BizzyCar DPA

SCHEDULE 4
DATA PROCESSING ADDENDUM

WHEREAS, this DPA is entered into to provide for adequate safeguards with respect to the protection and privacy of Personal Data (as defined below) passed from Dealer acting as a Controller (as defined below) to BizzyCar acting as a Processor (as defined below) for processing in connection with the provision of Services (as defined below) that are the subject of the Agreement (as defined below) in place between Dealer and BizzyCar and is binding upon the Parties.

NOW THEREFORE, in consideration of the mutual covenants contained herein and for other good and valuable consideration set forth in the Agreement, the respective receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1. General

   1. This DPA amends and supplements the Dealer Services Agreement between the Parties and any relevant schedule or addendum thereto (“Agreement”) and is hereby incorporated by reference into such Agreement.
   2. Any capitalized term used in this DPA and not otherwise defined in this DPA has the same meaning such term is given in the Agreement. If the capitalized term is not defined in the Agreement, it has the same meaning such term is given in applicable Data Protection Laws.
   3. This DPA will be construed in conjunction with the terms of the Agreement, and any orders, statements or work, or other agreements between the Parties. In the event of any inconsistency or conflict between this DPA and any of these such documents, this DPA will govern.
   4. The obligations detailed in this DPA will continue for the time period that BizzyCar Processes Dealer Personal Data, and will survive the termination of the Agreement to the extent BizzyCar continues to Process Dealer Personal Data following termination of the Agreement.

2. Subject Matter of this DPA

   1. This DPA applies exclusively to the processing of Personal Data by BizzyCar on behalf of Dealer in connection with the provision of Services by BizzyCar to Dealer as identified and reflected in the Agreement.

3. Definitions

   1. “CCPA” means the California Consumer Privacy Act, including as amended by the California Privacy Rights Act, codified at Cal. Civ. Code § 1798.100, et seq., and its implementing regulations, now in effect and as may be amended from time to time.
   2. “Controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.
   3. “Data Protection Laws” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) which relates to the protection of individuals with regards to the processing of Personal Data to which Dealer is subject, including but not limited to: (i) US state privacy and data security laws including state data breach notification statutes and any state consumer privacy statutes that apply to Dealer’s processing of personal data, including the CCPA, CPA, VCDPA, UCPA, and similar laws and their implementing regulations, now, and from time to time, in effect; (ii) the Telephone Consumer Protection Act of 1991, 47 USC § 227 (the “TCPA”) (iii) Canada’s Personal Information Processing and Electronic Documents Act (“PIPEDA”).
   4. “Personal Data” means any information BizzyCar processes on behalf of Dealer in connection with the Services it provides to Dealer under the Agreement that identifies, relates to, describes, is reasonable capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person or household, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. The term “Personal Data” shall include “Personal Information” where such term is used under applicable Data Protection Law.
   5. “PIPEDA” means the Personal Information Protection and Electronic Documents Act of Canada, as originally commenced and in force as of 13 April 2000.
   6. “Processing” means any operation or set of operations that are performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as access, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
   7. “Processor,” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of a Controller. For the purposes of this DPA, the term “Processor” shall include the term “service provider” where that term is used under applicable Data Protection Law.
   8. “Services” means the services and other activities to be supplied to or carried out by or on behalf of BizzyCar for Dealer pursuant to the Agreement and as further defined in the Agreement, including the BizzyCar Services.
   9. “Standard Contractual Clauses,” or “SCCs” means Module Two (controller to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.
   10. “Sub-processor” means any processor engaged by BizzyCar to receive from Dealer (directly and indirectly) Personal Data intended for Processing activities to be carried out on behalf of BizzyCar.
   11. “UCPA” means the Utah Consumer Privacy Act, Utah Code § 13-61-101 et seq., and its implementing regulations, now in effect and as may be amended from time to time.
   12. “UK” means the United Kingdom
   13. The terms “Consent”, “Pseudonymization”, “Personal Data Breach,” and “Transfer” have the meanings ascribed to them in Article 4 of the GDPR.
   14. The terms “Consumer,” Sale,” Share,” and “Business Purpose,” as used in their past, present, singular, and plural form, have the meanings ascribed to them in the CCPA.

4. Dealer Obligations

   1. Dealer will determine the scope, purposes, and manner by which Personal Data may be accessed or processed by BizzyCar.
   2. Dealer will, to the best of its ability, ensure that all instructions provided to BizzyCar with respect to the processing of Personal Data will apply with applicable Data Protection Law.
   3. Dealer is solely responsible for providing requisite notice to Consumers regarding the processing of Personal Data, including notice of BizzyCar’s involvement in the processing of their Personal Data, in accordance with Data Protection Law.
   4. Dealer is solely responsible for obtaining consent from Consumers, as applicable under Data Protection Law, for BizzyCar to process Consumer Personal Data on behalf of Dealer. This includes any consent required to send electronic messages, text messages, or other SMS or MMS messages contemplated by the Services to Consumers by BizzyCar on behalf of Dealer.
   5. Dealer will be responsible for instructing BizzyCar regarding any request Dealer receives or that BizzyCar receives and passes onto Dealer, to exercise any rights the Consumer may have under Data Protection Law. Dealer acknowledges that BizzyCar will not process a Consumer rights request without receiving instruction from Dealer regarding the request.
   6. Dealer agrees that nothing in this DPA will be construed to relieve Dealer from the liabilities imposed on it by virtue of its role as a Controller under Data Protection Laws with respect to the Services.

5. BizzyCar Obligations

   1. BizzyCar will comply with all applicable Data Protection Laws in the processing of Personal Data on behalf of Dealer. BizzyCar will process the Personal Data only for the purpose of fulfilling its obligations to Dealer under the Agreement and in accordance with Dealer’s written instructions, which are documented in this DPA, the Agreement, and any other writing provided by Dealer, unless BizzyCar is obligated by Data Protection Laws to process data beyond Dealer’s instructions, and BizzyCar informs Dealer of such obligation, where such notification is permitted.
   2. BizzyCar will immediately inform Dealer if, in its opinion, an instruction from Dealer violates applicable Data Protection Laws.
   3. BizzyCar will ensure that all persons authorized to process Personal Data who are employees, contractors, vendors, or Subprocessors of BizzyCar have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with respect to Personal Data.
   4. BizzyCar will keep and will provide, upon request of the other Party, accurate and up-to-date records relating to the processing of Personal Data.

6. Appropriate Technical, Administrative, Organizational, and Physical Measures

   1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, BizzyCar shall implement reasonably appropriate technical and organizational measures to ensure a level of security of processing of Personal Data appropriate to the risk. Where appropriate, these measures include: (i) ensuring Personal Data can be accessed only by authorized personnel for the purposes of providing the Services; (ii) in assessing the appropriate level of security, accounting for the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed; (iii) Pseudonymization and encryption of Personal Data; (iv) ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and Services; (v) restoring the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (vi) implementing a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of Personal Data; and (vii) identifying vulnerabilities with regard to the processing of Personal Data in systems used to provide Services to Dealer.
   2. BizzyCar will allow and cooperate with reasonable assessments by Dealer or Dealer’s designated assessor. Any such assessment conducted by Dealer will be done within normal business hours, with no less than thirty (30) days’ notice to BizzyCar, and done during an agreed-upon time period. Dealer agrees that in lieu of an assessment by Dealer or Dealer’s designated assessor, BizzyCar may arrange for a qualified and independent expert to conduct an assessment of BizzyCar’s policies and technical and organizational measures in support of the obligations under this DPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments (i.e., SOC, NIST, etc.). BizzyCar will provide such assessment to Dealer upon Dealer’s request to fulfill the obligations set forth in this subparagraph.

7. Personal Data Breach Management

   1. BizzyCar shall notify Dealer without undue delay of becoming aware of a Personal Data Breach involving Personal Data BizzyCar processes on behalf of Dealer. In this notification, BizzyCar shall provide Dealer with information relevant to reasonably assist Dealer with its own notification obligations as applicable to Dealer under applicable Data Protection Laws which may include but are not limited to the following: (i) a description of the nature of the Personal Data Breach, including a summary of the event(s) that caused the Personal Data Breach; (ii) the categories and approximate numbers of data subjects, jurisdiction(s) where data subjects are located and Personal Data records impacted; (iii) point of contact at BizzyCar where more information can be obtained; (iv) the likely consequences of the Personal Data Breach; and (v) a description of the measures taken or proposed to be taken by BizzyCar to address the Personal Data Breach. To the extent the above information is not available to BizzyCar upon initial notification, or to the extent any of the information provided by BizzyCar to Dealer changes following the initial notification, BizzyCar will update and supplement its notification, and will continue to so supplement, to ensure that Dealer has accurate and complete information as contemplated under this paragraph.
   2. BizzyCar shall reasonably cooperate with Dealer in any investigation of the Personal Data Breach. If Dealer requires cooperation beyond what is contemplated under paragraph 7.a., such cooperation by BizzyCar may be at Dealer’s own expense.
   3. In the event Dealer is notified of a Personal Data Breach under paragraph 7.a., Dealer shall document any Personal Data Breaches, including the facts relating to the Personal Data Breach, its effects, and the remedial action taken.

