C60 Data Protection Addendum

Last updated June 14, 2023

This DATA PROTECTION ADDENDUM (the “DPA”) is made between Volt RMC Solutions, Inc. and its affiliates (“Volt”) incorporated in Delaware with a principal office located at 251 Little Falls Drive, Wilmington, DE, 19808 and the individual or single entity who has contracted with Volt to process various types of data for improvement of business operations and to gain information regarding consumers (the “Customer”) (each a “Party” and collectively the “Parties”).

 

INTRODUCTION:

  1. Volt specializes in the development and distribution of digital business models and software for the building industry. Customer has entered into an End User License Agreement with Volt for the provision of certain services (the “Services”) by Volt to the Customer (the “Agreement”).

  2. In the course of providing the Services, pursuant to the Agreement, Volt may process Protected Data (as defined below) on behalf of the Customer. Customer is the Data Controller in respect of any Customer Personal Data.

  3. The Parties agree to comply with the provisions of this DPA with respect to the Processing of any and all Protected Data provided to or collected by Volt on behalf of Customer in relation to the provision or receipt of the Services by Customer, including Protected Data Processed under relevant US Data Protection Laws (as defined below).

  4. Volt and Customer are entering into this DPA to facilitate compliance with the Data Protection Laws (as defined below).

 

IT IS AGREED:

1. DEFINITIONS AND INTERPRETATION


1.1 In this DPA, except where the context requires otherwise, the following words shall have the following meanings and their cognate terms shall be construed accordingly. All capitalized terms not defined herein shall have the meaning set forth in the Agreement:

“Business” as used in various Data Protection Laws, means a Data Controller.

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., all enacted and effective amendments thereto, and applicable implementing regulations.

“Customer Sub-processor” means any Personal Data of any nature, in any form, collected, generated, Processed or used for or in relation to the Services in respect of which the Customer is (a) the Data Controller; and (b) subject to Data Protection Laws with respect to the Processing of such Personal Data. For the avoidance of doubt, Customer Personal Data excludes Aggregate Data.

“Customer Personal Data” means any Personal Data of any nature, in any form, collected, generated, Processed or used for or in relation to the Services in respect of which the Customer is (a) the Data Controller; and (b) subject to Data Protection Laws with respect to the Processing of such Personal Data. For the avoidance of doubt, Customer Personal Data excludes Aggregate Data.

“Contracted Business Purposes” means the Services.

“CPRA” means the California Privacy Rights Act, Cal. Civ. Code § 1798.121 et al, all enacted and effective amendments thereto, and applicable implementing regulations.

“Data Controller” (or “Controller”), “Data Processor” (or “Processor”), “Data Subject”, “Personal Data” all have the meaning given to those terms in the Data Protection Laws (and related terms such as “Process”, “Processing” have corresponding meanings). Unless stated otherwise, where terms differ under each Data Protection Law but are conceptually similar, each term shall be given equivalent meaning. For example, a “Data Controller” is similar to a “Business,” or an organization/person carrying or an enterprise that has Personal Data under its control and Processes Personal Data on its own behalf, and a “Processor” is similar to a “Service Provider,” and a “Data Subject” is similar to a “Consumer” or “Individual” as those terms and concepts are found throughout Data Protection Laws and, therefore, the terms shall be given the same meaning.

As applicable to the CCPA, CPRA or California residents, the definitions in this DPA of: “Data Controller” includes “Business”; "Data Processor" includes “Service Provider” and “Contractor”; “Data Subject” includes “Consumer”; and “Personal Data” includes “Personal Information”.

As applicable to the VCDPA or Virginia residents, the definitions in this DPA of: “Data Controller” includes “Controller”; “Data Processor” includes “Processor”; “Data Subject” includes “Consumer”; and “Personal Data” includes “Personal Data”.

“Data Protection Laws” means: (US state and federal data protection or privacy laws including, but not limited to, the California Consumer Privacy Act, as amended by California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act; and (f) the Personal Information Protection and Electronic Documents Act (Canada) and substantially similar laws in the Canadian provinces of Alberta, British Columbia and Quebec, and (g) any other related rules or regulations.

“Volt Personal Data” means any Personal Data of any nature and in any form subject to Data Protection Laws with respect to the processing of such Personal Data and processed by the Customer acting as a Data Processor on behalf of Volt under the terms of this Agreement.

“Request” means a request from a Data Subject to exercise his/her rights under the Data Protection Laws in respect of Personal Data.

“Services” (or “Contracted Business Purposes”) means the contracted business purposes for which services are to be provided by the Customer pursuant to the Agreement.

“Service Provider” as used in various Data Protection Laws, means Processor.

