THIS DATA PROCESSING ADDENDUM (“ADDENDUM”) APPLIES TO THE EXTENT KUSTOMER, INC. (“KUSTOMER”) IS A “PROCESSOR” (DEFINED BELOW) OF PERSONAL DATA (DEFINED BELOW) THAT IS SUBJECT TO APPLICABLE DATA PROTECTION LAWS (DEFINED BELOW) IN CONNECTION WITH ITS PROVISION OF SERVICES TO THE ENTITY YOU REPRESENT (“CLIENT”). YOU AGREE THAT YOU HAVE READ AND ACCEPT THE TERMS IN THIS ADDENDUM, WHICH SUPPLEMENT KUSTOMER’S TERMS OF SERVICE AVAILABLE AT HTTPS://WWW.KUSTOMER.COM/TERMS/ OR, IF APPLICABLE, THE MASTER SUBSCRIPTION AGREEMENT EXECUTED BY CLIENT AND KUSTOMER FOR THE PROVISION OF SERVICES (“AGREEMENT”) TO WHICH THIS ADDENDUM IS ATTACHED OR INCORPORATED BY REFERENCE. IF YOU ARE ACCESSING THE SERVICES ON BEHALF OF YOUR EMPLOYER, YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO AGREE TO THESE TERMS ON ITS BEHALF AND THE RIGHT TO BIND YOUR EMPLOYER THERETO. FOR THE AVOIDANCE OF DOUBT, THIS ADDENDUM IS NOT VALID OR LEGALLY BINDING IF THERE IS NO AGREEMENT IN PLACE BETWEEN CLIENT AND KUSTOMER.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Anonymous Data” means (i) Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person; or (ii) “Aggregate consumer information” or “Deidentified personal information” as those terms are defined in § 1798.140 of the Cal. Civ. Code.
“Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement. With respect to Personal Data from Europe, “Applicable Data Protections Laws” shall include, but not be limited to, the EU & UK Data Protection Law. With respect to Personal Data from California residents, “Applicable Data Protection Laws” shall include, but not be limited to, the California Consumer Privacy Act of 2018 (CCPA) (Cal. Civ. Code §§ 1798.100-1798.199).
“Authorized Employee” means an employee of Kustomer who has a need to know or otherwise access Personal Data to enable Kustomer to perform their obligations under this Addendum or the Agreement.
“Authorized Individual” means an Authorized Employee or Authorized Subprocessor.
“Authorized Subprocessor” means Kustomer’s Affiliates and a third-party subcontractor, agent, reseller, or auditor who has a need to know or otherwise access Personal Data to enable Kustomer to perform its obligations under this Addendum or the Agreement.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data. With respect to Personal Data from California residents, Controller shall include the term “Business” according to the meaning given to that term in § 1798.140 of the Cal. Civ. Code.
“Data Subject” means (i) an identified or identifiable natural person to whom Personal Data relates. and who is in the EEA, UK or Switzerland or whose rights are protected by the EU & UK Data Protection Law; or (ii) a “Consumer” as the term is defined in the § 1798.140 of the Cal. Civ. Code.
“EEA” means the European Economic Area.
“EU & UK Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”) and (ii) the United Kingdom’s Data Protection Act 2018 and the UK GDPR.
“Instruction” means a direction, either in writing, in textual form (e.g. by e-mail) or by using a software or online tool, issued by Client to Kustomer and directing Kustomer to Process Personal Data.
“Personal Data” or “Personal Information” means any information made available to Kustomer in connection with the Services that constitutes “personal information”, “personally identifiable information”, “personal data” or similar information governed by Applicable Data Protection Laws and shall have the meaning assigned to such terms, as applicable, under the Applicable Data Protection Laws, including such information relating to Data Subject which Kustomer Processes on behalf of Client other than Anonymous Data.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Kustomer’s possession, custody or control.
“Privacy Shield Framework” means the EU-US and/or Swiss-US Privacy Shield self-certification program operated by the US Department of Commerce any equivalent legal framework that may apply between the United Kingdom and the United States.
“Process” or “Processing” means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller. With respect to Personal Data from California residents, Processor shall include the term “Service provider” according to the meaning given to that term in Section 1798.140 of the Cal. Civ. Code.
“Security and Privacy Documentation” means the Security and Privacy Documentation applicable to the specific Services purchased by Client, as updated from time to time, and accessible via https://www.kustomer.com/security/.
“Services” shall have the meaning set forth in the Agreement.
