This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data (defined below) is processed by Happyrobot under this Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable Data Protection Laws (defined below) and with due respect for the rights and freedoms of individuals whose Personal Data is processed.
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
1.1. "Authorized Sub-Processor" means a third-party who has a need to know or otherwise access Customer's Personal Data to enable Happyrobot to perform its obligations under this DPA or the Agreement, and who is authorized under Section 4.2 of this DPA.
1.2. "Customer Personal Data" means any Personal Data processed by HappyRobot on behalf of Customer pursuant to the Agreement.
1.3. "Data Exporter" means Customer.
1.4. "Data Importer" means Happyrobot.
1.5. "Data Protection Laws" means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data including: (i) US state privacy laws, including, but not limited to, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"); (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR" or "GDPR"), (iii) the Swiss Federal Act on Data Protection, (iv) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (v) the UK Data Protection Act 2018; (vi) the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (xii) other privacy laws governing the processing of Personal Data or Personal Information; in each case, as updated, amended or replaced from time to time. The terms "processing," "processor," "controller," and "supervisory authority" shall have the meanings set forth under applicable Data Protection Laws.
1.6. "Data Subject" means an individual that is protected under any applicable Data Protection Law.
1.7. "EU SCCs" means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of Personal Data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time), the current version of which is available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
1.8. "ex-EEA Transfer" means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (the "EEA"), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
1.9. "ex-UK Transfer" means the transfer of Personal Data, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the "UK"), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
1.10. "Personal Data" or any such variation of the term (such as "Personal Information" or "Personally Identifiable Information") shall have the meaning set forth under applicable Data Protection Laws.
1.11. "Security Incident" means any confirmed unauthorized action by a known or unknown person which should reasonably be considered one of the following: an attack, penetration, unauthorized disclosure, misuse of system access, unauthorized access or intrusion (hacking), virus intrusion, or scan of Happyrobot's systems or networks, all to the extent they affect the security, confidentiality, or integrity of Customer Personal Data or Customer Confidential Information received, stored, processed, or maintained by Happyrobot.
1.12. "Standard Contractual Clauses" means the EU SCCs.
1.13. "UK Addendum" means the international data transfer addendum to the EU SCCs issued by the UK Information Commissioner for parties making restricted transfers under the UK GDPR, the current version of which is available at: https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf.
1.14. "UK IDTA" means the international data transfer agreement adopted by the United Kingdom and adopted by the UK Information Commissioner for parties making restricted transfers under the UK GDPR, the current version of which is available here: https://ico.org.uk/media2/migrated/4019538/international-data-transfer-agreement.pdf.
2.1. The Parties acknowledge and agree that: (a) Customer may process Personal Data on behalf of Customer End Clients in connection with services delivered by Customer utilizing the Platform, in which case Customer acts as a processor and Happyrobot acts as a sub-processor; (b) to the extent Customer processes Personal Data as a controller (such as Personal Data relating to Customer's own employees or business contacts), Happyrobot acts as a processor with respect to such Personal Data; (c) Customer represents and warrants that it has obtained all necessary consents or authorizations from Customer End Clients (or other applicable data controllers) and provided all legally required notices to engage Happyrobot as a sub-processor and to transfer Personal Data to Happyrobot for processing; and (d) Customer shall ensure that its instructions to Happyrobot are lawful and consistent with the instructions received from any applicable data controller.
2.2. Happyrobot shall not process Personal Data (i) for purposes other than those set forth in the Agreement and (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Customer.
2.3. The Parties agree that the details of the data processing subject to this DPA are outlined in Exhibit 1 to this DPA.
2.4. Following completion of the Services, at Customer's choice, Happyrobot shall return or delete Customer's Personal Data, unless further storage of such Personal Data is required or authorized by applicable Data Protection Laws. If return or destruction is impracticable or prohibited by law, rule, or regulation, Happyrobot shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule, or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.
2.5. CCPA. The Parties acknowledge that their relationship under the CCPA is governed by the CCPA Addendum to this DPA, listed in Exhibit 5.
