Schedule A: Data Privacy Terms
Last Updated: September 29, 2022
This Schedule A (Data Privacy Terms) is incorporated into the Order (“Order”) between Pindrop Security, Inc. (“Pindrop”) and the customer identified in Section 2 (Company Information) (“Company”) of the Order. Capitalized terms not otherwise defined have the meanings given in the Order or the Pindrop Customer Agreement available at https://www.pindrop.com/schedule-d-pindrop-customer-agreement/ (“PCA”).
1. Definitions.
“Aggregate Data” means information that relates to a group or category of individuals, from which individual identities have been removed, that is not linked or reasonably linkable to any individual or household.
“Data Protection Laws” means all Laws that apply to Pindrop’s Processing of Personal Information under the Agreement.
“Deidentified Data” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or link, directly or indirectly, to a particular individual.
“Personal Information” has the meaning ascribed to it, or to a similar term (including, without limitation, “personal data”), under the relevant Data Protection Law.
“Process”, “Processing”, or “Processed” means, unless the same or similar terms are otherwise defined under the relevant Data Protection Law, any operation performed on Personal Information, whether or not done by automated means.
“Processing Purpose” means the purpose for which Pindrop is Processing Company Personal Information as described in Section 2(b) of this Schedule A.
“sale”, “sell”, or “selling” have the meanings ascribed to them under the relevant Data Protection Law.
“Business”, “Controller”, “Processor”, and “Service Provider” have the meanings ascribed to them under the relevant Data Protection Law.
2. Processing Purpose.
For purposes of Pindrop’s provision of Products and Services to Company under the Agreement:
(a) Pindrop is a Service Provider (or Processor, if applicable) with respect to Personal Information that Pindrop Processes on Company’s behalf under the Agreement (“Company Personal Information”);
(b) Company has disclosed Company Personal Information to Pindrop and its affiliates for the Processing Purposes of (i) detecting security incidents and protecting against malicious, deceptive, fraudulent, or illegal activity (including populating the Pindrop Database), (ii) assisting in authentication of Company’s callers, and (iii) as reasonably necessary, supporting other valid Business Purposes that are part of the Products or Services as expressly agreed by the parties in the Agreement, subject to relevant restrictions on use (such as those that apply to Fraudulent Call Data);
(c) Pindrop and Company acknowledge and confirm that Pindrop does not receive Company Personal Information as consideration for any Products, Services, or other items provided under the Agreement; and
(d) Company hereby instructs and authorizes Pindrop to Process Company Personal Information in connection with Pindrop’s performance and exercise of its obligations and rights under the Agreement. Any additional or alternate instructions must be mutually agreed by the parties in writing.
3. Duration of Processing.
Pindrop will Process Company Personal Information only for the duration of the Agreement and as otherwise allowed under the Agreement or Law. Unless retention of Company Personal Information is otherwise permitted under the Agreement, at the termination or expiration of the Agreement, Company Personal Information will be returned and/or deleted in accordance with Section 11(d) (Obligations Upon Termination) of the PCA.
4. Permitted Use.
Pindrop will collect, use, retain, disclose, and otherwise process Company Personal Information only (a) for its performance of the Agreement and provision of Products and Services (including to support Pindrop’s internal operations as necessary for provision of Products and Services) or (b) as otherwise necessary for compliance with Laws. Pindrop will ensure that its personnel who Process Company Personal Information are informed of its confidential nature and are subject to a duty of confidentiality with respect to Company Personal Information.
5. Service Providers.
Pindrop may disclose Company Personal Information to, and permit Processing of Company Personal Information by, Pindrop’s Service Providers who perform services on Pindrop’s behalf in support of the provision of Products and Services to Company. Pindrop will ensure that those Service Providers are subject to contractual requirements with respect to Company Personal Information equivalent to those that apply to Pindrop under this Schedule A. Pindrop will provide at least 30 days’ notice to Company if Pindrop engages a new Service Provider to support Pindrop’s Processing of Company Personal Information. Company may, within 30 days of receiving the notice, object to the engagement in good faith. If Company makes a timely good faith objection, the parties will work in good faith to resolve it. If the parties are unable to reach a mutually agreeable solution, Company’s sole and exclusive remedy is to terminate the relevant Order under which the new Service Provider is Processing Company Personal Information. Pindrop is responsible for actions of its Service Providers that breach the terms of this Schedule A.
