Data Protection Addendum
Sobriety Hub Data Protection Addendum
Last Updated: 6/12/2023
This Data Protection Addendum (“DPA”) forms part of the underlying agreement or agreements between Customer and Sobriety Hub for the purchase and use of the Sobriety Hub Web App (“Underlying Agreement(s)”). Sobriety Hub is a Service Provider that provides certain services ("Services") to Customer pursuant to the Agreement and Processes, on Customer’s behalf, Personal Information that is necessary to perform the Services under the Underlying Agreement(s); and
1. Definitions
Any capitalized term used but not defined herein shall have the meaning ascribed to it in the Underlying Agreement(s) or the applicable Data Protection Laws.
The definitions enumerated below (including all conjugations, forms, and tenses thereof) apply to this DPA:
a. "Data Breach " means Sobriety Hub's negligence or a breach of Sobriety Hub's security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information.
b. "Data Protection Laws" means, as applicable: as applicable: (a) the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act of 2020 ("CPRA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CDPA"), the Virginia Consumer Data Protection Act ("VCDPA"), and the Utah Consumer Privacy Act ("UCPA"); and (b) any other laws, rules, regulations, self-regulatory guidelines, implementing legislation, or third party terms relating to privacy, security, breach notification, data protection, or confidentiality and applicable to processing of Personal Information.
c. "Data Subject" means any person, household, or device that becomes subject in any manner to the services performed for Customer by Sobriety Hub.
d. "Personal Information" (i) means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject that may be (a) disclosed or otherwise made accessible to Sobriety Hub by Customer in anticipation of, in connection with, or incidental to the performance of Services for or on behalf of Customer; (b) Processed at any time by Sobriety Hub in connection with or incidental to the performance of this DPA or the Underlying Agreement(s); or (c) derived by Sobriety Hub from the information described in a) or b) above; and (ii) supplements the foregoing definition enumerated in (i) by also incorporating the definition of "Personal Information," "Personal Data," and "Non-Public Personal Information under Data Protection Laws. Personal Information includes without limitation behavioral characteristics and profiles.
e. "Processing" means performing any operation (whether automated or manual, or through some combination) relative to Personal Information, including, without limitation, accessing, collecting, organizing, retaining, using, disclosing, storing, manipulating, adapting, analyzing, aggregating, categorizing, and deriving or creating information from, Personal Information.
2. Processing Restrictions and Obligations
Sobriety Hub may Process Personal Information only as strictly necessary to deliver the Services pursuant to the Underlying Agreement(s). Without limiting the foregoing and to avoid any doubt, Sobriety Hub represents, warrants, and covenants as follows:
a. Sobriety Hub is acting solely as a Service Provider with respect to Personal Information, and Customer has the exclusive authority to determine the purposes for and means of Processing the Personal Information.
b. Sobriety Hub will Process Personal Information only (i) for a Business Purpose and (ii) on behalf of Customer, for the sole purpose of performing the Services specified in the Underlying Agreement(s), and Sobriety Hub will not collect, retain, use, disclose or otherwise Process Personal Information for any other purpose.
c. Sobriety Hub will not Sell Personal Information, or use or otherwise Process Personal Information for monetary or other valuable consideration.
d. Sobriety Hub will not retain, use, disclose or otherwise Process Personal Information outside of the direct business relationship between Sobriety Hub and Customer.
e. Sobriety Hub may not derive information from Personal Information for any purpose other than to perform Services under the Underlying Agreement(s).
f. Sobriety Hub may not engage or communicate with a Data Subject in any way, whether directly or indirectly (including, without limitation, via interest-based advertising, mobile messaging, contextual online experiences, online ad-serving, email, telephone, social media, and location-aware technologies) except under written agreement between Sobriety Hub and Customer that specifies the means and methodology of, and limitations on, the media or communication channel in question
g. Sobriety Hub will immediately inform Customer in writing of any requests with respect to Personal Information received from Customer's customers, consumers, employees or others. Sobriety Hub will cooperate with Customer as needed by Customer regarding Data Subject rights, including enabling (i) access to a Data Subject's Personal Information, (ii) delivering information about the categories of sources from which the Personal Information is collected, (iii) delivering information about the category of Service Provider that Sobriety Hub is, or (iii) providing information about the categories or specific pieces of a Data Subject's Personal Information that Sobriety Hub Processes on Customer's behalf, including by providing the requested information in a portable and, to the extent technically feasible, readily useable format that allows a Data Subject to transmit the information to another entity without hindrance.
h. Upon Customer's request, Sobriety Hub will immediately delete a particular Data Subject's Personal Information from Sobriety Hub's records and direct any relevant contractors or agents to delete such Personal Information from their records. Sobriety Hub will delete such Personal Information in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-88, Guidelines for Media Sanitization standards. If Sobriety Hub is unable to delete the Personal Information for reasons permitted under applicable Data Protection Laws, Sobriety Hub will (i) promptly inform Customer of the reason(s) for Sobriety Hub's refusal of the deletion request, (ii) ensure the privacy, confidentiality, and security of such Personal Information, and (iii) delete the Personal Information promptly after the reason for Sobriety Hub's refusal has expired.
