Data Protection


September 22, 2023

1. Scope, Order of Precedence, and Term

1.1. This Data Protection Addendum (this “DPA”) is part of the agreement(s) (the “Agreement”) between POSaBIT, Inc., a Washington corporation with a business address at 15 Lake Bellevue Dr #101, Bellevue, WA 98005 (“POSaBIT”), and the signatory to the Agreement (“Customer”), as agreed pursuant to the terms of such Agreement. This DPA sets forth the obligations of the Parties with respect to the Processing of Personal Data.

1.2. The effective date of the DPA is the date of the Agreement.

1.3. This DPA applies only with respect to the Personal Data the Parties Process in connection with the activities contemplated by the Agreement.

1.4. In the event of a conflict between this DPA and the Agreement, the DPA will control to the extent necessary to resolve the conflict. In the event the Parties use an International Data Transfer Mechanism and there is a conflict between the obligations in that International Data Transfer Mechanism and this DPA, the International Data Transfer Mechanism will control except as specified in this DPA.

1.5. The term of this DPA is coterminous with the Agreement, except for obligations that survive past termination as specified below.

2. Definitions

The following terms have the meanings set forth below. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.

2.1. “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.

2.2. “Data Protection Law” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement.

2.3. “Data Subject” means an identified or identifiable natural person.

2.4. “De-identified Data” means a data set that does not contain any Personal Data. Aggregated data is De-identified Data. To “De-identify” means to create De-identified Data from Personal Data.

2.5. “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a Data Subject. Personal Data includes equivalent terms in other Data Protection Law, such as the CCPA-defined term “Personal Information,” as context requires.

2.6. “Personal Data Breach” means a confirmed breach of security that caused an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, or an event that qualifies as a reportable data breach under applicable Data Protection Law.

2.7. “Process” or “Processing” means any operation or set of operations that a Party performs on Personal Data, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

2.8. “Processor” means an entity that processes Personal Data on behalf of another entity.

2.9. “Sell” has the meaning assigned to it in the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and any successor law.

2.10. “Sensitive Data” means the following types and categories of data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data; data concerning health, including protected health information governed by the Health Insurance Portability and Accountability Act; data concerning a natural person's sex life or sexual orientation; government identification numbers (e.g., SSNs, driver’s license); payment card information; nonpublic personal information governed by the Gramm-Leach-Bliley Act; an unencrypted identifier in combination with a password or other access code that would permit access to a data subject’s account; and precise geolocation.

2.11. “Services” has the meaning assigned to it in the Agreement. “Activities” means the same thing as Services.

2.12. “Subprocessor” means a Processor engaged by a Party who is acting as a Processor.

3. Security and Confidentiality

3.1. Security Controls. POSaBIT will maintain a written information security policy that defines security controls that are based on its assessment of risk to Personal Data that it Processes and its information systems. POSaBIT’s security controls are described in Schedule 2.

3.2. Confidentiality. Without limiting POSaBIT’s confidentiality obligations in the Agreement, POSaBIT will ensure that its employees, independent contractors, and agents are subject to an obligation to keep Personal Data confidential.

4. Description of the Parties’ Personal Data Processing Services and Statuses of the Parties

4.1. Schedule 1 describes the purposes of the Parties’ Processing, the types or categories of Personal Data involved in the Processing, and the categories of Data Subjects affected by the Processing.

4.2. Schedule 1 lists the Parties’ statuses under relevant Data Protection Law.

5. International Data Transfer

5.1. Some jurisdictions require that an entity transferring Personal Data to, or accessing Personal Data from, a foreign jurisdiction take extra measures to ensure that the Personal Data has special protections (an “International Data Transfer Mechanism”). The Parties will comply with any International Data Transfer Mechanism that may be required by applicable Data Protection Law. Before Customer transfers to POSaBIT, or permits POSaBIT to access, Personal Data originating from a jurisdiction that requires an International Data Transfer Mechanism, Customer will notify POSaBIT of the relevant requirement and the Parties will work together in good faith to fulfill the requirements of that International Data Transfer Mechanism.