2.6. Customer Obligations for Third-Party Service Delivery. Where Customer processes Personal Data on behalf of Customer End Clients in connection with services delivered utilizing the Platform, Customer represents, warrants, and covenants that: (a) it has lawful authority from each applicable Customer End Client (or other data controller) to engage Happyrobot as a sub-processor and to transfer Personal Data to Happyrobot for processing in accordance with this DPA; (b) it has entered into appropriate data processing agreements with Customer End Clients as required by applicable Data Protection Laws, including provisions that authorize Customer to engage sub-processors such as Happyrobot; (c) it will only provide Happyrobot with Personal Data for which it has obtained all necessary consents, authorizations, or other lawful bases from the applicable Customer End Clients or other data controller; (d) it will promptly notify Happyrobot of any data subject requests, regulatory inquiries, or complaints received from or on behalf of a Customer End Clients, and will be solely responsible for responding to such requests, inquiries, or complaints at its own cost and expense; (e) it will maintain accurate records of all Customer End Clients on whose behalf it processes Personal Data through the Platform and will provide such records to Happyrobot upon request within five (5) business days; (f) it will indemnify and hold harmless Happyrobot from and against any Losses arising from any claim by a Customer End Clients, data subject, or regulatory authority related to Customer's processing of Personal Data in connection with services delivered to Customer End Clients, including any claim that Customer lacked authority to engage Happyrobot as a sub-processor; (g) it acknowledges that Happyrobot may rely on Customer's representations and warranties in this Section 2.6 and may suspend or terminate Services immediately if any such representation or warranty proves to be materially false or misleading; and (h) any breach of this Section 2.6 shall constitute a material breach of this DPA for which there shall be no cure period.
3.1. Happyrobot shall ensure that any person it authorizes to process Personal Data is subject to a duty of confidentiality. Happyrobot shall ensure that such persons are prohibited from further disclosing Personal Data they receive pursuant to this Agreement except for the purpose of performing obligations under the Agreement or exercising any rights granted in the Agreement.
4.1. Customer acknowledges and agrees that Happyrobot may engage its sub-processors to access and process Customer Personal Data in connection with the Services.
4.2. Customer agrees that Happyrobot may use any Authorized Sub-Processors to process Customer Personal Data pursuant to the Agreement that are listed in Exhibit 4. Happyrobot will provide Customer with notice of any new sub-processors it uses in relation to the processing of Customer Personal Data by updating the List. Customer may have the right to object to the use of such additional sub-processors under applicable Data Protection Laws.
4.3. Happyrobot will enter into an agreement with its Authorized Sub-processors imposing on the Authorized Sub-Processors data protection obligations comparable to those imposed on Happyrobot under this DPA and consistent with applicable Data Protection Laws with respect to the protection of Customer Personal Data. Customer shall be solely responsible for: (a) ensuring that Customer has all necessary authorizations from Customer End Clients (or other applicable data controllers) to engage Happyrobot as a sub-processor; (b) responding to any inquiries from Customer End Clients regarding Happyrobot's data processing activities; and (c) flowing down any required information about sub-processors to Customer End Clients as required by applicable Data Protection Laws.
4.4. If Customer and Happyrobot have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data): (a) the above authorizations will constitute Customer's prior written consent to the subcontracting by Happyrobot of the processing of Customer Personal Data if such consent is required under the Standard Contractual Clauses; and (b) the Parties agree that the copies of the agreements with Authorized Sub-Processors that must be provided by Happyrobot to Customer pursuant to Clause 9(c) of the EU SCCs or the UK IDTA or UK Addendum (as applicable) may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by the Happyrobot beforehand, and that we will provide such copies only upon request by Customer.
5.1. Taking into account the context of the processing, Happyrobot shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Customer Personal Data. Such security measures shall be consistent with our security obligations in the Agreement. Exhibit 3 sets forth additional information about our technical and organizational security measures.
