a law requires the Service Provider to disclose personal information collected pursuant to the Agreement for a purpose unrelated to the Contracted Business Purposes, the Service Provider must first inform the Customer of the legal requirement and give the Customer a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice. In the event Customer fails to respond promptly and Service Provider determines, in its sole discretion, such disclosure is required by law, Service Provider may make the disclosure and shall not be liable therefor in any way under the Agreement or these Provisions.
   3. Service Provider may not combine personal information collected pursuant to the Agreement with personal information that it receives from or on behalf of another person or persons, or that Service Provider may collect from its own interaction with the customer, except as otherwise permitted under the CCPA/CPRA.
   4. Service Provider will promptly comply with any reasonable Customer request or instruction from Authorized Persons requiring the Service Provider to provide, amend, limit, transfer, or delete the personal information collected pursuant to the Agreement, or to stop, mitigate, or remedy any unauthorized processing of personal information collected pursuant to the Agreement, except where otherwise required; provided, however, that the obligations in this paragraph shall (i) extend only to requests made by consumers or those authorized to act on behalf of consumers under the CCPA/CPRA, and (ii) in the case of deletion of personal information collected pursuant to the Agreement, apply only to the extent the deletion is impossible or involved disproportionate effort. Service Provider reserves the right to charge Customer its then current fees for responding to such requests or instructions. The obligations in this paragraph are subject to the nature of the processing and information available to Service Provider.
   5. If the Contracted Business Purposes require the collection of personal information directly from consumers on the Customer’s behalf, Service Provider will provide a CCPA/CPRA-compliant notice at collection (described under CCPA/CPRA Sec. 1798.100) addressing categories of personal information collected and the purpose(s) of their use or collection that the Customer specifically pre-approves in writing. Service Provider will not modify or alter the notice in any way without the Customer’s prior written consent.
   6. Service Provider will maintain reasonable and appropriate technical and organizational measures to protect personal information collected pursuant to the Agreement.
      
      
3. Assistance with Customer’s CCPA/CPRA Obligations
   1. To the extent related to the Contracted Business Purposes, Service Provider will reasonably cooperate and assist Customer with meeting the Customer’s CCPA/CPRA compliance obligations and responding to verifiable consumer requests as required under the CCPA/CPRA with respect to personal information collected pursuant to the Agreement, taking into account the nature of the Service Provider’s processing and the information available to the Service Provider. In its role as service provider and with respect to personal information collected pursuant to the Agreement, Service Provider will not be required to comply with a request submitted directly to Service Provider by a consumer, but shall promptly inform Customer of the request and reasonably cooperate with Customer as required under this Agreement and the CCPA/CPRA.
   2. To the extent required by the CCPA/CPRA, Service Provider will permit Customer to take reasonable and appropriate steps to ensure Service Provider uses personal information collected pursuant to the Agreement in a manner consistent with Customer’s obligations under the applicable provisions of the CCPA/CPRA.
   3. Service Provider must notify Customer promptly if it receives any complaint, notice, or communication that directly or indirectly relates either Party’s compliance with the CCPA/CPRA with respect to personal information collected pursuant to the Agreement, or if Service Provider determines it cannot meet its obligations under the applicable provisions of the CCPA/CPRA.
   4. The Service Provider will permit Customer, upon thirty (30) days advance written notice, to take reasonable and appropriate steps to stop and remediate the use of personal information collected pursuant to the Agreement that is unauthorized under the CCPA/CPRA and these Provisions.
      
      
4. Subcontracting
   1. Service Provider may use subcontractors to provide the Contracted Business Services. Any subcontractor used must qualify as a service provider under the CCPA/CPRA to the extent any such subcontractor would be required to collect, use, maintain, or disclose personal information collected pursuant to the Agreement hereunder, and Service Provider may not make any disclosures of personal information collected pursuant to the Agreement to the subcontractor that the CCPA/CPRA would treat as a sale or sharing of personal information.
   2. Service Provider will notify Customer in the event it engages any other person to assist Service Provider in processing personal information collected pursuant to the Agreement for a business purpose on behalf of the Customer, and in such case, the engagement shall be pursuant to a written contract that includes the applicable obligations in these Provisions, to the extent required by the CCPA/CPRA.
      
