Service Provider Agreement for Data Processors
- Definitions. The following definitions and rules of interpretation apply in this agreement (the “Service Provider Agreement”):
(a) “CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General. Terms defined in the CCPA, including personal information and business purposes, carry the same meaning in this Service Provider Agreement.
(b) “Service Provider” means a for-profit entity that both processes personal information on behalf of Greenhouse Software, Inc., solely in relation to the Interseller product offering (“Interseller”) and receives that information for business purposes pursuant to the terms herein.
- Service Provider’s CCPA Obligations
(a) Service Provider will only collect, use, retain, or disclose personal information for the Contracted Business Purposes for which Customer provides or permits access to personal information.
(b) Service Provider will not collect, use, retain, disclose, sell, or otherwise make personal information available for Service Provider’s own commercial purposes or in a way that does not comply with the CCPA. If a law requires the Service Provider to disclose personal information for a purpose unrelated to the Contracted Business Purpose, the Service Provider must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
(c) Service Provider will limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose.
(d) Service Provider must promptly comply with any Customer request or instruction requiring the Service Provider to provide, amend, transfer, or delete the personal information, or to stop, mitigate, or remedy any unauthorized processing.
(e) If the Contracted Business Purposes require the collection of personal information from individuals on the Customer’s behalf, Service Provider will always provide a CCPA-compliant notice addressing use and collection methods that the Customer specifically pre-approves in writing. Service Provider will not modify or alter the notice in any way without the Customer’s prior written consent.
(f) If the CCPA permits, Service Provider may aggregate, deidentify, or anonymize personal information so it no longer meets the personal information definition, and may use such aggregated, deidentified, or anonymized data for its own business purposes. Service Provider will not attempt to or actually re-identify any previously aggregated, deidentified, or anonymized data and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data.
- Assistance with Customer’s CCPA Obligations
(a) Service Provider will reasonably cooperate and assist Customer with meeting the Customer’s CCPA compliance obligations and responding to CCPA-related inquiries, including responding to verifiable consumer requests, taking into account the nature of the Service Provider’s processing and the information available to the Service Provider.
(b) Service Provider must notify Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates either party’s compliance with the CCPA. Specifically, the Service Provider must notify the Customer within ten (10) working days if it receives a verifiable consumer request under the CCPA.
(a) Service Provider may use subcontractors to provide the Contracted Business Services. Any subcontractor used must qualify as a service provider under the CCPA and Service Provider cannot make any disclosures to the subcontractor that the CCPA would treat as a sale.
(b) For each subcontractor used, Service Provider will give Customer an up-to-date list disclosing:
- The subcontractor’s name, address, and contact information.
- The type of services provided by the subcontractor.
- The personal information categories disclosed to the subcontractor in the preceding 12 months.
(c) Service Provider remains fully liable to the Customer for the subcontractor’s performance of its Service Provider Agreement obligations.
- CCPA Warranties and Certification
(a) Both parties will comply with all applicable requirements of the CCPA when collecting, using, retaining, or disclosing personal information.
(b) Service Provider certifies that it understands this Service Provider Agreement and the CCPA’s restrictions and prohibitions on selling personal information and retaining, using, or disclosing personal information outside of the parties’ direct business relationship, and it will comply with them.
(c) Service Provider warrants that it has no reason to believe any CCPA requirements or restrictions prevent it from providing any of the Contracted Business Purposes or otherwise performing under this Service Provider Agreement. Service Provider must promptly notify the Customer of any changes to the CCPA’s requirements that may adversely affect its performance under this Service Provider Agreement.
Personal Information Processing Purposes and Details
Contracted Business Purposes: To assist Interseller with its business purposes and otherwise providing its Services.
Personal Information Categories: This Service Provider Agreement involves the following types of Personal Information, as defined and classified in CCPA Cal. Civ. Code § 1798.140(o).
|A. Identifiers.||A real name, online identifier, email address, or other similar identifiers.|
|B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).||Telephone number, employment, employment history, or other similar identifiers. Some personal information included in this category may overlap with other categories.|
|C. Protected classification characteristics under California or federal law.||None|
|D. Commercial information.||None|
|E. Biometric information.||None|
|F. Internet or other similar network activity.||None|
|G. Geolocation data.||None|
|H. Sensory data.||None|
|I. Professional or employment-related information.||Work history, employment history, or other similar identifiers.|
|J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).||None|
|K. Inferences drawn from other personal information.||None|