5.2. Happyrobot shall notify Customer of all known Security Incidents within the time periods required under applicable Data Protection Laws. Happyrobot's notice to Customer regarding such Security Incidents shall include all of the information required under applicable Data Protection Laws.
6.1. The Parties agree that Happyrobot may transfer Personal Data processed under this DPA outside the EEA, the UK, or Switzerland as necessary to provide the Services. If we transfer Personal Data protected under this DPA to a jurisdiction for which the European Commission has not issued an adequacy decision, we will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.
6.2. Ex-EEA Transfers. The Parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
6.2.1. Module Two (Controller to Processor) of the EU SCCs apply when Customer is a controller and Happyrobot is processing Personal Data for Customer as a processor pursuant to Section 2 of this DPA.
6.3. For each module, where applicable the following applies:
6.3.1. The optional docking clause in Clause 7 does not apply;
6.3.2. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Section 4.2 of this DPA;
6.3.3. In Clause 11, the optional language does not apply;
6.3.4. All square brackets in Clause 13 are hereby removed;
6.3.5. In Clause 17 (Option 1), the EU SCCs will be governed by Irish law;
6.3.6. In Clause 18(b), disputes will be resolved before the courts of Ireland;
6.3.7. Exhibit 2 to this DPA contains the information required in Annex I of the EU SCCs;
6.3.8. Exhibit 3 to this DPA contains the information required in Annex II of the EU SCCs; and
6.3.9. By entering into this DPA, the Parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.
6.4. Ex-UK Transfers. The Parties agree that ex-UK Transfers are made pursuant to the provisions in this section or the UK International Data Transfer Agreement ("IDTA"), whichever applies.
6.4.1. Data Exports from the United Kingdom under the Standard Contractual Clauses. For ex-UK Transfers where the EU SCCs also apply, the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the UK Information Commissioner's Office ("ICO") and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses ("Approved Addendum") shall apply. The information required for Tables 1 and 3 of Part One of the Approved Addendum is set out in Exhibits 1, 2, and 3 of this DPA (as applicable). The information required for Table 2 is set out in Section 6 of this DPA. For the purposes of Table 4 of Part One of the Approved Addendum, the importer may end the Approved Addendum when it changes.
6.5. Transfers from Switzerland. The Parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
6.5.1. The terms "General Data Protection Regulation" or "Regulation (EU) 2016/679" as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the "FADP," and as revised as of 25 September 2020, the "Revised FADP") with respect to data transfers subject to the FADP.
6.5.2. The terms of the EU SCCs shall be interpreted to protect the data of legal entities in accordance with the Federal Act on Data Protection.
6.5.3. Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner ("FDPIC") of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed.
6.5.4. The term "EU Member State" as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.
6.6. Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:
6.6.1. As of the date of this DPA, the Data Importer has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported, for access to (or for copies of) Customer's Personal Data ("Government Agency Requests");
6.6.2. If, after the date of this DPA, the Data Importer receives any Government Agency Requests, Data Importer shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, Data Importer may provide Customer's basic contact information to the government agency. If compelled to disclose Customer's Personal Data to a law enforcement or government agency, Data Importer shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy unless Data Importer is legally prohibited from doing so. Data Importer shall not voluntarily disclose Personal Data to any law enforcement or government agency. Data Exporter and Data Importer shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this DPA should be suspended in the light of such Government Agency Requests; and
6.6.3. The Data Exporter and Data Importer will meet as needed to consider whether: (i) the protection afforded by the laws of the country of the Data Importer to data subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be; (ii) additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Laws; and (iii) it is still appropriate for Personal Data to be transferred to the relevant Data Importer, taking into account all relevant information available to the Parties, together with guidance provided by the supervisory authorities.
6.6.4. If Data Protection Laws require the Data Exporter to execute the Standard Contractual Clauses applicable to a particular transfer of Personal Data to a Data Importer as a separate agreement, the Data Importer shall, on request of the Data Exporter, promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required by the Data Exporter to reflect the applicable appendices and annexes, the details of the transfer and the requirements of the relevant Data Protection Laws.
