BREADWARE DATA PROCESSING ADDENDUM
This Data Processing Addendum, including its Schedules (“DPA”) forms part of the Subscription Agreement (the “Agreement”) between Customer, acting on its own behalf, and Breadware Holding LLC, a Colorado Limited Liability Company (“Breadware”) with its principal business offices located at 245 East Liberty Street, Reno, NV 89501 for the purchase of subscription services (identified as “Subscription Services” in the applicable Agreement, and hereinafter defined as “Services”). Customer and Breadware are hereinafter referred to collectively as the “Parties” and individually each as a “Party.” The DPA reflects the Parties’ agreement with regard to the Processing of Personal Data. Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws in the name and on behalf of its Authorized Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services to Customer pursuant to the Agreement, Breadware may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
The terms used in this DPA shall have the meanings set forth below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Breadware, but has not signed its own Order Form with Breadware and is not a “Customer” as defined under this DPA.
“Business Purpose” shall have the same meaning as in the CCPA (Cal. Civ.C. § 1798.140) and its cognate terms shall be construed accordingly.
“CCPA” means the California Consumer Privacy Act of 2018, California Civil Code Section 1798.100, et seq., and, effective January 1, 2023, as amended by the California Privacy Rights Act of 2020 (“CPRA”), and its implementing regulations established by the California Attorney General or the California Privacy Protection Agency, as the case may be.
“Controller” means the entity which determines the purpose and means of the Processing of Personal Data.
“Controller-to-Processor Clauses” means the standard contractual clauses between controllers and processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“Customer” means the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates) which have signed Order Forms.
“Data Breach” means a breach of security leading to the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, access to, or other Processing of Personal Data transmitted, stored, or otherwise Processed.
“Data Protection Laws” means any applicable federal, state, provincial and local laws, rules, regulations, directives, governmental requirements, and ordinances currently in effect and as they become effective relating in any way to the privacy, confidentiality, or security of Personal Data, including, in each case to the extent applicable, but not limited to, EU Data Protection Laws, and the California Consumer Privacy Act of 2018, as amended, including amendments by the California Privacy Rights Act of 2020 (Cal. Civ. Code §§1798.100-1798.199) together with all regulations associated therewith, and any other applicable data protection or privacy legislation or regulation. In the event of a conflict between any of the applicable Data Protection Laws, the state of residence of the Consumer whose Personal Data is at issue shall control.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“Data Subject Request” means a request made by a Data Subject in accordance with the rights granted under Data Protection Laws, including but not limited to requests to know, delete and opt-out under the CCPA and requests to access, rectify, erase, restrict Processing, data portability, object to Processing and not to be subject to automated individual decision-making under EU Data Protection Laws.
“EU Data Protection Laws” means all data protection laws and regulations applicable in Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) with respect to the United Kingdom (“UK”), the U.K. GDPR; and (v) with respect to Switzerland, the Federal Act on Data Protection of 19 June 1992 (“FADP”).
“Europe” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.
“Person” shall have the same meaning as in the CCPA (Cal. Civ.C. § 1798.140) and its cognate terms shall be construed accordingly.
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as Personal Data or personally identifiable information under applicable Data Protection Laws), where for each (i) or (ii), such data is Customer Data.
“Process” or “Processing” means any operation or set of operations which is performed on Personal Information by Breadware or its Subprocessors, or in connection with and for the purposes of the provision of the Services, whether or not accomplished by automatic means, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction; and as defined by Data Protection Laws.
“Processor-to-Processor Clauses” means the standard contractual clauses between processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“Sale” or “Sell” shall have the same meaning as in the CCPA (Cal. Civ.C. § 1798.140) and its cognate terms shall be construed accordingly.
“Services” means the services and other activities to be supplied to or carried out by or on behalf of Breadware for Customer pursuant to the Agreement and the Order Form.
“Service Provider” shall have the same meaning as in the CCPA (Cal. Civ.C. § 1798.140) and its cognate terms shall be construed accordingly.
“Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
“Subprocessor” means any person appointed by or on behalf of Breadware to assist in fulfilling its obligations with respect to providing the Services pursuant to the Breadware Subscription Agreement or this DPA. Subprocessors may include third parties or affiliates of Breadware but shall exclude Breadware employees, contractors, or consultants.
The terms, “Commission,” “Member State,” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
3. PROCESSING OF PERSONAL DATA.
3.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is a Controller or a Processor, Breadware is a Processor and that Breadware may engage Subprocessors pursuant to the requirements set forth in Section 7 “Subprocessors” below.
3.2 Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws, including any applicable requirement to provide notice to Data Subjects of the use of Breadware as Processor (including where the Customer is a Processor, by ensuring that the ultimate Controller does so). For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted-out from sales or other disclosures of Personal Data, to the extent applicable under Data Protection Laws.
3.3 Breadware’s Processing of Personal Data. Breadware shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
3.4 Details of the Processing.
a. Subject matter. Breadware’s provision of the Services to Customer.
b. Duration. The Term of the Agreement plus the period from the end of the Term until deletion of all Customer Data.
c. Nature and Purpose. Breadware will process Personal Data for the purposes of providing the Services in accordance with this DPA.
d. Categories of Data. Data relating to individuals provided to Breadware via the Services, by (or at the direction of) Customer or by its Users.
e. Data Subjects. Data subjects include the individuals about whom data is provided to Breadware via the Services by (or at the direction of) Customer or by its Users.
3.5 Customer Instructions. Breadware shall inform Customer immediately (i) if, in its opinion, an instruction from Customer constitutes a breach of the Data Protection Laws and/or (ii) if Breadware is unable to follow Customer’s instructions for the Processing of Personal Data.
4. SALE AND USE OF PERSONAL DATA
4.1 Breadware will not sell or share the Personal Data Processed under this DPA for its own purposes or those of any third party or for any purpose other than for the limited and specified business purpose of performing the Services described in the Agreement.
4.2 Breadware shall not combine Personal Data that Breadware receives from, or on behalf of, Customer with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a Data Subject except to perform the Services.
5. RIGHTS OF DATA SUBJECTS
Breadware shall, to the extent legally permitted, promptly notify Customer of any complaint, dispute or request it has received from a Data Subject such as a Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Breadware shall not respond to a Data Subject Request itself, except that Customer authorizes Breadware to redirect the Data Subject Request as necessary to allow Customer to respond directly. Taking into account the nature of the Processing, Breadware shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Breadware shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Breadware is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Breadware’s provision of such assistance.
6. BREADWARE PERSONNEL
6.1 Confidentiality. Breadware shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Breadware shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
6.2 Reliability. Breadware shall take commercially reasonable steps to ensure the reliability of any Breadware personnel engaged in the Processing of Personal Data.
6.3 Limitation of Access. Breadware shall ensure that Breadware’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
6.4 Data Protection Officer. Breadware has appointed a data protection officer. The appointed person may be reached at [email protected].
7.1 Appointment of Subprocessors. Customer acknowledges and agrees that (a) Breadware’s Affiliates may be retained as Subprocessors; and (b) Breadware and Breadware’s Affiliates respectively may engage third-party Subprocessors in connection with the provision of the Services. Breadware or a Breadware Affiliate has entered into a written agreement with each Subprocessor containing, in substance, data protection obligations no less protective than those in the Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Subprocessor.
7.2 List of Current Subprocessors. The current list of Subprocessors engaged in Processing Personal Data for the performance of each applicable Service, including a description of their processing activities and countries of location, is listed at [insert URL of Subprocessor List] (the “Subprocessor List”). Customer hereby consents to these Subprocessors, their locations and processing activities as it pertains to Personal Data.
7.3 Notification of New Subprocessors. Breadware shall notify Customer ten (10) days in advance of engaging a new Subprocessor to Process Personal Data in connection with the provision of the applicable Services if Customer opts in to receive such notification by clicking here and following the directions to subscribe to notifications.