“Standard Contractual Clauses” means the Standard Contractual clauses for data controller to data processor transfers approved by the European Commission in decision (C(2010)593), provided that Appendices 1 and 2 of the Standard Contractual Clauses are set forth in Schedule 2 to this Addendum.
“Supervisory Authority” means an independent public authority which is established by a member state of the EEA, Switzerland, United Kingdom, or any other governmental authority or body which has jurisdiction over the compliance and enforcement of Applicable Data Protection Laws.
“Third-Party Services” means connections and/or links to third party websites and/or services that Kustomer enables Client to integrate with and access through the Services, including, without limitation, via application programming interfaces, workflows or webhooks, and for which Client has entered into an agreement(s) directly with such third party websites and/or services with respect to the Processing of Personal Data.
- Processing of Data
2.1 The parties acknowledge and agree that with regard to the Processing of Personal Data, Client is the Controller, Kustomer is the Processor and that Kustomer will engage Authorized Subprocessors pursuant to the requirements set forth in Section 4 below. Client understands that to the extent Third-Party Services are accessed, Client serves as the Controller and the Third-Party Services are Processors, and the Third-Party Services are not Authorized Subprocessors of Kustomer.
2.2 The rights and obligations of the Client with respect to this Processing are described herein. Client shall, in its use of the Services, at all times Process Personal Data, and provide Instructions for the Processing of Personal Data, in compliance with Applicable Data Protection Laws. Client shall ensure that its Instructions comply with all Applicable Data Protection Laws in relation to the Personal Data, and that the Processing of Personal Data in accordance with Client’s Instructions will not cause Kustomer to be in breach of Applicable Data Protection Laws. Client is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Kustomer by or on behalf of Client, (ii) the means by which Client acquired any such Personal Data, and (iii) the Instructions it provides to Kustomer regarding the Processing of such Personal Data. Client shall not provide or make available to Kustomer any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Kustomer from all claims and losses in connection therewith.
2.3 Kustomer shall Process Personal Data only (i) for the purposes set forth in the Agreement and applicable Order (as defined in the Agreement), (ii) in accordance with the terms and conditions set forth in this Addendum and any other Instructions provided by Client, and (iii) in compliance with Applicable Data Protection Laws. Client hereby instructs Kustomer to Process Personal Data in accordance with the foregoing purposes and as part of any Processing initiated by Client in its use of the Services and documented reasonable instructions provided by Client (e.g., via email) where such instructions are consistent with the terms of the Agreement. Client also instructs Kustomer to use its artificial intelligence (AI) and machine learning (ML) powered features to provide the Services, including to better understand the nature of communications received by the Client in order to more accurately and efficiently allow Client to respond to its customers, and which may involve deidentifying or anonymizing Personal Data to train the AI and ML features of the Services as part of the Processing.
2.4 The subject matter, nature, purpose, and duration of Kustomer’s Processing of Personal Data under the Agreement and this Addendum, including the types of Personal Data collected and categories of Data Subjects, are described in Schedule 1 to this Addendum.
2.5 Following completion of the Services, at Client’s choice, Kustomer shall return or delete the Personal Data as soon as reasonably practicable, except as required to be retained by Applicable Data Protection Laws.
- Authorized Employees
3.1 Kustomer shall take commercially reasonable steps to ensure the reliability and appropriate training of any Authorized Employee.
3.2 Kustomer shall ensure that all Authorized Employees are made aware of the confidential nature of Personal Data and have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement with Kustomer, any Personal Data except in accordance with their obligations in connection with the Services.
3.3 Kustomer shall take commercially reasonable steps to limit access to Personal Data to only Authorized Individuals.
- Authorized Subprocessors
4.1 Client acknowledges and agrees that Kustomer may (1) engage the Authorized Subprocessors listed on Kustomer’s website at https://www.kustomer.com/compliance/subprocessors/ to access and Process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Personal Data.
4.2 Kustomer shall notify Client before engaging any third party other than Authorized Subprocessors to access or participate in the Processing of Personal Data by updating the current list of Authorized Subprocessors available on Kustomer’s website at https://www.kustomer.com/compliance/subprocessors/ as well as providing a mechanism to subscribe by email to notifications of new Authorized Subprocessors, and if Client subscribes, Kustomer shall provide email notification to Client of a new Authorized Subprocessor before authorizing any new Authorized Subprocessor to Process Personal Data in connection with the provision of the Services.
