Terms and Conditions of US Data Processing Addendum (iubenda Processor)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html id="iubenda_policy" class="iubenda_fixed_policy iubenda_vip_policy iubenda_terms_policy" lang="en"> <head> <title>Terms and Conditions of US Data Processing Addendum (iubenda Processor)</title> <meta http-equiv="Content-Language" content="en" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta http-equiv="date" content="2023-07-11"> <meta http-equiv="last-modified" content="2023-08-03"> <meta itemprop="name" content="Terms and Conditions of US Data Processing Addendum (iubenda Processor)"> <meta itemprop="description" content="Users of the Services offered by this Application acknowledge and accept these terms and conditions." /> <meta itemprop="image" content="https://www.iubenda.com/seo/assets/default.png" /> <meta name="locale" content="en" /> <meta name="title" content="Users of the Services offered by this Application acknowledge and accept these terms and conditions." /> <meta name="description" content="Users of the Services offered by this Application acknowledge and accept these terms and conditions." /> <meta name="image" content="https://www.iubenda.com/seo/assets/default.png" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:title" content="Terms and Conditions of US Data Processing Addendum (iubenda Processor)" /> <meta name="twitter:description" content="Users of the Services offered by this Application acknowledge and accept these terms and conditions." /> <meta name="twitter:site" content="@iubenda" /> <meta name="twitter:image:src" content="https://www.iubenda.com/seo/assets/default.png" /> <meta property="og:title" content="Terms and Conditions of US Data Processing Addendum (iubenda Processor)"> <meta property="og:description" content="Users of the Services offered by this Application acknowledge and accept these terms and conditions." 
/> <meta property="og:image" content="https://www.iubenda.com/seo/assets/default.png" /> <meta property="og:url" content="https://www.iubenda.com/terms-and-conditions/14591862" /> <meta property="og:site_name" content="iubenda" /> <meta property="og:locale" content="en" /> <meta property="og:type" content="website" /> <meta property="fb:app_id" content="190131204371223" /> <link rel="canonical" href="https://www.iubenda.com/terms-and-conditions/14591862" /> <meta name="viewport" content="width=device-width"> <meta name="robots" content="noindex, follow"> <link rel="stylesheet" href="/assets/privacy_policy-637a0c5875120390258ba7ad6b6b99e7f9e79c6fab53bcf26d529ff0da1054f4.css" /> <script src="/assets/privacy_policy-20c4c145e840109997b9c4d4ae844084522846014870a1efad2ddd0277441762.js" nonce="27b042933803f659bf63cccb4d742dc286d49162b2e9e20c68d71bb8627a87fb"></script> </head> <body> <div id="wbars_all"> <div class="iub_container iub_base_container"> <div id="wbars"> <div class="iub_content legal_pp"> <h1>US Data Processing Addendum</h1> <p>by and between</p> <p>you, as a user of iubenda’s Services,</p> <ul> <li><strong><em>the Controller –</em></strong></li> </ul> <p>and</p> <p><strong>iubenda s.r.l.</strong><br> Via San Raffaele, 1<br> 20121 Milan<br> Italy<br> in the person of its legal representative, Andrea Giannangelo,</p> <ul> <li><strong><em>the Processor -</em></strong></li> </ul> <p>(each a “<strong>Party</strong>” and, collectively, the “<strong>Parties</strong>”),</p> <h3>WHEREAS,</h3> <ul> <li>the Controller, or one of its subsidiaries or affiliates, has entered into one or more agreements (the “<strong>Agreement</strong>”) with the Processor, under which the Processor has agreed to provide the Service to the Controller;</li> <li>the Controller and the Processor agree to enter into this US Data Processing Addendum (the “<strong>Addendum</strong>”), the terms of which are outlined below, to regulate the processing of Personal Data that the Processor performs on 
behalf of the Controller;</li> <li>the Addendum forms an integral and substantial part of the Agreement and is effective on the date of execution thereof and until, save for what is provided for in Art. 4 below, its expiration.</li> </ul> <h3>THEREFORE,</h3> <p>the Parties hereby agree as follows:</p> <p><strong>1. Definitions.</strong> For the purposes of this Addendum, capitalized terms shall only have the meaning set forth below. Capitalized terms used but not otherwise defined in this Addendum shall have the meaning set forth in the Agreement.</p> <p><strong>1.1</strong> “<strong>Consumer</strong>” shall have the meaning set forth under the US Privacy Laws, as applicable.</p> <p><strong>1.2</strong> “<strong>Controller</strong>” shall have the meaning defined under the US Privacy Laws and also include, whenever applicable, the term “business”, as defined in the CCPA.</p> <p><strong>1.3</strong> “<strong>Personal Data</strong>” shall have the meaning set forth under the US Privacy Laws and also include, whenever applicable, the term “personal information”, as defined in the CCPA. 