      
5. General
   1. Nothing in the Agreement or these Provisions, whether expressed or implied, is intended to confer any rights or remedies under or by reason of same on any persons, including consumer, other than the Parties to it and their respective successors and permitted assigns, nor shall any provisions give any third parties any right of subrogation or action against any Party to the Agreement.
   2. Both Parties will comply with all applicable requirements of the CCPA/CPRA when collecting, using, retaining, or disclosing personal information collected pursuant to the Agreement, including providing the same level of privacy protections required thereunder.
   3. Service Provider understands these Provisions and the CCPA/CPRA’s restrictions and prohibitions on selling or sharing personal information collected pursuant to the Agreement and retaining, using, or disclosing personal information collected pursuant to the Agreement outside of the Parties’ direct business relationship, and it will comply with them.
   4. For avoidance of doubt, the Provisions apply only to the extent required under the CCPA. For example, and without limitation, these Provisions do not apply to personal information that is collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). The Provisions also do not apply to any protected health information that is collected, processed, sold, or disclosed pursuant to the federal Health Insurance Portability and Accountability Act, and implementing regulations.

Utah Consumer Privacy Act (“UCPA”) Provisions

If applicable, the provisions in this section concerning the Utah Consumer Privacy Act (“Provisions”) are incorporated into the Agreement by and between Service Provider and Customer, with an effective date the same as for the Agreement. The obligations of this section of the Addendum shall apply solely to the extent that Customer is a controller as defined under UCPA and the personal data is covered by the UCPA.

1. Definitions. The following definitions and rules of interpretation apply in these Provisions:
   1. UCPA means the Utah Consumer Privacy Act, as amended (Utah Code. Ann. §§ 13-61-101 to 13-61-404), and any related regulations or guidance provided by the Utah Attorney General. Terms defined in the UCPA, including personal data, carry the same meaning in these Provisions.
   2. “Contracted Business Purposes” means the Services described in the Agreement.
   3. “Authorized Persons” means the persons or categories of persons that authorize Customer to provide the Service Provider with personal data for processing in accordance with their instructions.
      
      
2. Service Provider’s UCPA Obligations
   1. Service Provider will only collect, use, retain, or disclose personal data collected pursuant to the Agreement as reasonably necessary and proportionate to achieve the Contracted Business Purposes for which Customer provides or permits personal data access in accordance with the Customer’s instructions from Authorized Persons, and as permitted under the Agreement or as required by law. Service Provider will not be obligated to follow instructions from any persons at the Customer other than Authorized Persons.
   2. Service Provider will not sell personal data collected pursuant to the Agreement belonging to Customer.
   3. Service Provider will ensure each person processing personal data under this Agreement is subject to a duty of confidentiality with respect to the personal data.
   4. If a law requires the Service Provider to disclose personal data collected pursuant to the Agreement for a purpose unrelated to the Contracted Business Purposes, the Service Provider must first inform the Customer of the legal requirement and give the Customer a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice. In the event Customer fails to respond promptly and Service Provider determines, in its sole discretion, such disclosure is required by law, Service Provider may make the disclosure and shall not be liable therefor in any way under the Agreement or these Provisions.
   5. Service Provider will promptly comply with any reasonable Customer request or instruction from Authorized Persons reasonably necessary for Service Provider to provide, amend, limit, transfer, or delete the personal data collected pursuant to the Agreement, or to stop, mitigate, or remedy any unauthorized processing or personal data collected pursuant to the Agreement, except where required; provided, however, that the obligations in this paragraph shall (i) extend only to requests made by consumers or those authorized to act on behalf of consumers under the UCPA, and (ii) in the case of deletion of personal data, apply only to the extent the deletion is impossible or involved disproportionate effort. Service Provider reserves the right to charge Customer its then current fees for responding to such requests or instructions. The obligations in this paragraph are subject to the nature of the processing and information available to Service Provider collected pursuant to the Agreement. In its role as processor, Service Provider will not be required to comply with a request submitted directly to Service Provider by a consumer, but shall promptly inform Customer of the request and reasonably cooperate with Customer as required under these Provisions and the UCPA.
   6. Service Provider will delete or return all personal data obtained or created in connection with the Contracted Business Purposes to Customer and delete any existing copies of same upon termination of the Agreement, except where applicable law requires or permits Service Provider to retain copies of such personal data.
   7. Service Provider will maintain reasonable and appropriate technical and organizational measures appropriate to the applicable risk related to personal data collected pursuant to the Agreement.
      
