Data Processing Addendum

This Data Processing Addendum (“DPA”) is entered into by and between you and/or the entity you represent (“Customer”) and ParkingPass.com LLC d/b/a “ParkingPass” (“Provider”), a Florida limited liability company having its principal place of business at 4446 Inverrary Blvd, Lauderhill, FL 33319 USA, and is effective as of the date of the last signature below.

Customer and Provider are separately referred to as a “Party” and jointly as the “Parties.” This DPA is an exhibit to the Master Services Agreement entered into by the Parties (the “Agreement”). Defined terms used herein and not otherwise defined have the meanings set forth in the Agreement.

Pursuant to the Agreement, Provider shall provide the Services and Provider may have access to Customer Data and Personal Information through the provision of such Services. This DPA enables the Parties to comply with their respective obligations with respect to Customer Data and Personal Information, Personal Information being a subset of Customer Data. This Addendum is effective as of the date of Customer’s first use of the Services or, if applicable, the date of the Agreement (the “Addendum Effective Date”).

1. Definitions

“Affiliate” has the meaning as set forth in the Agreement.

“Applicable Law” means all laws, rules, and regulations, as amended, that are applicable to the Agreement and/or any of the Parties.

“Customer Data” has the meaning as set forth in the Agreement.

“Data Controller” means the Party who determines the purpose and means of the Processing of Personal Data.

“Data Processor” means the Party who Processes Personal Information on behalf of the Data Controller.

“Data Protection Laws” means all data protection and privacy laws and regulations applicable to the respective party in its role in the Processing of Personal Information under the Agreement.

“Data Residency Laws” means the Applicable Law of a country, territory, province, or jurisdiction that requires Personal Information to be Processed or stored within such country, territory, province, or jurisdiction.

“Data Subject” means the identified or identifiable natural person to whom Personal Information relates.

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

“Personal Information Categories” means the categories of Personal Information collected or Processed under the instructions of the Data Controller.

“Processing” means any operation or set of operations that are performed on Customer Data or on sets of Customer Data, whether or not by automated means. This term includes “Process,” “Processes,” and “Processed.”

“Security Incident” means the unauthorized access or disclosure, destruction, loss, or alteration to Customer Data.

“Sub-processor” means any other processors engaged by Provider to Process Customer Data.

2. Data

Provider acknowledges and agrees that it may receive, collect, and Process Customer Data on behalf of Customer relating to the subject matter and duration of the Processing as described on Schedule 1 hereto. Personal Information may be included in the Customer Data. The Personal Information Categories are disclosed on Schedule 1.

3. Data Ownership

All Customer Data provided to or collected on Customer’s behalf under the Agreement are the property of Customer. Licensing of the Customer Data is handled in the Agreement.

4. Data Controller

The Parties acknowledge that Customer is the Data Controller and Provider is the Data Processor regarding the Services.

5. Processing.

To the extent that Provider Processes Personal Information pursuant to the Agreement, Provider shall:

1. Adhere to the instructions of the Data Controller for the Processing of Customer Data, such instructions to be set forth on Schedule 1.
2. Only Process such Personal Information as necessary to fulfil its obligations under the Agreement.
3. Not retain, use, or disclose any Personal Information provided by or collected on behalf of Customer except as necessary for the purpose of performing Provider’s obligations under the Agreement, as permitted by the Agreement, or as permitted under the Applicable Law.
4. Process Personal Information in accordance with Applicable Law.
5. Inform Customer, without undue delay, if, in Provider’s reasonable opinion, an instruction violates Applicable Law. Provider and Customer shall seek to reasonably resolve the questionable instruction in good faith.

6. Confidentiality Obligation.

Provider shall require all Provider employees and contractors who have access to Customer Data to comply with the obligations of this DPA. Provider agrees to require and maintain a confidentiality agreement regarding the processing of Customer Data for each employee and contractor with access to Customer Data.

7. Sale or Sharing of Data.

Provider acknowledges and agrees that it shall not make any re-disclosure of Customer Data other than as permitted by this DPA or Agreement. Provider shall not sell or share Customer Data with a third party. Provider may share data with its Sub-processors to provide the Services, and with third parties if legally required.

8. De-Identified Data.

Provider agrees to not attempt to re-identify de-identified Customer Data, except for testing that the de-identification algorithm was successful. Provider will require the same of any Sub-processors.

9. Data Residency Requirements.

Controller shall advise Provider of any relevant Data Residency Laws.

10. Customer Data Disposition.

Upon written request from Customer, Provider shall return and/or dispose of all Customer Data, with the exception of any Customer Data that has been licensed to Provider for improvement and development of its product offering. The format for returning Customer Data will be as agreed to or if the Agreement is silent as to the format, in an industry standard format. Disposal shall include the disposal of Customer Data from all backups, metadata, and artifacts within a commercially reasonable timeframe. If Provider’s disposal method is deletion, Provider shall protect the remaining data with industry standard encryption and proper security controls. If the media is end of life, Provider shall sanitize media per NIST SP 800-88 Rev. 1, or as amended. Upon written request, Provider will provide Customer with the Customer Data Disposition status.

