DPA US

This Data Protection Addendum (“DPA”) is incorporated by reference into and forms a part of the agreement between the Customer (“Controller”) and Unipie Inc., a company incorporated in the United States with its principal place of business at 1401 21st ST STE 5305, Sacramento, CA 95811, United States (“Unipie”, “Processor”), pursuant to which Unipie provides the Services to the Customer (the “Agreement”).

By executing the applicable Order Form, the Customer agrees to the terms of this DPA, which shall be effective as of the Effective Date of the Order Form. No separate signature is required for this DPA to be binding.

This DPA applies to the extent that Unipie processes Personal Data on behalf of the Customer in the course of providing the Services, where such processing is subject to the US Privacy Laws (as defined below). Capitalized terms not otherwise defined in this DPA shall have the meanings given to them in the Agreement. The Parties agree that the terms and conditions of this DPA shall govern the processing of Customer Personal Data and shall prevail over any conflicting provisions in the Agreement with respect to such processing.

The Controller and the Processor are hereinafter collectively referred to as the “Parties” and individually as a “Party”.

1. Definitions

Consumer: Shall have the meaning set forth under the US Privacy Laws, as applicable.

Controller: Shall have the meaning defined under the US Privacy Laws and also include, whenever applicable, the term “business”, as defined in the CCPA.

Personal Data: Shall have the meaning set forth under the US Privacy Laws and also include, whenever applicable, the term “personal information”, as defined in the CCPA. For the purpose of this DPA, reference is exclusively made to the categories of Personal Data, as may be more detailed described in the Agreement, contained within the data or set of data that the Processor processes on behalf of the Controller, in connection with the provision of the services subject matter of the Agreement.

Processor: Shall have the meaning given under the US Privacy Laws and also include, whenever applicable, the term “service provider”, as defined in the CCPA.

Sell / Selling: Shall have the meaning set forth in the US Privacy Laws, as applicable.

Share / Sharing: Shall have the meaning defined under the CCPA.

US Privacy Laws: Refers to applicable US state privacy laws, including, but not limited to:

• California Consumer Privacy Act, as amended by the California Privacy Rights Act and relevant regulations issued by the California Privacy Protection Agency (the “CCPA”)
• Virginia Consumer Data Protection Act (the “VCDPA”)
• Colorado Privacy Act and relevant rules issued by the Colorado Attorney General (the “CPA”)
• Connecticut Data Privacy Act (the “CTDPA”)
• Utah Consumer Privacy Act (the “UCPA”)
• Texas Data Privacy and Security Act (“TDPSA”)
• Florida Digital Bill of Rights (“FDBR”)
• Oregon Consumer Privacy Act (“OCPA”)

Any other terms, including, among others, “business”, “business purpose”, “commercial purpose”, “process” or “processing”, used but not otherwise defined in the DPA or Agreement, shall have the meaning set forth under the US Privacy Laws, as applicable.

2. General Obligations

The Processor acknowledges that the Controller is disclosing Personal Data only in relation to the limited and specified business purposes agreed between Parties in the Agreement.

The Processor shall not retain, use, disclose, or otherwise process Personal Data for any purpose other than for the business purposes specified in the Agreement, including retaining, using, or disclosing Personal Data for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by the US Privacy Laws, as applicable.

The Processor undertakes to comply with all requirements set forth in the US Privacy Laws, as applicable, and to provide the same level of privacy protection that they impose on the Controller, in relation to the processing of Consumers’ Personal Data.

3. Data Retention and Deletion

The Processor shall return or delete all Personal Data once the provision of the services has been completed, or sooner, if directed so by the Controller, unless the retention of Personal Data is required by law.

Unless otherwise directed by the Controller, the Processor shall retain Personal Data after the termination of the Agreement and the completed provision of the services for the period agreed upon in the Agreement solely for the purpose of providing the Controller an export of it or to continue the provision of the services under a follow up agreement as may be agreed with the Controller. After the expiration of this retention period, the Processor shall delete all Personal Data.