For the purpose of this Addendum, reference is exclusively made to the categories of Personal Data, as accurately described in the Agreement, contained within the data or set of data that the Processor processes on behalf of the Controller, in connection with the provision of the Services subject matter of the Agreement.</p> <p><strong>1.4</strong> “<strong>Processor</strong>” shall have the meaning given under the US Privacy Laws and also include, whenever applicable, the term “service provider”, as defined in the CCPA.</p> <p><strong>1.5</strong> “<strong>Sell</strong>” or “<strong>Selling</strong>” shall have the meaning set forth in the US Privacy Laws, as applicable.</p> <p><strong>1.6</strong> “<strong>Share</strong>” or “<strong>Sharing</strong>” shall have the meaning defined under the CCPA.</p> <p><strong>1.7</strong> The expression “<strong>US Privacy Laws</strong>” refers to applicable US state privacy laws, including, but not limited to, the: California Consumer Privacy Act, as amended by the California Privacy Rights Act and relevant regulations issued by the California Privacy Protection Agency (the “<strong>CCPA</strong>”), Virginia Consumer Data Protection Act (the “<strong>VCDPA</strong>”), Colorado Privacy Act and relevant rules issued by the Colorado Attorney General (the “<strong>CPA</strong>”), Connecticut Data Privacy Act (the “<strong>CTDPA</strong>”) and Utah Consumer Privacy Act (the “<strong>UCPA</strong>”), as applicable.</p> <p>Any other terms, including, among others, “business”, “business purpose”, “commercial purpose”, “process” or “processing”, used but not otherwise defined in the Addendum or Agreement, shall have the meaning set forth under the US Privacy Laws, as applicable.</p> <p><strong>2. 
Obligations.</strong></p> <p><strong>2.1</strong> The Processor acknowledges that the Controller is disclosing Personal Data only in relation to the limited and specified business purposes identified within the Agreement.</p> <p><strong>2.2</strong> The Processor shall not retain, use, disclose, or otherwise process Personal Data for any purpose other than for the business purposes specified in the Agreement, including retaining, using, or disclosing Personal Data for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by the US Privacy Laws, as applicable.</p> <p>The Processor shall return or delete all Personal Data once the provision of the Services has been completed, or sooner if so directed by the Controller unless the retention of Personal Data is required by law.</p> <p>Unless otherwise directed by the Controller, the Processor will retain Personal Data for a period of six months after the termination of the Agreement and the completed provision of the Services solely for the purpose of allowing the Controller to export it. 
After the expiration of the six-month retention period, the Processor shall delete all Personal Data.</p> <p>Notwithstanding the foregoing, the Processor shall be entitled to retain, even after the provision of the Services has been completed and the termination of the Agreement, all information necessary to demonstrate orderly and compliant processing, in accordance with statutory retention periods.</p> <p><strong>2.3</strong> The Processor undertakes to comply with all requirements set forth in the US Privacy Laws, as applicable, and to provide the same level of privacy protection that they impose on the Controller, in relation to the processing of Consumers’ Personal Data.</p> <p><strong>2.4</strong> The Processor shall not Sell nor Share any Consumers’ Personal Data.</p> <p><strong>2.5</strong> The Processor shall not retain, use, or disclose Personal Data outside of the direct relationship with the Controller.</p> <p><strong>2.6</strong> The Processor shall not combine the Personal Data it receives from the Controller with personal data it receives from or on behalf of another person(s) or entity(ies) or that it collects from its own interaction with the Consumer, provided that the Processor may combine Personal Data to perform any business purpose identified by the US Privacy Laws, as applicable.</p> <p><strong>2.7</strong> The Processor represents and guarantees that each person processing Personal Data within its organization is subject to a strict duty of confidentiality.</p> <p><strong>2.8</strong> The Processor undertakes to strictly follow and adhere to the instructions of the Controller, including, among others, those regarding the return or destruction of Personal Data, and to assist the Controller in meeting its obligations under the US Privacy Laws, specific reference being made, inter alia, to those concerning the security of the processing and the notification of a breach of security.</p> <p><strong>2.9</strong> The Processor shall assist the 
