Data Processing Addendum

Created: May 28, 2024

Last Updated: June 3, 2024

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) supplements and forms part of the agreement for the provision of services (the “Agreement”) between ORCA Analytics, Inc. (“Company”) and the customer of such services (“Customer”) (collectively, “the parties”).

1. Definitions & Scope

1.1 In this DPA:

  1. “Customer Personal Data” means any Personal Data that Customer provides to Company or that Company collects, obtains or otherwise Processes on behalf of Customer in connection with the Services.
  2. “Personal Data” means any information that reasonably relates, directly or indirectly, to an identified or identifiable individual.
  3. “Processing” (including its cognate “Process”) means any operation or set of operations which is performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  4. “Security Incident” means a breach of security that results in unauthorized or unlawful access to Personal Data by a third party.
  5. “Services” means the services that Company provides to Customer pursuant to the Agreement.
  6. “Privacy Laws” means all laws and regulations that apply to the Processing of Personal Data in connection with the Services, including the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CCPA”), the Colorado Privacy Act of 2021, the Virginia Consumer Data Protection Act of 2021, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022, and any regulations promulgated pursuant to the foregoing that are binding upon the parties.

2. Customer Personal Data

2.1 Company agrees that it will Process Customer Personal Data only in accordance with this DPA. When Company Processes Customer Personal Data, it will:

  1. Process the Customer Personal Data in accordance with Customer's documented instructions as provided in the Agreement, this DPA, or as Customer otherwise instructs Company in connection with the Services;
  2. assist Customer, taking into account the nature of the Processing and the information available to Company, in complying with Customer's obligations to respond to requests concerning Customer Personal Data from individuals under applicable Privacy Laws;
  3. implement physical, technical and organizational measures designed to ensure a level of security appropriate to the risk, and notify Customer in the event of a confirmed Security Incident affecting Customer Personal Data;
  4. only entrust the Processing of Personal Data to contractors, agents and other entities that act as subcontractors for the purpose of providing the Services (“Subprocessors”) that have agreed to substantially similar protections for Customer Personal Data as described in this Section 2; and
  5. upon termination of the Agreement, if instructed by Customer, permit Customer to delete or obtain copies of Customer Personal Data consistent with the functionality of the Services and applicable law.

2.2 Company will not (a) sell Customer Personal Data; (b) retain, use, combine, or disclose Customer Personal Data for any purpose other than as permitted under this DPA; or (c) retain, use, or disclose Customer Personal Data other than in the context of the direct relationship with Customer as described in this DPA.

2.3 Customer is responsible for the lawfulness of the Processing of Customer Personal Data in connection with the Services. Customer will provide all required notices and obtain all required consents, permissions and rights necessary under Privacy Laws to disclose Customer Personal Data to Company in connection with the Services, and for Company to Process Customer Personal Data in connection with the Services.

2.4 Company will make available to Customer at Customer’s request information which is necessary to demonstrate compliance with this DPA. Such information may include confidential summary reports ("Audit Report") prepared by third-party security professionals, in which case Customer agrees to accept such Audit Report, subject to confidentiality requirements, in satisfaction of the information requirements in this Section 2.6. Where required by Privacy Laws, Customer may request, at Customer's cost, Company to provide for an audit subject to reasonable confidentiality procedures, which will: (i) not include access to any information that could compromise confidential information relating to other Company customers or suppliers, Company's technical and organizational measures, or any trade secrets; and (ii) be performed upon not less than thirty (30) days’ notice, during regular business hours and in such a manner as not to unreasonably interfere with Company’s normal business activities.

3. General

3.1 If there is any conflict between this DPA and the Agreement, the DPA will prevail to the extent of that conflict.

3.2 If any provision of the DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of the DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

3.3 This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement.