2.1. Application of this DPA. This DPA shall only apply to Snappy’s Processing of Customer Personal Data, and shall not apply to Snappy’s Processing of other Personal Data, including Recipient Provided Data. Moreover, this DPA shall only apply to the extent that Customer Personal Data is subject to Data Protection Laws. In the event of a conflict between the Main Agreement (or any document referred to therein) and this DPA, the provisions of this DPA shall prevail.
2.2. Roles of the Parties. With regard to the Processing of Customer Personal Data, Customer is the Controller or Business (as applicable), Snappy is the Processor or Service Provider (as applicable), and Snappy shall engage Subprocessors pursuant to the requirements set forth in Section 5 below. The Parties acknowledge and agree that neither Party has reason to believe that the other Party is unable to comply with the provisions of this DPA or otherwise that such Party is in violation of any Data Protection Laws.
2.3. Snappy’s Processing of Personal Data.
2.3.1. Snappy shall treat Customer Personal Data as confidential and shall only Process Customer Personal Data as necessary to perform its obligations on behalf of and in accordance with Customer’s documented instructions for the following permitted purposes: (i) in accordance with the Main Agreement and Order Forms (where applicable); (ii) if initiated by Customer in its use of the Services; and/or (iii) to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Main Agreement and Data Protection Laws.
2.3.2 In no event shall Snappy Process Customer Personal Data for its own purposes or those of any third party, provided however, that Snappy may process such data for the legitimate business purposes of billing, record-keeping, account management, customer support, protection against fraudulent or illegal activity, or the prevention of misuse of the Services, and for the establishment, exercise, and defense of legal claims. Notwithstanding the foregoing, Snappy may process Customer Personal Data for the purposes of analytics, market research, and product improvement and development, provided that such data has been anonymized to the extent that the underlying Data Subjects are no longer capable of being identified. Snappy may process Aggregate Data and/or Deidentified Data in connection with Snappy’s ordinary business practices, provided that Snappy complies with the requirements set forth in Section 10 below.
2.4. Customer’s Obligations in Processing of Personal Data. Customer shall not provide Personal Data to Snappy except as is necessary for Snappy’s performance of Services and unless Customer shall have given the necessary notices and obtained the necessary consents, in each case, from the applicable Data Subjects whose Personal Data is Processed by Snappy pursuant to the Main Agreement. Customer shall, in its use of the Services, Process Personal Data in accordance with this DPA and the requirements of Data Protection Laws and shall immediately notify Snappy if Customer is in violation of any Data Protection Law. Customer’s instructions to Snappy related to the Processing of Customer Personal Data shall comply with Data Protection Laws. As between the Parties, Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.
2.5. California Personal Data Processing. To the extent that the Main Agreement or Customer’s instructions to Snappy involve the processing of Customer Personal Data concerning California Data Subjects, and to the extent that the CCPA governs the processing of the Customer Personal Data, the Parties acknowledge and agree that with respect to such information, the following provisions shall apply in addition to the general provisions set forth in this DPA:
2.5.1 Customer shall only instruct Snappy to process Customer Personal Data for those Business Purposes permitted under the CCPA, and shall disclose Customer Personal Data to Snappy only for the limited and specified purposes specified in the Main Agreement. Customer reserves the right, upon reasonable notice, to conduct audits and assessments as set forth in Section 7.2 to ensure that Snappy uses Customer Personal Data transferred in a manner consistent with Customer’s obligations under the CCPA, and to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
2.5.2 Snappy shall not: (a) Sell or Share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than for the Business Purposes specified in the Main Agreement except as otherwise permitted by the CCPA; (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Snappy and Customer except as otherwise permitted by the CCPA; or (d) combine Customer Personal Data with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with Data Subjects except as otherwise permitted by the CCPA. Snappy shall comply with applicable obligations and provide the same level of privacy protection as required by the CCPA, and shall assist Customer through appropriate technical and organizational measures to comply with CCPA requirements, taking into account the nature of the processing. Snappy shall notify Customer if it makes a determination that it can no longer meet its obligations under the CCPA.
2.5.3 The specific Business Purpose for which Snappy is processing Customer Personal Data pursuant to the Agreement, and for which Customer is disclosing such information to Snappy, is the provision of Snappy’s gift giving services, which constitutes “performing services on behalf of the business” as set forth under Cal. Civ. Code § 1798.140(e)(5).
2.6. Details of the Processing. The subject matter of Processing of Customer Personal Data by Snappy is the performance of the Services pursuant to the Main Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Customer Personal Data, and categories of Data Subjects Processed under this DPA are further specified in Annex I attached hereto.
2.7. Instructions for Processing. Customer instructs Snappy and each Snappy Affiliate (and authorizes Snappy and each Snappy Affiliate to instruct each Subprocessor) to Process Customer Personal Data, and in particular, transfer Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Main Agreement; and warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instructions set out in this section. Snappy shall immediately inform Customer if, in its opinion, an instruction violates Data Protection Laws.