11. Sub-processor Obligations.

Provider shall enter into a written agreement with each Sub-processor that contains obligations no less protective of Customer Data than the obligations of this DPA. Upon written request, and subject to any confidentiality restrictions, Provider shall reasonably provide Customer with relevant Sub-processor information for Customer to comply with Applicable Law. Provider shall engage a new Sub-processor only after providing Customer with an opportunity to reasonably object.

12. Data Security.

Provider shall implement and maintain industry-standard administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of Customer Data. Provider shall adhere to the data security requirements of applicable Data Protection Laws. Provider acknowledges and agrees to have an industry standard written incident response plan. Upon request, Provider agrees to provide Company with a summary of Provider’s written incident response plan.

13. Security Incident.

Provider agrees to adhere to applicable Data Protection Laws with respect to a Security Incident, including the required responsibilities and procedures for notification, mitigation, and recovery of any such incident. If Provider becomes aware of a Security Incident, Provider shall notify Customer of the Security Incident without undue delay, and no later than seventy-two (72) hours after becoming aware, unless notification would disrupt investigation of the Security Incident by law enforcement. In such event, notification shall be made within a reasonable time after the incident. The initial Security Incident notification and follow up communications shall provide, as it becomes available, the following information:

1. A list of the types of Customer Data that were or are reasonably believed to have been the subject of the Security Incident.
2. If the information is possible to determine at the time of the notice, the (1) date and time of the Security Incident, (2) the estimated date and time of the Security Incident, or (3) the date and time range of the Security Incident.
3. Whether the notification was delayed due to a law enforcement investigation.
4. A description of the Security Incident; and
5. When available, the root cause analysis of the Security Incident and the planned remediation and recovery steps.

14. Audits.

Provider’s security compliance is assessed by independent third-party auditors. Upon Customer agreeing to an NDA, Provider shall provide access to information regarding Provider’s ISO 27001 and ISO 27701 certifications. In the event that Provider discontinues a third-party audit, Provider will adopt or maintain an equivalent industry-recognized security standard.

15. Data Subject Requests.

Provider shall promptly notify Customer if Provider receives a Data Subject request that pertains to Customer Data or otherwise identifies the Customer. Provider shall reasonably cooperate with Customer in response to the request if the requested Customer Data is not accessible by Customer.

16. Data Protection Impact Assessments.

Provider shall reasonably cooperate with Customer if Customer is required to create a Data Protection Impact Assessment as required by Data Protection Laws.

17. Third-Party Inquiries.

If law enforcement or other government authorities request disclosure of Customer Data from Provider, Provider shall promptly notify Customer prior to a compelled disclosure, unless lawfully prohibited. Provider shall reasonably cooperate with Customer in addressing the request.

18. No Third-Party Rights.

In no event shall this DPA benefit or create any right or cause of action on behalf of a third party, but without prejudice to the rights or remedies available to Data Subjects under Data Protection Laws.

19. Termination.

In the event that either party seeks to terminate this DPA, they may do so by mutual written consent if the Agreement has been terminated or is terminated in conjunction with this DPA. If the Agreement is terminated, this DPA will remain in effect until all Customer Data is disposed of.

20. Priority of Agreements.

In the event there is a conflict between the terms of this DPA and the Agreement, Terms of Service, Privacy Policies, or other writing, the terms of this DPA shall apply and take precedence.

21. Entire Agreement.

This DPA and the Agreement constitute the entire agreement of the Parties relating to the subject matter hereof and supersedes all prior communications, representations, or agreements, oral or written, by the Parties relating hereto. This DPA may be amended and the observance of any provisions of this DPA may be waived only with the signed written consent of both Parties. Neither failure nor delay on the part of any Party in exercising any right, power, or privilege hereunder shall operate as a waiver of such right, nor shall any single or partial exercise of any such right, power, or privilege preclude any exercise thereof or the exercise of any other right, power, or privilege.

22. Severability.

Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions of this DPA, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. Notwithstanding the foregoing, if such provision could be more narrowly drawn to not be prohibited or unenforceable in such jurisdiction while, at the same time, maintaining the intent of the Parties, it shall, as to such jurisdiction, be so narrowly drawn without invalidating the remaining provisions of this DPA or affecting the validity or enforceability of such provision in any other jurisdiction.

23. Governing Law.

This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.

24. Waiver.

No delay or omission by either party to exercise any right hereunder shall be construed as a waiver of any such right and both parties reserve the right to exercise any such right from time to time, as often as may be deemed expedient.


EXHIBIT A

A. Personal Information Categories: Customer’s individual users

B. Subject Matter and Duration of Processing: Provision of the Services and continuous, as set forth in the Agreement

C. Processing Instructions: The objective of the transfer of Customer Personal Information and further processing is provision of the Services.
