Data Protection Addendum (“DPA”)

The foregoing Data Protection Addendum (“Addendum”) shall be incorporated into the [_] (the “Agreement”) entered into on or about [] between [__________] (“Customer”) and GetEmails, LLC (d.b.a Retention.com) (“Vendor”) (each a “Party” and together the “Parties”), upon the signature of each Party.

1. Definitions. For purposes of this DPA:

  1. “Data Protection Law(s)” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, each as amended from time to time, including without limitation, to the extent applicable: the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (as amended by the California Privacy Rights Act of 2020, together the “CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act and related regulations (“CPA”), the Utah Consumer Privacy Act (“UCPA”), and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“CPDPA”), collectively, “U.S. Privacy Laws”; and any applicable privacy law that draws a distinction between a data “controller” and a data “processor.” For the avoidance of doubt, if a Party’s activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this DPA.
  2. “Cookie Data” has the meaning ascribed to it in the Agreement.
  3. “Customer Data” means “Customer Data” or “Input Data” described in the Agreement.
  4. “Consumer” has the meaning ascribed to it in Applicable Privacy Laws.
  5. “Output Data” has the meaning ascribed to it in the Agreement.
  6. “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or exfiltration of, or access to, Personal Data.
  7. “Personal Data” means (i) any information relating to an identified or identifiable individual, within the meaning of applicable Data Protection Law; (ii) any other information constituting “personal information” as such term is defined in the CCPA (regardless of whether the CCPA applies); and (iii) any other information constituting nonpublic personal information within the meaning of the GLBA (regardless of whether the GLBA applies).
  8. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  9. “Services” means the Vendor Services described in the Agreement.
  10. “Subprocessor” means any Vendor affiliate or subcontractor engaged by Vendor for the Processing of Personal Data.
  11. The terms “Business,” “Consumer,” “Controller,” “Data Subject,” “Processor,” “Share,” “Sell,” “Service Provider,” and “Third Party” are defined as in Data Protection Laws. “Controller” is deemed to also refer to “Business,” and “Processor” is deemed to also refer to “Service Provider.” “Data Subject” is deemed to include “Consumer.”
  12. Capitalized terms not otherwise defined herein will also have the meaning set forth in the Agreement.

2. Scope and Roles of Parties.

  1. This DPA applies both to the Personal Data that Vendor receives from Customer and the Personal Data that Vendor provides to Customer.
  2. In light of the various categories of Personal Data processed in order to provide the Services, Data Protection Laws ascribe different roles to each Party based on the categories and functions of such Personal Data. For purposes of this DPA and the Agreement:

    i.   When processing or handling the Customer Data (for instance, email addresses received from Customer, for use in email marketing), Vendor acts as a Service Provider. For avoidance of doubt, the Customer Data is employed for the purpose of selecting and suppressing the scope of the set of email recipients;

    ii.   When processing or handling Cookie Data, Vendor acts as a Third Party and an independent Controller, such Cookie Data being employed in order to generate cross-contextual or cross-channel behavioral advertising, as between digital and email environments.

    iii.  When processing, handling or licensing Output Data, each Party acts as an independent Controller when and to the extent that such Output Data is in its possession or control. The provisions set forth in Section 5 apply to the Output Data.

3. Customer’s Instructions to Vendor With Respect to the Customer Data.

Process the Customer Data only to provide the Services, unless obligated to do otherwise by applicable law. In such case, Vendor will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. Without limiting the foregoing, the Parties agree as follows:

  1. Vendor will not retain, use, disclose, or otherwise Process the Customer Data in a manner inconsistent with Vendor’s role in performing services for Customer, and shall only use the Customer Data to provide requested services to Customer;
  2. Vendor will not use or disclose the Customer Data outside of the direct business relationship between Customer and Vendor;
  3. Vendor will not “sell” the Personal Data, as such term is defined in the applicable Data Protection Laws (regardless of whether any of those laws applies);
  4. Vendor will not “share” the Customer Data as such term is defined in the CCPA, provided however that Customer understands that the Services it requests may constitute a “sharing” of information (such as Cookie Data) on behalf of Customer in order to facilitate cross contextual advertising;
  5. Vendor will comply with any applicable restrictions under Data Protection Law as to combining the Customer Data that Vendor receives from, or on behalf of, Customer with Customer Data that Vendor receives from, or on behalf of, another person or persons, or that Vendor collects from any other interaction between Vendor and a data subject;
  6. Vendor will provide the same level of protection for the Customer Data subject to the CCPA as is required under the CCPA;
  7. Vendor will notify Customer as soon as legally permissible if Vendor determines that Vendor can no longer meet its obligations under applicable Data Protection Laws;
  8. Customer has the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Data;
  9. Customer will not instruct Vendor to Process Customer Data in violation of applicable Data Protection Laws;
  10. The Agreement, including this DPA, along with Customer’s configuration of any settings or options in the Services (should Vendor provide such configuration options) constitute Customer’s complete and final instructions to Vendor regarding the Processing of Customer Data.

