Data Processing Policy

CONTINUOUS TECHNOLOGIES
DATA PROCESSING ADDENDUM


This Data Processing Addendum (this “Addendum”) forms part of the Master Services Agreement (“MSA”) by and betweenContinuous Technologies, Inc., (“Continuous”) and the company (“Customer”). contracting with Continuous under the Master Services Agreement (“Agreement”). This Addendum sets forth the obligations of each party with respect to any Personal Data disclosed or made accessible to Continuous by Customer pursuant to the MSA. In the event of a conflict between the terms of the MSA and the terms of this Addendum, the terms of the Addendum will control with respect to the subject matter of this Addendum. Capitalized terms not defined in this Addendum will have the meanings ascribed to them in the MSA. Continuous may update this Data Processing Addendum from time to time, including as required by Applicable Privacy Laws, by posting a current version of the Addendum at this https://continuoustech.com/data-processing-policy/.

  1. Definitions.
    1. Affiliate” means any legal entity directly or indirectly controlling, controlled by, or under common control with a party, for so long as such control lasts, where “control” means the direct or indirect ownership of more than 50% of the outstanding voting securities of an entity.
    2. Applicable Privacy Laws” means all laws and regulations applicable to Continuous’ processing of Personal Data, which may include the California Privacy Rights Act (“CPRA”), those of the European Union, the European Economic Area and each of their member states, the United Kingdom, and the United States (in each case, as applicable, amended, adopted, or superseded from time to time), taking into account the type of data, practices, industries and territories relevant to Continuous’ performance under the MSA. 
    3. Personal Data” has the meaning ascribed in the MSA.
    4. Sub-Processor” means a company that processes Personal Data on behalf of Continuous, such as a hosting services provider.
  2. Obligations.
    For purposes of this Addendum, Customer is the owner and controller of the Personal Data provided to Continuous under the MSA, and Continuous is only the processor of such Personal Data. If Continuous provides services to Customer’s Affiliates under the MSA, then, in such circumstances, the Customer Affiliate shall also be a controller of the Personal Data for the purposes of this Addendum. Customer and Continuous acknowledge and agree that Continuous’ processing of Personal Data is necessary to fulfill its obligations under the MSA.  Further, the Personal Data is not provided to Continuous in exchange for monetary or other consideration. Customer and Continuous will comply with all applicable laws, including Applicable Privacy Laws, with respect to their performance under the MSA and this Addendum. Specifically, Customer acknowledges and agrees that Customer is solely responsible for obtaining all consents required by Applicable Privacy Laws to permit Continuous’ transfer of Personal Data between Third Party Products, as the term Third Party Products is defined in the MSA. 