      
3. Subcontracting
   1. Service Provider may use subcontractors to provide the Contracted Business Services. Any subcontractor used must agree in writing to meet substantially similar obligations as Service Provider under these Provisions solely with respect to personal data under the UCPA collected pursuant to the Agreement.
      
      
4. General
   1. Nothing in the Agreement or these Provisions, whether expressed or implied, is intended to confer any rights or remedies under or by reason of same on any persons, including consumer, other than the Parties to it and their respective successors and permitted assigns, nor shall any provisions give any third parties any right of subrogation or action against any Party to the Agreement.
   2. Both Parties will comply with all applicable requirements of the UCPA when collecting, using, retaining, or disclosing personal data collected pursuant to the Agreement.

Virginia Consumer Data Privacy Act (“VCDPA”) Provisions

If applicable, the provisions in this section concerning the Virginia Consumer Data Privacy Act (“Provisions”) are incorporated into the Agreement by and between Service Provider and Customer, with an effective date the same as for the Agreement. The obligations of this section of the Addendum shall apply solely to the extent that Customer is a controller as defined under VCDPA and the personal data is covered by the VCDPA.

1. Definitions: The following definitions and rules of interpretation apply in these Provisions:
   1. VCDPA means the Virginia Consumer Data Privacy Act, as amended (Va. Code. Ann. §§ 59.1-571 to 59.1-581), and any related regulations or guidance provided by the Virginia Attorney General. Terms defined in the VCDPA, including personal data, carry the same meaning in these Provisions.
   2. “Contracted Business Purposes” means the Services described in the Agreement.
   3. “Authorized Persons” means the persons or categories of persons that authorize Customer to provide the Service Provider with personal data for processing in accordance with their instructions.
      