“VCDPA” means the Virginia Consumer Data Protection Act, Va. Code § 59.1-575 et seq., all enacted and effective amendments thereto, and applicable implementing regulations.

1.2 Except where the context requires otherwise, the clause headings are included for convenience only and shall not affect the interpretation of this DPA; and any phrase introduced by the terms "including", "include", "in particular" or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding those terms.

1.3 References to any Directive, Regulation, statute or statutory provision will include any subordinate legislation made under it and will be construed as references to such Directive, statute, statutory provision and/or subordinate legislation as modified, amended, extended, consolidated, re-enacted and/or replaced and in force from time to time.

 

2. RELATIONSHIP BETWEEN THE AGREEMENT AND THIS DPA

2.1 This DPA is incorporated into and hereby forms part of the Agreement between Customer and Volt and reflects the Parties’ agreement in relation to facilitating compliance with Data Protection Laws. The terms of this DPA shall survive and apply while Volt has access to Customer’s Personal Data. If there is any conflict between the Clauses of this DPA and the Agreement, this DPA takes precedence with respect to the subject matter of this DPA.

 

3. APPOINTMENT AND ROLE OF DATA PROCESSOR AND SUB-PROCESSOR

3.1 Under applicable Data Protection Laws using the terms “Controller” and “Processor” the Parties agree that, with respect to Customer Personal Data, Volt is the Data Processor, and the Customer is the Data Controller.

3.2 Under applicable Data Protection Laws using the terms “Business” and “Service Provider” the Parties agree that, with respect to Customer Personal Data, Customer is the Business, and Volt is the Service Provider. In no case is the Customer a Third Party, as that term is defined by applicable Data Protection Law, under the Agreement.

3.3 Volt represents and warrants the purpose(s) of processing, duration of processing, and categories of Customer Personal Data, as set out in Schedule 1 of this DPA, are complete and accurate.

3.4 Volt shall comply with and Process Customer Personal Data in accordance with Data Protection Laws and its relevant obligations under this DPA.

3.5 Volt shall only collect, use, retain, disclose, or otherwise Process Personal Data for the Services in accordance with Data Protection Laws, obligations set forth in this DPA when carrying out the Contracted Business Purposes for which Volt accesses Customer Personal Data.

3.6 Volt shall not collect, use, retain, disclose, sell, or otherwise make Personal Data available for the Customer’s own commercial purposes or in a way that does not comply with Data Protection Laws. If a law requires the Customer to disclose Personal Data for a purpose unrelated to the Contracted Business Purposes, the Customer must first inform Volt of the legal requirement and give Volt an opportunity to object or challenge the requirement, unless the law prohibits such notice.

3.7 Where the Contracted Business Purposes require the collection of Personal Data from Data Subjects on the Customer’s behalf, Volt will always provide a legally compliant notice at collection. Customer will not modify or alter the notice in any way.

3.8 Volt shall take reasonable steps to ensure the reliability of Volt’s personnel Processing such Personal Data, and that personnel Processing such Personal Data receive adequate training on compliance with the data protection provisions of this DPA and Data Protection Law applicable to the Processing.

3.9 Where permitted by Data Protection Laws, Volt may aggregate, de-identify, or anonymize Personal Data, so it no longer meets the Personal Data definition under the relevant Data Protection Law, and may Process such aggregated, de-identified, or anonymized data for its own purposes. Volt will not attempt to or actually re-identify any previously aggregated, de-identified, or anonymized Personal Data and will contractually prohibit downstream recipients of such data from attempting to or actually re-identifying such data. Notwithstanding any other definition that may be given to “de-identify” under Data Protection Laws, for the purposes of this section 3.9, “de-identified” information shall mean information that no longer meets the Personal Data definition under the relevant Data Protection Laws.

3.10 Volt shall not combine the Personal Data it receives from or on behalf of Customer with Personal Data that the Customer (i) receives from or on behalf of another person; or (ii) collects from its own Data Subject interaction, unless the Personal Data is used for a purpose that does not involve cross-site, behavioural advertising and is permitted under the Data Protection Laws.

 

4. SECURITY MEASURES

4.1 Volt shall:

4.1.1 implement and maintain commercially reasonable and appropriate technical, physical, and organizational safeguards to protect the confidentiality, availability, and integrity of Customer Personal Data maintained or accessed by Volt;

4.1.2 take reasonable steps to ensure the reliability of any staff or contractors who may have access to Customer Personal Data; and

4.1.3 on termination or expiration of the Agreement, at the Customer’s written request, Volt will securely wipe or return all Volt Personal Data to Customer and shall not retain or further Process any Customer Personal Data or Client Personal Data.

Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Protected Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Protected Data uploaded to the Service. Notwithstanding the foregoing, Volt is not responsible for the security of any Customer Data while in transit over the Internet or other third-party network.