Controller in responding to Consumers’ requests for the exercise of the rights granted under the US Privacy Laws, including by, among others, providing access to, correcting, or deleting Personal Data in its availability or honoring opt-out requests. The Processor shall also notify its own sub-processors, service providers, and/or contractors and ensure that such requests are complied with.</p> <p><strong>2.10</strong> If the Processor receives a Consumer request to delete Personal Data that the Processor processes on behalf of the Controller, the Processor shall inform the Consumer that it should submit the request directly to the Controller and, when feasible, provide the Consumer with relevant contact information.</p> <p><strong>2.11</strong> The Processor shall enter into written agreements with each of its own sub-processors, service providers, and/or contractors that process Personal Data on its behalf. Such agreements shall set forth terms that are at least as restrictive as those imposed on the Processor under this Addendum and guarantee the same level of privacy protection, including the prohibition to Sell and Share Consumers’ Personal Data.</p> <p><strong>2.12</strong> The Processor undertakes to notify the Controller whenever it becomes aware that it can no longer meet its obligations under the US Privacy Laws, as applicable.</p> <p><strong>2.13</strong> The Controller shall have the right to take reasonable and appropriate steps to ensure that the Processor processes Personal Data in a manner consistent with the Controller's obligations under the US Privacy Laws, as applicable, and to stop and remediate the Processor's unauthorized and/or unlawful processing of Personal Data.</p> <p><strong>2.14</strong> Upon reasonable request of the Controller, the Processor shall make available all information in its possession, which may be necessary to demonstrate its compliance with the requirements of the US Privacy Laws, as applicable.</p> 
<p><strong>2.15</strong> The Processor shall allow, and cooperate with, reasonable assessments by the Controller or the Controller's designated assessor. This includes, by way of example, providing the Controller with all necessary information to conduct and document data protection assessments; alternatively, the Processor may resort to a qualified and independent assessor to conduct regular assessments of its policies and technical and organizational measures. The independent assessor shall rely on appropriate and accepted control standards, frameworks, and procedures for such assessments. Upon request of the Controller, the Processor shall provide a report of such assessments.</p> <p><strong>2.16</strong> The Parties undertake to implement and adopt all necessary technical and organizational measures to ensure a level of security of Personal Data that is appropriate taking into account the context of the processing and in relation to the risks associated with the processing of the Personal Data in their availability.</p> <p><strong>3. No Consideration.</strong></p> <p>Notwithstanding any contrary provision contained in the Agreement, the Processor’s access to Personal Data is not part of the consideration exchanged by the Parties under the Agreement.</p> <p><strong>4. Duration of this Addendum.</strong></p> <p>Notwithstanding the expiration of the Agreement, this Addendum will remain in effect until, and automatically expire upon, the Processor’s deletion or return of all Personal Data to the Controller.</p> <p><strong>5. Conflicts.</strong></p> <p>In the event of any conflict or inconsistency between this Addendum and the terms of the Agreement, this Addendum shall prevail, notwithstanding any statement to the contrary in the Agreement.</p> <p><strong>6. 
Exercise of Controller’s rights.</strong></p> <p>The rights granted to the Controller under this Addendum, including but not limited to the right to rectification, restriction, and erasure or return of data, can be exercised through the ticketing system or by contacting the Processor at the email address info@iubenda.com.</p> <div class="iub_footer"> <p> Latest update: August 03, 2023 </p> <p> <a target="_top" href="https://www.iubenda.com/en/terms-and-conditions-generator" title="iubenda - Terms and Conditions generator">iubenda</a> hosts this content and only collects <a target="_top" href="//www.iubenda.com/privacy-policy/65675001">the Personal Data strictly necessary</a> for it to be provided. </p> </div> <!-- /footer --> </div> <!-- /content --> </div> <!-- /wbars --> </div> <!-- /container base_container --> </div> <!-- /wbars_wrapper --> <script nonce="27b042933803f659bf63cccb4d742dc286d49162b2e9e20c68d71bb8627a87fb"> //<![CDATA[ var privacyPolicy = new PrivacyPolicy({ id:246685, noBrand:true }) $(document).ready(function() { privacyPolicy.start(); $(".expand-content").hide(); $(".expand").addClass("collapsed"); $(".expand .expand-click").click(function () { $(this).parents(".expand").toggleClass("collapsed"); $(this).parents(".expand").toggleClass("expanded"); $(this).parents(".expand-item").toggleClass("hover"); $(this).children('.icon-17').toggleClass("icon-expand"); $(this).children('.icon-17').toggleClass("icon-collapse"); $(this).parents('.expand').children('.expand-content').slideToggle("fast"); }); }); //]]> </script> </body> </html>