6. Restrictions.
Pindrop is prohibited from selling, retaining, using, disclosing, or otherwise Processing Company Personal Information for any purpose other than the Processing Purpose or as otherwise described in Section 7 (Deidentified Data and Aggregated Data) of this Schedule A, which, for clarity, also prohibits Pindrop from retaining, using, or disclosing Company Personal Information outside of its business relationship with Company or for any other Commercial Purpose. If permitted under the Agreement, Pindrop may retain, use, or otherwise Process certain Company Personal Information (and combine it with Personal Information from other clients) as reasonably necessary to detect data security incidents, or protect against fraudulent or illegal activity (e.g., as part of the Pindrop Database). Pindrop certifies that it understands and will comply with the foregoing restrictions.
7. Deidentified Data and Aggregated Data.
Company acknowledges and agrees that (a) Pindrop and its affiliates may use Aggregate Data and Deidentified Data related to Company Personal Information or derived from Products and Services for the purpose of providing the Products and Services, improving its operations, and enhancing features, functions, and performance of Products and Services and (b) Deidentified Data and Aggregate Data cease to be Company Personal Information for purposes of the Agreement, and Pindrop and its affiliates may, during and after the Term of the Agreement, use, maintain, and disclose Deidentified Data and Aggregate Data for product improvement and general marketing purposes. Pindrop will not identify or otherwise disclose Company as the source of that Deidentified Data or Aggregate Data in any manner in connection with Pindrop’s product improvement or general marketing purposes. For clarity, Support Data may, if it meets the criteria in this Section 7, also be used for the purposes authorized in this Section 7.
8. Audit.
During the Term and for a period of 6 months thereafter, on reasonable prior written notice to Pindrop, Company may, at its expense, conduct (or have a third party conduct) an audit of relevant Pindrop documentation, materials, or systems for the sole purpose of assessing Pindrop’s Processing of Company Personal Information and Pindrop’s compliance with this Schedule A. Pindrop will reasonably cooperate with the audit request by providing reasonable access to knowledgeable personnel, systems, documentation, and other reasonably requested information. Company acknowledges and agrees there may be restrictions on Company’s ability to audit Pindrop’s subcontractors. Audits may not be conducted more than once per year unless a material non-compliance is detected, in which case an additional audit may be conducted to verify that mutually agreed corrective actions have been taken. Audits must be conducted during normal business hours and in a manner that does not unreasonably disrupt Pindrop’s day-to-day business. Any Pindrop site visit or audit of Pindrop’s procedures, systems, and equipment is subject to Pindrop’s reasonable information security and confidentiality policies and practices to protect confidential and proprietary information of Pindrop and its other customers or vendors. Pindrop is not required to provide access to or disclose any third party’s confidential information or any attorney-client privileged information. Any report, documents, information, or record provided to Company or created under this Section 8 is considered Pindrop Confidential Information.
9. Data Subject Requests.
If Pindrop receives a complaint, dispute, or request from a data subject to exercise the data subject’s rights under Data Protection Laws, and Pindrop is able to confirm that the request relates to Company, Pindrop will promptly notify Company. Taking into account the nature of Pindrop’s Processing of Company Personal Information, Pindrop will provide reasonable assistance to Company in responding to data subject requests as required by Data Protection Laws and only to the extent commercially feasible. Unless required by Law, Pindrop will not respond to or take any action to comply with a data subject request without Company’s approval.
10. Survival.
This Schedule A survives expiration or termination of the Agreement.