Data Protection Rider – CCPA Provisions
Effective Date: December 19, 2024
Last Updated: December 19, 2024
This Rider is agreed, with effect from the date of last signature, between:
Flowtrace Ltd, a company incorporated and registered in England and Wales with company number 12928994 and registered address at 86-90 Paul Street, London, England, United Kingdom, EC2A 4NE (“Flowtrace”); and
The party whose details are included in the Purchase Order signature block (“Customer”),
(each a “party” and together the “parties”).
BACKGROUND:
(A) Customer procures or intends to procure certain Services from Flowtrace pursuant to the Terms (“Agreement”);
(B) In providing the Services, Flowtrace processes certain Personal Data for and on behalf of the Customer pursuant to the terms of Flowtrace’s Data Processing Agreement (“DPA”) which is incorporated into the Agreement by reference and forms a part of the Agreement;
(C) As the processing activity contemplated by the parties may be subject to the terms of the CCPA, and as the CCPA has been amended by the California Privacy Rights Act, Customer and Flowtrace have agreed certain changes to the terms of the DPA, as set out in this Rider, to ensure that appropriate protection is afforded to such processing activity as required by the CCPA, as amended.
In consideration of Customer procuring the Services and Flowtrace providing the Services, it is hereby agreed as follows:
1. Definitions
1.1 The definition of CCPA in the DPA shall be added and/or amended to read as follows:
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations, as amended by the California Privacy Rights Act;
1.2 The definition of Personal Data in the DPA shall be amended to include the following:
“Personal Data” when referred to in relation to the CCPA means (a) any data or information relating to (i) an identified or identifiable natural person; or (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations); or (b) any other personal data, personal information or other similar term as may be defined by law, where for each (a) and (b), such data or information is Customer Data (as defined in the Agreement);
2. Flowtrace’s Processing of Personal Data
2.1 Where the Processor is defined the following shall be included:
“To the extent that (i) Flowtrace acts as a “service provider” or “contractor” for purposes of the CCPA and (ii) Personal Data is “personal information” as it is defined in the CCPA, the provisions of Schedule A shall apply.”
2.2 A new Schedule A shall be added to the DPA, as set out in Annex 1 to this Rider, and the List of Schedules in the DPA shall be updated accordingly.
3. Validity, Entire Agreement
3.1 This Rider amends and supplements the terms of the DPA, and forms a part of it.
3.2 In the event of any conflict between the terms of the DPA and this Rider, the provisions of this Rider shall prevail, regardless of any changes made by operation of amendments or variations to the Agreement. Otherwise, all other provisions of the Agreement and DPA shall continue to apply, subject to any amendments or variations to the Agreement.
Appendix 1
SCHEDULE A – CCPA PROVISIONS
1.1 Flowtrace may not sell or share the Personal Data.
1.2 Flowtrace may process the Personal Data for the provision of Services and as reasonably necessary for the following business purposes:
1.2.1 Helping to ensure security and integrity of the Software and the Services, to the extent the use of the Personal Data is reasonably necessary and proportionate for these purposes;
1.2.2 Debugging to identify and repair errors that impair existing intended functionality of the Software and the Services;
1.2.3 Undertaking internal research for technological development and demonstration;
1.2.4 Undertaking activities to verify or maintain the quality or safety of the Software and the Services and to improve, upgrade, or enhance the Software and the Services.
1.3 Customer is disclosing the Personal Data to Flowtrace only for the performance of the Services and the limited and specified business purposes set forth above.
1.4 Flowtrace may not retain, use, or disclose the Personal Data for any purposes other than those specified in the Agreement (including the DPA and this Schedule A) or as otherwise permitted by the CCPA.
1.5 Flowtrace may not retain, use, or disclose Personal Data for any commercial purpose other than the business purposes specified in the Agreement, unless expressly permitted by the CCPA.
1.6 Flowtrace may not retain, use, or disclose Personal Data outside the direct business relationship between Flowtrace and the Customer, unless expressly permitted by the CCPA. Flowtrace shall be prohibited from combining or updating Personal Data with personal information that it received from another source or collected from its own interaction with the consumer, unless expressly permitted by the CCPA.
1.7 Flowtrace shall comply with all applicable sections of the CCPA, including providing the same level of privacy protection to Personal Data as required of businesses by the CCPA. For example, Flowtrace shall cooperate with Customer in responding to and complying with consumers’ requests made pursuant to the CCPA, and implement reasonable security procedures and practices appropriate to the nature of the Personal Data to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Civil Code section 1798.81.5.
1.8 Customer shall have the right to take reasonable and appropriate steps to ensure that Flowtrace uses the Personal Data in a manner consistent with the Customer’s obligations under the CCPA. Reasonable and appropriate steps may include reviewing material and information provided by Flowtrace.
1.9 In the event that Flowtrace determines that it can no longer meet its obligations under the CCPA, Flowtrace shall notify Customer.
1.10 Customer shall have the right, upon written notice to Flowtrace, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data by Flowtrace. Customer may require Flowtrace to provide documentation verifying that Flowtrace no longer retains or uses the Personal Data.
1.11 Flowtrace shall allow Customer to comply with consumer requests made pursuant to the CCPA.
1.12 Flowtrace may subcontract with any other person for the provision of services under this Agreement provided that Flowtrace notifies Customer of the engagement and enters into a contract with such subcontractor(s) that complies with the CCPA including the requirements set forth in this Schedule A.