Notwithstanding the foregoing, the Processor shall be entitled to retain, even after the provision of the services has been completed and the termination of the Agreement, all information necessary to demonstrate orderly and compliant processing, in accordance with statutory retention periods.

4. Data Use and Sharing Restrictions

The Processor shall not Sell nor Share any Consumers’ Personal Data unless agreed in the Agreement.

The Processor shall not retain, use, or disclose Personal Data outside of the direct relationship with the Controller.

The Processor shall not combine the Personal Data it receives from the Controller with personal data it receives from or on behalf of another person(s) or entity(ies) or that it collects from its own interaction with the Consumer, provided that the Processor may combine Personal Data to perform any business purpose identified by the US Privacy Laws, as applicable, or to aggregate and anonymize the Personal Data for statistical purposes to improve services.

5. Confidentiality and Security

The Processor represents and guarantees that each person processing Personal Data within its organization is subject to a strict duty of confidentiality.

The Processor undertakes to strictly follow and adhere to the instructions of the Controller, including, among others, those regarding the return or destruction of Personal Data, and to assist the Controller in meeting its obligations under the US Privacy Laws, specific reference being made, inter alia, to those concerning the security of the processing and the notification of a breach of security.

The Parties undertake to implement and adopt all necessary technical and organizational measures to ensure a level of security of Personal Data that is appropriate taking into account the context of the processing and in relation to the risks associated with the processing of the Personal Data in their availability.

6. Compliance and Cooperation

The Processor shall assist the Controller in responding to Consumers’ requests for the exercise of the rights granted under the US Privacy Laws, including by, among others, providing access to, correcting, or deleting Personal Data in its availability or honoring opt-out requests. The Processor shall also notify its own sub-processors, service providers, and/or contractors and ensure that such requests are complied with.

If the Processor receives a Consumer request to delete Personal Data that the Processor processes on behalf of the Controller, the Processor shall inform the Consumer that it should submit the request directly to the Controller and, when feasible, provide the Consumer with relevant contact information.

The Processor shall enter into written agreements with each of its own sub-processors, service providers, and/or contractors that process Personal Data on its behalf. Such agreements shall set forth terms that are at least as restrictive as those imposed on the Processor under this DPA and guarantee the same level of privacy protection, including the prohibition to Sell and Share Consumers’ Personal Data.

The Processor undertakes to notify the Controller whenever it becomes aware that it can no longer meet its obligations under the US Privacy Laws, as applicable.

7. Controller's Rights and Assessment

The Controller shall have the right to take reasonable and appropriate steps to ensure that the Processor processes Personal Data in a manner consistent with the Controller's obligations under the US Privacy Laws, as applicable, and to stop and request a remediation of the Processor’s unauthorized and/or unlawful processing of Personal Data.

Upon reasonable request of the Controller, the Processor shall make available all information in its possession, which may be necessary to demonstrate its compliance with the requirements of the US Privacy Laws, as applicable.

The Processor shall allow reasonable assessments by the Controller. This includes, by way of example, providing the Controller with all necessary information to conduct and document data protection assessments.

8. No Consideration

Notwithstanding any contrary provision contained in the Agreement, the Processor’s access to Personal Data is not part of the consideration exchanged by the Parties under the Agreement.

9. Duration of this DPA

Notwithstanding the expiration of the Agreement, this DPA will remain in effect until, and automatically expire upon, the Processor’s deletion or return of all Personal Data to the Controller.

10. Conflicts

In the event of any conflict or inconsistency between this DPA and the terms of the Agreement, this DPA shall prevail concerning any processing of Personal Data, notwithstanding any statement to the contrary in the Agreement.

11. Notices and Communication

Any notice or communication, including but not limited to those regarding data subject requests to be served under this DPA, shall be delivered in English to:

If to the Customer:
Customer Contact in the applicable Order Form, unless specified otherwise in the Order Form.

If to Unipie:
Richard Einhorn, richard@minoa.io
or at such other address as the Parties may indicate to each other in writing.

‍