Data Processing Addendum
This Data Processing Addendum (including its Exhibits) (“DPA”) forms part of and is subject to the terms and conditions of the Terms of Service entered into between Haus Analytics, Inc. (“Haus”) and Customer. Customer and Haus may be referred to herein as a “party” and together as the “parties.”
- Subject Matter and Duration.
- Subject Matter. This DPA reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with Haus’s execution of the Agreement. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement. If and to the extent language in this DPA or any of its Exhibits conflicts with the Agreement, this DPA shall control.
- Duration and Survival. This DPA will become legally binding upon the effective date of the Agreement or upon the date that the parties sign this DPA if it is completed after the effective date of the Agreement. Haus will Process Customer Personal Data until the relationship terminates as specified in the Agreement.
- Definitions. For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.
- “Customer Personal Data” means Personal Data Processed by Haus on behalf of Customer.
- “Data Protection Laws” means any laws, rules, or regulations, as amended from time to time, relating to privacy, security, or data protection applicable to a party in the performance of its obligations under this DPA, including, as applicable (i) those of the United States, including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (California Civil Code §§ 1798.100 to 1798.199) (the “CCPA”); Colorado Privacy Act (Colorado Rev. Stat. §§ 6-1-1301 to 6-1-1313); Connecticut Personal Data Privacy and Online Monitoring Act (Public Act No. 22-15); Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 to 13-61-404); and Virginia Consumer Data Protection Act (Virginia Code Ann. §§ 59.1-575 to 59.1-585); (ii) those of the European Union, the European Economic Area, their member states, Switzerland and the United Kingdom, including Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (“GDPR”), the GDPR as applicable in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018, the UK Data Protection Act 2018 (“UK GDPR”), and the Swiss Federal Data Protection Act (“FADP”) (collectively, “European Data Protection Law”); and (iii) those of any other relevant jurisdictions.
- “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
- “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to Haus.
- “Services” means the services that Haus performs under the Agreement.
- “Subprocessor(s)” means Haus’s authorized vendors and third-party service providers that Process Customer Personal Data.
- Processing Terms for Customer Personal Data.
- Documented Instructions. Haus shall Process Customer Personal Data to provide the Services in accordance with the Agreement, this DPA, any applicable Order Form, and any written instructions agreed upon by the parties. Haus will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.
- Authorization to Use Subprocessors. To the extent necessary to fulfill Haus’s contractual obligations under the Agreement, Customer hereby authorizes Haus to engage Subprocessors. Customer acknowledges that Subprocessors may further engage vendors.
- Haus and Subprocessor Compliance. Haus shall (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Customer Personal Data that imposes on such Subprocessors data protection requirements for Customer Personal Data that are consistent with this DPA; and (ii) remain responsible to Customer for Haus’s Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.
- Right to Object to Subprocessors. A list of Haus’s current Subprocessors is located at Haus’s Trust Portal, located at https://trust.haus.io/. Where required by Data Protection Laws, Haus will notify Customer via email prior to engaging any new Subprocessor that Processes Customer Personal Data and allow Customer ten (10) days to object. If Customer has legitimate objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection.
- Confidentiality. Any person authorized to Process Customer Personal Data must be subject to a duty of confidentiality, contractually agree to maintain the confidentiality of such information, or be under an appropriate statutory obligation of confidentiality.
- Personal Data Inquiries and Requests. Where required by Data Protection Laws, Haus agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.
- Data Protection Assessment, Data Protection Impact Assessment, and Prior Consultation. Where required by Data Protection Laws, Haus agrees to provide reasonable assistance and information to Customer where, in Customer’s judgement, the type of Processing performed by Haus requires a data protection assessment, data protection impact assessment, and/or prior consultation with the relevant data protection authorities. Customer shall reimburse Haus for all non-negligible costs Haus incurs in performing its obligations under this Section.
