Data Processing Addendum

Last Updated: December 20, 2024

This Data Processing Addendum (“DPA”) governs the processing, by Quick Power, Inc. (“HOAi”), of personal data or confidential information provided by Customer that HOAi processes on behalf of Customer (“Customer Data”) through HOAi’s enterprise services (“Services”) under the terms of certain agreement(s) between Customer and HOAi governing the Customer’s use of the Services (the “Agreement”), and is hereby incorporated into the Agreement. To the extent there is a conflict between the Agreement and this DPA, this DPA takes precedence unless the Agreement expressly overrides particular terms of this DPA.

Customer is the entity that determines the purposes and means for which Customer Data is processed (“Data Controller”), and HOAi processes Customer Data on the Data Controller’s behalf and in accordance with the Data Controller’s written instructions (“Data Processor”). The terms “Data Controller” and “Data Processor” shall have the same meaning as those similar concepts used in any applicable privacy, data security, and data protection laws and regulations (“Data Protection Laws”). HOAi and Customer each agree to comply with their respective obligations under Data Protection Laws.

1. Customer Data Processing Requirements. HOAi agrees to use Customer Data solely for the nature, purpose, and duration of the processing identified in the Agreement and in this DPA. For clarity, as Data Processor, HOAi will not sell or share Customer Data, nor will HOAi use, disclose, retain, or otherwise process Customer Data (i) for a purpose other than the specific purpose of providing the Services; (ii) outside of the direct business relationship between HOAi and Customer and the written instructions received from Customer; and (iii) in a manner inconsistent with applicable Data Protection Laws. The parties agree that any Customer Data exchanged between them in connection with the Agreement is not consideration from either party to the other with respect to the Agreement or otherwise. Where the Customer Data is subject to the California Privacy Rights Act of 2020 (“CCPA”), HOAi will not combine any Customer Data with any personal data or personal information as defined under applicable Data Protection Laws (“Personal Data”) that HOAi receives from or on behalf of another party, or collects from its own interactions with individuals, except as otherwise permitted under the CCPA. The foregoing sentence does not apply to Customer Data that has been anonymized, aggregated, or de-identified to the extent the Agreement permits or instructs HOAi to process or use Customer Data that is anonymized, aggregated, or de-identified. In such cases, HOAi will (i) adopt reasonable measures to prevent such de-identified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) not make attempts to re-identify the information, except solely for the purpose of determining whether its de-identification process functions as designed; and (iii) before sharing de-identified data with any other party, contractually obligate such recipients to comply with the requirements of this provision.

2. Subprocessors. HOAi may disclose Customer Data to HOAi’s sub-processors as necessary to deliver the Services or to help satisfy its obligations in accordance with this DPA (“Subprocessor”), and Customer hereby consents to the use of such Subprocessors. HOAi will enter into contractual arrangements with each Subprocessor binding them to provide a comparable level of data protection to that provided for in the Agreement and this DPA. HOAi agrees to be liable for the acts and omissions of its Subprocessors to the same extent HOAi would be liable under the terms of the DPA if it performed such acts or omissions itself, subject to the limitations of liabilities set forth in the Agreement. Upon Customer’s request, HOAi will provide Customer with a list of HOAi’s Subprocessors. HOAi will provide notification of a change regarding Subprocessors with at least fifteen (15) days prior notice before authorizing any new Subprocessors to process Customer Data. Customer may notify HOAi that Customer does not consent within fifteen (15) days on reasonable grounds relating to the protection of Customer Data by emailing privacy@myhoai.com. In such case, HOAi will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing by the objected-to, new Subprocessor without unreasonable burden to Customer. If HOAi is unable to make such a change within a reasonable amount of time, which shall not exceed sixty (60) days, Customer may terminate any applicable Agreements, order forms, or usage with respect only to those Services which cannot be provided by HOAi without the use of the objected-to, new Subprocessor, by providing written notice to HOAi. HOAi will refund to Customer any prepaid fees covering the remainder of the term of such Agreements, order forms or usage following the effective date of termination of the applicable Services. Such termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.

