Data Processing Agreement

This Data Privacy Agreement (“DPA”) applies to any services agreement between Payactiv and Client (“Agreement”) and is incorporated by reference when the CCPA covers Client’s use of the Services and the processing of Personal Information. This DPA ensures that Payactiv’s processing of Personal Information complies with the CCPA. This DPA does not apply if Payactiv and Client executed a separate data processing agreement compliant with the CCPA.

1. Definitions

1.1. Capitalized terms used in this DPA have the meanings given below or, where not set out below, the meanings given in the Agreement or the CCPA.

1.2. CCPA: means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100, et seq., as may be amended from time to time, including but not limited to those amendments enacted by the California Privacy Rights Act of 2020, and any implementing regulations.

1.3. Client Personal Information: means the Personal Information provided by Client that Payactiv processes on behalf of Client in the course of performing the Services.

1.4. Eligible Employees: has the meaning in the Agreement.

1.5. Participating Employees: has the meaning in the Agreement.

1.6. Personal Information: means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household in so far as such information relates to a Consumer within the scope of the CCPA.

1.7. Personal Information Security Breach: means an unauthorized access and exfiltration, theft, or disclosure as a result of Payactiv’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the Personal Information, as described in subdivision (a)(1) of Cal. Civ. Code §1798.150.

1.8. Services: has the meaning in the Agreement.

1.9. Terms that are defined within the CCPA that appear in this DPA, including but not limited to “Business,” “Commercial Purpose,” “Consumer,” “Service Provider,” “process,” “collect,” “sell,” and “share,” have the meanings defined in the CCPA.

1.10. In this DPA: references to Sections of the CCPA are to those Sections as amended by the CPRA.

2. Application

2.1. This DPA only applies to the extent that Client or Eligible Employees are subject to the CCPA. Payactiv shall not have any liability to Client or Eligible Employees to the extent the basis of liability arises from a violation of CCPA or any other applicable law by Client or Eligible Employees, failure by Client to obtain necessary consents to use Personal Information or provide necessary opt-outs, or failure by Client to fully comply with the Agreement or this DPA (collectively, “Failures”). Client shall indemnify, defend, and hold Payactiv harmless from any claims, demands, allegations, damages, losses, liabilities, fines, penalties, costs and expenses (including reasonable attorneys’ fees and costs) arising from such Failures.

2.2. Except as set out in this DPA or the Agreement, Client is fully responsible for compliance with all applicable laws.

2.3. With regard to Client Personal Information processed in accordance with the Agreement, Client is the Business and Payactiv is a Service Provider.

3. Data Processing Terms

3.1. Compliance with CCPA. Payactiv will comply with all sections of the CCPA that apply to it as a Service Provider during the course, scope, and performance of its obligations as a Service Provider.

3.2. Business Purposes. Payactiv will process Client Personal Information only for purposes of (a) delivering the Services; (b) ensuring the security and integrity of the Client Personal Information is reasonably necessary and proportionate for these purposes; (c) undertaking internal research for technological development and demonstration; and (d) for related purposes or as otherwise permitted by the CCPA (the “Business Purposes”).

3.3. Retention. Payactiv shall only retain Client Personal Information to deliver the Services and comply with its legal obligations. The Services may provide Client and Participating Employees with controls that may be used to retrieve, block access to, correct, or delete content, and some content may be subject to user-defined retention or access periods. Upon termination of the Agreement, Payactiv will delete all Personal Information obtained from Client and not otherwise needed to provide Services to enrolled users or to comply with audit or compliance requirements.

3.4. Use Restriction. Payactiv shall only process Client Personal Information for limited and specified purposes (a) set forth in Section 3.2; (b) in accordance with Client’s documented instructions, including those provided in the Agreement; (c) as necessary to comply with legal obligations; (d) as permitted by the CCPA; or (e) as otherwise agreed to in writing with Client. Payactiv shall not: (a) retain, use or disclose Client Personal Information for any purpose other than for the Business Purposes or as otherwise permitted by the CCPA; (b) retain, use, or disclose Client Personal Information for a Commercial Purpose other than providing the Services or as otherwise permitted by the CCPA; (c) Sell or Share Client Personal Information; (d) retain, use or disclose Client Personal Information outside of the direct business relationship between Payactiv and the Client, Participating Employees, or Eligible Employees; or (e) combine Client Personal Information with Personal Information received from or on behalf of any other person or collected from Payactiv’s own interaction with a consumer, except as specifically allowed under the CCPA. The foregoing does not apply to any information that is no longer Personal Information, including by application of Deidentification or aggregation techniques that meet the requirements of applicable law.

