Service Provider Privacy Terms

Instructions to Service Providers and Our Commitments as a Service Provider

The following constitute (i) Prodege’s instructions to its Service Providers/Processors/Contractors (as defined by US Privacy Laws, and hereafter collectively “Service Provider”) where we are the controller (“Controller”) of personal information or personal data as defined by US Privacy Laws (“Personal Data”) and (ii) our commitments to our clients where we act as their Service Provider processing Personal Data for which they are the Controller (collectively, the “Service Provider Privacy Terms”).

These Service Provider Privacy Terms shall apply as required under U.S. Privacy Laws (and regulations thereunder), including without limitation the following: (i) the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), (ii) the Colorado Privacy Act, (iii) the Virginia Consumer Data Protection Act, (iv) the Utah Consumer Privacy Act, and (v) Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, and hereby supplement any current or future agreements between or among us and/or our affiliates (collectively, “Agreement”):

1. Service Provider agrees that it will not:

1. sell or share Controller’s Personal Data;
2. retain, use, disclose, or otherwise process Controller’s Personal Data outside of the direct business relationship between the parties or for any commercial or other purpose other than the limited and specified business purposes specified in the Agreement or as otherwise permitted by the CPRA;
3. combine Controller’s Personal Data with other Personal Data that it receives from another entity or collects from its own interaction with a consumer unless permitted by the Agreement and U.S. Privacy Laws; or
4. subcontract any services or obligations under the Agreement unless the subcontractor agrees to comply with Service Provider’s obligations under the Agreement and U.S. Privacy Laws with respect to the Controller’s Personal Data in performing its services or obligations.

2. Service Provider agrees that it will:

1. comply with applicable obligations under U.S. Privacy Laws and ensure the security of Controller’s Personal Data by (i) providing the same level of privacy protection required of businesses by U.S. Privacy Laws, (ii) implementing reasonable security procedures and practices appropriate to the nature of the Personal Data, and (iii) delete the Personal Data at the end of the provision of the services unless retention is required by applicable laws;
2. allow Controller to take reasonable steps (i) to ensure that Service Provider uses Controller’s Personal Data in a manner consistent with Controller’s obligations under U.S. Privacy Laws, and (ii) to stop and remediate any unauthorized processing of Controller’s Personal Data;
3. upon Controller’s request, cooperate and make available to Controller all information in its possession reasonably necessary to demonstrate its compliance with its obligations under U.S. Privacy Laws and to enable Controller to conduct and document data protection assessments;
4. provide reasonable assistance to enable Controller to fulfill consumer rights requests, including deleting and notifying subcontractors to delete Controller’s Personal Data in response to a consumer rights request;
5. promptly notify Controller of a breach of security of its systems affecting Consumer Personal Data and provide reasonable assistance and information regarding such breach; and
6. promptly notify Controller if it makes a determination that it can no longer meet its obligations under the Agreement or U.S. Privacy Laws.

It is understood that these instructions and commitments only apply in the Service Provider context and that the parties may agree to engage in data disclosures outside of such context, in which case that different relationship shall be documented, and different terms and conditions will apply.