CPRA Data Processing Addendum

At LR Services LLC, we take the privacy of personal information seriously. This data processing addendum covers parameters around use of personal information of Californian citizens, in accordance with the requirements of the California Privacy Rights Act, that LR Services LLC may receive from our clients and vendors.

​

I. Definitions

“Applicable Privacy Laws” means the California Privacy Rights Act (“CPRA”), as amended or replaced from time to time, along with any implementing regulations.

​

“Business Purpose” shall have the meaning ascribed in Section 1798.140 the Applicable Privacy Laws.

​

“Consumer” means any natural persons, households, or devices located in or residing in the U.S.

​

“Contractor” means a person to whom the Clients makes available a Customer’s Personal Information to LR Services LLC for a Business Purpose.

​

“Customer Personal Information” is personal information and personal data, as defined under the Applicable Privacy Laws, of any Consumer, which is made available to LR Services LLC on behalf of Client under the Agreement.

​

“Process”, “Processed” or “Processing” means any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means.

​

“Regulator” means any entity which has jurisdiction to enforce Clients’ and the LR Services LLC’s compliance with the Applicable Privacy Laws, including but not limited to the California Attorney General’s office.

​

“Security Incident” has occurred when LR Services LLC has knowledge of or reasonably believes there has been: a loss of; actual or attempted unauthorized or unlawful access to, or acquisition, use, or disclosure of Customer Personal Information within the possession of the LR Services LLC.

​

Terms such as “Sell”, “Share” “Deidentify”, and “Aggregate” shall have the meaning ascribed to them in Section 1798.140 of the Applicable Privacy Laws.

​

“Service Provider” shall have the meaning ascribed in Section 1798.140 of the Applicable Privacy Laws.

All capitalized terms not defined herein shall have the same meaning set forth in the Master Services Agreement signed between the parties.

​

II. Application

The parties agree that to the extent the CPRA applies, LR Services LLC acts as a Contractor for Client and Microsoft acts as Client’s Service Provider. LR Services LLC shall have no liability to Client to the extent the basis of the liability arises from a Client’s violation of Applicable Privacy Laws.

​

III. Client’s Obligations

Consumer Requests. Subject to the extent required under Applicable Privacy Laws, Client shall be responsible for all communications with Consumers that relate to Customer Personal Information. Contractor will advise and confer with Client about any proposed response to a Consumer inquiry regarding Customer Personal Information.

​

Communications with Regulators. Subject to the extent required under the Applicable Privacy Laws, Client shall be responsible for all communications with Regulators that relate to Customer Personal Information. Otherwise the LR Services LLC will advise and confer with Client about any proposed response to a Regulator inquiry regarding Customer Personal Information.

​

IV. LR Services LLC’s Obligations

LR Services LLC as a Contractor. LR Services LLC agrees that as a Contractor, and to the extent LR Services LLC may be a Service Provider under Applicable Privacy Laws, LR Services LLC shall not (i) sell or share Customer Personal Information; (ii) retain, use, or disclose Customer Personal Information for any purpose other than for the specific purpose of performing functions under the MSA, any applicable SOW or Supplemental Agreement, and under this DPA; or (iii) with respect to Customer Personal Information subject to the CPRA, combine Customer Personal Information made available by Client in connection with performing Services with Customer Personal Information LR Services LLC receives from another source except to perform the Business Purpose. In connection with providing Services, LR Services LLC shall also (i) comply with the CPRA and provide the same level of privacy protection as is required by the CPRA for Customer Personal Information; (ii) allow Client to take reasonable and appropriate steps to help ensure that LR Services LLC access to Customer Personal Information is in a manner consistent with Client’s obligations under the CPRA; (iii) notify Client in writing if LR Services LLC makes a determination that it can no longer meet its obligations under the CPRA; and (iv) permit Client to, upon notice, take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Personal Information. LR Services LLC understands the restrictions set forth in this Section and will comply with them.

​

Confidentiality. LR Services LLC shall treat all Customer Personal Information as confidential in accordance with MSA Section titled “Confidentiality.”

