DocuSign Envelope ID:90A54439-23B9-40AF-8246-BFCAAEAA529D
EXHIBIT B

Data Processing Addendum

This Data Processing Addendum (the "DPA") sets out the additional terms, requirements, and conditions for which Submittable will obtain, handle, process, disclose, transfer, or store Personal Information when providing Services under the TOS.

Capitalized terms not otherwise defined shall have the meaning given to them in the TOS. Except as modified below, the terms of the TOS shall remain in full force and effect.

In consideration of the mutual obligations set out in this DPA, the parties hereby agree that the terms and conditions set out below shall supplement the TOS.

1. Definitions and Interpretation.

1.1 The following definitions and rules of interpretation apply in this DPA.

"Authorized Affiliate" means any of Customer's Affiliate(s) which (a) is subject to the Privacy and Data Protection Requirements, and (b) is permitted to use the Services pursuant to the TOS, but has not signed its own Order Form and is not a "Customer" as defined under the TOS.

"Business Purpose" means the Services described in the TOS or any other purpose specifically identified in Appendix A.

"Controller" means Customer.

"Data Subject" means an individual who is the subject of Personal Information.

"Personal Information" means any information Submittable Processes on behalf of Customer or Customer's Authorized Affiliate under or in connection with the TOS that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Submittable's possession or control, or (b) as the relevant Privacy and Data Protection Requirements otherwise define as protected personal information. Personal Information does not include End User Data which is Processed outside of the TOS.

"Privacy and Data Protection Requirements" means all applicable federal, state, and foreign Laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the Gramm-Leach-Bliley Act (GLBA) (where applicable); the EU Data Protection Directive 95/46/EC (the "Directive") or, when applicable, EU General Data Protection Regulation 2016/679 ("GDPR"), the implementing acts of the foregoing by the Member States of the European Union; the Family Educational Rights and Privacy Act, 20 USC 1232g and its implementing regulations (FERPA) (where applicable); the Health Insurance Portability and Accountability Act, 45 CFR Part 160.103 and its implementing regulations (HIPAA) (where applicable); and the Payment Card Industry Data Security Standards ("PCI-DSS").

"Processing, Processes, or Process" means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.

"Security Breach" means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or

Submittable Customer Terms of Service v1.1—Exhibit B Page 1 of 12