DATA PROTECTION SCHEDULE 1: US DATA PROTECTION ADDENDUM
1 Scope
1.1 This Addendum applies only to the extent that GetKambium Processes Subscriber Personal Data under or in connection with this Agreement.
2 Definitions
“Covered Incident” means any instance in which GetKambium becomes aware of actual access to or acquisition of Subscriber Confidential Information that was not authorized in writing by the Subscriber;
“Subscriber Personal Data” means any Personal Data Processed arising from this Agreement or otherwise on behalf of the Subscriber, including Personal Data provided to GetKambium by the Subscriber, collected by GetKambium on the Subscriber’s behalf, or generated by a user;
“Personal Data” means any information (a) relating to an identified or identifiable individual, (b) that is ‘personal information’, ‘personal data’, or analogous variations of such terms under applicable laws related to privacy, data security or protection of information about individuals, or (c) linked to, associated with, or combined with information identified in (a) or (b) above. Personal Data includes, without limitation, identification number, location data, online identifier, or any one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity, including but not limited to an individual’s name, signature, address, telephone number, email address, employee identification number, Social Security or Social Insurance number, driver’s license number, other government-issued identification number, financial account number including but not limited to credit or debit card number, credit report information, password, PIN, account credentials (e.g., username and password), biometric data, medical or health data, answers to security questions, or any other authentication information;
“Process” or “Processing” (or derivatives) means any operation or set of operations which is performed on information or on sets of information, including by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, viewing, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction.
3 Handling of Subscriber Personal Information
3.1 Limitation of Processing. GetKambium will or may Process Subscriber Personal Data solely to the extent necessary to perform its obligations under the Agreement and for the purposes of this Agreement.
3.2 Geographic Limitation on Data Storage and Access. Unless otherwise agreed by the parties in writing, GetKambium will make available to any requesting party who is legally entitled to request the Personal Information, including the Subscriber or end user customers, in the United States any Personal Information, stored communications data or call identifying information (including, for example, and without limitation, call detail records and CPNI) of the Subscriber and its end user customers. Notwithstanding the preceding sentence, the Subscriber acknowledges and agrees that GetKambium may access but not store Subscriber Personal Information, stored communications data or call identifying information from offshore locations.
3.3 Deletion. On written request from the Subscriber, GetKambium will delete from GetKambium’s systems all Subscriber Personal Information, including copies, unless this requirement conflicts with an applicable law(s) or conflicting contractual commitments to the Subscriber.
3.4 De-Identified Data. GetKambium will not, unless otherwise mutually agreed to in writing, re-identify any De-Identified Data with any Personal Data or otherwise perform functions that would re-identify the data. GetKambium has implemented technical and business Safeguards, aligned with industry standards, designed to prohibit the re-identification of De-Identified Data. “De-Identified Data” means Subscriber Personal Data that has been scrubbed, hashed, encrypted or otherwise obscured to remove any information that is reasonably linked to an identified or identifiable individual. Data that is readable only with a key or other technical measure is not De-Identified Data if GetKambium has access to the associated key or measure.
3.5 Data Subject Access Requests. GetKambium will make commercially reasonable efforts to notify the Subscriber, in a timely manner, of:
(a) any individual’s request to access, modify, delete or correct Subscriber Personal Information; and
(b) any complaint received by GetKambium relating to the Processing of Subscriber Personal Information.
3.6 Third Party Legal Process. Unless prohibited by an applicable law or court order, GetKambium will make commercially reasonable efforts to notify the Subscriber in writing of any third-party legal process relating to an event impacting Subscriber Personal Information.