      
2. Service Provider’s VCDPA Obligations
   1. Service Provider will only collect, use, retain, or disclose personal data collected pursuant to the Agreement as reasonably necessary and proportionate to achieve the Contracted Business Purposes for which Customer provides or permits personal data collected pursuant to the Agreement access in accordance with the Customer’s instructions from Authorized Persons, and as permitted under the Agreement or as required by law. Service Provider will not be obligated to follow instructions from any persons at the Customer other than Authorized Persons.
   2. Service Provider will not sell personal data collected pursuant to the Agreement belonging to Customer.
   3. Service Provider will ensure each person processing personal data under these provisons is subject to a duty of confidentiality with respect to the personal data collected pursuant to the Agreement.
   4. If a law requires the Service Provider to disclose personal data collected pursuant to the Agreement for a purpose unrelated to the Contracted Business Purposes, the Service Provider must first inform the Customer of the legal requirement and give the Customer a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice. In the event Customer fails to respond promptly and Service Provider determines, in its sole discretion, such disclosure is required by law, Service Provider may make the disclosure and shall not be liable therefor in any way under the Agreement or these Provisions.
   5. Service Provider will promptly comply with any reasonable Customer request or instruction from Authorized Persons reasonably necessary for Service Provider to provide, amend, limit, transfer, or delete the personal data collected pursuant to the Agreement, or to stop, mitigate, or remedy any unauthorized processing of personal data collected pursuant to the Agreement, except where required; provided, however, that the obligations in this paragraph shall (i) extend only to requests made by consumers or those authorized to act on behalf of consumers under the VCDPA, and (ii) in the case of deletion of personal data collected pursuant to the Agreement, apply only to the extent the deletion is impossible or involved disproportionate effort. Service Provider reserves the right to charge Customer its then current fees for responding to such requests or instructions. The obligations in this paragraph are subject to the nature of the processing and information available to Service Provider. In its role as processor, Service Provider will not be required to comply with a request submitted directly to Service Provider by a consumer, but shall promptly inform Customer of the request and reasonably cooperate with Customer as required under this Agreement and the VCDPA.
   6. The Service Provider may arrange for a qualified and independent assessor to conduct an assessment of the Service Provider’s policies and technical and organizational measures in support of its obligations under the VCDPA with respect to personal data collected pursuant to the Agreement using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Service Provider shall provide a report of such assessment to Customer upon written request.
   7. Upon the reasonable request of Customer and no less than thirty (30) days advance notice, Service Provider will make available to Customer information necessary to demonstrate Service Provider’s compliance with its obligations under the VCDPA with respect to personal data collected pursuant to the Agreement to the extent required thereunder.
   8. Service Provider will delete or return all personal data obtained or created in connection with the Contracted Business Purposes to Customer and delete any existing copies of same upon termination of the Agreement, except where applicable law requires or permits Service Provider to retain copies of such personal data.
   9. Service Provider will maintain reasonable and appropriate technical and organizational measures appropriate to the applicable risk related to personal data collected pursuant to the Agreement.
      
      
3. Subcontracting
   1. Service Provider may use subcontractors to provide the Contracted Business Services. Any subcontractor used must agree in writing to meet substantially similar obligations as Service Provider under these Provisions solely with respect to personal data collected pursuant to the Agreement under the VCDPA.
      
      
4. General
   1. Nothing in the Agreement or these Provisions, whether expressed or implied, is intended to confer any rights or remedies under or by reason of same on any persons, including consumer, other than the Parties to it and their respective successors and permitted assigns, nor shall any provisions give any third parties any right of subrogation or action against any Party to the Agreement.
   2. Both Parties will comply with all applicable requirements of the VCDPA when collecting, using, retaining, or disclosing personal data collected pursuant to the Agreement.

Colorado Privacy Act (“CPA”) Provisions

If applicable, the provisions in this section concerning the Colorado Privacy Act (“Provisions”) are incorporated into the Agreement by and between Service Provider and Customer, with an effective date the same as for the Agreement. The obligations of this section of the Addendum shall apply solely to the extent that Customer is a controller as defined under CPA and the personal data is covered by the CPA.

1. Definitions. The following definitions and rules of interpretation apply in these Provisions:
   1. CPA means the Colorado Privacy Act, as amended (Col. Rev. Stat. §§ 6-1-1301 et seq.), and any related regulations or guidance provided by the Colorado Attorney General. Terms defined in the CPA, including personal data, carry the same meaning in these Provisions.
   2. “Contracted Business Purposes” means the Services described in the Agreement.
   3. “Authorized Persons” means the persons or categories of persons that authorize Customer to provide the Service Provider with personal data for processing in accordance with their instructions.
      