    Customer represents and warrants, for itself and for its Affiliates, that it has obtained all necessary consents for Continuous to process all Personal Data that it provides to Continuous under the MSA and this Addendum. 
  3. Internal Controls.
    1. Security Controls. Continuous will maintain appropriate technical and organizational measures for protection of the security of Personal Data (including protection against unauthorized or unlawful processing and against accidental or unlawful destruction, loss or alteration or damage, or unauthorized disclosure of, or access to, Personal Data), which are commercially reasonable, given the nature and type of Personal Data it is processing. 
    2. Access Controls. Continuous shall implement appropriate access controls restricting access to Personal Data to only those employees, agents, and sub-contractors which reasonably need such access in order to perform Continuous’ obligations under the MSA and this Addendum.
    3. Encryption. Continuous shall take commercially reasonable steps to ensure that Customer’s Personal Data, when in Continuous’ control, is protected against unauthorized access and use, including by appropriate encryption, tokenization, or other substantially similar safeguards.
    4. Data Requests. Continuous shall promptly inform Customer in writing of any requests, complaints, or inquiries under Applicable Privacy Laws with respect to Personal Data and will provide Customer with such assistance as is reasonably necessary to enable Customer to respond to such requests within the timeframe required by Applicable Privacy Laws. Where Continuous is not permitted to inform Customer of the existence of such request due to the nature of the request, (e.g. from regulators or similar bodies), then Continuous will object to the disclosure of Personal Data pursuant to such request by notifying the requestor that the Personal Data is owned and controlled by the Customer and not by Continuous. For the avoidance of doubt, the foregoing is intended to address a request that Continuous reasonably believes is an assertion of rights under Applicable Privacy Laws and not intended to apply to ordinary-course interactions between Continuous and a data subject (e.g., where a such data subject contacts Continuous to make an update to his/her Personal Data on file).
    5. Sub-Processors. In connection with Continuous’ performance of services under the MSA, Continuous may use Sub-Processors. Should Continuous’ performance under the MSA require it to provide a Sub-Processor with access to Personal Data, Continuous will: (I) enter into an agreement with the Sub-Processor pursuant to which the Sub-Processor is required to provide at least the same level of privacy protection as is required by this Addendum; (ii) transfer the Personal Data to the Sub-Processor only for the Permitted Purpose; (iii) take reasonable steps to ensure that the Sub-Processor effectively processes the Personal Data transferred in a manner consistent with Applicable Privacy Laws; (iv) require the Sub-Processor to notify Continuous if the Sub-Processor determines it can no longer meet its obligation to provide the same level of protection consistent with the Applicable Privacy Laws; and (v) take reasonable and appropriate steps to stop and remediate unauthorized Processing hereunder of which it becomes aware.
      Continuous’ current Sub-Processor list is available at the following URL: https://continuoustech.com/sub-processors/, or such successor link that Continuous provides from time to time.  Customer hereby authorizes Continuous  to use such Sub-Processors. Customer will be notified of any proposed use of new Sub-Processors through Continuous’ automatic email subscription process for such notifications. If Customer objects in writing to Continuous ’s proposed use of a new Sub-Processor, Continuous will use reasonable efforts to refrain from permitting such proposed Sub-Processor to process the Personal Data. If Continuous determines that it is unable to refrain from using such new Sub-Processor to perform its obligations pursuant to the MSA, Continuous will notify Customer of such determination. Upon receipt of such notice, Customer may (in its sole determination) elect to terminate all or part of the MSA without penalty or liability, upon thirty (30) days’ written notice of such termination to Customer. Continuous  shall be liable for the acts and omissions of its Sub-Processors to the same extent Continuous would be liable if performing the services of each Sub-Processor directly under the terms of this Addendum, unless otherwise set forth in the MSA.
    6. Information Security Incident. Continuous will inform Customer, without undue delay, of Continuous’ knowledge of any confirmed loss or unauthorized processing, use, disclosure, or acquisition of or access to any Personal Data in Continuous’ possession, custody, or control. Continuous  will provide such notice via email to its ordinary contact at Customer (or such other email address as Customer may designate to Continuous). Continuous will promptly take all reasonable and advisable corrective actions, and will cooperate with Customer in reasonable and lawful efforts to investigate, mitigate, and prevent recurrence of an any unauthorized processing, use, disclosure, or acquisition of or access to any Personal Data. 
    7. Retention.  Continuous  shall retain Personal Data only for as long as necessary to fulfill its obligations pursuant to the MSA or as required by applicable laws or its data retention policies. Upon Customer’s written request and following expiration or termination of the MSA, Continuous will return, or at Customer’s request, securely destroy, any Personal Data in Continuous’ possession, custody, or control, and certify in writing that such return or secure destruction has occurred.
    8. Re-identification. Continuous  will not re-identify any Customer Personal Data that has been anonymized or de-identified.
  4. Specific CPRA Requirements.
    To the extent that Continuous’ processing of Personal Data is subject to the CPRA, this Section will apply. For purposes of the CPRA, Customer is the “business,” and Continuous is the “service provider.” If Customer discloses or otherwise makes available Personal Data to Continuous for the purposes of Continuous’ performance under the MSA, then, Continuous will: (i) comply with its applicable obligations under the CPRA; (ii) provide the same level of protection as required under the CPRA; (iii) notify Customer if it can no longer meet its obligations under the CPRA; (iv) not “sell” or “share” (as such terms are defined by the CCPA and/or the CPRA) Personal Data; (v) not retain, use, or disclose Personal Data for any purpose other than to provide services to Customer under the MSA or as otherwise permitted under the CPRA; (vi) not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Continuous; and (vii) unless otherwise permitted by the CPRA, not combine Personal Data with data that Continuous (a) receives from, or on behalf of, another person or (b) collects from its own, independent consumer interaction. Customer may: (i) take reasonable and appropriate steps agreed upon by the parties to help ensure that Continuous processes Customer Personal Data in a manner consistent with the Customer’s CPRA obligations; and (ii) upon notice, take reasonable and appropriate steps agreed upon by the parties to stop and remediate unauthorized processing of Customer Personal Data by Continuous. 
  5. Europe Specific Provisions. The transfer of Personal Data from the European Economic Area (“EEA”), the United Kingdom or Switzerland to a country located outside of the EEA, will be subject to the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as annexed to Commission Implementing Decision 2021/914, which are incorporated into this Addendum by this reference. Customer will strictly comply with the transfer of Personal Data in accordance with the applicable standard contractual clauses. Module Two (Data Controller to Data Processor) will apply to a Data Transfer when Customer is a Data Controller.  Module Three (Data Processor to Data Processor) will apply to a Data Transfer when Customer is a Data Processor.
  6. Limitation of Liability.  Continuous’ liability under this Addendum is subject to the limitations of liability in the MSA. 
  7. Indemnity. In addition to any indemnification obligations stated in the MSA, Customer shall indemnify, defend, and hold harmless Continuous and its officers, directors, and employees, against any and all claims, including, but not limited, to, all costs, expenses, damages, settlements, and fines, caused by Customer’s breach of its obligations in this Addendum or Applicable Privacy Laws.