3.5. Subcontractors. Payactiv acknowledges that the restrictions and obligations under the CCPA and this DPA apply even if Payactiv engages subcontractors to perform services on its behalf. Service Provider will establish contracts with its subcontractors that comply with the CCPA.

4. Security

4.1. Technical Measures. Payactiv has implemented and will maintain commercially reasonable and appropriate technical and organizational measures in relation to the Services, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. This includes measures relating to the physical security of facilities used to deliver Services, measures to control access rights to assets and relevant networks, and processes for testing these measures.

5. Individual Rights

5.1. Respect. If Payactiv receives a request from an individual with respect to Client Personal Information, Payactiv will confirm that their request relates to Client and attempt to redirect the individual to exercise that right through Client (and may provide Client’s basic contact information to enable them to do this).

5.2. Assistance. When required by the CCPA, Client will inform Service Provider of any Consumer request that requires Service Provider’s compliance, and will provide Service Provider with the information within Client’s possession that is necessary for Service Provider to comply with the request. Taking into account the nature of the Services and Personal Information available to Payactiv, where Payactiv holds Client Personal Information, Payactiv will provide assistance in relation to individual rights requests in so far as this is technically possible and where Client does not have the ability to address the request without Payactiv’s assistance (including access, deletion, and correction requests). Client is responsible for determining that the Consumer request has been verified and that the requestor is the individual whose Personal Information is being sought. Client assumes sole responsibility for (and Payactiv bears no responsibility for) Personal Information provided in good faith to Client in reliance on this Section. Client may be responsible for costs incurred by Payactiv in connection with Payactiv’s provision of such assistance.

6. Compliance

6.1. Demonstration of Compliance. Upon request by Client, Payactiv will make available to Client information demonstrating that Payactiv uses Client Personal Information in a manner consistent with its obligations under the CCPA.

6.2. Certificate of Compliance. Payactiv will notify Client if it determines that it can no longer meet its obligations under the CCPA. Upon such notice, Client will have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Client Personal Information by Payactiv.

6.3. Legal Requests. The obligations set out in this DPA shall not restrict Payactiv’s ability to comply with (a) federal, state, or local laws; (b) a court order or subpoena to provide information; or (c) a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Payactiv shall not be in breach of this DPA or the Agreement if Payactiv responds to such a request in compliance with applicable law.

6.4. Disclosure of Requests to Client. If Payactiv receives a valid and binding request or order of a governmental body (e.g., a court order, law enforcement demand or other local equivalent) relating to Client Personal Information, Payactiv will attempt to redirect the requestor to seek disclosure directly from Client (and may provide Client’s basic contact information to enable them to do this this).

7. General

7.1. This DPA shall remain in force until the earlier of: (i) the termination or expiry of the Agreement or (ii) Payactiv ceasing to process Personal Information.

7.2. If any part of this DPA is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable, or illegal, the other terms shall remain in force. Any invalid, unenforceable, or illegal term will be interpreted to give effect to the Parties’ commercial intention. If that is not possible, it will be severed but the rest shall remain in full force.

7.3. Except where this DPA conflicts with the Agreement, all other provisions of the Agreement remain unchanged. In the event of conflict between this DPA and the terms of the Agreement, this DPA shall prevail so far as the subject matter concerns the processing of Client Personal Information. This DPA together with the Agreement is the final, complete, and exclusive agreement of the Parties with respect to the subject matter of it and supersedes and merges all prior discussions and agreements between the Parties with respect to such subject matter. No other representations or terms shall apply or form part of this DPA. 

7.4. Payactiv’s liability under or in connection with this DPA is subject to the limitations on liability contained in the Agreement.

7.5. This DPA and the Agreement shall be interpreted as broadly as necessary to implement and comply with the mandatory provisions of the CCPA. The Parties agree that this DPA shall be interpreted in favor of their intent to comply with the CCPA and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with the CCPA.

7.6. This DPA shall be governed by the governing law of the State of California.