Data Protection Addendum
Sobriety Hub Data Protection Addendum (DPA)
Last Updated: 4.23.2025
This Data Protection Addendum (“DPA”) forms part of the Master Services Agreement between Sobriety Hub, LLC (“Sobriety Hub”) and Customer. It applies when Sobriety Hub processes Personal Information on behalf of Customer and outlines both parties’ obligations under applicable privacy laws including the CCPA, CPRA, and others.
1. Definitions
- Personal Information: Any data that identifies or can be linked to an individual.
- Processing: Any operation performed on Personal Information (e.g., storing, analyzing, sharing).
- Data Protection Laws: CCPA, CPRA, and other U.S. state laws that govern the use and protection of Personal Information.
2. Roles and Purpose
Sobriety Hub is a Service Provider and processes Personal Information solely to provide services under the Agreement. Customer determines the means and purposes of that Processing.
3. Sobriety Hub’s Commitments
- Process data only as necessary to perform services for Customer.
- Not Sell or use data for any purpose beyond service delivery.
- Implement appropriate security measures to protect Personal Information.
- Respond to Customer's data subject requests (access, deletion, correction).
- Delete Personal Information upon Customer request unless prohibited by law.
- Ensure subcontractors are bound by equivalent data protection obligations.
- Maintain logs, auditability, and data security documentation.
4. Subcontractors
Sobriety Hub will maintain a list of subprocessors and notify Customer of any changes. If Customer objects, Sobriety Hub will work in good faith to resolve or allow termination of the Agreement without penalty.
5. Security Measures
- Access controls, encryption, network safeguards, and employee training.
- Industry-standard data deletion practices per NIST SP 800-88.
- Ongoing privacy compliance reviews and monitoring.
6. Breach Notification
Sobriety Hub will notify Customer of a Data Breach within 36 hours of discovery and cooperate with mitigation and remediation efforts. Breach liability will follow the Agreement’s limitations unless otherwise required by law.
7. Retention and Deletion
Personal Information is retained only as long as necessary to fulfill the Agreement or comply with legal obligations. Upon contract termination, Sobriety Hub will delete or return all Personal Information unless retention is required.
8. International Data Transfers
Sobriety Hub does not transfer Personal Information outside the United States without prior written consent from Customer.
9. Customer Responsibilities
- Ensure it has legal rights to disclose Personal Information to Sobriety Hub.
- Inform data subjects of Sobriety Hub’s role and usage where required by law.
10. Audits
Customer may audit Sobriety Hub’s compliance with this DPA once annually with 10 business days’ notice. Both parties must mutually agree on timing and scope of any such audit.
11. Compliance Statements
- Sobriety Hub certifies compliance with applicable Data Protection Laws.
- Customer affirms its privacy policy complies with state law requirements.
12. Conflicts and Precedence
If there is a conflict between this DPA and the Master Services Agreement, the terms of this DPA shall govern with respect to data protection and privacy. Limitation of liability provisions in the MSA do not apply to violations of this DPA.
13. Contact Information
To raise privacy concerns or submit requests related to this DPA, email us at customers@sobrietyhub.com.