6.6.5. If either: (i) any of the means of legitimizing transfers of Personal Data outside of the EEA or UK set forth in this DPA cease to be valid; or (ii) any supervisory authority requires transfers of Personal Data pursuant to those means to be suspended, then Data Importer may by notice to the Data Exporter, with effect from the date set out in such notice, amend or put in place alternative arrangements in respect of such transfers, as required by Data Protection Laws.
7.1. Happyrobot shall notify Customer upon receipt of a request by a data subject to exercise the Data Subject's rights under applicable Data Protection Laws (such requests individually and collectively "Data Subject Request(s)"). If we receive a Data Subject Request in relation to Personal Data subject to the scope of the DPA, we will follow Customer's instructions in relation to complying with such Data Subject Request, including by completing the request on Customer's behalf to the extent that it is technically feasible. If Customer asks Happyrobot to provide technical assistance in responding to a Data Subject Request, Customer will provide adequate information to us in order for the request to be fulfilled, and Customer shall reimburse Happyrobot for its reasonable costs incurred in providing such assistance. Customer shall be solely responsible for responding to Data Subject Requests from individuals whose Personal Data is processed in connection with services delivered to Customer End Clients.
8.1. Happyrobot shall provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under Data Protection Laws to conduct a data protection impact assessment and/or to demonstrate such compliance.
8.2. Upon Customer's request and to the extent required under applicable Data Protection laws, Happyrobot shall allow for, and contribute to, reasonable audits and inspections by Customer or the Customer's designated auditor, Such audits shall only take place annually. If Customer and Happyrobot have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the Parties agree that the audits described in the EU SCCs and the UK IDTA and UK Addendum shall be carried out in accordance with this Section 8.2.
9.1. Except as expressly modified by the terms of this DPA, all the terms and conditions of the Agreement will remain in full force and effect and apply to the terms described in this DPA. To the extent there is any conflict between the terms of the Agreement and the terms of this DPA, the terms of this DPA will govern with respect to the subject matter hereof.
9.2. This DPA and the Agreement constitute the entire agreement between the Parties with respect to the subject matter hereof and merge all prior and contemporaneous communications. The Agreement will not be further modified except by a written agreement dated subsequent to the Effective Date and signed on behalf of both Parties.
9.3. This DPA shall remain in effect as long as Happyrobot processes Customer Personal Data.
Nature and Purpose of Processing: Happyrobot will process Customer's Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer's instructions as set forth in this DPA.
Duration of Processing: Happyrobot will process Customer's Personal Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for our legitimate business needs; or (iii) by applicable law or regulation.
Categories of Data Subjects: Individuals employed by Customer, such as employees, managers, contractors, and members of the HR team; individuals whose Personal Data is processed in connection with services delivered by Customer to Customer End Clients, including employees, customers, and other individuals associated with Customer End Clients; and counterparties to Interactions conducted through the Platform.
Categories of Personal Data: Full name. Work email address. Work phone number. Job title. Department. In-app communications such as comments, messages, or other forms of user-generated content within the platform.
Sensitive Data or Special Categories of Data: Customer is prohibited from providing sensitive personal data or special categories of data to Happyrobot.
The following includes the information required by Annex I and Annex III of the EU SCCs, and Appendix 1 of the UK SCCs.
Data Exporter(s): The Data Exporter is the Customer entity that accepts the Agreement and uses the Services. The Data Exporter's identity and contact details are those provided by Customer in connection with its account, Order Form, or use of the Services. Activities relevant to the data transferred: As described in Section 2 of the Data Processing Agreement (DPA). By accessing or using the Services, or otherwise agreeing to the Agreement, the Customer is deemed to have agreed to and executed this Exhibit and the Standard Contractual Clauses incorporated herein. Role (controller/processor): Controller
Data importer(s): Name: Happyrobot, Inc. Address: 2440 3rd Street, San Francisco, CA 94107, USA. Email: legal@happyrobot.ai. Activities relevant to the data transferred under these Clauses: As described in Section 2 of the DPA. Signature and date: This Exhibit 2 will be deemed executed upon the date of execution of the DPA to which it is attached. Role (controller/processor): Processor
Data Subjects: The Data Exporter may submit personal data to the Data Importer through its software, services, systems, products, and/or technologies, the extent of which is determined and controlled by the Data Exporter in compliance with applicable data protection laws and regulations, and which may include but is not limited to Personal Data relating to the following categories of data subjects: Names and roles of individuals employed by Customer, such as employees, managers, contractors, and members of the HR team, as well as other individuals related to their use of the Services.