7.4 Objection Right for New Subprocessors. Customer may object to Breadware’s use of a new Subprocessor by notifying Breadware promptly in writing within fifteen (15) days of receipt of Breadware’s notice. If Customer does not notify Breadware in writing of an objection within fifteen (15) days, Customer waives any objection that it may have had to the new Subprocessor. If Customer submits an objection in accordance with this section, the Parties agree to discuss Customer’s concerns in good faith with a view toward achieving a commercially reasonable resolution. If no such resolution can be reached within fifteen (15) calendar days, Breadware may, at its option, either (a) withdraw the objectionable Subprocessor and either perform the Services itself, or appoint a new Subprocessor in accordance with the terms of Section 7.3 of the DPA, or (b) permit Customer to suspend or terminate the Services and the Agreement in accordance with the termination provisions of the Agreement without liability to either Party (but Customer must pay any fees incurred for Services actually performed by Breadware prior to suspension or termination in accordance with the terms of the Agreement).
7.5 Liability. Breadware shall be liable for the acts and omissions of its Subprocessors to the same extent Breadware would be liable if performing the services of each Subprocessor directly under the terms of this DPA, unless otherwise set forth in the Agreement.
Breadware shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), and confidentiality and integrity of Personal Data. Breadware will implement, maintain, and periodically update as necessary a comprehensive written information security program, and will process, handle, store in place, and otherwise interact with Personal Data in accordance with such program. Breadware shall regularly monitor compliance with such program. Breadware shall not materially decrease the overall security of the Services during the subscription term.
9.1 Audit Request. Customer may contact Breadware to request an audit of Breadware’s Processing activities covered by this DPA. An On-Site Audit may be conducted by Customer either itself or through a Third-Party Auditor (as defined below in Section 9.4) selected by Customer when: (i) information available to Customer is not sufficient to demonstrate compliance with the obligations set out in this DPA and its Schedules; (ii) Customer has received notice from Breadware of a Customer Data Incident; or (iii) such an audit is required by Data Protection Laws.
9.2 Scope of Audit. Any audits will be limited to Customer Data Processing and storage facilities operated by Breadware or any of Breadware’s Affiliates. Customer acknowledges that Breadware operates a multi-tenant cloud environment. Accordingly, Breadware shall have the right to reasonably adapt the scope of any audit to avoid or mitigate risks with respect to, and including, service levels, availability, and confidentiality of other Breadware customers’ information.
9.3 Reasonable Exercise of Rights. An audit shall be conducted by Customer or its Third-Party Auditor: (i) acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Services used by Customer; (ii) up to one time per year with at least four (4) weeks advance written notice, and if an emergency justifies a shorter notice period, Breadware will use good faith efforts to accommodate the audit request; and (iii) during Breadware’s normal business hours, under reasonable duration and shall not unreasonably interfere with Breadware’s day-to-day operations. Before any audit commences, Customer and Breadware shall mutually agree upon the scope, timing, and duration of the audit and reimbursement rate for which Customer shall be responsible. Breadware may charge a fee based on Breadware’s reasonable costs for any audit under this section 9. Breadware will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by or on behalf of Breadware.
9.4 Third-Party Auditor. A Third-Party Auditor means a third-party independent contractor that is not a competitor of Breadware. An audit can be conducted through a Third-Party Auditor if: (i) prior to the audit, the Third-Party Auditor enters into a non-disclosure agreement containing confidentiality provisions no less protective than those set forth in the Agreement to protect Breadware’s proprietary information; (ii) the costs of the Third-Party Auditor are at Customer’s expense; and (iii) Breadware may object in writing to a Third-Party Auditor appointed by Customer to conduct any audit under this Section 9 if the auditor is, in Breadware’s reasonable opinion, not suitably qualified or independent, a competitor of Breadware, or otherwise manifestly unsuitable. Any such objection by Breadware will require Customer to appoint another auditor or conduct the audit itself.
