Data Processing Addendum

This Data Processing Addendum (the “DPA”) is attached to, and incorporates in the entirety, the Master Services Agreement by and between you and Esimatrix (the “MSA”) and  is immediately effective upon your use of any Service (the “Effective Date”). Capitalized terms not expressly defined in this DPA shall have the meaning found in the MSA.

  1. Definitions. Capitalized terms which are used throughout this DPA are defined in the section in which they are first used or expressly modified as follows:
    1. “Covered Data Breach” means a breach of Esimatrix’s security that (i) directly results in the unintended loss or unauthorized disclosure of Covered PII on systems managed or controlled by Esimatrix and (ii) does not arise from any negligent, reckless, or intentional act or omission by any Covered User. 
    2. “Covered PII” means any PII Processed as a result of the Services. 
    3. “Data Subject” means any natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to such natural person’s cultural, digital, economic, financial, mental, physical, physiological, or social identity. 
    4. “Personal Identifiable Information” or “PII” means data that identifies, makes relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to a Data Subject but excluding any Data that is (i) publicly and lawfully made available from federal, state, or local government records, (ii) publically and lawfully made available by the applicable Data Subject, (iii) is reasonably de-identified or obfuscated; or (iv) aggregated. 
  2. Instructions. You instruct Esimatrix to Process Covered PII consistent with the provisions of the Agreement. You shall be required to provide written, supplemental instructions to to Esimatrix, with at least thirty (30) calendar days Notice, if you wish for Esimatrix to Process Covered PII in a manner that is inconsistent or supplemental to the terms of the Terms of Service. You shall be solely responsible and liable for determining if your instructions to Esimatrix for the Processing of Covered PII are consistent with the Terms of Service and applicable law. 
  3. Authority. Esimatrix shall be permitted to Process Covered PII as instructed by you, provided that Esimatrix:
    1. implements and continues to implement technical and organizational measures in such a manner that Esimatrix’s provision of the Services complies, at a minimum, with the requirements of this DPA; 
    2. engages TSPs to Process Covered PII after obtaining assurances of compliance with applicable law; and
    3. in the event of a Covered Data Breach, communicates to you (i) a written Notice promptly and without undue delay upon Esimatrix’s validation of the Covered Data Breach; and (ii) information reasonably necessary for your compliance with your data breach notification obligations.
  4. General Processing of PII. The Processing of Covered PII by Esimatrix will be used in furtherance of providing the Services to you and as otherwise permitted by the Terms of Service. Esimatrix is prohibited from disclosing or transferring Covered PII to any non-Esimatrix entity or party, except (i) in connection to the ordinary and necessary Processing of Covered PII by a Esimatrix Representative or TSP that has executed an agreement to comply with the material terms of this DPA prior to any such Processing or (ii) where required by law. 
  5. Processing European Covered PII 
    1. Applicability. This §5 shall only apply to the Processing of European Covered PII arising out of or relating to this DPA. 
    2. Additional Definitions.
      1. “Data Controller” and “Data Exporter” shall have the meanings defined in the EU Model Contract. 
      2. “Data Importer” and “Data Processor” shall have the meanings defined in the EU Model Contract. 
      3. “EU Model Contract” means the Data Processor Agreement and the Standard Contractual Clause C(2010)593 issued by the European Union European Commission, Directorate of General Justice as provided by Esimatrix to you during your onboarding process.    
      4. “European Covered PII” means any Covered PII is sourced from (i) any of the following countries: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom; or (ii) otherwise in the European Union. 
      5. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data found here (or in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union), and the implementing regulations therein. 
      6. “Subprocessor” shall have the meaning prescribed by the GDPR. 
    3. EU Model Contract. You shall be required to review and consent to the EU Model Contract found here if the use of the Services by any Covered User requires Esimatrix or any Covered User to Process European Covered PII.