6. Data Protection Generally

6.1. Compliance. The Parties will comply with their respective obligations under Data Protection Law and their privacy notices. The Parties will notify each other if they are no longer able to comply with applicable Data Protection Law.

6.2. Lawful Basis of Processing. If Customer is required by Data Protection Law to have a lawful basis of Processing Personal Data, such as consent, Customer represents and warrants that it collects Personal Data consistent with such requirement.

6.3. Cooperation.

6.3.1. Governmental and Investigatory Requests. If either Party receives any type of request or inquiry from a governmental, legislative, judicial, law enforcement, or regulatory authority (e.g., the Federal Trade Commission, the Attorney General of a U.S. state, or a European data protection authority), or faces an actual or potential claim, inquiry, or complaint in connection with the Parties’ Processing of Personal Data (collectively, an “Inquiry”), the receiving Party will notify the other Party without undue delay unless such notification is prohibited by applicable law. If requested by the receiving Party, the other Party will provide the receiving Party with information relevant to the Inquiry to enable the receiving Party to respond to the Inquiry.

6.3.2. Other Requirements of Data Protection Law. Upon request, the Parties will provide relevant information to each other to fulfill their respective obligations (if any) to conduct data protection impact assessments or prior consultations with data protection authorities.

6.4. De-identified, Anonymized, or Aggregated Data. The Parties may create De-identified Data from Personal Data and Process the De-identified Data for any purpose.

7. POSaBIT’s Obligations as a Processor

7.1. The obligations set forth in this Section 7 apply only in connection with POSaBIT’s Processing of Personal Data of Customer in its capacity as Customer’s Processor in connection with the Services; these obligations do not apply to POSaBIT in its capacity as a Controller.

7.2. Scope of Processing.

7.2.1. POSaBIT will Process Personal Data solely in connection with the Services, to carry out its obligations under the Agreement, and to carry out Customer’s documented instructions. POSaBIT will not Process Personal Data received from Customer in connection with the Agreement for any other purpose, unless required by applicable law, and will not Sell Personal Data received from Customer in connection with the Agreement.

7.2.2. Notwithstanding anything to the contrary, the Parties agree that POSaBIT may, and Customer instructs POSaBIT to, Process Personal Data for internal operations that support the Services, including to detect data security incidents; protect against fraudulent or illegal activity; ensure safety; debug, troubleshoot, or repair products and services; provide customer service; maintain or service accounts; undertake internal research for technological development; and build or improve the quality of POSaBIT’s products and services.

7.2.3. Processing any Personal Data received from Customer in connection with the Agreement outside the scope of the Agreement will require prior written agreement between POSaBIT and Customer by way of written amendment to the Agreement.

7.2.4. POSaBIT will notify Customer if it believes that it cannot follow Customer’s instructions or fulfil its obligations under the Agreement because of a legal obligation to which POSaBIT is subject, unless POSaBIT is prohibited by law from making such notification.

7.3. Data Subjects’ Requests to Exercise Rights. POSaBIT will promptly inform Customer if POSaBIT receives a request from a Data Subject to exercise their rights with respect to their Personal Data under applicable Data Protection Law. Customer will be responsible for responding to such requests. POSaBIT will not respond to such Data Subjects except to acknowledge their requests. POSaBIT will provide Customer with commercially reasonable assistance, upon request, to help Customer to respond to a Data Subject’s request.

7.4. POSaBIT’s Subprocessors. POSaBIT and its Subprocessors will enter into agreements that require the Subprocessor to meet obligations that are no less protective of Personal Data than this DPA.

7.5. Personal Data Breach. POSaBIT will notify Customer without undue delay of a Personal Data Breach affecting Personal Data POSaBIT Processes in connection with the Services. Upon request, POSaBIT will provide information to Customer about the Personal Data Breach to the extent necessary for Customer to fulfill any obligations it has to investigate or notify authorities, except that POSaBIT reserves the right to redact information that is confidential or competitively sensitive. Notifications will be delivered to the contact addresses listed in the Agreement. Customer agrees that email notification of a Personal Data Breach is sufficient. Customer agrees that it will notify POSaBIT if it changes its contact information. Customer agrees that POSaBIT may not notify Customer of security-related events that do not result in a Personal Data Breach.