4.3 Kustomer shall, by way of contract or other legal act under applicable law (including without limitation approved codes of conduct and standard contractual clauses), ensure that every Authorized Subprocessor is subject to data protection obligations regarding the Processing of Personal Data that are no less protective than those in this Addendum to the extent applicable to the nature of the services provided by such Authorized Subprocessor. Kustomer conducts appropriate due diligence on its Authorized Subprocessors.
4.4 Client may object to Kustomer’s use of a new subprocessor by emailing email@example.com within fifteen (15) days after receipt of Kustomer’s notice in accordance with the mechanism set out in Section 4.2, provided such objection is based on reasonable grounds that the new subprocessor does not or cannot comply with the requirements set forth in this Addendum (each, an “Objection”). In such event, the parties agree to discuss commercial reasonable alternative solutions in good faith to address the Objection, which may include finding a reasonable work around or the parties mutually agreeing to terminate the Agreement and affected Orders without further liability to either party.
4.5 Kustomer shall be liable to Client for the acts and omissions of Authorized Subprocessors to the same extent that Kustomer would itself be liable under this Addendum had it conducted such acts or omissions.
- Security of Personal Data
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Kustomer shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), as set forth in the Security and Privacy Documentation. Kustomer regularly monitors compliance with these measures.
- Transfers of Personal Data
6.1 Any transfer of Personal Data made subject to this Addendum from member states of the EEA, Switzerland or the United Kingdom to the United States or any other country which does not ensure an adequate level of data protection within the meaning of Applicable Data Protection Laws of the foregoing countries (collectively, “Transferred Personal Data”) shall, to the extent such Transferred Personal Data is subject to such Applicable Data Protection Laws, be undertaken by Kustomer in accordance with (a) the Standard Contractual Clauses, or (b) an alternative recognised compliance standard, including any new version of, or successor to, the Standard Contractual Clauses or Privacy Shield Framework adopted pursuant to Applicable Data Protection Laws (where Kustomer has adopted such alternative recognised compliance standard) (“Alternative Transfer Solution”).
6.2 This Addendum hereby incorporates by reference the Standard Contractual Clauses. For the avoidance of doubt, Client’s signature to this Addendum or the Agreement shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses incorporated herein, including their appendices set forth on Schedule 2 hereto. The parties agree that (i) purely for the purposes of the descriptions in the Standard Contractual Clauses, Kustomer is the “data importer” and Client is the “data exporter” (notwithstanding that Client may be located outside Europe and/or Client may be acting as a processor on behalf of third party controllers); (ii) with respect to subprocessing, Kustomer may commission Authorized Subprocessors, in accordance with Section 4 of this Addendum, and (iii) it is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this Addendum), the Standard Contractual Clauses shall prevail to the extent of such conflict. The parties may also agree to separately execute a copy of the Standard Contractual Clauses, in which case, such signed Standard Contractual Clauses shall govern.
6.3 In the event that the Services are covered by more than one recognised compliance standard as an adequate and lawful transfer mechanism with respect to Transferred Personal Data, then such Transferred Personal Data will be subject to a single transfer mechanism in accordance with the following order of precedence: (a) an Alternative Transfer Solution (where Kustomer has adopted such alternative recognised compliance standard and only to the extent such Alternative Transfer Solution complies with Applicable Data Protection Laws with respect to such Transferred Personal Data); and (c) the Standard Contractual Clauses. If requested by Kustomer, Client agrees that it shall promptly take any action (including, without limitation, electronic acknowledgement or execution of documents) reasonably required to give full effect to an Alternative Transfer Solution.
6.4 If and to the extent the Standard Contractual Clauses are no longer recognized by the European Commission, Switzerland, the UK or other applicable local privacy authorities as an adequate and lawful transfer mechanism with respect to Transferred Personal Data, then Kustomer will adopt and abide by an Alternative Transfer Solution; provided, however, that if, after commercially reasonable efforts, Kustomer is unable to comply with an Alternative Transfer Solution, Client or Kustomer may, upon thirty (30) days advance written notice to the other party terminate the Agreement and affected Orders and Client shall be entitled a refund from Kustomer or the reseller, as applicable, of the pro-rata amount of any subscription fees actually pre-paid to Kustomer covering the remainder of the Subscription Term after the effective date of termination.
- Rights of Data Subjects
7.1 Kustomer shall, to the extent permitted by law, promptly, and in no event later than ten (10) business days of Kustomer’s receipt thereof, notify Client upon receipt of a request by a Data Subject to exercise the Data Subject’s individual’s rights under Applicable Data Protection Laws, including where applicable rights of: access, rectification, restriction of Processing, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, objection to being subject to Processing that constitutes automated decision-making and/or any other individual’s rights under Applicable Data Protection Laws (such requests individually and collectively “Data Subject Request(s)”).
