USA State Privacy Addendum
Last Updated August 3, 2023
This USA State Privacy Addendum (“USASP Addendum”) is made by and between the customer that has entered into an Order Form as further identified below (“Customer”) and LiftLab Analytics, Inc. (“LiftLab”). This Addendum amends, is incorporated into, and forms part of the written or electronic terms of service or subscription agreement, including, where applicable, the Terms of Service (collectively, the “Agreement”) by and between Customer and LiftLab and applies where LiftLab processes Personal Information as defined by US Privacy Laws on behalf of Customer pursuant to the Agreement. This USASP Addendum will control in the event of any inconsistencies between this USASP Addendum and the Agreement.
All capitalized terms that are not expressly defined in this Addendum have the meaning ascribed to them in the California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, the Connecticut Data Privacy Act, any other United States state privacy legislation of similar scope to the aforementioned statutes that becomes enforceable after execution of this Addendum, and any implementing regulations adopted thereunder, as may be amended from time to time (collectively, “USASP Laws”).
1. The Parties agree that, for purposes of the USASP Laws, LiftLab meets all the requirements of a Service Provider or similar term within the USASP Laws and will act only as a Service Provider and not as a Third Party. LiftLab warrants that its use and processing of Personal Information will comply with the USASP Laws, and its performance under the Agreement will not cause Customer to be in violation of the USASP Laws.
2. The Parties agree that to the extent that Customer provides Personal Information to LiftLab, it does so as a condition precedent to LiftLab’s performance of the specific services described in the Agreement (“Services”) and that Personal Information is not exchanged for monetary or other valuable consideration.
3. LiftLab Obligations. In accordance with the USASP Laws and with respect to the Personal Information it receives from Customer, LiftLab:
(a) Will not sell or share the Personal Information it Collects pursuant to the Agreement;
(b) Will not collect, retain, use, process, or disclose the Personal Information except in accordance with the “Business Purpose”, or as otherwise permitted by the USASP Laws. If Customer has a Data Processing Addendum in place with LiftLab (“DPA”), the Business Purpose is described in the DPA and any annex thereto, and the terms of those sections are incorporated herein by this reference. If Customer does not have a DPA in place, the Business Purpose is described in section 3(c) below;
(c) May process the Personal Information: (i) for the provision, administration, maintenance and improvement of the Services, including as initiated by users of the Services, (ii) as necessary for LiftLab to comply with law or governmental order, (iii) to prevent, detect, and investigate security incidents, (iv) to address malicious, deceptive, fraudulent, or illegal actions directed at LiftLab, and (v) in accordance with its rights and obligations as a Service Provider under the USASP Laws (altogether, the “Business Purpose”);
(d) Will not retain, use, or disclose the Personal Information outside of the specific business relationship between LiftLab and Customer, and as otherwise set forth in the Agreement unless expressly permitted by the USASP Laws; and
(e) Will comply with all applicable sections of the USASP Laws, including, with respect to the Personal Information that it Collected pursuant to the Agreement, providing the same level of privacy protection as required of businesses by the USASP Laws.
4. Subcontractors. Customer agrees that LiftLab may engage other Service Providers, processors, or sub-processors (each a “Subcontractor”) as provided for, and in accordance with its obligations under the USASP Laws, to assist in performing its obligations to Customer, subject to written terms requiring the Subcontractor to protect the Personal Information to the standard required by the USASP Laws, and as protective of the Personal Information as this Addendum. LiftLab will remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of the Subcontractor that cause LiftLab to breach any of its obligations under this Addendum.
5. Consumer Requests. LiftLab will forward to Customer any USASP Laws rights requests related to Personal Information within 72 hours of receipt of such requests. Except as instructed by Customer or required by law, LiftLab will not respond to a USASP Laws rights request or otherwise communicate with the individual making the request. LiftLab will provide Customer with all reasonable assistance and cooperation needed to allow Customer to respond to USASP Laws rights requests in compliance with USASP Laws, including providing Customer with access to Personal Information. When and as instructed by Customer, LiftLab will promptly delete all or part of the Personal Information from its records except as otherwise noted in the Agreement.
6. Security Measures. LiftLab will implement and maintain reasonable physical, technical, and organizational security measures appropriate to the nature of the Personal Information and in accordance with industry standards to protect the Personal Information against accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, and access. LiftLab will reasonably assist Customer in verifying LiftLab’s compliance with its obligations under this Addendum, including periodic remote review of records related to LiftLab’s security measures, at least once every 12 months.
7. Security Breach. In the event of an actual or suspected security breach or cyber security incident affecting the Personal Information, LiftLab will: (a) immediately take all necessary legal and security action to secure the Personal Information and the systems on which it resides; (b) notify Customer promptly, but in no event later than 72 hours after becoming aware of the breach, about the nature of the breach (e.g., what happened and when it happened), the affected Personal Information, and the measures LiftLab has taken to contain the breach or cyber security incident; and (c) provide Customer all reasonable cooperation and assistance for Customer to support its compliance with applicable laws including the USASP Laws.
8. LiftLab will inform Customer if it can no longer meet its obligations under this USASP Addendum. LiftLab certifies that it understands and will comply with the restrictions and obligations in this USASP Addendum.