      
2. Service Provider’s CPA Obligations
   1. Service Provider will only collect, use, retain, or disclose personal data collected pursuant to the Agreement as reasonably necessary and proportionate to achieve the Contracted Business Purposes for which Customer provides or permits personal data collected pursuant to the Agreement access in accordance with the Customer’s instructions from Authorized Persons, and as permitted under the Agreement or as required by law. Service Provider will not be obligated to follow instructions from any persons at the Customer other than Authorized Persons.
   2. Service Provider will not sell personal data collected pursuant to the Agreement belonging to Customer.
   3. Service Provider will ensure each person processing personal data under these Provisions is subject to a duty of confidentiality with respect to the personal data collected pursuant to the Agreement.
   4. If a law requires the Service Provider to disclose personal data collected pursuant to the Agreement for a purpose unrelated to the Contracted Business Purposes, the Service Provider must first inform the Customer of the legal requirement and give the Customer a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice. In the event Customer fails to respond promptly and Service Provider determines, in its sole discretion, such disclosure is required by law, Service Provider may make the disclosure and shall not be liable therefor in any way under the Agreement or these Provisions.
   5. Service Provider will promptly comply with any reasonable Customer request or instruction from Authorized Persons reasonably necessary for Service Provider to provide, amend, limit, transfer, or delete the personal data collected pursuant to the Agreement, or to stop, mitigate, or remedy any unauthorized processing of personal data collected pursuant to the Agreement, except where required; provided, however, that the obligations in this paragraph shall (i) extend only to requests made by consumers or those authorized to act on behalf of consumers under the CPA, and (ii) in the case of deletion of personal data collected pursuant to the Agreement, apply only to the extent the deletion is impossible or involved disproportionate effort. Service Provider reserves the right to charge Customer its then current fees for responding to such requests or instructions. The obligations in this paragraph are subject to the nature of the processing and information available to Service Provider. In its role as processor, Service Provider will not be required to comply with a request submitted directly to Service Provider by a consumer, but shall promptly inform Customer of the request and reasonably cooperate with Customer as required under these Provisions and the CPA.
   6. The Service Provider may arrange for a qualified and independent assessor to annually conduct an assessment of the Service Provider’s policies and technical and organizational measures in support of its obligations under the CPA with respect to personal data collected pursuant to the Agreement using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Service Provider shall provide a report of such assessment to Customer upon written request.
   7. Upon the reasonable request of Customer and no less than thirty (30) days advance notice, Service Provider will make available to Customer information necessary to demonstrate Service Provider’s compliance with its obligations under the CPA with respect to personal data collected pursuant to the Agreement.
   8. Service Provider will delete or return all personal data obtained or created in connection with the Contracted Business Purposes to Customer and delete any existing copies of same upon termination of the Agreement, except where applicable law requires or permits Service Provider to retain copies of such personal data.
   9. Service Provider will maintain reasonable and appropriate technical and organizational measures appropriate to the applicable risk related to personal data collected pursuant to the Agreement. Service Provider will reasonably cooperate with Customer to allocate responsibilities concerning the security of personal data collected pursuant to the Agreement and to implement the applicable measures.
      
      
3. Subcontracting
   1. Service Provider may use subcontractors to provide the Contracted Business Services provided that it must first provide Customer with an opportunity to reasonably object without unreasonable delay.
   2. Any subcontractor used must agree in writing to meet substantially similar obligations as Service Provider under these Provisions solely with respect to personal data under the CPA collected pursuant to the Agreement.
      
      
4. General
   1. Nothing in the Agreement or these Provisions, whether expressed or implied, is intended to confer any rights or remedies under or by reason of same on any persons, including consumer, other than the Parties to it and their respective successors and permitted assigns, nor shall any provisions give any third parties any right of subrogation or action against any Party to the Agreement.
   2. Both Parties will comply with all applicable requirements of the CPA when collecting, using, retaining, or disclosing personal data collected pursuant to the Agreement.

Connecticut’s Act concerning personal data privacy and online monitoring (“Act”) Provisions

If applicable, the provisions in this section concerning the Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (“Provisions”) are incorporated into the Agreement by and between Service Provider and Customer, with an effective date the same as for the Agreement. The obligations of this section of the Addendum shall apply solely to the extent that Customer is a controller as defined under the Act and the personal data is covered by the Act.

1. Definition.: The following definitions and rules of interpretation apply in these Provisions:
   1. Act means the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, as amended (S.B. No. 6), and any related regulations or guidance provided by the Connecticut Attorney General. Terms defined in the Act, including personal data, carry the same meaning in these Provisions.
   2. “Contracted Business Purposes” means the Services described in the Agreement.
   3. “Authorized Persons” means the persons or categories of persons that authorize Customer to provide the Service Provider with personal data for processing in accordance with their instructions.
      