Categories of Personal Data: The Personal Data transferred concern the following categories of data: Full name. Work email address. Work phone number. Job title. Department. In-app communications such as comments, messages, or other forms of user-generated content within the platform.
Special Category Personal Data (if applicable): Data Exporters are prohibited from providing sensitive data or special categories to Data Importer.
Nature of the Processing: Data is processed in order for Happyrobot to offer its Services to Customer.
Purposes of Processing: To fulfill each party's obligations under the Agreement.
Duration of Processing and Retention (or the criteria to determine such period): During the term of the Agreement.
Frequency of the transfer: During the term of the Agreement on a periodic basis and/or at the discretion of Customer.
Recipients of Personal Data Transferred to the Data Importer: The list includes the sub-processors identified in Exhibit 4.
The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13.
Measures of pseudonymisation and encryption of personal data: Use strong encryption protocols for data both at rest and in transit. Ensure that encryption keys are stored securely and separately from the encrypted data.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Ensure that the hardware and software used in processing the Personal Data are reliable and protected against all kinds of malicious software and viruses.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Have a secure method of disposal for back-ups containing the Personal Data.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: Conduct regular security audits, vulnerability assessments. Implement a continuous monitoring system for security threats and compliance with security policies. Review and update security policies and procedures periodically based on the assessment results.
Measures for user identification and authorization: Maintain a role-based access control (RBAC) system to ensure users have access only to the data necessary for their job functions. Regularly review and update user access rights.
Measures for the protection of data during transmission: Use secure transmission protocols, such as TLS (Transport Layer Security), to encrypt data in transit.
Measures for the protection of data during storage: Implement secure method of storing Personal Data and control access to the Personal Data. Data is encrypted.
Measures for ensuring events logging: Implement comprehensive logging and monitoring of all access and changes to personal data. Ensure logs are tamper-proof and regularly reviewed for suspicious activities. Maintain logs in a secure, centralized system with restricted access.
Measures for ensuring system configuration, including default configuration: Ensure systems are configured securely by default, following best practices and security guidelines. Regularly review and update system configurations to address emerging threats and vulnerabilities.
Measures for internal IT and IT security governance and management: Provide an appropriate level of information governance for all Personal Data. Take reasonable steps to ensure the reliability of individuals who have access to the Personal Data, including but not limited to ensuring all such individuals understand the confidential nature of the Personal Data and the issues which arise if proper care is not taken in the use of the Personal Data and that all such individuals are properly trained in how to comply with Data Protection Laws prior to accessing the Personal Data.
Measures for certification/assurance of processes and products: Conduct regular internal and external audits to ensure compliance with security standards and certifications. SOC 2 Type 2 audit completed.
Measures for ensuring data minimization: Implement data minimization principles by collecting only the personal data necessary for specific purposes and provided by Customers. Regularly review data collection practices.
Measures for ensuring limited data retention: Establish and enforce data retention policies that specify the minimum period for retaining personal data. Regularly review stored data and securely delete or anonymize data that is no longer needed for its intended purpose.
Measures for ensuring accountability: Assign clear roles and responsibilities for data protection and security within the organization. Implement a data protection management system to monitor compliance with data protection laws and policies. Maintain documentation of processing activities and security measures.
Measures for allowing data portability and ensuring erasure: Implement processes and tools to facilitate data portability requests, ensuring data is provided in a commonly used, machine-readable format. Establish procedures for responding to data erasure requests promptly and securely delete personal data from all systems and backups.
