Veza DPA (US) – 260130
US Data Protection Law Supplement to the DPA
To address changes in applicable laws, including but not limited to changes pursuant to the California Consumer Privacy Act, the California Privacy Rights Act, and other emerging United States privacy laws (collectively, “Applicable US Privacy Laws”), this Supplement to the DPA between Veza Technologies, Inc. and the other signatory to the Data Processing Agreement (“DPA”) shall apply to exchanges that are subject to Applicable US Privacy Laws. In particular:
PART 1: DEFINITIONS (applicable to this exhibit only)
(a) “Consumer” means a natural person whose personal information is processed.
(b) “Personal Information” or “PII” means personal information or personal data (as such terms are defined under the US Data Protection Laws) concerning visitors that Veza, in its capacity as Customer’s Service Provider, processes on behalf of Customer through the Software Services, and excluding any personal information that Veza processes in its capacity as a Business. For the avoidance of doubt, the definition of “personal information” in this supplement includes (1) all “personal information” as under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”) and the Virginia Consumer Data Protection Act (“VCDPA”), namely information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household; and (2) all information that constitutes “personal data” under the Utah Consumer Privacy Act (“UCPA”) once effective and Connecticut Data Privacy Act (“CTDPA”) once effective and the Colorado Privacy Act (“CPA”) once effective and the Iowa Consumer Data Protection Act (“ICDPA”) once effective, namely information that is linked or reasonably linkable to an identified individual or an identifiable individual.
(c) “Instructions” means Customer’s instructions to Veza: (i) to provide the Software Service to Customer in accordance with the features and functionalities of the Software Service and related Documentation; (ii) through Authorized User-initiated actions on and through the Software Service or otherwise based on Customer’s configuration and use of the Software Service; (iii) contained in the Agreement and/or any applicable Order Form; and (iv) mutually agreed by the Parties in writing.
(d) “Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Information.
(e) “US Data Protection Laws” means, to the extent applicable, federal and state laws relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States, including, but not limited to, the CCPA, the CPA, the CTDPA, the UCPA, the VCDPA, the ICDPA, and any regulations promulgated pursuant to any such Act, as applicable.
(f) “Verifiable Consumer Request” means the rights asserted by any individual in relation to Personal Information under the US Data Protection Laws.
(g) “Business”, “Controller”, “Service Provider”, “Processor”, “Process”, “Sale”, and “Share” shall have the meanings set forth in the US Data Protection Laws.
PART 2: STANDARD UNDERSTANDINGS AND AGREEMENTS
(a) In the course of providing services under the Agreement, the parties will comply with Applicable US Privacy Laws.
(b) To the extent that the parties have access to PII about California residents in connection with the provision of services under existing agreement(s), Veza acts as a “service provider” to third parties within the meaning of Applicable US Privacy Laws. As such:
1. Subject to the retention provisions in this Agreement, Veza shall only use, disclose, or otherwise process PII on behalf of Controller and only as necessary to provide the services to Controller.
2. Subject to the retention provisions in this Agreement, Veza is prohibited from retaining, using or disclosing PII for any purpose other than providing the services to Controller.
3. Veza is prohibited from combining PII it receives from Controller with personal information it receives from or on behalf of other entities or that it collects from its own interactions with individuals.
4. Veza acknowledges and agrees that it does not receive any PII as consideration for any services or other items that it provides to Controller.
5. Subject to the retention provisions in this Agreement, Veza shall not have, derive or exercise any rights or benefits regarding PII.
6. Veza must not “sell” or “share” any PII as defined in Applicable US Privacy Laws, and agrees to refrain from taking any action that would cause any transfers of PII to or from Controller to qualify as “selling” or “sharing” PII under Applicable US Privacy Laws.
7. Veza agrees that it is able to and shall assist Controller in utilizing Veza’s system to enable Controller to securely delete Controller PII, as well as provide Controller with a list of Controller PII categories or specific elements about a particular individual maintained by Veza on Controller’s behalf, in order for Controller to comply with Applicable US Privacy Laws.
8. Veza shall notify Controller should Veza determine that it can no longer meet its obligations under Applicable US Privacy Laws with respect to the PII it receives or has access to in providing services to Controller.
9. Controller may monitor Veza’s use of PII and compliance with the restrictions and obligations detailed herein. Should Veza’s use of PII constitute unauthorized use of PII under Applicable US Privacy Laws, Controller may take reasonable and appropriate steps to stop and remediate Veza’s use of PII.
10. Veza shall ensure that any subcontractor to which Veza discloses or provides access to PII is subject to these same obligations in writing.
(c) For the avoidance of doubt, to the extent that Veza and Controller have entered into a Business Associate Agreement (“BAA”), the terms of the BAA shall continue to apply. For the avoidance of doubt, any Personally Identifiable Information received or accessed pursuant to a BAA is exempt from the requirements of this US Privacy Laws Addendum.
In the event that there is any inconsistency or conflict between the terms of this US Privacy Laws Addendum and the other portions of the agreement(s) between Controller and Veza Technologies, Inc., the requirements of this US Privacy Laws Addendum shall govern.
PART 3: CLAUSES
1. RELATIONSHIP AND OVERVIEW OF PROCESSING. With respect to the Veza services, the Parties agree that: (i) Customer is considered the Business or Controller and will comply with its obligations as a Business and Controller under the US Data Protection Laws; and (ii) Veza is considered a Service Provider or Processor and will comply with its obligations as a Service Provider and Processor under the US Data Protection Laws. Customer will provide Personal Information to Veza only to the extent permitted by, and in compliance with, the Agreement, and it will ensure that it has all necessary rights and permissions needed to permit Personal Information to be collected and processed in accordance with the Instructions.
2. INSTRUCTIONS FOR PROCESSING.
(a) Veza will process the Personal Information only on behalf of and under the Instructions of Customer and in accordance with US Data Protection Laws. The Agreement and this US Addendum will generally constitute Instructions for the Processing of Personal Information. Customer may issue further written Instructions in accordance with this US Addendum.
(b) Veza will limit access to Personal Information to personnel who have a business need to access such Personal Information and will ensure that personnel handling Personal Information are subject to adequate confidentiality obligations that persist beyond the contractual relationship with the personnel.
(c) Veza will provide Customer with information and support to enable Customer to conduct and document any data protection assessments as required under US Data Protection Law. In addition, Veza will notify Customer promptly if Veza determines that it can no longer meet its obligations under US Data Protection Laws.
(d) Customer will have the right to take reasonable and appropriate steps to ensure that Veza uses Personal Information in a manner consistent with Customer’s obligations under US Data Protection Law.
4. VERIFIABLE CONSUMER REQUESTS. Veza has implemented technical and organizational measures to assist Customer with its obligation to respond to Verifiable Consumer Requests for the access and erasure of Personal Information. Veza will make this functionality available to Customer. If Veza receives a Verifiable Consumer Request from a Consumer that identifies Customer, it will promptly forward that request to Customer. Customer agrees to follow Veza’s documented procedures, provide sufficient information to identify records containing relevant Personal Information, and otherwise cooperate with Veza’s reasonable requests. Customer must not send duplicative or unnecessary requests to Veza (for example, requests for Personal Information not processed by the Software Services).
5. DEIDENTIFIED DATA. If, under US Data Protection Laws, Veza receives deidentified data from or on behalf of Customer, then Veza will: (i) take reasonable measures to ensure the information cannot be associated with a Consumer; (ii) publicly commit to Process deidentified data solely in deidentified form and not attempt to reidentify the information; and (iii) contractually obligate any recipients of deidentified data to comply with the foregoing requirements and US Data Protection Law.