- Demonstrable Compliance. Haus agrees to provide information reasonably necessary to demonstrate compliance with this DPA upon Customer’s reasonable request; cooperate with supervisory authorities in accordance with applicable Data Protection Laws; and maintain records of all categories of processing activities carried out on behalf of Customer, unless exempt under applicable Data Protection Laws.
- California Specific Terms. To the extent that Haus’s Processing of Customer Personal Data is subject to the CCPA, this Section shall also apply. Customer discloses or otherwise makes available Customer Personal Data to Haus for the limited and specific purpose of Haus providing the Services to Customer in accordance with the Agreement and this DPA. Haus shall: (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection as required under the CCPA; (iii) notify Customer if it can no longer meet its obligations under the CCPA; (iv) not “sell” or “share” (as such terms are defined by the CCPA) Customer Personal Data; (v) not retain, use, or disclose Customer Personal Data for any purpose (including any commercial purpose) other than to provide the Services under the Agreement or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Haus; and (vii) unless otherwise permitted by the CCPA, not combine Customer Personal Data with Personal Data that Haus (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction. Customer may: (1) take reasonable and appropriate steps agreed upon by the parties to help ensure that Haus Processes Customer Personal Data in a manner consistent with Customer’s CCPA obligations; and (2) upon notice, take reasonable and appropriate steps agreed upon by the parties to stop and remediate unauthorized Processing of Customer Personal Data by Haus.
- Service Optimization. Where permitted by Data Protection Laws, Haus may Process Customer Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity.
- Aggregation and De-Identification. Haus may: (i) compile aggregated and/or de-identified information in connection with providing the Services provided that such information cannot reasonably be used to identify Customer or any data subject to whom Customer Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.
- Information Security Program. Haus has implemented and will maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data in accordance with the security measures described at Haus’s Trust Portal, located at https://trust.haus.io/ (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Haus may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.
- Security Incidents. Upon becoming aware of a Security Incident, Haus agrees to provide written notice without undue delay and within forty-eight (48) hours following discovery of the Security Incident to Customer’s Designated POC. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
- Audits and Assessments. Where Data Protection Laws afford Customer an audit or assessment right, Customer (or its appointed representative) may carry out an audit or assessment of Haus’s policies, procedures, and records relevant to the Processing of Customer Personal Data. Any audit or assessment must be: (i) conducted during Haus’s regular business hours; (ii) with reasonable advance notice to Haus; (iii) carried out in a manner that prevents unnecessary disruption to Haus’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit or assessment shall be limited to once per year, unless an audit or assessment is carried out at the direction of a government authority having proper jurisdiction.
- Customer Personal Data Deletion. At the expiry or termination of the Agreement, Haus will delete all Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Haus’s data retention schedule), except where Haus is required to retain copies under applicable laws, in which case Haus will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.
- Customer’s Obligations. Customer represents and warrants that: (i) it has complied and will comply with Data Protection Laws; (ii) it has provided data subjects whose Customer Personal Data will be Processed in connection with the Agreement with a privacy notice or similar document that clearly and accurately describes Customer’s practices with respect to the Processing of Customer Personal Data; (iii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Customer Personal Data as contemplated by the Agreement; and (iv) Haus’s Processing of Customer Personal Data in accordance with the Agreement will not violate Data Protection Laws or cause a breach of any agreement or obligations between Customer and any third party.
- Processing Details.
- Subject Matter. The subject matter of the Processing is the Services pursuant to the Agreement.
- Duration. The Processing will continue until the expiration or termination of the Agreement.
- Categories of Data Subjects. Customer employees.
- Nature and Purpose of the Processing. The purpose of the Processing of Customer Personal Data by Haus is the performance of the Services, user authentication, and recordkeeping.
- Types of Customer Personal Data. Customer Personal Data may include user first name, last name, and company email address.
- Special Category Data. The Services are not intended for Processing of Special Category Data. Customer agrees that Special Category Data will not be uploaded or otherwise Processed using the Services.
- Contact Information. Customer and Haus agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POC for Haus is legal@hausanalytics.com.