Last updated: June 16, 2023 (“Effective Date”)
This Data Processing Agreement (“DPA”) is incorporated into and made part of the Terms of Use (“Terms”) between you (“Customer”) and Plz Fix Inc. (“Company”). Unless otherwise defined in this DPA, capitalized terms will have the meaning given to them in the Terms. This DPA prevails over any conflicting term of the Terms, but does not otherwise modify the Terms.
To the extent Data falls within the scope of the General Data Protection Regulation or the United Kingdom General Data Protection Regulation, the terms of this DPA apply to the processing of any Customer Personal Data (as defined in the DPA). To the extent Data falls within the scope of any U.S. state privacy laws or their implementing regulations, only the terms of the U.S. State Data Processing Agreement in Appendix 3 apply to the processing of any Personal Data (as defined in Appendix 3).
1.1 In this DPA:
a. “Controller,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Processing,” “Processor,” and “Supervisory Authority,” have the meaning given to them in the GDPR.
b. “Customer Personal Data” means any Data that constitutes Personal Data, the Processing of which is subject to Data Protection Law, for which Customer or Customer’s customers are the Controller, and which is Processed by Company to provide the Service;
c. “Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the United Kingdom General Data Protection Regulation, and e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), and their national implementations in the European Economic Area (“EEA”), Switzerland and the United Kingdom, each as applicable, and as may be amended or replaced from time to time;
d. “Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making in accordance with Data Protection Law;
e. “International Data Transfer” means any transfer of Customer Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom;
f. “Sub-processor” means a Processor engaged by Company to Process Customer Personal Data;
g. “Standard Contractual Clauses” means the clauses annexed to EU Commission Implementing Decision EU 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council;
h. “UK Addendum” means the addendum to the Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
2.1 This DPA applies to Processing of Customer Personal Data by Company to provide the Service.
2.2 The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Appendix 1.
2.3 Customer is a Controller and appoints Company as a Processor on behalf of Customer in relation to the purposes set out in Appendix 1. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
2.4 If Customer is a Processor on behalf of other Controller(s), then Customer is the single point of contact for Company; must obtain all necessary authorizations from such other Controller(s); undertakes to issue all instructions and exercise all rights on behalf of such other Controller(s); and is responsible for compliance with the requirements of Data Protection Law applicable to Processors.
2.5 Customer acknowledges that Company may Process Personal Data relating to the operation, support, or use of the Service for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Company is the Controller for such Processing and will Process such data in accordance with Data Protection Law. Such Processing shall not be subject to the terms of this DPA.
3.1 Company will Process Customer Personal Data to provide the Service and in accordance with Customer’s documented instructions.
3.2 The Controller’s instructions are documented in this DPA, the Terms, and any applicable statement of work.
3.3 Customer may reasonably issue additional instructions as necessary to comply with Data Protection Law. Company may charge a reasonable fee to comply with any additional instructions.
3.4 Unless prohibited by applicable law, Company will inform Customer if Company is subject to a legal obligation that requires Company to Process Customer Personal Data in contravention of Customer’s documented instructions.
4.1 Company personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.
5.1 Taking into account the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures to provide a level of security appropriate to the risk, including the measures set out on our security page.
5.2 Customer acknowledges that the security measures on our security page are appropriate in relation to the risks associated with Customer’s intended Processing, and will notify Company prior to any intended Processing for which Company’s security measures may not be appropriate.
5.3 Company will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Company’s notification is delayed, it will be accompanied by reasons for the delay.
6.1 Customer hereby authorizes Company to engage Sub-processors. A list of Company’s current Sub-processors is available here.
6.2 Company will enter into a written agreement with Sub-processors which imposes the same obligations as required by Data Protection Law.
6.3 Customer may object to the addition of a Sub-processor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Company’s notification of the intended change. Customer and Company will work together in good faith to address Customer’s objection. If Company chooses to retain the Sub-processor, Company will inform Customer at least thirty (30) days before authorizing the Sub-processor to Process Customer Personal Data, and Customer may immediately discontinue using the relevant part of the Service, and may terminate the relevant part of the Service within thirty (30) days.
7.1 Taking into account the nature of the Processing, and the information available to Company, Company will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Customer’s own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
7.2 Company will maintain records of Processing of Customer Personal Data in accordance with Data Protection Law.
7.3 Company may charge a reasonable fee for assistance under this Section 7. If Company is at fault, Company and Customer shall each bear their own costs related to assistance.
8.1 Company shall maintain a program to provide compliance with the obligations set out in this DPA.
8.2 Company shall obtain appropriate third-party certifications and/or audits. Upon Customer’s request, and subject to the confidentiality obligations set forth in this DPA, Company shall make available to the Customer information regarding Company’s compliance with the obligations set forth in this DPA in the form of a copy of Company’s then most recent third-party audit report or certification.
8.3 Company and Customer each bear their own costs related to an audit.
9.1 Customer hereby authorizes Company to perform International Data Transfers to any country deemed adequate by the EU Commission; on the basis of appropriate safeguards in accordance with Data Protection Law or pursuant to the Standard Contractual Clauses and UK Addendum referred to in Section 9.2 and 9.3 respectively.
