DATA PROCESSING ADDENDUM (DPA)
This Quality Outcomes, LLC (“QO”) Data Processing Addendum (“DPA”) applies to the extent Quality Outcomes processes any Covered Data as Client’s Processor or Service Provider in connection with QO’s provision of the Services to Client pursuant to the QO Terms of Service (as applicable, the “Agreement” or “Underlying Agreement”).
1. DEFINITIONS.
1.1 “Applicable Data Privacy Law” means, as applicable to the Covered Data at issue, the Florida Information Protection Act (FIPA), or Safeguards Rule, in each case together with its implementing regulations and as amended, superseded, or replaced from time to time.
1.2 “FIPA” means Florida Information Protection Act (FIPA) (Florida Statutes Chapter 501.171).
1.3 “Covered Data” means any Personal Data, Personal Information, or Customer Information provided to Media Nerds, LLC by Client or otherwise Processed by Media Nerds in connection with Media Nerds’ provision of the Services to Client pursuant to the Underlying Agreement.
1.4 “Customer Information” has the meaning set forth in the Safeguards Rule (16 C.F.R. § 314.2(d)).
1.5 “Financial Institution” has the meaning set forth in the Safeguards Rule (16 C.F.R. § 314.2(h)).
1.6 “Safeguards Rule” means the Federal Trade Commission’s Standards for Safeguarding Customer Information implemented under the Gramm-Leach-Bliley Act, codified at 16 C.F.R. § 314 et seq.
In addition, “Business”, “Business Purpose”, “Consumer”, “Controller”, “Data Subject”, “Personal Data”, “Personal Information”, “Process”, “Processor”, “Sale”, “Share”, and “Service Provider” and their respective derivative terms as used in this DPA shall be interpreted in accordance with Applicable Data Privacy Laws. All other capitalized terms used in this DPA have the meanings ascribed to them in the Underlying Agreement.
2. GENERAL TERMS.
2.1 Processing Details. The parties acknowledge and agree that with respect to the Covered Data, Client is the Controller and QO acts as a Processor or Service Provider for, and on behalf of, Client and conducts its Processing operations in accordance with Client’s instructions. Client hereby instructs QO to Process Covered Data on Client’s behalf pursuant to this DPA and the Underlying Agreement. Notwithstanding anything to the contrary in this DPA, QO, LLC may deidentify, aggregate, or anonymize all or portions of Covered Data so that it no longer constitutes Personal Data or Personal Information under Applicable Data Privacy Laws, at which point such data will no longer constitute Covered Data under this DPA.
2.2 Client's Obligations. Client determines the purposes for and means by which Covered Data is being or will be Processed, and the manner in which Covered Data is or will be Processed. Client represents and warrants that: (a) with respect to Covered Data, Client complies with data security and other obligations prescribed by Applicable Data Privacy Laws for Controllers/Businesses and Financial Institutions (if applicable), and the provision of Covered Data to QO complies with all Applicable Data Privacy Laws; and (b) Client will provide notice to individuals and obtain all consents, rights, authorizations, or other lawful basis regarding Client’s Processing and sharing of Covered Data with QO as required by applicable Law, including without limitation Applicable Data Privacy Laws. Client will promptly notify QO of any Consumer or Data Subject request made pursuant to any Applicable Data Privacy Law with which Client must comply that requires QO to take any action with respect to Covered Data being Processed, and will provide the information necessary for QO to comply with such request.
2.3 Quality Outcomes’ Obligations.
2.3.1 Unless otherwise permitted or required by applicable Law, QO will Process Covered Data as a Processor or Service Provider in compliance with Client’s instructions in this DPA and the Underlying Agreement.
2.3.2 QO will ensure that any person authorized to Process Covered Data under this DPA is bound by appropriate obligations of confidentiality.
2.3.3 QO has developed and implemented, and will maintain, a comprehensive written information security program that contains administrative, technical, and physical safeguards that are appropriate to QO’s size and complexity, the nature and scope of Media Nerds’ activities, and the sensitivity of any Covered Data at issue, designed to protect the security and confidentiality of Covered Data, protect against any anticipated threats or hazards to the security or integrity of Covered Data, and protect against unauthorized access to or use of Covered Data that could result in substantial harm or inconvenience to any Consumer, Data Subject, or Customer (as such term is defined in the Safeguards Rule, 16 C.F.R. § 314.2(c)).
2.3.4 Taking into account the nature of the Processing and the information available to us, we will provide Client with reasonable cooperation and assistance to enable Client as a Business or Controller to fulfill Client’s binding obligations with respect to the Covered Data, if any, under Applicable Data Privacy Laws to: (a) respond to requests from Data Subjects or Consumers for the exercise of their rights; and (b) provide notification of a Covered Data breach (or analogous concept) as required under Applicable Data Privacy Law.
2.3.6 Upon termination of the Underlying Agreement and receipt of Client’s written request, QO will delete Covered Data in QO's possession, subject to any limitations described in the Underlying Agreement and unless applicable Law requires further storage.
3. SERVICE PARTNERS.
Client specifically authorizes QO to engage sub-Processors/Service Providers. Client acknowledges that QO's sub-Processors/Service Providers are essential to provide the Services and if Client objects to QO's use of a sub-Processor/Service Provider, then notwithstanding anything to the contrary in the Underlying Agreement (including this DPA), QO will not be obligated to provide to Client the Services for which it uses that sub-Processor/Service Provider.
4. CONFLICTS.
To the extent there is a conflict or inconsistency between this DPA and the Underlying Agreement, this DPA will control.