4. Vendor’s Use of Subprocessors

  1. Vendor may subcontract the collection or other Processing of Customer Data in compliance with applicable Data Protection Law to provide the Services. Prior to a Subprocessor’s Processing of Customer Data, Vendor will impose contractual obligations on the Subprocessor that comply with applicable Data Protection Laws and are substantially the same as those imposed on Vendor under this DPA. Subprocessor security obligations will be deemed substantially the same if they provide a commercially reasonable level of security.
  2. Vendor’s current Subprocessors are listed at https://www.rb2b.com/compliance/subproccesors-list (the “Subprocessor List”). When any new Subprocessor is engaged, Vendor will make an updated Subprocessor List available at least 15 days before the new Subprocessor Processes any Customer Data by posting an update there and on the same day sending an email to the email address listed for notices in the Agreement, if any (the “Update”).
  3. If Customer has a reasonable basis for objecting to appointment of a Subprocessor, it may send Vendor a written notice of such basis within 10 days of the Update, including a termination date (which may be no earlier than 15 days after the date of the Update). If Vendor cannot accommodate Customer’s objection to Customer’s reasonable satisfaction by such termination date, then the Agreement will terminate on such date.
  4. Vendor remains liable for its Subprocessors’ performance to the same extent Vendor is liable for its own performance, consistent with the limitations of liability set forth herein.

5. CCPA “Third Party” Provisions.

This Section 5 applies to the extent Vendor provides Output Data to Customer:

  1. Without limitation of other restrictions in the Agreement, Customer shall only use the Output Data in order to market to its customers and evaluate the effectiveness of its marketing campaigns. Vendor shall only use the Cookie Data in order to perform data-matching and data-synching in order to provide requested marketing services to Customer.
  2. Each Party shall ensure that it has provided legally sufficient consumer notice and choice mechanisms, including (as to California residents) providing “opt out” and “notice at collection” disclosures and mechanisms in compliance with the California Consumer Privacy Act and the California Privacy Rights Act (together the “CCPA”) and other applicable state privacy laws. Each Party will sufficiently disclose the manner in which its Personal Data is used (including as contemplated in the Agreement). Each Party will, as required by applicable Data Protection Law, provide a link on its website to a “Your Privacy Choices,” “Do Not Share or Sell,” or similar “opt out” functionality.
  3. To the extent that either Party makes available to the other a list of residents who have requested “opt out” or “deletion” of their personal information, the receiving Party shall comply with such requests, to the extent required under applicable law (such as, without limitation, the CCPA).
  4. Each Party may take reasonable and appropriate steps to ensure that the other Party uses the Personal Data provided to it solely as set forth in the Agreement and solely in compliance with the CCPA, and upon reasonable notice either Party may take reasonable and appropriate steps to remediate the other Party’s unauthorized use of the Personal Data provided to it by the other Party.
  5. Each Party shall notify the other within five (5) business days should it determine that it can no longer meet its legal obligations under the CCPA, with respect to the Personal Data provided to it by the other Party.

6. Data Security Requirements

  1. Vendor will assist Customer in Customer’s compliance with the security obligations under applicable Data Protection Laws, as relevant to Vendor’s role in Processing the Customer Data, taking into account the nature of Processing and the information available to Vendor, by implementing appropriate technical and organizational measures.
  2. Vendor will ensure that the Vendor personnel it authorizes to Process the Customer Data are subject to an appropriate written confidentiality agreement covering such data.
  3. Vendor will comply with the Personal Data Breach-related obligations applicable to it under applicable Data Protection Laws. Taking into account the nature of Processing and the information available to Vendor, Vendor will assist Customer in complying with those applicable to Customer by informing Customer of a confirmed Data Breach of Customer Information without undue delay, and in no case more than 48 hours after becoming aware of it. To the extent available, this notification will include Vendor’s then-current assessment of the following, which may be based on incomplete information:
    i.   The nature of the Personal Data Breach, including, where possible, the categories and approximate number of Consumers concerned, and the categories and approximate number of Personal Data records concerned;
    ii.  The likely consequences of the Personal Data Breach; and
    iii. Measures taken or proposed to be taken by Vendor to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.
  4. Nothing shall be construed to require Vendor to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.

7. Assistance Responding to Consumers.

Taking into account the nature of the Processing, Vendor will provide reasonable assistance to Customer for the fulfilment of Customer’s obligation to honor requests by individuals to exercise their rights under applicable Data Protection Law with respect to the Customer Data (such as rights to access their Personal Data) and will promptly notify Customer of any such requests or Personal Data-related complaints from an individual that Vendor receives, where Vendor determines such request relates to information provided by Customer. Vendor will in any event provide this notification within 3 business days when Vendor receives the request or complaint through the contact information listed in Vendor’s then-posted online privacy policy.

8. Assistance with Data Protection Assessments.

Taking into account the nature of the Processing and the information available to Vendor, Vendor will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any data protection assessment of the Processing of the Customer Data involving Vendor.

9. Audits.

Vendor will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA with respect to its Processing of the Customer Data, and allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor at its own expense.

10. Return or Destruction.

Vendor will, at Customer’s choice, return to Customer and/or destroy all Customer Data in its possession after the termination or expiration of Customer’s subscription to the relevant Services, except to the extent applicable Data Protection Law requires storage of the Customer Data, within 30 days, except as otherwise agreed by the parties.

11. U.S. Data Only.

The Agreement (and this DPA) contemplates the provision or transfer of Customer Data solely from persons or browsers/devices located in the United States. The Parties understand that should Customer Data be provided from other locations, including without limitation European Union nations or the United Kingdom, additional data processing addendums may be required.