    4. Relationship of Covered Users and Esimatrix. The following table shall be deemed to identify and establish the legal and transactional status of Covered Users and Esimatrix, with respect to the Processing of European Covered PII, as between: 
      BlankYou and Your End UsersYou and EsimatrixYour End Users and EsimatrixData ExporterEnd UserYou and Your RepresentativesNone, direct transactions and interactions between End User and Esimatrix prohibited.Data ControllerEnd UserYou and Your RepresentativesData ImporterYou and Your RepresentativesEsimatrixData ProcessorYou and Your RepresentativesYou and Your RepresentativesSubprocessorYour TSPsEsimatrixBlank
    5. Conditions Precedent to Use. Each Party, individually and jointly, represents, warrants, and certifies that (i) such Party has read, understands, and consents to the EU Model Contract and GDPR with respect to the Processing of European Covered PII; (ii) you are deemed to solely be in control, responsible, and liable for the Processing of European Covered PII by Covered Users; (iii) Esimatrix is deemed to be a Processor with respect to the Processing of your European Covered PII; (iv) Esimatrix is deemed to be your Subprocessorwith respect to the Processing of any other Covered User’s European Covered PII; (v) Esimatrix is deemed to have no direct legal relationship or transactional engagement with any End User; (vi) Esimatrix shall be required to secure and maintain the confidentiality of European Covered PII in Esimatrix’s possession consistent with the EU Model Contract and GDPR; (vii) Esimatrix shall Process European Covered PII only as instructed by the Terms of Service; (viii) each Party shall reasonably cooperate with the other Party’s obligations to respond to valid data disclosure requests; (ix) each Party shall destroy, deliver, or return all European Covered PII to the applicable Party within thirty (30) days of the termination of this DPA except where otherwise permitted under the GDPR or the Terms of Service. 
  6. Processing California Covered PII.
    1. Applicability. This §6 shall only apply to the Processing of California Covered PII arising out of or relating to this DPA. 
    2. Additional Definitions.
      1. “California Covered PII”  means any Covered PII is sourced from the State of California, United States of America.
      2. “CCPA” means the California Consumer Protection Act, Cal. Civ. Code § 1798.100 et seq., found here and the implementing regulations therein. 
      3. “Data Controller” shall have the meaning assigned to a “business” as defined by the CCPA. 
      4. “Data Processor” shall have the meaning assigned to a “service provider” as defined by the CCPA. 
      5. “Subprocessor” means any Data Processor that Processes California Covered PII on behalf of a non-consumer Data Processor for a business purpose in the context of the CCPA. 
    3. Relationship of Covered Users and Esimatrix. The following table shall be deemed to identify and establish the legal and transactional status of Covered Users and Esimatrix, with respect to the Processing of California Covered PII, as between: 
      BlankYou and Your End UsersYou and EsimatrixYour End Users and EsimatrixData ControllerEnd UserYou and Your RepresentativesNone, direct transactions and interactions between End User and Esimatrix prohibited.Data ProcessorYou and Your RepresentativesYou and Your RepresentativesSubprocessorYour TSPsEsimatrixBlank
    4. Conditions Precedent to Use. Each Party, individually and jointly, represents, warrants, and certifies that (i) such Party has read, understands, and consents to the CCPA with respect to the Processing of California Covered PII; (ii) Company is deemed to solely be in control, responsible, and liable for the Processing of California Covered PII by any Covered User; (iii) Esimatrix is deemed to be a Subprocessor of Company with respect to the Processing of any California Covered PII arising out of or relating to your use of the Services; (iv) Esimatrix is deemed to have no direct legal relationship or transactional engagement with any End User; (v) Esimatrix shall be required to secure and maintain the confidentiality of California Covered PII in Esimatrix’s possession consistent with the CCPA; (vi) Esimatrix shall Process California Covered PII only as instructed by the Agreement; (vii) each Party shall reasonably cooperate with the other Party’s obligations to respond to valid data disclosure requests; (viii) each Party shall destroy, deliver, or return all California Covered PII to the applicable Party within thirty (30) days of the termination of this DPA except where otherwise permitted under the CCPA or the MSA.
  7. Amendment. This DPA is attached to amends the Agreement solely with respect to the subject matter herein. In the event of any conflict of terms between (i) this DPA and (ii) the MSA, the NDA, and/or any mutually executed SLA, SPA, SUP, or Service Order, this DPA shall be deemed controlling and prevailing without exception.