Data Protection Agreement US
This Data Protection Agreement ("DPA") forms part of the agreement between Customer and FiscalNote covering Customer’s use of the Services ("Agreement").
This DPA is applicable where FiscalNote and/or its subsidiaries are providing services which involve the processing of U.S. Residents Data only.
WHEREAS this DPA stipulates the agreed obligations of the parties with respect to all information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household, provided by, or Processed at the request of either party ("Personal Data"), and shall apply to the purposes for which the parties shall Process Personal Data in connection with the services covered by the Agreement.
NOW THEREFORE, the parties hereby agree to the following terms regarding the data privacy, data protection, and data security obligations applicable to the Processing of Personal Data. Defined terms not otherwise defined herein shall have the same meaning provided to them in the Agreement.
1. Processing Operations and Purpose
1.1 The parties agree that each party may, with respect to Personal Data disclosed to the other party or which is Processed by the other in connection with the services covered by the Agreement, act as a "business" or "controller" (collectively, "Controller") as defined by applicable data privacy laws, rules, and regulations in the United States, including but not limited to the California Consumer Privacy Act as amended by the California Privacy Rights Act, the Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act (collectively, "Privacy Laws"). The parties also agree that each party may, with respect to Personal Data received from or Processed on behalf of the other, act as a "processor" or "service provider" (collectively, "Processor") as defined by Privacy Laws. When each party acts as a Processor or Controller, they shall have all related rights and obligations with respect to such Personal Data. Unless otherwise required by Privacy Laws or other applicable law, each party may only Process Personal Data provided by, or Processed at the request of the Controller of that Personal Data, only as necessary to carry out the purposes of the Agreement and/or to meet their own obligations under Privacy Laws.
1.2 Each party represents that it will at all times comply with applicable Privacy Laws, and otherwise ensures that the requirements of applicable Privacy Laws are met in performing its obligations under the Agreement and this DPA, regarding its collection, recording, storage, use, disclosure, analysis, modification, transmission, or other processing (collectively, "Process," "Processing") of Personal Data as required by applicable Privacy Laws.
1.3 Each party shall promptly notify the other if it receives a request from an individual regarding the individual’s Personal Data as provided for under the Privacy Laws (a “Privacy Rights Request”) for which the other party is the Controller. The Processor shall, in a manner consistent with their role and the Controller's access to Personal Data in question, provide reasonable support and cooperation to the Controller to comply with each Privacy Rights Request. The Processor shall not respond to a Privacy Rights Request without instruction from the Controller, except as necessary to confirm receipt of the request.
1.4 The parties agree that they will not "sell" (as defined by the Privacy Laws) or "share" (as defined by the California Consumer Privacy Act) Personal Data, unless such activity is consistent with the provisions of the Privacy Laws or other applicable legal grounds.
1.5 If, and to the extent that doing so would be necessary in order to comply with the Privacy Laws, each party shall make all commercially reasonable efforts to enter into one or more additional agreements covering the Processing of Personal Data. The parties will agree on the necessary changes in good faith, taking into account the obligation to carry out this contractual relationship in compliance with applicable Privacy Laws.
2. Data Security & Security Incident
2.1 Each party will at all times use reasonable and appropriate technical, organizational, and security measures to prevent loss, misuse, corruption, or disclosure of, and/or unauthorized access to, alteration of, or destruction of, Personal Data held in its custody under this DPA. Such measures will include, among other things and where appropriate, data encryption, channel encryption, and storage of Personal Data in a secure environment.
2.2 Notwithstanding any provisions in this DPA or the Agreement to the contrary, the party acting as the Processor shall notify the party acting as the Controller in writing, without unreasonable delay after discovery (unless a shorter time period is required by applicable law), in the event:
(i) any Personal Data is Processed (including by the Processor's affiliates or subsidiaries, business partners, agents, or authorized subcontractors), in violation of this DPA or Privacy Laws;
(ii) the party acting as the Processor (including its affiliates or subsidiaries, business partners, agents, or authorized subcontractors) discovers, is notified of, or reasonably suspects a security incident involving Personal Data, leading to, or that may potentially lead to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, in digital or physical format; or
(iii) there have been any formal complaints about the party acting as the Processor's (including its affiliates' or subsidiaries', business partners', agents', or authorized subcontractors') data privacy, data protection, or data security practices (collectively, "Security Incident"). The party acting as the Processor shall cooperate fully in the investigation and remediation of the Security Incident, and take reasonable measures to limit further unauthorized disclosure or Processing of Personal Data in connection with the Security Incident.
2.3 To the extent that a Security Incident gives rise to a need, in the respective Controller's judgment: (i) to provide notification to government authorities, individuals, or other persons; or (ii) to undertake other remedial measures (including, without limitation, notice, credit monitoring, or call center services) (collectively, "Remedial Action"), at the Controller's request, the Processor shall, at the Processor's cost, undertake such Remedial Action. The timing, content, and manner of effectuating any notices shall be determined by the Controller in consultation with the Processor.
3. Other Provisions
3.1 The parties agree that their respective liability for (a) any fines, claims, actions, damages, liabilities, costs, expenses, or penalties, including reasonable attorneys’ fees and expenses, arising from the Processing of Personal Data resulting in a Security Incident or (b) any breach of this DPA or Privacy Laws shall be subject to the limitations set forth in the Agreement.
3.2 Except as amended herein, all other terms of the Agreement shall remain unchanged and in full force and effect.
3.3 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, should this not be possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained herein. The foregoing shall also apply if this DPA contains any omission.
3.4 In the event of a conflict between the terms of this DPA and the Agreement, then the terms of this DPA shall control.
last updated: 5/2/2024