 

5. BREACH NOTIFICATION

5.1 Volt shall, to the extent permitted by applicable law, notify Customer as soon as reasonably possible if it becomes aware of any unauthorized or unlawful access to, Processing of, loss of, damage to, destruction, or corruption of Customer Personal Data or other information classified as confidential under the terms of the Agreement or of any violation or attempted violation by any person of any obligation concerning the confidentiality of Volt Personal Data (“Security Breach”).

5.2 Volt shall provide details to the best of Volt’s knowledge at the time of notification of such Security Breach to Customer including:

5.2.1 Suspected root cause of incident leading to the Security Breach;

5.2.2 Timeline of the incident leading to the Security Breach;

5.2.3 Categories of Personal Data or confidential data, as applicable, which could reasonably be impacted by the Security Breach;

5.2.4 Any corrective plan of action that has been or will be taken by Volt, including whether Volt plans to send notification of the Security Breach to data privacy protection agencies, enforcement authorities, or law enforcement, if such details are permitted by law.

5.3 To the extent such Security Breach is caused by or attributable to Volt, Volt shall make reasonable efforts to promptly identify and remedy the cause of such Security Breach.

 

6. SUB-PROCESSORS

6.1 Customer acknowledges and agrees that: (a) Volt may engage Sub-processors; (b) Affiliates of Volt are retained as Sub-processors; and (c) Volt engages third party Sub-processors to Process Customer Personal Data in connection with the provision of the Services.

6.2 Volt shall be liable for the acts or omissions of its Sub-processors to the extent that Volt would be liable if performing the services of each Sub-processor directly under this DPA.

6.3 Any Sub-processor used must qualify as a “Service Provider” under the California Consumer Privacy Act (as amended by the California Privacy Rights Act) and Volt cannot make any disclosures to the Sub-processor that any Data Protection Law would treat as a sale.

6.4 Volt shall appoint all Sub-processors under a binding written contract (“Processor Contract”) which imposes the same data protection obligations as are contained in this DPA. The Parties agree that the copies of the Processor Contracts sent by Volt to Customer may have all commercial information removed by Volt beforehand; and that such copies will be provided by Volt only upon reasonable request by Customer.

6.5 When Sub-Processors Process Personal Data, Volt shall take steps to ensure that such Sub-Processors are Service Providers under the CCPA and Processors under the VCDPA with whom Customer has entered into a written contract that includes terms substantially similar to this DPA or are otherwise exempt from the CCPA’s definition of “sale” and the VCDPA’s definition of “sale of personal data.” Customer shall conduct appropriate due diligence on its Sub-Processors.

 

7. DATA SUBJECT REQUEST

7.1 Volt shall provide Customer with reasonable co-operation and assistance in complying with any Request received by the Customer or Volt relating to Customer Personal Data and in particular shall:

7.1.1 promptly assess Customer requests or instructions requiring Volt to provide, amend, transfer, or delete the Personal Data, or stop, mitigate, or remedy any unauthorized Processing;

7.1.2 notify Customer promptly, and in any event not greater than five days, if it receives a Request from a Data Subject of any Customer Personal Data;

7.1.3 where Customer is not able to access such Personal Data without Volt’s support, on request, Volt shall supply Customer with the Personal Data or Client Personal Data which is sought under the request within 5 days of the Data Subject making the Request if applicable; and

7.1.4 not disclose or release any Customer Personal Data in response to a Data Subject access Request served on Volt by any Data Subject or third party, but will only direct the Data Subject or third party to direct the Request to Customer as Customer is the Data Controller.

7.2 To the extent that the Customer is unable to correct, amend, block or delete Customer Personal Data in response to a Request from a Data Subject in accordance with Data Protection Laws without Volt’s assistance, Volt shall reasonably cooperate and assist with meeting the Customer’s obligations. When determining whether such cooperation is reasonable, the Parties may take into account the nature of Volt’s Processing and the information available to Volt.

7.3 In all cases save where passing on the costs to Volt is prohibited by applicable law, Customer shall reimburse Volt for all costs incurred by Volt complying with its obligations in this Clause (including internal costs and any third party costs incurred including reasonable legal fees).

7.4 Customer’s and Volt’s obligations regarding Data Subject Requests shall apply to individual state privacy rights, including, but not limited to, Consumer’s rights under the CCPA, CPRA, and the VCDPA.

 

8. INDEMNITY

The Customer shall at its sole expense, defend, indemnify, and hold harmless Volt and its successors and assigns (collectively, the “Volt Indemnified Parties”) from and against any and all damages, losses, costs and expenses (including any reasonable attorney's fees and expenses), which the Volt Indemnified Parties pay to third parties in connection with any claim, suit, action, or proceeding brought against a Volt Indemnified Party, in each case to the extent arising out of any breach by the Customer of this DPA.