9.2. By signing this DPA, Customer and Company hereby agree to conclude the provisions of module two (controller to processor) of the Standard Contractual Clauses, which are hereby incorporated into this DPA and completed as follows:
9.3. By signing this DPA, Customer and Company conclude the UK Addendum which is hereby incorporated and applies to International Data Transfers outside the United Kingdom. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Company, their details are set forth in this DPA and the Terms; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the Standard Contractual Clauses referred to in Section 9.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B), II and III to the “Approved EU SCCs” are Appendixes 1 and 2 to the Terms; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
9.4. If the Standard Contractual Clauses or the UK Addendum are amended, updated, or invalidated, Customer and Company will work together in good faith to reasonably resolve such non-compliance.
10.1 Customer will send notifications, requests and instructions under this DPA to Company’s legal department via email to legal@flippr.ai. Company will send notifications under this DPA to Customer’s contact email address.
11.1 To the extent permitted by applicable law, where Company has paid damages or fines, Company is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer’s part of responsibility for the damages or fines.
12.1 This DPA is terminated upon the termination of the Terms.
12.2 Upon termination of the Terms of Service, the Company will, upon Customer’s request, return Customer Personal Data in Company’s possession to the Customer or securely destroy such Customer Personal Data unless applicable laws prevent the Company from returning or destroying all or part of Customer Personal Data.
13.1 This DPA will take effect on the DPA Effective Date and, notwithstanding the expiration of the Term, will remain in effect until, and automatically expire upon, Flippr’s deletion of all Customer Personal Data as described in this DPA. This DPA may only be modified by both Company and Customer agreeing in writing to new Terms as published on Flippr’s Site.
14.1 If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
Data exporter(s): The Data Exporter (or Business/Controller) is the Customer that is a party to the DPA.
Data importer(s): The Data Importer (or Service Provider/Processor) is Flippr, a provider of document workflow and productivity solutions.
As detailed in the DPA. The competent authority for data transfers subject to the UK Addendum is the Information Commissioner’s Office in the UK.
Policies set out on our security page are hereby incorporated herein.
This U.S. State Privacy Law Data Processing Agreement (“U.S. State DPA”) is incorporated and made part of the Terms of Use (the “Terms”) between you, on behalf of you and your affiliates (“Customer”), and Plz Fix Inc. (“Vendor”) (each a “Party” and collectively the “Parties”) for so long as Vendor processes Personal Data on behalf of Customer. This U.S. State DPA prevails over any conflicting terms of the Terms.
1. Definitions. For the purposes of this U.S. State DPA:
1.1. “State Privacy Laws” means, collectively, all U.S. state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals’ Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health or biometric information). State Privacy Laws include the following:
1.1.1. California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (California Civil Code §§ 1798.100 to 1798.199) (“CPRA”);
1.1.2. Colorado Privacy Act (Colorado Rev. Stat. §§ 6-1-1301 to 6-1-1313) (“ColoPA”);
1.1.3. Connecticut Personal Data Privacy and Online Monitoring Act (Public Act No. 22-15) (“CPOMA”);
1.1.4. Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 to 13-61-404) (“UCPA”); and
1.1.5. Virginia Consumer Data Protection Act (Virginia Code Ann. §§ 59.1-575 to 59.1-585) (“VCDPA”).
1.2. “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person. Where applicable, Personal Data shall be interpreted consistent with the same or similar term under State Privacy Laws.
1.3. “Share,” “Shared,” and “Sharing” have the meaning defined in the CPRA.
1.4. “Sale” and “Selling” have the meaning defined in the State Privacy Laws.
1.5. “Controller” means “Controller” or “Business” as those terms are defined in the State Privacy Laws.
1.6. “Processor” means “Processor,” “Service Provider,” or “Contractor” as those terms are defined in the State Privacy Laws.
1.7. “Consumer” has the meaning defined in the State Privacy Laws.
1.8. “Processing,” “Process,” and “Processed” have the meaning defined in the State Privacy Laws.
1.9. “Company Personal Data” means Personal Data provided by Customer to, or which is collected on behalf of Customer by, Vendor to provide services to Customer pursuant to the Terms.
1.10. In the event of a conflict in the meanings of defined terms in the State Privacy Laws, the meaning from the law applicable to the state of residence of the relevant Consumer applies.
2. Scope, Roles, and Termination
2.1. Applicability - This U.S. State DPA applies only to Vendor’s Processing of Company Personal Data for the nature, purposes, and duration set forth in the Terms.
2.2. Roles of the Parties - For the purposes of the Terms and this U.S. State DPA, Customer is the Party responsible for determining the purposes and means of Processing Company Personal Data as the Controller and appoints Vendor as a Processor to Process Company Personal Data on behalf of Customer for the limited and specific purposes set forth in the Terms.
2.3. Obligations at Termination - Upon termination of the Terms, except as set forth therein or herein, Vendor will discontinue Processing and destroy or return Company Personal Data in its or its subcontractors’ and sub-processors’ possession without undue delay. Vendor may retain Company Personal Data to the extent required by law but only to the extent and for such period as required by such law and always provided that Vendor shall ensure the confidentiality of all such Company Personal Data.
