<br />Submittable Customer Terms of Service
<br />v1.4
<br />EXHIBIT B
<br />DATA PROCESSING ADDENDUM
<br />
<br />This Data Processing Addendum (the “DPA”) sets out the additional terms, requirements, and conditions for which
<br />Submittable will obtain, handle, process, disclose, transfer, or store Personal Information when providing Services under
<br />the TOS to the extent required by Privacy and Data Protection Requirements. Capitalized terms not otherwise defined shall
<br />have the meaning given to them in the TOS. Terms not otherwise defined shall have the meanings set forth in the applicable
<br />Privacy and Data Protection Requirements. Except as modified below, the terms of the TOS shall remain in full force and
<br />effect. The Parties agree to the terms and conditions of this DPA only to the extent required by Privacy and Data Protection
<br />Requirements.
<br />1. Additional Definitions.
<br />“Affiliate” means any other individual, corporation, partnership, joint venture, limited liability entity, governmental
<br />authority, unincorporated organization, trust, association, or other entity that directly or indirectly, through one or
<br />more intermediaries, controls, is controlled by, or is under common control with either Customer or Submittable as
<br />the case may be.
<br />“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the Privacy and Data Protection
<br />Requirements, and (b) is permitted to use the Services pursuant to the TOS, but has not signed its own Order Form
<br />and is not a “Customer” as defined under the TOS.
<br />“Business” has the same meaning given to the term in the CCPA.
<br />“Business Purpose” means the Services described in the TOS.
<br />“Controller” has the same meaning given to the term in the GDPR.
<br />“Data Subject” means an individual who is the subject of Personal Information.
<br />“Personal Information” means any information Submittable Processes on behalf of Customer under or in
<br />connection with the TOS that identifies or relates to an individual who can be identified directly or indirectly from
<br />that data alone or in combination with other information in Submittable’s possession or control.
<br />“Privacy and Data Protection Requirements” means, only to the extent applicable, the Gramm-Leach-Bliley Act
<br />(“GLBA”); the EU Data Protection Directive 95/46/EC (the “Directive”), EU General Data Protection Regulation
<br />2016/679 (“GDPR”), the implementing acts of the foregoing by the Member States of the European Union; the UK
<br />Data Protection Act of 2018 and the UK General Data Protection Regulation; the Family Educational Rights and
<br />Privacy Act, 20 USC 1232g and its implementing regulations (“FERPA”); the Health Insurance Portability and
<br />Accountability Act, 45 CFR Part 160.103 and its implementing regulations (“HIPAA”); the Payment Card Industry
<br />Data Security Standards (“PCI-DSS”); and the California Consumer Privacy Act of 2018 and its implementing
<br />regulations (“CCPA”).
<br />“Processing, Processes, or Process” means any activity performed on Personal Information including collecting,
<br />obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data.
<br />“Processor” has the same meaning given to the term in the GDPR.
<br />“Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss of, alteration,
<br />or unauthorized access, disclosure, or acquisition of Personal Information transmitted, stored, or otherwise
<br />Processed.
<br />“Service Provider” has the same meaning given to the term in the CCPA.
<br />“Standard Contractual Clauses” means the clauses annexed to the EU Commission Implementing Decision
<br />2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries
<br />pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021, p. 31-61),
<br />as amended from time to time.
<br />“Sub-processor” means any third-party engaged by Submittable, or by a Submittable Sub-processor to Process
<br />Personal Information under the Services.
<br />“Supervisory Authority” means an independent public authority which is established by an EU Member State
<br />pursuant to the GDPR.