​

Security Incident. Upon the LR Services LLC’s discovery of a Security Incident, LR Services LLC shall promptly provide Client with written notice after discovery of such Security Incident. LR Services LLC shall promptly take all reasonable corrective action. LR Services LLC’s notification of the Security Incident will include, to the extent known at the time of notification (i) a description of the Security Incident, including, where possible, the categories and approximate number of Consumer’s concerned; (ii) the name and contact details of LR Services LLC’s data protection officer or other contact point where more information can be obtained; and (iii) a description of the measures taken or proposed to be taken by LR Services LLC to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects. If LR Services LLC us unable to provide all of the information above as part of the initial notification, LR Services LLC will provide this information to Client as soon as reasonably practical. Except as otherwise required by Applicable Privacy Laws, the obligations herein will not apply to incidents that are caused by Client. LR Services LLC’s notification of or response to a Security Incident will not be construed as an acknowledgement by LR Services LLC of any fault or liability with respect to the Security Incident.

​

V. General Compliance Obligations

Audits. Parties acknowledge that Client must be able to assess LR Services LLC’s compliance with its obligations under Applicable Privacy Laws and this DPA. Upon Client’s written request, to confirm the LR Services LLC’s compliance, LR Services LLC grants Client, at Client’s expense, permission to perform a reasonable assessment, audit, examination or review of all controls in relation to all Customer Personal Information made available to LR Services LLC. Within 30 days of Clients’ written request, LR Services LLC shall cooperate with such assessment by providing access to knowledgeable personnel, documentation, and application software that stores, uploads, accesses, transports, or otherwise makes available Customer Personal Information. Unless otherwise required under Applicable Privacy Laws, audits shall occur nor more than once annually.

​

Assistance with Customer Requests. If LR Services LLC receives a Consumer request relating to that Consumer’s Customer Personal Information (“Request”), LR Services LLC will provide a copy of the Request to Client within 7 days. LR Services LLC shall not further communicate with the Consumer without the written permission of Client. If Client receives the Request, the LR Services LLC will provide reasonable assistance at Client’s request to enable Client to respond to a Request, for example by providing Client with a copy of or access to all Consumer’s Customer Personal Information held by LR Services LLC, or deleting all Customer Personal Information related to a Consumer.

​

Disclosure to Law Enforcement or Government Authorities. If LR Services LLC is required by law to disclose any Customer Personal Information to law enforcement or government authorities, LR Services LLC shall notify Client in writing (unless legally prohibited) before complying with such disclosure request. If LR Services LLC receives communication from Regulators relating to Customer Personal Information, LR Services LLC shall (unless legally prohibited) promptly provide a copy to Client.

​

Service Provider. Notwithstanding the foregoing, Client agrees that to the extent LR Services LLC may be a Service Provider, LR Services LLC may if otherwise permitted by Applicable Privacy Laws and subject to LR Services LLC’s confidentiality obligations, Process Customer Personal Information to the extent permitted or required by applicable law.

​

Subprocessors. To the extent LR Services LLC is deemed a Service Provider by Applicable Privacy Laws, the parties agree that Microsoft and any Independent Software Vendors (collectively,Third-Party Subprocessors”) Client licenses to utilize additional software, acts as a Subprocessor. Client authorizes LR Services LLC to engage Third-Party Subprocessors in connection with the performance of the Services, provided that: (i) LR Services LLC and Third-Party Subprocessors have entered into a written agreement containing confidentiality obligations not less protective than those set forth in this DPA, and (ii) if LR Services LLC engages with additional subprocessors, LR Services LLC will provide written notice to Client prior to LR Services LLC’s appointment of a new subproccessor and Client may object to such appointment, provided such objection is submitted to LR Services LLC in writing within 10 days after receipt of notice. In the event of such objection, the parties will discuss commercially reasonable alternatives in good faith. If the parties cannot promptly reach a resolution, either party may terminate the MSA as its sole and exclusive remedy. Customer is responsible for all fees, charges, and taxes incurred by Client prior to termination.

​

VI. Termination

The terms of this DPA shall continue until termination of the MSA.

​

VII. Miscellaneous

This DPA supersedes and replaces any existing data processing addendum that parties may have previously entered into in connection with the Services and all prior and contemporaneous agreements, oral and written, regarding the subject matter of this DPA. The parties agree this DPA may need to be updated as a result of changes in data protection laws, and in such event LR Services LLC may amend the DPA without prior written notice or consent to comply with the Applicable Data Privacy Laws. If a court holds any provision of this DPA to be illegal, invalid, or unenforceable, the rest of the DPA will remain in effect. Except as provided in this DPA, the MSA remains unchanged and is in full force and effect. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions of the MSA.