3. Compliance
3.1. Compliance with Obligations - In addition to the representations and warranties set forth in the Terms, Vendor further represents and warrants that Vendor, its employees, agents, subcontractors, and sub-processors (a) shall comply with the obligations of the State Privacy Laws, (b) shall provide the level of privacy protection required by the State Privacy Laws, (c) shall provide Customer with all reasonably-requested assistance to enable Customer to fulfill its own obligations under the State Privacy Laws, and (d) understand and shall comply with this U.S. State DPA. Upon the reasonable request of Customer, Vendor shall make available to Customer all information in Vendor’s possession necessary to demonstrate Vendor’s compliance with this subsection.
3.2. Compliance Assurance - Customer has the right to take reasonable and appropriate steps to ensure that Vendor uses Company Personal Data consistent with Customer’s obligations under applicable State Privacy Laws and the security measures attached hereto in Appendix 2 and incorporated herein.
3.3. Compliance Monitoring - Customer has the right to monitor Vendor’s compliance with this U.S. State DPA through measures, including, but not limited to, ongoing manual reviews, automated scans, regular assessments, audits, or other annual technical and operational testing at least once every 12 months.
3.4. Compliance Remediation - Vendor shall notify Customer no later than five business days after determining that it can no longer meet its obligations under applicable State Privacy Laws. Upon receiving notice from Vendor in accordance with this subsection, Customer may direct Vendor to take reasonable and appropriate steps to stop and remediate unauthorized use of Company Personal Data.
4. Restrictions on Processing
4.1. Limitations on Processing - Vendor will Process Company Personal Data solely as instructed in the Terms and this U.S. State DPA. Except as expressly permitted by the State Privacy Laws, Vendor is prohibited from (i) Selling or Sharing Company Personal Data, (ii) retaining, using, or disclosing Company Personal Data for any purpose other than for the specific purpose of performing the Services specified in the Terms, (iii) retaining, using, or disclosing Company Personal Data outside of the direct business relationship between the Parties, and (iv) combining Company Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer, except as expressly permitted under applicable State Privacy Laws.
4.2. Confidentiality - Vendor shall ensure that its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to Company Personal Data.
4.3. Subcontractors; Sub-processors - Vendor’s current subcontractors and sub-processors are available at https://flippr.ai/legal/subprocessors. Vendor shall notify Customer of any intended changes concerning the addition or replacement of subcontractors or sub-processors. Further, Vendor shall ensure that Vendor’s subcontractors or sub-processors who Process Company Personal Data on Vendor’s behalf agree in writing to the same or equivalent restrictions and requirements that apply to Vendor in this U.S. State DPA and the Terms with respect to Company Personal Data, as well as to comply with the applicable State Privacy Laws.
4.4. Right to Object - Customer may object in writing to Vendor’s appointment of a new subcontractor or sub-processor on reasonable grounds by notifying Vendor in writing within 30 calendar days of receipt of notice in accordance with Section 4.3. In the event Customer objects, the Parties shall discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution.
5. Consumer Rights
5.1. Vendor shall provide commercially reasonable assistance to Customer for the fulfillment of Customer’s obligations to respond to State Privacy Law-related Consumer rights requests regarding Company Personal Data.
5.2. Customer shall inform Vendor of any Consumer request made pursuant to the State Privacy Laws that they must comply with. Customer shall provide Vendor with the information necessary for Vendor to comply with the request.
5.3. Vendor shall not be required to delete any Company Personal Data to comply with a Consumer’s request directed by Customer if retaining such information is specifically permitted by applicable State Privacy Laws; provided, however, that in such case, Vendor will promptly inform Customer of the exceptions relied upon under applicable State Privacy Laws and Vendor shall not use Company Personal Data retained for any purpose other than provided for by that exception.
6. Deletion of Company Personal Data
6.1. Upon direction by Customer, and in any event no later than 30 days after receipt of a request from Customer, Vendor shall promptly delete Company Personal Data as directed by Customer, unless Vendor is required by law to retain such data, in which case Vendor shall, on an ongoing basis, isolate and protect the security and confidentiality of such Personal Data and prevent any further processing except to the extent required by such law and shall destroy or return to Customer all other Personal Data not required to be retained by Vendor by law.
7. Deidentified Data
7.1. In the event that Customer discloses or makes available Deidentified data (as such term is defined in the State Privacy Laws) to Vendor, Vendor shall not attempt to reidentify the information.
8. Security
8.1. Vendor and Customer shall implement and maintain no less than commercially reasonable security procedures and practices, appropriate to the nature of the information, to protect Company Personal Data from unauthorized access, destruction, use, modification, or disclosure.
8.2. Vendor shall fully comply with the security measures attached in Appendix 2.
9. Sale of Data
9.1. The Parties acknowledge and agree that the exchange of Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Terms or this U.S. State DPA.
10. Changes to Applicable Privacy Laws
10.1. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations or other laws pertaining to privacy and information security, including, where applicable, the State Privacy Laws.