i. Sobriety Hub may only Process Personal Information for as long as the applicable Agreement, relationship, or arrangement between Sobriety Hub and Customer authorizes it, and only to benefit Customer (and not Sobriety Hub or any of Sobriety Hub's other clients or customers).
j. Where Sobriety Hub provides to a third party access to Personal Information, or contract any of Sobriety Hub's rights or obligations concerning Personal Information to a third party, Sobriety Hub will enter into a written agreement with each such third party that imposes obligations on the third party that are at least equivalent to those imposed on Sobriety Hub under this DPA. By written agreement and through technical, organizational, and physical measures, Sobriety Hub must (i) limit such third party's access to and Processing of Personal Information to that which is solely necessary to deliver the Services under the Underlying Agreement(s) and (ii) prohibit such third party from Selling Personal Information.
k. Sobriety Hub will maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), pursuant to applicable Data Protection Laws, and keep Customer Data confidential. Sobriety Hub will ensure that such persons with access to Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
l. Sobriety Hub will make its applicable employees familiar with the relevant provisions of the Data Protection Laws and shall provide adequate training. Sobriety Hub will supervise compliance of such employees with applicable Data Protection Laws.
m. Customer has the right to audit Sobriety Hub's compliance with the Data Protection Laws, the Underlying Agreement(s) and this DPA (including the technical and organizational measures), by requesting information about and reasonably inspecting storage of the Customer Data, and implemented policies and security incident reports, subject to reasonable prior notice of at least ten (10) business days in advance and, to the extent reasonably possible, without interfering with Sobriety Hub's regular business operations. Customer and Sobriety Hub shall mutually agree upon the scope, timing and duration of the audit.
n. In accordance with the Data Protection Laws and other industry standards, Sobriety Hub has appropriate policies and procedures in place to manage a Data Breach.
o. In accordance with the Data Protection Laws, Sobriety Hub shall notify Customer without undue delay, but in no event later than 36 hours after discovery, in the event of a Data Breach relating to Customer Data, of which Sobriety Hub reasonably suspects or knows to have occurred. Sobriety Hub shall provide commercially reasonable cooperation and assistance in identifying the cause of the Data Breach and take all commercially reasonable steps to remediate the Data Breach to the extent within Sobriety Hub’s control.
p. Sobriety Hub will not store Personal Information outside of the United States without the prior written consent of Customer.
q. Sobriety Hub will maintain a list of subcontractors and update such list prior to any engagement of any subcontractor and give Customer an opportunity to object to that subcontractor. If Customer objects to the subcontractor, Sobriety Hub will work with Customer in good faith to arrange for the performance of the Services without the use of such subcontractor and Customer may terminate this Agreement without penalty. Such engagement must be pursuant to a written contract that requires the subcontractor to also meet the obligations set forth in this Section for the Sobriety Hub
r. With respect to any Data Breach due to Sobriety Hub or any subcontractor's action or inaction, Sobriety Hubs liability will be limited as set forth in the Underlying Agreement(s).
3. Compliance with Data Protection Laws
a. Any Personal Information of Customer’s customers or residents collected through the Web App is governed by Customer’s privacy policy. Customer represents and warrants that its privacy policy complies with all applicable Data Protection Laws.
b. Sobriety Hub and Customer acknowledge and agree that Customer does not Sell Personal Information to Sobriety Hub in connection with any Agreement between Sobriety Hub and Customer. Sobriety Hub acknowledges and confirms that Sobriety Hub does not Process Personal Information from Customer in exchange for monetary or other valuable consideration, and that Sobriety Hub may not have, derive, or exercise any rights or benefits regarding Personal Information, except to Process the Personal Information as necessary to deliver Services to Customer pursuant to the Underlying Agreements.
c. Upon the reasonable request of Client, make available all information in its possession necessary to demonstrate compliance with any applicable Data Protection Law.
d. Sobriety Hub will promptly notify Client if Sobriety Hub determines that Sobriety Hub can no longer meet its obligations under this Section or any applicable Data Protection Law.
e. The Parties acknowledge and agree that Customer has no knowledge or reason to believe that Sobriety Hub is unable to comply with the provisions of this DPA or any applicable provisions of the Data Protection Laws.
f. Sobriety Hub certifies that Sobriety Hub understands and will comply with the requirements and restrictions set forth in this DPA, and with all applicable provisions of the Data Protection Laws.
4. Integration
This DPA applies in addition to, not in lieu of, any other terms and conditions agreed to between Sobriety Hub and Customer, including the Underlying Agreement(s), except as specifically and expressly agreed in writing with explicit reference to these Standards. This DPA governs in the case of any direct conflict with existing terms and conditions in the Underlying Agreement. Any limitations of liability or damages in the Underlying Agreement(s) will not apply to a breach by Sobriety Hub of this DPA.