3.7 Compelled Disclosures. GetKambium agrees that it will not release Subscriber Personal Data to any government, entity or individual except when legally required to do so. If GetKambium receives a legal demand or other request for release of Subscriber Personal Information, GetKambium will provide written notice to the Subscriber, so that the Subscriber, at its election, may seek a protective order or other appropriate relief at its sole cost and expense. If the Subscriber does not seek a protective order or other appropriate relief, GetKambium will cooperate with the Subscriber, at the Subscriber’s expense, with respect to the production and delivery of Subscriber Personal Data to ensure compliance with all governing laws and relevant Subscriber policies. If GetKambium is prohibited by applicable law from providing notice to the Subscriber of a legal demand for Subscriber Personal Information, GetKambium will abide by all federal and state law governing release of such data.
3.8 No Third-Party Sales of Information. GetKambium must not sell, rent, transfer, share, disclose or otherwise make available or communicate orally, in writing, or by electronic or other means, whether for monetary or other valuable consideration or for any other reason, identifiable Subscriber Personal Data to any third party, including, without limitation, any subcontractors, without the express written consent of the Subscriber. GetKambium’s use of Subscriber Personal Data will be limited to only that which is necessary to deploy, maintain, or repair the equipment and/or systems designated in GetKambium’s scope of work.
3.9 Certification. This Addendum is GetKambium’s certification, to the extent required by the California Consumer Privacy Act or any other legislation requiring a similar attestation, that GetKambium understands the Personal Data use and sharing limitations in this Agreement, that GetKambium is acting as a service provider to the Subscriber under this Agreement, and will comply with all restrictions on the processing of Personal Data set out in this Agreement.
4 Privacy and Information Security Measures
4.1 GetKambium has established, implemented, and will maintain during the Term, certain measures designed to
(a) address privacy risks related to the development and management of existing and new products and services that Process Personal Information;
(b) protect the privacy and confidentiality of Personal Information,
(c) address industry standard security risks related to the development and management of existing and new products and services that Process Personal Data and
(d) protect the security of Personal Data in each case,
containing controls and procedures appropriate to GetKambium’s size and complexity, the nature and scope of GetKambium’s activities, and the sensitivity of the information processed.
5 Notification and Cooperation
5.1 Covered Incidents. GetKambium will notify the Subscriber of a Covered Incident as soon as commercially practical, and within the timeframe required by applicable law. Where GetKambium is required, by applicable law, to investigate a Covered Incident, GetKambium will keep the Subscriber fully informed at all stages of its investigation, and of all actions taken in response, in line with applicable law.
5.2 Additional Actions. GetKambium will reasonably assist the Subscriber in investigating, remedying and taking any other action that the Subscriber deems necessary regarding any Covered Incident.
6 Additional Requirements Applicable Only if GetKambium Processes Cardholder Information.
6.1 Security of Cardholder Information. This clause 6 only applies to the extent GetKambium Processes Personal Data relating to the use of credit or debit card accounts, including the account numbers, cardholder names, expiration dates, service codes, track data (e.g., magnetic stripe or chip), PINs or PIN blocks (collectively, “Cardholder Information”).
6.2 PCI Standards. GetKambium will remain in compliance with the current versions of all rules, regulations, and industry standards adopted or required (a) by any entity offering or supporting payment card brands (collectively, “Card Brands”) whose Cardholder Information is Processed by GetKambium under this Agreement, and (b) by the Payment Card Industry Security Standards Council (the “Council”), in either case relating to privacy, data security or the safeguarding, disclosure or handling of Cardholder Information, including the Payment Card Industry Data Security Standards, the Payment Card Industry’s Payment Application Data Security Standard, the Payment Card Industry’s PIN Transaction Security requirements, Visa’s Cardholder Information Security Program and Payment Application Best Practices, American Express’s Data Security Operating Policy, MasterCard’s Site Data Protection Program and POS Terminal Security program, and the analogous security programs implemented by Card Brands (collectively referred to as the “PCI Standards”).
7 Order of precedence.
7.1 If there is any conflict or inconsistency between this Addendum and any provision of the general terms and conditions of the Agreement, such conflict or inconsistency will be resolved by giving precedence to this Addendum.