This Data Processing Addendum ("DPA") is incorporated into and forms part of the Customer Subscription Agreement (“Agreement”) between Golden Analytics, Inc. (“Golden”) and Customer (as defined in the Agreement). In the event of conflict, this DPA controls with respect to Golden’s processing of personal data on behalf of Customer in providing the Service. Capitalized terms not defined in this DPA have the meanings given in the Agreement.
1. Definitions. As used in this DPA, the following terms have the meanings set out below.
"Controller," "Processor," "Data Subject," and "Processing" have the meanings given under applicable Data Protection Law.
"Data Protection Law" means any law, rule, regulation, decree, or other enactment, order, mandate, or resolution that applies to Client or Mastercard, related to data security, data protection, or privacy, including all U.S. state privacy laws (e.g. Cal. Civ. Code Title 1.81.5, § 1798.100 et seq. (California Consumer Privacy Act) (“CCPA”)), and any implementing, derivative, or related legislation, rule, regulation, and guidance, as amended, extended, repealed and replaced, or re-enacted.
“Personal Data” means any Customer Data relating to an identified or identifiable natural person and any other data or information that constitutes personal data or personal information under any applicable Data Protection Law.
"SCCs" means the EU Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum and Swiss-equivalent transfer mechanism.
2. Processing Instructions. Golden will Process Personal Data only as a Processor acting on behalf of Customer in connection with the Agreement and this DPA. Golden will Process Personal Data only on behalf of Customer and only (a) in accordance with Customer’s documented instructions, including as set forth in the Agreement and this DPA; and (b) as required by Data Protection Laws. Golden will promptly notify Customer if it cannot comply with a Processing instruction. Customer may terminate the affected portion of the Service without penalty upon such notice.
3. Security. Golden will implement and maintain technical and organizational security measures appropriate to the risk, designed to protect Personal Data, including properly configuring its network, systems, and applications, and has taken appropriate, and no less than industry-standard, technical and organizational measures to protect Personal Data. Golden will notify Customer without undue delay upon becoming aware of a Personal Data breach affecting Personal Data. This notice will include the information required by applicable Data Protection Law to the extent then known.
4. Subprocessors. Customer authorizes Golden to engage third-party Subprocessors to assist in providing the Service. Golden will: (a) impose data protection obligations on Subprocessors no less protective than those in this DPA; and (b) provide a list of engaged third-party Subprocessors upon request.
5. Data Subject Rights. Golden will promptly forward to Customer any Data Subject request received concerning Personal Data. Customer is responsible for responding to such requests. Golden will provide reasonable assistance, at Customer's cost, to help Customer fulfill its obligations to respond to Data Subject requests under applicable Data Protection Law, including requests for access, correction, deletion, portability, and restriction of Processing.
6. State Law Compliance. Golden will Process Personal Data subject to U.S. state privacy laws (including CCPA/CPRA) in accordance with the requirements applicable to a service provider or processor under those laws. Golden will not: sell Personal Data; retain, use, or disclose Personal Data for any purpose other than providing the Service; or combine Personal Data with personal information obtained from other sources except as permitted by law.
7. U.S. Personal Data Only. Customer will submit to the Service only Personal Data originating from the United States, unless Golden otherwise agrees in writing. Customer will indemnify and hold Golden harmless from any claims, penalties, or liabilities arising from Customer’s breach of this restriction.
8. Confidentiality. Golden will ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations.
9. Audits and Assessments. Golden will make available, upon Customer's written request (not more than once per year), information reasonably necessary to demonstrate compliance with this DPA, including relevant certifications (e.g., SOC 2 Type II).
10. Retention and Deletion. Upon termination of this DPA, Golden will return or delete all Personal Data in accordance with the relevant provisions of the Agreement.
11. Term. This DPA is effective as of the Effective Date and continues until the Agreement terminates or expires. Obligations relating to data security, confidentiality, and deletion survive termination.
12. General. Each party will comply with Data Protection Law. This DPA constitutes the entire agreement between the parties regarding its subject matter and supersedes all prior agreements on data processing. If any provision is found unenforceable, the remaining provisions continue in effect. Golden may update this DPA to reflect changes in Data Protection Law. This DPA is governed by the governing law of the Agreement, except where Data Protection Law requires otherwise.