California Consumer Privacy Act Addendum
Pursuant to the terms that govern all related orders for fraud-related services between Subscriber and Signifyd, Inc. (the “Agreement”), and in furtherance of obligations under the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199) and the rules promulgated thereunder, as amended or superseded from time to time (the “CCPA”), Subscriber and Signifyd (each a “Party”; collectively, the “Parties”) hereby adopt this CCPA Addendum (“Addendum”) for so long as Signifyd maintains Personal Information provided by or on behalf of Subscriber. This CCPA Addendum is effective as of the later of January 1, 2020 and the date that the Agreement is fully executed. This CCPA Addendum will prevail over any conflicting terms in the Agreement.
- Capitalized Terms. The capitalized terms used in this CCPA Addendum and not otherwise defined in this Addendum shall have the definitions set forth in the CCPA. This Addendum applies to the collection, retention, use, disclosure, and sale of Personal Information provided by or on behalf of Subscriber (the “Personal Information”) to provide Services to Subscriber pursuant to the Agreement or to perform a Business Purpose.
- Roles of the Parties. With respect to processing of Personal Information, Signifyd acts as a Service Provider and Subscriber acts as a Business. For the avoidance of doubt, Signifyd is responsible for performing the Services to Subscriber as set forth in the Agreement, in particular fraud identification, prevention, dispute and monitoring, and to analyze data for the purpose of building, maintaining and improving Signifyd’s predictive models and for fraud-related services.
- Additional Representations and Warranties. In addition to any representations and warranties in the Agreement, Signifyd represents and warrants that it shall not retain, use, disclose or otherwise sell Personal Information for any purpose other than for performing the services specified in the Agreement, this Addendum, or as otherwise permitted by the CCPA. Signifyd understands the restrictions contained in Section 1798.140(w)(2)(A) and will comply with these restrictions, as supplemented by the final regulations (when published). Signifyd will not further collect, sell, or use the Personal Information except as necessary to perform the Business Purpose. For the avoidance of doubt, Signifyd shall not use the Personal Information for the purpose of providing services to another person or entity, except that Signifyd may combine Personal Information received from one or more entities to which it provides similar services to the extent necessary to detect data security incidents, or protect against fraudulent or illegal activity. Subscriber represents and warrants that it has provided notice that the Personal Information is being used or shared consistent with Cal. Civ. Code 1798.140(t)(2)(C)(i).
- Reasonable Assistance. Signifyd shall provide reasonable assistance to Subscriber in facilitating compliance with Consumer rights requests. Signifyd shall not be required to delete any of the Personal Information to comply with a Consumer’s request directed by Subscriber if it is necessary to maintain such information in accordance with Cal. Civ. Code 1798.105(d), in which case Signifyd will promptly inform Subscriber of the exceptions relied upon under 1798.105(d) and Signifyd shall not use the Personal Information retained for any other purpose than provided for by that exception.
- De-identified Information. In the event that either Party shares De-identified Information with the other Party, the receiving Party warrants that it: (i) has implemented technical safeguards that prohibit re-identification of the Consumer to whom the information may pertain; (ii) has implemented business processes that specifically prohibit re-identification of the information; (iii) has implemented business processes to prevent inadvertent release of De-identified Information; and (iv) will make no attempt to re-identify the information.
- Corporate Transaction. In the event that either Party transfers to a Third Party the Personal Information of a Consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the Third Party assumes control of all or part of such Party to the Agreement, that Personal Information shall be used or shared consistently with applicable law. If a Third Party materially alters how it uses or shares the Personal Information of a Consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the Consumer in accordance with applicable law.
- Law Enforcement Agencies. Notwithstanding any provision to the contrary of the Agreement or this Addendum, Signifyd may cooperate with law enforcement agencies concerning conduct or activity that it reasonably and in good faith believes may violate federal, state, or local law.
- Change of Law. If a change in applicable law, rule or regulation (“Law”) materially affects either Party’s ability to comply, or remain compliant, with such Law while providing or receiving Services, then the Parties will negotiate in good faith to modify the Agreement in a manner that enables such Party to comply with the Law. If the Parties are unable to agree to an amendment to the Agreement to equitably address the new or amended Laws within 60 days, then either Party shall have the right to terminate the Agreement without penalty upon written notice to the other Party.