7.2 Kustomer shall, at the request of the Client, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Client in complying with Client’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Client is itself unable to respond without Kustomer’s assistance and (ii) Kustomer is able to do so in accordance with all Applicable Data Protection Laws. Client shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Kustomer.
- Actions and Access Requests; Security Incident Management
8.1 Kustomer shall, taking into account the nature of the Processing and the information available to Kustomer, provide Client with reasonable cooperation and assistance where necessary for Client to comply with its obligations under Applicable Data Protection Laws to conduct a data protection impact assessment and/or to demonstrate such compliance, if any such obligations exist, provided that Client does not otherwise have access to the relevant information. Client shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Kustomer.
8.2 Kustomer shall, taking into account the nature of the Processing and the information available to Kustomer, provide Client with reasonable cooperation and assistance with respect to Client’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by Applicable Data Protection Laws. Client shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Kustomer.
8.3 Kustomer shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum and prevailing data security standards applicable to the Processing of Client’s Personal Data in the form of the third-party certifications, reports and audits set forth in the Security and Privacy Documentation to the extent Kustomer makes them generally available to its business customers. Kustomer shall retain such records for a period of three (3) years after the termination of the Agreement. Client (or Client’s independent, third-party auditor) shall, with reasonable notice to Kustomer and no more than once per year, have the right to review, audit and copy such records at Kustomer’s offices during regular business hours, subject to the Confidentiality obligations set forth in the Agreement.
8.4 In the event of a Personal Data Breach, Kustomer shall, without undue delay, but no later than seventy-two (72) hours from Kustomer’s actual knowledge of such Personal Data breach, inform Client of the Personal Data Breach and the categories of Personal Data implicated.
8.5 Promptly following such Personal Data Breach, Kustomer shall take such steps as Kustomer in its sole discretion deems necessary and reasonable to identify the cause of such Personal Data Breach and remediate such violation (to the extent that remediation is within Kustomer’s reasonable control) and to the extent possible, include such information in the notification of the Personal Data Breach to Client.
8.6 In the event of a Personal Data Breach, Kustomer shall, taking into account the nature of the Processing and the information available to Kustomer, provide Client with reasonable cooperation and assistance necessary for Client to comply with its obligations under Applicable Data Protection Laws with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.
8.7 The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Client.
- Limitation of Liability
9.1 The total liability of each of Client and Kustomer (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this Addendum, whether in contract, tort, or other theory of liability, shall not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement.
- Jurisdiction Specific Terms.
10.1 To the extent Kustomer Processes Personal Data of Data Subjects residing in and protected by Applicable Data Protection Laws in one of the jurisdictions listed in Schedule 3, then the terms specified in Schedule 3 with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) apply in addition to the terms of this Addendum. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will take precedence.
Details of Processing
Nature and Purpose of Processing:
Kustomer will process personal data as necessary to provide the services as described in Agreement and Documentation and as further instructed by Client in its use of the Services.
Duration of Processing:
Term of the Services as described in Agreement.
Categories of Data Subjects:
- Client’s employees, consultants and contractors who are authorized to access the Services as described in the Agreements (who are natural persons)
- Client’s customers (who are natural persons)
Type of Personal Data:
Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- Contact details (customer first and last name, customer email address, phone number, physical address, gender, etc.)
- Technical data (IP address, browser information, device ID, etc.)
- User data (order history, support conversations history, etc.)
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is the Client set forth on the signature page to the Data Processing Addendum and the user of the Services pursuant to the Agreements.
Kustomer, Inc. is a provider of enterprise cloud computing solutions which processes personal data upon the instruction of the data exporter in accordance with the terms of the Master Subscription Agreement and Data Processing Agreement (the “Agreements”) entered into by the data exporter and data importer.
The personal data transferred concern the following categories of data subjects (please specify):
- Data exporter’s employees, consultants and contractors who are authorized to access the Services as described in the Agreements (who are natural persons)
- Data exporter’s customers (who are natural persons)
Categories of data
The personal data transferred concern the following categories of data (please specify):
Data exporter may submit personal data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion but subject to data importer’s acceptable use policy, and which may include, but is not limited to the following categories of personal data:
- Contact details (customer first and last name, customer email address, phone number, physical address, gender, etc.)
- Technical data (IP address, browser information, device ID, etc.)