3. Notifications to Customer. HOAi will inform Customer if HOAi determines that an instruction from Customer violates any applicable Data Protection Laws and/or if HOAi can no longer meet its obligations under this DPA. If HOAi is required by Data Protection Laws to process any Customer Data for reasons outside of the Agreement, HOAi will inform Customer in advance of any such processing, unless prohibited by law. HOAi will provide Customer prompt notice if HOAi becomes aware of a legally required request for disclosure of Customer Data to law enforcement authorities, unless prohibited by law.

4. Data Subject Rights. If Customer’s data subjects submit a complaint or request with respect to access to or the rectification, erasure, restriction, portability, objection, blocking, or deletion of Customer Data directly to HOAi, HOAi will inform the Customer and will not respond to such a request without Customer’s prior written authorization. HOAi will provide reasonable assistance to Customer to provide information necessary to respond to such requests.

5. Security and Breach Prevention. HOAi will maintain reasonable and appropriate organizational and technical security measures to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Customer Data, and protect the rights of the Customer Data subjects. Appropriate safeguards will be taken to confirm that HOAi personnel are protecting the security, privacy, and confidentiality of Customer Data consistent with the requirements of this DPA, and to require that persons employed by HOAi and other persons engaged to perform on its behalf be subject to a duty of confidentiality with respect to the Customer Data and comply with the data protection obligations applicable to HOAi under the Agreement and this DPA. HOAi will inform Customer without undue delay if HOAi becomes aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Data processed by HOAi for Customer (“Data Breach Incident”) by HOAi, its Subprocessors, or any other third parties acting on HOAi’s behalf. HOAi will provide reasonable assistance to Customer for investigation of any Data Breach Incident.

6. Customer Assistance, Audits, and Assessments. HOAi will cooperate with assessments or audits performed by or on behalf of Customer to confirm that HOAi is processing Customer Data in a manner consistent with this DPA and Data Privacy Laws (“Audits”) on the condition that: (i) the Audit is required by law; (ii) where permitted by law, HOAi may first provide a summary of the results of a third-party audit or certification report (“Third-Party Certification”) to demonstrate compliance; (iii) the Audit occurs if such Third-Party Certification is not sufficient to demonstrate HOAi’s compliance with the obligations set out in this DPA and Data Privacy Laws; (iv) HOAi is given at least thirty (30) days advance written notice of the Audit; (v) the parties mutually agree upon the scope, time, and duration of the Audit; (vi) the Audit is at the Customer’s sole expense; and (vii) the Audit is conducted in a manner that is minimally disruptive to HOAi’s business. The results of such Audits and any Third-Party Certifications provided to Customer shall be the Confidential Information of HOAi. Where required by law, HOAi grants Customer the right to stop and remediate unauthorized use of Customer Data. HOAi will provide commercially reasonable assistance to Customer for the preparation of data protection impact assessments with respect to the processing of Customer Data by HOAi, and where necessary, provide consultations with any supervisory authority with jurisdiction over such processing.

7. Customer Obligations. Customer represents and warrants that it has and will maintain throughout the term all necessary rights, consents, and authorizations to provide Customer Data to HOAi, and that it shall only transfer Customer Data to HOAi using secure, reasonable and appropriate mechanisms to the extent these mechanisms are within Customer’s control. Customer authorizes HOAi to use, disclose, retain, and otherwise process Customer Data as contemplated by the Agreement, this DPA, and/or other processing instructions provided by Customer to HOAi. Customer acknowledges and agrees that Customer, not HOAi, is responsible for certain design and configuration decisions related to the Services, and the secure implementation of these decisions that complies with applicable Data Protection Laws.

9. Term and Termination. This DPA will remain in effect for as long as HOAi is processing Customer Data on Customer’s behalf, or until the termination of the Agreement, and all Customer Data has been returned or deleted in accordance with this DPA. Upon termination of this DPA, HOAi will direct each Subprocessor to delete Customer Data within thirty (30) days of the termination, unless prohibited by law.