      
2. Service Provider’s Obligations Under the Act
   1. Service Provider will only collect, use, retain, or disclose personal data collected pursuant to the Agreement as reasonably necessary and proportionate to achieve the Contracted Business Purposes for which Customer provides or permits personal data collected pursuant to the Agreement access in accordance with the Customer’s instructions from Authorized Persons, and as permitted under the Agreement or as required by law. Service Provider will not be obligated to follow instructions from any persons at the Customer other than Authorized Persons.
   2. Service Provider will not sell personal data collected pursuant to the Agreement belonging to Customer.
   3. Service Provider will ensure each person processing personal data under these Provisions is subject to a duty of confidentiality with respect to the personal data collected pursuant to the Agreement.
   4. If a law requires the Service Provider to disclose personal data collected pursuant to the Agreement for a purpose unrelated to the Contracted Business Purposes, the Service Provider must first inform the Customer of the legal requirement and give the Customer a reasonable opportunity to object or challenge the requirement, unless the law prohibits such notice. In the event Customer fails to respond promptly and Service Provider determines, in its sole discretion, such disclosure is required by law, Service Provider may make the disclosure and shall not be liable therefor in any way under the Agreement or these Provisions.
   5. Service Provider will promptly comply with any reasonable Customer request or instruction from Authorized Persons reasonably necessary for Service Provider to provide, amend, limit, transfer, or delete the personal data collected pursuant to the Agreement, or to stop, mitigate, or remedy any unauthorized processing of personal data collected pursuant to the Agreement, except where required; provided, however, that the obligations in this paragraph shall (i) extend only to requests made by consumers or those authorized to act on behalf of consumers under the Act, and (ii) in the case of deletion of personal data collected pursuant to the Agreement, apply only to the extent the deletion is impossible or involved disproportionate effort. Service Provider reserves the right to charge Customer its then current fees for responding to such requests or instructions. The obligations in this paragraph are subject to the nature of the processing and information available to Service Provider. In its role as processor, Service Provider will not be required to comply with a request submitted directly to Service Provider by a consumer, but shall promptly inform Customer of the request and reasonably cooperate with Customer as required under these Provisions and the Act.
   6. The Service Provider may arrange for a qualified and independent assessor to conduct an assessment of the Service Provider’s policies and technical and organizational measures in support of its obligations under the Act with respect to personal data collected pursuant to the Agreement using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Service Provider shall provide a report of such assessment to Customer upon written request.
   7. Upon the reasonable request of Customer and no less than thirty (30) days advance notice, Service Provider will make available to Customer information necessary to demonstrate Service Provider’s compliance with its obligations under the Act with respect to personal data collected pursuant to the Agreement to the extent required thereunder.
   8. Service Provider will delete or return all personal data obtained or created in connection with the Contracted Business Purposes to Customer and delete any existing copies of same upon termination of the Agreement, except where applicable law requires or permits Service Provider to retain copies of such personal data.
   9. Service Provider will maintain reasonable and appropriate technical and organizational measures appropriate to the applicable risk related to personal data collected pursuant to the Agreement.
      
      
3. Subcontracting
   1. Service Provider may use subcontractors to provide the Contracted Business Services. Any subcontractor used must agree in writing to meet substantially similar obligations as Service Provider under this Provisions solely with respect to personal data under the Act collected pursuant to the Agreement.
      
      
4. General
   1. Nothing in the Agreement or these Provisions, whether expressed or implied, is intended to confer any rights or remedies under or by reason of same on any persons, including consumer, other than the Parties to it and their respective successors and permitted assigns, nor shall any provisions give any third parties any right of subrogation or action against any Party to the Agreement.
   2. Both Parties will comply with all applicable requirements of the Act when collecting, using, retaining, or disclosing personal data collected pursuant to the Agreement.