- User data (order history, support conversations history, etc.)
Special categories of data (if appropriate)
Kustomer does not intentionally collect or process any special categories of data in the provision of the Services. However, special categories of data may from time to time be processed through the Services where the data exporter or its end users choose to include this type of data within the communications it transmits using the Services. As such, the data exporter is solely responsible for ensuring the legality of any special categories of data it or its end users choose to process using the Services.
The personal data transferred will be subject to the following basic processing activities (please specify):
The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreements.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) of the Standard Contractual Clauses (or document/legislation attached).
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Security and Privacy Documentation applicable to the specific Services purchased by data exporter, as updated from time to time, and accessible via https://www.kustomer.com/security/. Data importer will not materially decrease the overall security of the Services during a subscription term.
Jurisdiction Specific Terms
1. Additional Terms for Clients for which the Standard Contractual Clauses apply
1.1 Appointment of new Sub-processors and List of current Sub-processors. Pursuant to Clause 5(h) of the Standard Contractual Clauses, Client acknowledges and expressly agrees that (a) Kustomer’s Affiliates may be retained as subprocessors; and (b) Kustomer may engage third party subprocessors in connection with the Processing operations covered by the Standard Contractual Clauses. Kustomer shall make available to Client the current list of subprocessors in accordance with Section 4.1 of this Addendum. Pursuant to Clause 5(h) of the Standard Contractual Clauses, Client acknowledges and expressly agrees that Kustomer may engage new subprocessors as described in Sections 4.2 and 4.3 of the Addendum.
1.2 Copies of Sub-processor Agreements. For copies of the subprocessor agreements that must be provided by Kustomer to Client pursuant to Clause 5(j) of the Standard Contractual Clauses, Client agrees that Kustomer may redact commercial terms and other clauses unrelated to the processing activities performed by Kustomer pursuant to the Standard Contractual Clauses from all such subprocessor agreements prior to providing them to Client, and that such copies shall be provided by Kustomer only upon Client’s written request.
1.3 Audits and Certifications. The parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with Section 8.3 of the Addendum; provided that, to the extent such certifications, reports and/or audits are reasonably deemed insufficient to demonstrate Kustomer’s compliance with its obligations under the Standard Contractual Clauses, Client may request an on-site audit of the procedures relevant to the protection of Personal Data, to be performed during regular business hours by Client or Client’s independent, third-party auditor. Client shall reimburse Kustomer for any time expended for any such on-site audit at Kustomer’s then-current professional services rates, which shall be made available to Client upon request. Before the commencement of any such on-site audit, Client and Kustomer shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Client shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Kustomer. Client shall promptly notify Kustomer with information regarding any noncompliance discovered during the course of an audit.
1.4 Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by Kustomer to Client only upon Client’s written request.
2. Additional Terms for Clients for which the CCPA applies
2.1 Kustomer represents and warrants that (a) it is a “service provider,” for the purposes of the Services it provides to Client pursuant to the Agreement, according to the meaning given to that term in Section 1798.140 of the Cal. Civ. Code; (b) it is a corporation, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners; and (c) to the extent that Client discloses a Consumer’s Personal Information to Kustomer, Kustomer will Process that Personal Information only on behalf of Client and pursuant to this Addendum.
2.2 Kustomer shall not (a) “sell” (as defined in § 1798.140 of the Cal. Civ. Code) Personal Data; (b) disclose or transfer Personal Data to a “third party” (as defined in § 1798.140 of the Cal. Civ. Code) or other parties that would constitute selling; or (c) retain, use, or disclose any Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the Personal Data for a commercial purpose (as defined in CCPA) other than providing the Services and for reasons permitted under the CCPA. The foregoing restrictions will not apply to “aggregate consumer information” or “deidentified personal information” as each terms are defined in § 1798.140 of the Cal. Civ. Code.
2.3 For the avoidance of doubt, the foregoing prohibits Kustomer from retaining, using or disclosing Personal Data outside of the direct business relationship between Kustomer and Client. Kustomer and Client acknowledge and agree that (a) Client does not “sell” Personal Data to Kustomer in connection with the Agreement; (b) that Kustomer’s access to Personal Data is not part of the consideration exchanged by the parties in respect of the Agreement; and (c) that to the extent Kustomer uses Authorized Subprocessors as set forth in this Addendum, that Kustomer is not “selling” Personal Data to those Authorized Subprocessors in connection with provision of the Services. Kustomer hereby represents that it understands its obligations under the CCPA as a “Service Provider” and shall comply with them.