Legal — Data Processing Addendum

DATA PROCESSING ADDENDUM – KAGR LLC

This Data Processing Addendum (“DPA“) is effective as of the Effective Date of the Master Client Agreement (the “Agreement”) by and between Client and KAGR LLC (“KAGR”). This DPA is supplemental to the Agreement. Any capitalized terms used in this DPA without definition have the meanings given to them in the Agreement.

  1. Definitions
    1. For the purposes of this DPA:
      1. CCPA” means the California Consumer Protection Act.
      2. Data Protection Laws” means all applicable laws and regulations related to privacy and the handling of personal data under the Agreement including without limitation GDPR and CCPA.
      3. EEA” means the European Economic Area.
      4. GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
      5. The terms “Controller“, “Processor“, “processing“, and “special categories of data” have the meanings given to them in the Data Protection Laws.
  2. Applicability of DPA. This DPA will apply to the extent that KAGR processes Personal Data falling within the scope of the Data Protection Laws on behalf of Client in the course of KAGR providing Services to Client.
  3. Roles and Responsibilities
    1. Roles of the Parties. As between KAGR and Client, Client is the Controller of the Personal Data that is provided to KAGR for processing under the Agreement and KAGR shall process the Personal Data as a data Processor on behalf of Client.
    2. Client Processing of Personal Data. Client shall be responsible for:
      1. Complying with all Data Protection Laws in respect of its use of the KAGR Services, its processing of the Personal Data, and any processing instructions it issues to KAGR;
      2. Ensuring it has the right to transfer, or provide access to, the Personal Data to KAGR for processing pursuant to the Agreement and this DPA; and
      3. Ensuring that it shall not disclose (nor permit any individual to disclose) any special categories of data or Sensitive Data to KAGR for processing absent KAGR’s express written request to do so.
    3. KAGR’s processing of Personal Data. KAGR shall retain, use, disclose and otherwise process the Personal Data only for the purposes described in the Agreement and/or applicable SOW between KAGR and Client, and in accordance with any additional lawful, documented instructions provided by Client to KAGR in writing.
  4. Sub-processing
    1. Sub-processors. Client agrees that KAGR may engage KAGR affiliates and third party sub-processors (“Sub-processors“) to process Personal Data on KAGR’s behalf provided that:
      1. KAGR imposes on such Sub-processors data protection terms that require it to protect the Personal Data to the standard required by Data Protection Laws; and
      2. Between KAGR and Client, KAGR shall be liable for any breach of this DPA caused by a Sub-processor.
  5. International Transfers
    1. International transfers. Client shall not request or instruct KAGR, and KAGR shall have no obligation, to transfer Personal Data from any jurisdiction to any other jurisdiction (the EEA constituting a single jurisdiction for this purpose), without Client confirming in writing to KAGR that such request complies with Data Protection Laws. Client authorizes KAGR to process Personal Data in the United States and KAGR agrees, upon Client’s request, to execute the standard contractual clauses for processors as approved by the European Commission (with Client as ‘data exporter’ and KAGR as ‘data importer’ as defined therein), where required.  
  6. Cooperation
    1. Individual’s rights. KAGR shall provide reasonable assistance to Client, where possible, to enable Client to respond to requests from individuals seeking to exercise their rights under Data Protection Laws. In the event that an individual’s request is made directly to KAGR, KAGR shall promptly inform Client of the same.
    2. KAGR shall, taking into account the nature of the processing and the information available to it, provide reasonable assistance needed to fulfil Client’s obligations under the Data Protection Laws.
  7. Return/Deletion of Personal Data. Within 90 days of termination or expiration of the Agreement, KAGR shall delete the Personal Data in KAGR’s possession, or return the Personal Data to Client upon written request. This requirement shall not apply (a) to the extent that KAGR is required by Applicable Law, to retain some or all of the Personal Dataor (b) to the extent that KAGR is allowed by Applicable Law (including Data Protection Laws) to retain Personal Data archived on backup systems.
  8. Miscellaneous
    1. Except as amended by this DPA, the Agreement will remain in full force and effect.
    2. Any claims brought under this DPA shall be subject to the Agreement, including but not limited to the limitations of liability set forth in the Agreement.
    3. If there is a conflict between this DPA and the Agreement, the DPA will control.