This Data Processing Addendum (“DPA”) amends the Terms of Service (“Terms”) and is incorporated into and made part of the collective Agreement by reference. The capitalized terms used in this DPA but not defined herein shall have the same meaning as defined in the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail.
This DPA reflects the mutual agreement between Pinpointe and Customer on the terms governing the processing and security of personal data as defined within the General Data Protection Regulation (“GDPR”), effective in all European Economic Area (“EEA”) member states as of May 25, 2018. This DPA only applies to the extent that the GDPR applies to the processing of Personal Data of end users (“Data Subjects”) as defined by the regulation.
California CCPA / CPRA Addendum: In compliance with the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), unless as described otherwise, the definitions of “Data Controller” includes “Business”; “Data Processor” includes “Service Provider”; “Data Subject” includes “Consumer”, “Personal Data” includes “Personal Information”; in each case as defined under the CCPA and any further amendment of definition as provided in the CPRA.
Personal Data Processing and Handling
Pinpointe and Customer (collectively, the “Parties”) acknowledge and agree that:
(i) In the context of this DPA, Pinpointe is a Data Processor of Personal Data as defined under the GDPR definition.
(ii) Customer appoints and authorizes Pinpointe to act as a processor of Personal Data that Customer controls and makes available to Pinpointe as part of Customer’s utilization of the Services.
(iii) Customer is a Data Controller or Data Processor, as applicable, of Personal Data under the GDPR. In the event that Customer is a Data Processor, Customer warrants to Pinpointe that Customer’s instructions and actions with respect to Personal Data, including its appointment of Pinpointe as another Data Processor, have been authorized by the relevant Data Controller.
(iv) Each of the Parties agree to comply with all rules and regulations in the handling of Personal Data under its respective control in accordance with the GDPR.
By entering into this DPA, Customer authorizes and instructs Pinpointe to process Personal Data only in accordance with applicable law, which may include, but not be limited to:
(i) Providing the processing and storage of Personal Data and any technical support as set for in the Agreement.
(ii) As further specified via Customer’s use of Pinpointe’s Services (including technical support) or via request by Customer and agreed to by Pinpointe.
(iii) As documented in and provided by the Terms of Service, Privacy Policy and this DPA, collectively known as the Agreement.
(iv) As further documented in any other written instructions given by the Customer and acknowledged by Pinpointe as constituting instructions for the purpose of this DPA.
Pinpointe will enact these Customer instructions unless EEA law to which Pinpointe is subject requires other processing or disposition of Personal Data by Pinpointe. In such an event, Pinpointe will notify Customer unless EEA law prohibits Pinpointe from doing so on the grounds of public interest.
Personal Data Security
Pinpointe uses reasonable measures to protect and secure Personal Data under its control against accidental or willful misuse, destruction, transfer, alteration, loss, unauthorized access or disclosure. Access to Pinpointe’s Services is via secure (https) portals to ensure secure transmission of login credentials and passwords. Access to Pinpointe’s servers and data is limited to authorized personnel whose functions require such access to perform their duties.
In the event Pinpointe becomes aware of a security breach that results in the accidental or willful misuse, destruction, transfer, alteration, loss, unauthorized access or disclosure of Personal Data on our servers (“Incident”), we will promptly inform Customer via Customer’s registered email address and/or Pinpointe’s in-application notifications of said Incident without undue delay. Pinpointe will take reasonable steps to secure and minimize any harm to Customer’s data. Customer is responsible for providing and maintaining a valid email address and agrees to notify Pinpointe of any changes to their registered email address on file with Pinpointe. Our notification of our response to an Incident shall not be construed as an acknowledgement of any fault or liability with respect to the Incident.
Customer agrees they are solely responsible for their use of Pinpointe’s Services, including securing their account credentials, the systems and devices Customer uses to access the Services. Pinpointe has no obligation to protect Customer’s Personal Data that Customer elects to store or transfer outside of Pinpointe’s systems.
Personal Data Deletion
The Services include mechanisms by which Customer may delete Personal Data as required, such as at the direction of a relevant Data Subject. The Personal Data will be removed from Pinpointe’s systems in a prompt time frame and within a maximum period of 15 days unless applicable laws require storage of such data for a specified period of time. Customer has the option of exporting all Personal Data prior to deletion.
Personal Data Rights
EEA Data Subjects have the right under the GDPR to view their Personal Data, update or correct it, or have their Personal Data be deleted (commonly referred to as “The Right To Be Forgotten”).
In the event Pinpointe receives a request from an EEA Data Subject regarding their Personal Data, we will advise Data Subject to forward their request to Customer. Customer is responsible for responding to such request using the features we provide as part of our Services. Pursuant to the terms of the Agreement, Pinpointe shall provide reasonable and timely assistance to Customer to enable Customer to comply with such Data Subject requests or such lawful requests by third-parties as mandated by law or regulation.
Customer agrees and warrants to use all reasonable means to verify the identity of the Data Subject (or other requesting third-party) making such requests regarding Personal Data before Customer modifies, shares or deletes said Personal Data.
California CCPA / CPRA Addendum: Pinpointe’s obligations regarding personal data rights and data subject requests by Data Subjects (as described above under the “Personal Data Rights” section ) in this DPA extend to rights requests under the CCPA and CPRA.
Personal Data Transfer
Customer agrees and warrants that it will use reasonable means to comply with all applicable laws when transferring Personal Data of those Data Subjects who reside in or are governed by EEA law and regulations.
DPA Changes
Pinpointe reserves the right to modify this DPA from time to time. In the event of a significant change to the terms and conditions herein, we will notify Customer via Customer’s registered email address or provide a notice on our website. Pinpointe suggests Customer periodically review our Terms of Service, Privacy Policy and this DPA for any additional information made available by Pinpointe therein.