Tenstreet Data Processing Addendum
Last Updated: December 20, 2022
This Data Processing Addendum (“DPA”) is entered into by and between Tenstreet, LLC (“Tenstreet”) and Client and is hereby incorporated into, and amends, the Master Service Agreement in place between Tenstreet and Client (each a “Party” and, collectively, the “Parties”). If the Parties already have an existing Data Processing Agreement in place, such Data Processing Agreement shall be controlling and shall supersede the provisions of this DPA.
- Definitions: Unless otherwise defined below, all capitalized terms have the meaning given to them in the Master Service Agreement and/or the exhibits or addendums thereto.
- “Applicable Privacy Laws” means the relevant federal, state, and local data protection and privacy laws, rules, and regulations applicable to Tenstreet and to Client relating to the privacy, confidentiality, security, or protection of Personal Information. Applicable Privacy laws include the CCPA, CPRA, US federal, and US state breach notification laws.
- “California Personal Privacy Act of 2018” or “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. as amended, and its implementing regulations.
- “California Privacy Rights Act” or “CPRA” means the California Privacy Rights Act, Cal. Civ. Code §§ 1798.100-199 and its implementing regulations.
- “Client-owned data” means data and information obtained, collected, or generated within the Tenstreet Services on behalf of Client in connection with the Master Service Agreement, which is owned exclusively by Client. For the avoidance of doubt, Client-owned data does not include data and information owned or Processed by Tenstreet separate and apart from the business relationship with Client, data and information that Tenstreet Processes in its role as a consumer reporting agency as defined under the Fair Credit Reporting Act (15 U.S.C. §§ 1681 et seq.) or data Processed by Tenstreet on behalf of, and under the direction of, the Data Subject.
- “Client Personal Information” means Client-owned data that is Personal Information.
- “Data Privacy Incident” means a Data Breach, as defined under Applicable Privacy Laws, or, if not defined by Applicable Privacy Laws, the unauthorized or unlawful acquisition, access, disclosure, use or loss of, Client Personal Information while in the possession or control of Tenstreet or its Sub-processors.
- “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual.
- “Process” means any operation or set of operations that are performed by Tenstreet on Client Personal Information or sets of Client Personal Information, whether or not by automated means.
- “Tenstreet Services” means the services performed by Tenstreet for, and on behalf of, Client, including, but not limited to, all services performed in the business relationship between Client and Tenstreet or set out in the Master Service Agreement between the Parties.
- The terms “Controller” “Processor” “Consumer” and “Data Subject” have the meanings given to them in Applicable Privacy Laws, where applicable.
- Processing Personal Information.
- Tenstreet shall Process Client Personal Information only in performance of the Tenstreet Services on behalf of Client in the role of Processor and, with respect to Client Personal Information subject to the CPRA, only in the role of “service provider,” as “service provider” is defined in the CPRA.
- Tenstreet will at all times Process Client Personal Information for the purposes of providing the Tenstreet Services to Client as specified amongst the business relationship between the Parties, in the Master Service Agreement and in accordance with Client’s documented instructions, unless Tenstreet is required to Process the Client Personal Information for other purposes by Applicable Privacy Laws.
- Tenstreet and Client will comply with their respective obligations under Applicable Privacy Laws with respect to Personal Information. Client warrants that it has provided any notice to, and obtained any consent from, Data Subjects required by law prior to providing Client Personal Information to Tenstreet.
- Tenstreet will Process Client Personal Information subject to the CPRA only (i) in accordance with the CPRA and all other applicable laws and regulations, and (ii) in a manner that provides the same level of protection for Client Personal Information as the CPRA requires Client to provide. Tenstreet will promptly notify Client if it makes a determination that it cannot comply with its obligations under the CPRA with respect to such Client Personal Information, and in such event, Tenstreet will work with Client and take all reasonable and appropriate steps to remediate (if remediable) any Processing of such Client Personal information until such time as the Processing complies with the CPRA.