8. Subprocessors

   1. Dealer authorizes BizzyCar to utilize Subprocessors to process Personal Data of Dealer.
   2. Prior to giving any Subprocessor access to Personal Data, BizzyCar shall ensure that such Subprocessor has entered into a written agreement with BizzyCar requiring that the Subprocessor abide by terms no less protective than those provided in this DPA, including terms sufficient to meet the requirements of applicable Data Protection Laws. BizzyCar shall also ensure that the Subprocessor is bound by the same confidentiality obligations set forth in this DPA and the Agreement.
   3. If BizzyCar wishes to utilize a Subprocessor not listed in the link provided above, BizzyCar will provide at least fifteen (15) days advance written notice to Dealer of the proposed use of such Subprocessor, in order to allow Dealer time to object to the use of such Subprocessor. If Dealer has a reasonable basis to object to the use of any Subprocessor, Dealer shall notify BizzyCar. In the event Dealer objects to a Subprocessor, BizzyCar will endeavor to make available a change in the Services or use of the affected Services to avoid Processing of Personal Data by the objected to Subprocessor. Any such change will be subject to prior agreement by Dealer, such agreement not to be unreasonably denied or delayed. If BizzyCar is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, either Party may terminate those Services which cannot be provided by BizzyCar without the use of the objected to Subprocessor, by providing written notice. Such termination shall be without penalty to either Party, and where Dealer has prepaid for such Services, Dealer shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated Services.
   4. Any subprocessors utilized by BizzyCar shall comply with Data Protection Laws, as such laws are applicable to BizzyCar.
   5. BizzyCar shall remain fully liable to Dealer for any Subprocessor’s Processing of Personal Data under the Agreement or this DPA, including any and all acts or omissions of any Subprocessor appointed by BizzyCar pursuant to this DPA. No processing by a subprocessor appointed by BizzyCar will release BizzyCar from its responsibility for its obligations under this DPA.

9. CCPA Certification

   1. In accordance with Section 1798.140(j) and 1798.140(ag) of the CCPA, BizzyCar specifically acknowledges that it understands, and further represents and warrants that it has and shall:
      1. not Sell or Share the Personal Data received from Dealer
      2. not retain, use, or disclose Personal Data Collected pursuant to BizzyCar’s provision of Services to Dealer and this DPA for any other purpose other than for the specific purpose of performing the Services specified in the Agreement or any applicable instructions from Dealer
      3. not retain, use, or disclose Personal Data Collected pursuant to BizzyCar’s provision of Services to Dealer and this DPA outside of the direct business relationship between BizzyCar and Dealer
      4. not further Collect, Sell, Share or use Personal Data Collected pursuant to BizzyCar’s provision of Services to Dealer and this DPA without Dealer’s prior express written consent, and only as necessary to perform the stated Business Purpose
      5. not combine the Personal Data that BizzyCar receives from, or on behalf of, Dealer with Personal Data that it receives from, or on behalf of, another person or persons, or collects from BizzyCar’s own interaction with the Data Subject, except as otherwise permitted by the CCPA
   2. BizzyCar acknowledges and agrees that Dealer may take reasonable and appropriate steps to ensure that BizzyCar uses the Personal Data collected pursuant to BizzyCar’s provision of Services to Dealer and this DPA in a manner consistent with the CCPA.

10. Return or Destruction of Personal Data

    1. Upon (i) termination of the Agreement, (ii) Dealer’s written request, or (iii) the fulfillment of all purposes agreed to in the context of the Services provided by BizzyCar to Dealer pursuant to the Agreement whereby no further processing is required, and provided there is no legal hold or any applicable governmental retention requirement in place to the contrary under applicable Data Protection Laws, BizzyCar shall, at the discretion of Dealer, either delete, destroy, or return all Personal Data of Dealer.

11. Assistance

    1. BizzyCar shall, taking into account the nature of the processing, assist Dealer by reasonably appropriate technical, administrative, organizational, and physical measures, insofar as this is possible, for the fulfillment of Dealer’s obligation to respond to requests for exercising data subjects’ rights under Data Protection Laws (i.e., rights to access, delete, opt-out of processing, revoke consent, etc.).
    2. At Dealer’s expense, BizzyCar shall assist Dealer in ensuring compliance with obligations pursuant to Section 6 of this DPA taking into account the nature of processing and the information available to BizzyCar.
    3. BizzyCar shall make available to Dealer on request all information necessary to demonstrate compliance with this DPA and Data Protection Law, consistent with BizzyCar’s obligations under section 6.

12. Term and Termination

    1. This DPA takes effect on the DPA Effective Date and continue in full force and effect until earlier terminated by: (i) the cessation of BizzyCar processing Dealer’s Personal Data and the return or destruction by BizzyCar of all such Personal Data in accordance with Section 9 of this DPA; (ii) compliance by either Party that would put that Party in breach of its legal obligations; (iii) a change in Data Protection Law that makes performance of this DPA a legal impossibility; or (iv) either Party making an assignment for the benefit of creditors, becoming subject to a bankruptcy proceeding, becoming subject to the appointment of a receiver, or admitting in writing its inability to pay its debts as they become due.