9.5 Findings. Customer must promptly provide Breadware with information regarding any non-compliance discovered during the course of an audit.
10. DATA PROTECTION IMPACT ASSESSMENT
Upon Customer’s request, Breadware shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Breadware. Accordingly, Breadware may adapt assistance provided to the Customer to avoid or mitigate risks with respect to, and including, service levels, availability, and confidentiality of other Breadware customers’ information. Breadware may charge a fee based on Breadware’s reasonable costs for any Customer request under this section 10. Breadware will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such work.
11. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
Breadware maintains security incident management policies and procedures and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, transmitted, stored or otherwise Processed by Breadware or its Subprocessors of which Breadware becomes aware (a “Customer Data Incident”). Breadware shall make reasonable efforts to identify the cause of such Customer Data Incident and take such steps as Breadware deems necessary and reasonable to remediate the cause of such a Customer Data Incident to the extent the remediation is within Breadware’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users, and/or unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewall or networked systems.
12. PROCESSING LOCATION; DATA TRANSFERS
12.1 Regions. Breadware will process Personal Data in the United States of America, Canada, and Europe (collectively, the “Processing Locations”). Breadware will not transfer Personal Data outside of the Processing Locations except as necessary to provide the Services, or as necessary to comply with the law or valid and binding order of a governmental body.
12.2 Application of Standard Contractual Clauses. The Standard Contractual Clauses will only apply to Personal Data subject to the GDPR that is transferred, either directly or via onward transfer, to any Third Country (each a “Data Transfer”).
a. When Customer is acting as a controller, the Controller-to-Processor Clauses will apply to a Data Transfer.
b. When Customer is acting as a processor, the Processor-to-Processor Clauses will apply to a Data Transfer. Taking into account the nature of the processing, Customer agrees that it is unlikely that Breadware will know the identity of Customer’s controllers because Breadware has no direct relationship with Customer’s controllers and therefore, Customer will fulfill Breadware’s obligations to Customer’s controllers under the Processor-to-Processor Clauses.
13. RETURN AND DELETION OF CUSTOMER DATA
Breadware shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Agreement. Until Customer Data is deleted or returned, Breadware shall continue to comply with this DPA and its Schedules.
14. AUTHORIZED AFFILIATES
14.1 Contractual Relationship. The Parties acknowledge and agree that, by executing the Agreement, Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Breadware and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 14 and Section 15. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is a party only to this DPA. All access to and use of the Services and Content by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
14.2 Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Breadware under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
14.3 Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to this DPA with Breadware, it shall to the extent required under applicable Data Protection Laws be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
a. Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Breadware directly by itself, the Parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA, not separately for each Authorized Affiliate individually, but in a combined manner for itself and all of its Authorized Affiliates together (as set forth, for example, in Section 14.3.b, below).
b. The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out an audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Breadware and its Subprocessors by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Authorized Affiliates in one single audit.
15. LIMITATION OF LIABILITY
To the extent permitted by applicable Data Protection Laws, each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Breadware, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ Section of the Agreement, and any reference in such Section to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under the Agreement and all DPAs together.
For the avoidance of doubt, Breadware’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.
16. ENTIRE AGREEMENT; CONFLICT
This DPA incorporates the Standard Contractual Clauses by reference. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control. Nothing in this document varies or modifies the Standard Contractual Clauses.
From time to time, Breadware may revise the DPA to make reasonable and proportionate changes (a) based on new Data Protection Laws and regulations and (b) that reflect changes to existing Data Protection Laws.
Breadware may further modify this DPA (including any Policies incorporated) at any time by posting a revised version on the website or by otherwise notifying you. The modified terms will become effective upon posting or, if we notify you by email, as stated in the email message. By continuing use of the Rise Platform after the effective date of any modifications to this DPA, you agree to be bound by the modified terms. It is your responsibility to check the website regularly for modifications to this DPA. We last modified this DPA on the effective date at the beginning of this DPA.
By signing below, each Party acknowledges that it has read and understood the terms of this DPA and agrees to be bound by them.