- With respect to Client Personal Information subject to the CPRA, Tenstreet is prohibited from:
- selling or sharing Client Personal Information without Client’s documented instructions;
- retaining, using, or disclosing Client Personal Information other than for the purposes specified in the Master Service Agreement or other service agreement or as otherwise permitted by the CPRA;
- retaining, using, or disclosing Client Personal Information outside of the Parties’ direct business relationship including as set forth in the Master Services Agreement; and
- combining the received Client Personal Information with any other Personal Information unless permitted by the CPRA.
- Tenstreet engages subcontractors to Process Client Personal Information on Tenstreet’s behalf (“Sub-processors”). Tenstreet will not disclose any Client Personal Information to any Sub-processor, or permit any Sub-processor to Process Client Personal Information on Tenstreet’s behalf, unless and until the Sub-processor agrees, by contract, to substantially the same restrictions and prohibitions on the Processing of Client Personal Information that this DPA imposes on Tenstreet.
- Data Security Measures.
- Tenstreet will implement and maintain sufficient administrative, technical, and organizational security measures for Client Personal Information proportionate to reasonably foreseeable risks to Tenstreet’s Processing of Client Personal Information, consistent with industry standards, and in compliance with Applicable Privacy Laws.
- Tenstreet will implement and maintain a process for regularly testing, assessing, and evaluating the effectiveness of its administrative, technical, and organizational security measures to ensure it meets the obligations set forth herein.
- Data Privacy Incident and Breach Notification
- In the event of a Data Privacy Incident, Tenstreet will inform Client without undue delay and provide Client with written notification. Such notification will include, if available at the time of notification (i) a description of the Data Privacy Incident; (ii) the type of Client Personal Information that was the subject of the Data Privacy Incident; (iii) the identity of each affected Data Subject (if possible); and (iv) a description of the measures taken or proposed to be taken by Tenstreet to address the Data Privacy Incident, including where applicable measures to mitigate possible adverse effects. If any such information is unavailable at the time of the initial notification, Tenstreet will provide prompt updates as such information becomes available.
- Further, in the event of a Data Privacy Incident, Tenstreet will provide reasonable cooperation as Client may require in order that Client may fulfill Client’s data breach reporting or notification obligations under Applicable Privacy Laws, including but not limited to taking such reasonable measures and actions as required under Applicable Privacy Laws to remedy or mitigate the effects of the Data Privacy Incident.
- Assistance, Right to Review, Deletion, and Return
- Tenstreet will provide Client with information and assistance as Client reasonably requires in connection with the Tenstreet Services performed by Tenstreet to assist Client with its compliance obligations under Applicable Privacy Laws.
- Upon receiving a request directly from a Data Subject to exercise any of a Data Subject’s rights under Applicable Privacy Laws with respect to Client Personal Information, Tenstreet will direct the Data Subject to Client. Tenstreet will reasonably assist Client with Client’s compliance obligations relating to the Data Subjects’ exercise of their rights with respect to Client Personal Information. However, Tenstreet will not act on behalf of Client or act as Client’s representative or agent in any way in responding to any Data Subject requests or Data Subjects seeking to exercise their rights with respect to Client Personal Information.
- Client may take the following reasonable and appropriate step to help ensure that Tenstreet uses Client Personal Information subject to the CPRA consistent with the CPRA: Client may submit a request in writing for the information necessary to demonstrate Tenstreet’s compliance with the CPRA and this DPA. Within thirty (30) days after receipt of such request, and after entering into reasonable non-disclosure obligations, Tenstreet shall make available to Client such information, provided always that any such request does not involve review of any third-party data. Tenstreet reserves the right at its sole discretion to have such request or review carried out by a mutually agreed upon independent third-party examiner under confidentiality obligations. Client shall bear all costs associated with such requests. Client shall not make any such requests more than once in any 12-month period, unless associated with a Data Privacy Incident or as otherwise required by Applicable Privacy Laws.
- General
- This DPA shall be governed by and construed in accordance with Applicable Privacy Laws.
- In the event of a conflict between a provision in the Master Service Agreement and a provision in this DPA, the provision contained in this DPA shall prevail.
- The obligations set forth in this DPA are coterminous with the Master Service Agreement and shall survive so long as Tenstreet Processes Client Personal Information.
- If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
- No third party shall be considered a third-party beneficiary under this DPA, nor shall any third party have any rights as a result of this DPA.