7.6. Deletion and Return of Personal Data. At the expiration or termination of the Agreement and upon written request by Customer to POSaBIT, POSaBIT will, without undue delay, (i) return all Personal Data (including copies thereof) to Customer and/or (ii) destroy all Personal Data (including copies thereof), except to the extent reasonably necessary to meet POSaBIT’s legal compliance obligations or pursuant to POSaBIT’s records management and backup program and policies (including retention reasonably required for the enablement of internal and external audits) or as the Parties otherwise expressly agree in writing. For any Personal Data that POSaBIT retains after expiration or termination of the Agreement (for example, because POSaBIT is legally required to retain the information), POSaBIT will continue to comply with the data security and privacy provisions of this DPA and POSaBIT will De-identify such Personal Data (if any) to the extent feasible.

7.7. Audits.

7.7.1. Scope. The terms of this Section 7.7 apply notwithstanding anything to the contrary. Customer agrees that POSaBIT’s obligations under this Section 7.7 are limited to the Personal Data POSaBIT Processes in connection with the Services.

7.7.2. Request. Upon written request that includes a statement of reasons for the request, POSaBIT will make available to Customer applicable documentation that is responsive to Customer’s request, including third-party audit reports or certifications to the extent they are available. To the extent that such audit reports or certifications do not satisfy Customer’s request, POSaBIT will provide Customer or Customer’s designated third party (which Customer agrees may not be a competitor to POSaBIT) with the information and access to facilities necessary to demonstrate compliance with Data Protection Law.

7.7.3. Access to Facilities. If Customer requires access to POSaBIT’s facilities (the “Inspection”), Customer will provide POSaBIT with written notice at least 60 days in advance. Such written notice will specify the things, people, places, or documents to be made available. Such written notice, and anything produced in response to it (including any derivative work product such as notes of interviews), will be considered confidential information and will remain confidential information in perpetuity or the longest time allowable by applicable law after termination of the Agreement. Such materials and derivative work product produced in response to the Inspection will not be disclosed to anyone without the prior written permission of POSaBIT unless such disclosure is required by applicable law. If disclosure is required by applicable law, Customer will give POSaBIT prompt written notice of that requirement and an opportunity to obtain a protective order to prohibit or restrict such disclosure except to the extent such notice is prohibited by applicable law or order of a court or governmental agency. Customer agrees to negotiate in good faith with POSaBIT before seeking to exercise such audit or on-site inspection right more frequently than once per twelve (12) month period. Customer will make every effort to cooperate with POSaBIT to schedule the Inspection at a time that is convenient to POSaBIT. Customer agrees that if it uses a third party to conduct the Inspection, the third party will sign a non-disclosure agreement. Customer agrees that the Inspection will only concern POSaBIT’s architecture, systems, policies, records of processing, data protection impact assessments, and procedures relevant to its obligations as set forth in the Agreement. Customer agrees that POSaBIT shall be allowed to protect or redact the names and identifying or proprietary information of other POSaBIT customers during the Inspection.

7.8. Additional Terms. As a condition to Customer’s access and use of any documentation, reports, materials or facilities under this Section 7 (either directly or through a third party), POSaBIT may require Customer to agree to certain terms and conditions requested by POSaBIT, including additional confidentiality and nondisclosure requirements, covenants to comply with POSaBIT’s policies, and the requirement to implement and comply with a mutually agreed upon inspection plan.

Schedule 1: Description of Personal Data Processing

Schedule 2: Technical and Organizational Security Measures

POSaBIT has implemented a written information security policy that addresses:

  • Roles and responsibilities for managing security controls.
  • Employee disciplinary measures.
  • Exceptions management.
  • Risk assessments.
  • Employee training.
  • Asset management and encryption.
  • Physical and environmental security.
  • Access controls.
  • Logging and monitoring.
  • Incident response.
  • Business continuity and disaster recovery.
  • Mobile devices and telework.

Furthermore, POSaBIT uses a secure, third-party solution to facilitate transfers of Personal Data and confidential data to and from its clients. POSaBIT also has a third-party security review performed annually to assess its security procedures and practices.