Technical and organizational measures of sub-processors: Ensure sub-processors implement equivalent security measures as those required by the data importer. Conduct due diligence and regular audits of sub-processors to verify compliance with security and data protection standards. Include contractual obligations for sub-processors to adhere to security measures and data protection laws.
Happyrobot may use the following Authorized Sub-Processors to process Personal Data pursuant to the Agreement, including by transferring Personal Data to such entities:
1. MongoDB, Inc. 2. Twilio, Inc. 3. Stripe, Inc. 4. Auth0, Inc. 5. Deepgram, Inc. 6. Elevenlabs, Inc. 7. Cartesia AI, Inc. 8. OpenAI, Inc. 9. Microsoft Corporation. 10. BaseTen Labs, Inc. 11. Anthropic PBC. 12. Google LLC. 13. Amazon Web Services LLC. 14. Groq, Inc. 15. OpenPipe, Inc. 16. Clickhouse, Inc. 17. Cartesia AI, Inc.
To the extent applicable, this CCPA addendum ("Addendum") regulates the processing of Personal Information (as defined in the CCPA) of California residents pursuant to the CCPA by Happyrobot under the Agreement and the DPA. To the extent that there is any inconsistency between this Addendum and the Agreement or the DPA with regard to the processing of Personal Information regulated under the CCPA, this Addendum shall control.
1. Definitions. Any capitalized term in this Addendum that is not otherwise defined in the DPA shall have the meaning given to that term in the CCPA.
2. Representations and Warranties
2.1. Happyrobot represents and warrants that it is a Service Provider or Contractor for the purposes of the services it provides to Customer pursuant to the DPA and the Agreement.
3. Happyrobot's Processing of Customer Personal Data
3.1. Happyrobot shall process Customer Personal Data it receives pursuant to the Agreement only for the limited and specified purposes outlined in Exhibit 1 and is prohibited from using Customer Personal Data for any other purpose.
3.2. Happyrobot shall comply with all applicable sections of the CCPA, including by providing the same level of protection to Customer Personal Data as required by Customer under the law.
3.3. Happyrobot agrees that Customer has the right to take reasonable and appropriate steps to ensure that it uses Customer Personal Data that it receives from or process on behalf of Customer in a manner consistent with Customer's obligations under the CCPA.
3.4. Happyrobot agrees that Customer has the right to take reasonable and appropriate steps to stop and remediate its unauthorized use of Customer Personal Data.
3.5. Happyrobot shall notify Customer as soon as possible after it determines that it can no longer meet its obligations under the CCPA.
3.6. If Happyrobot engages Sub-Processors in relation to providing services to Customer pursuant to the Agreement, it shall have a contract with the Sub-Processor that complies with the CCPA and has the same restrictions on the processing of Customer Personal Data as outlined in this Addendum.
4. Restrictions on Happyrobot's Use of Personal Data
4.1. Happyrobot shall not Sell or Share Customer Personal Data it receives from or processes on behalf of Customer, for purposes outside of those outlined in the DPA and exhibits incorporated by reference in the DPA.
4.2. Happyrobot shall not retain, use, or disclose Customer Personal Data it receives from or processes on behalf of Customer for any purpose (including any Commercial Purpose) other than for the purposes specified in the Agreement, DPA, and except as otherwise permitted by the CCPA.
4.3. Happyrobot shall not retain, use, or disclose Customer Personal Data it receives from or processes on behalf of Customer outside of the direct business relationship between Happyrobot and Customer, except as otherwise permitted under the CCPA.
4.4. Happyrobot shall not combine the Customer Personal Data with Personal Data it receives from or on behalf of another person or which it collects from its own interaction with another individual, provided that we may combine Personal Data to perform any Business Purpose, such as to analyze how users interact with Services, or as otherwise permitted under the CCPA.
5. Consumer Requests
5.1. Customer agrees to: (i) inform Happyrobot of any consumer request made pursuant to the CCPA that they must assist Customer to comply with and (ii) provide the information necessary for Happyrobot to comply with the request.