 

9. INTERNATIONAL DATA TRANSFERS

9.1 The Customer does not anticipate transferring Personal Data to countries outside of the United States.

9.2 Parties may not transfer any Personal Data to a country outside of the United States unless it receives express Consent from Customer, which may be refused at Customer’s own discretion. If the Customer approves an international transfer to a country outside of the United States, an additional agreement with appropriate safeguards must be executed.

9.3 Transfers of Volt Personal Data Outside of Quebec

9.4 Company shall not transfer Volt Personal Data relating to individuals located in the province of Quebec, outside the province of Quebec, without the prior written consent of Volt. Company shall cooperate with Volt in any privacy impact assessment that Volt deems to be necessary under Data Protection Laws.

 

10. CO-OPERATION, AUDIT AND RECORDS OF PROCESSING

10.1 Volt shall provide assistance, information and cooperation to Customer to ensure compliance with Customer’s obligations under Data Protection Law, including with respect to conducting any data protection and privacy impact assessments that Volt reasonably considers are necessary to comply with its obligations under Data Protection Law.

10.2 Volt shall permit audits conducted by either the Customer or another auditor mandated by Volt for the purpose of demonstrating the Customer’s compliance with its obligations under Data Protection Law and this DPA. This shall be subject to Customer giving Volt reasonable prior notice of such audit and/or inspection, and ensuring that any auditor is subject to binding obligations of confidentiality and that such audit or inspection is undertaken so as to cause minimal disruption to Volt’s business.

10.3 Volt shall make available to the Customer on request in a timely manner such information as is reasonably required by Customer to demonstrate Volt’s compliance with its obligations under Data Protection Laws and this DPA.

10.4 Volt will notify the Customer without undue delay if it becomes aware of circumstances which actually render its compliance with any Data Protection Law impossible.

 

11. RESPONSIBILITY FOR COMPLIANCE

11.1 The Customer acknowledges that as Data Controller of the Customer Personal Data, the Customer is responsible for ensuring compliance with all applicable Data Protection Laws including to ensure that all Customer Personal Data is Processed fairly and lawfully and in full compliance with applicable Data Protection Laws and that data subjects are fully informed of the Processing of Personal Data necessary for the performance of the Services and as described in the Agreement (including the right for Volt to process Customer Personal Data in order to create and use Aggregate Data for its own business purposes).

11.2 The Customer authorizes Volt (as Data Processor of the Customer Personal Data) to display Customer’s privacy policy on the applicable Services on behalf of Customer (as Data Controller of the Customer Personal Data). Customer acknowledges that Customer is responsible for ensuring that all privacy policies made available through the Services comply fully with Data Protection Laws and accurately describe the Processing of Personal Data contemplated by the Agreement.

11.3 Volt does not make any representation that entering into this DPA will enable the Customer to comply with its obligations under Data Protection Laws. The Customer understands and accepts that Volt does not provide legal advice and that they are not authorized to do so.

 

SCHEDULE 1
Data Processing Details

Subject Matter, Nature and Purpose of the transfer and further processing (including in relation to Sub-Processors where relevant)  

Volt’s provision of Services to Customer.

Data relating to the consumer and corporate users of the Data Controller’s (Customer’s) products, services, and website shall be Processed by the Customer for the purpose of providing the Services outlined in the Agreement. See Agreement for more information regarding services requested.

Duration and Deletion Period

Duration found in the Agreement, subject to clauses 2.1 and 11.2 of the DPA. 30-day deletion period subject to clause 7.1.1 of the DPA.

Personal Data/Special Category Data

 

Data relating to consumer and corporate users of Customer’s products, services and website, consisting of:


  • Personal Contact Details (including name, personal email address, online identifiers);
  • Work Contact Details (including work email address and company name);
  • Data Usage (including internet or other electronic network activity information including, but not limited to, browsing history, search history, and information regarding interactions with an Internet website, application, or advertisement);
  • Device Information (including internet protocol (IP) address, web browser type, operating system version, phone carrier and manufacturer, application installations, device identifiers, mobile advertising identifiers, and push notification tokens);
  • Communication Data (including direct communication, web forms, or interactions with Customer’s online posts);
  • Financial Data (including material costs, operating costs, pricing, and revenue data).

Data Subjects

Consumer and corporate users of the Customer’s products, services, and website.

Frequency of any transfer out of EEA/UK/Switzerland if applicable

N/A

Specific Restrictions

Volt shall not reverse engineer or combine anonymized / pseudonymized data with other data in order to create Personal Data.

Services

The services to be provided by Volt pursuant to the Agreement.

 

 
