Data Processing Addendum for ServiceTitan Vendors
This Data Processing Addendum (this “Addendum”) is entered into by and between ServiceTitan, Inc., on behalf of itself and its affiliates (“Customer”), and the vendor identified in any agreement, order form, and/or statement of work (individually and collectively, “Agreement”) into which this Addendum is incorporated by reference, on behalf of itself and its affiliates (“Vendor”) (each a “Party”; collectively the “Parties”) and shall be applicable to any and all Agreements between the Parties, in furtherance of obligations under applicable privacy laws, including without limitation, the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020 (California Civil Code §§ 1798.100 to 1798.199), the Colorado Privacy Act (Colo. Rev. Stat. §§ 6-1-1301 to 6-1-1313), and the Virginia Consumer Data Protection Act (SB 1392), and their implementing regulations, each as amended or superseded from time to time (collectively, the “Privacy Laws”). This Addendum prevails over any conflicting terms of any Agreement. Any data protection addendum that may already exist between the Parties as of the date this Addendum is first agreed to between the Parties is superseded and replaced by this Addendum in its entirety. Furthermore, to the extent there are any conflicting terms between any hyperlinked terms in any Agreement and this Addendum, this Addendum shall control.
1. Definitions. For the purposes of this Addendum:
1.1. The capitalized terms used in this Addendum and not otherwise defined in this Addendum shall have the definitions set forth in the Privacy Laws.
2.1. This Addendum shall remain in effect for so long as (a) an Agreement is in effect between Customer and Vendor, and (b) Vendor continues to be in possession of Personal Information on behalf of Customer.
3. Roles and Scope.
3.1. This Addendum applies only to the Collection, retention, use, disclosure, and Sale of Personal Information provided by Customer to, or which is Collected on behalf of Customer by, Vendor to provide services to Customer pursuant to each Agreement or to perform a Business Purpose.
3.2. The Parties acknowledge and agree that Customer is a Business and appoints Vendor as a Service Provider to process Customer’s Personal Information on behalf of Customer.
3.3. The nature and purpose of processing data shall be to provide Customer the services pursuant to each Agreement, this Addendum, and as further instructed by Customer in its use of the services.
3.4. The type of Personal Information to be processed shall be set forth in each Agreement.
4. Restrictions on Processing.
4.1. During the term of each Agreement, Vendor shall only process Personal Information for the purpose of providing the services to Customer, or otherwise in accordance with Customer’s written instructions, and for no other purposes, except that Vendor may use the Personal Information to develop and improve the services provided to Customer, provide customer support to Customer, and as necessary for compliance with applicable laws.
4.2. Vendor will comply with all applicable obligations of the Privacy Laws and provide the same level of privacy protection as required by the Privacy Laws.
4.3. Vendor shall notify Customer if it engages a subcontractor, or if its subcontractors engage a subcontractor, and enter into a contract with such subcontractors containing the requirements set forth in this Addendum; provided, however, that Customer shall have the right in its sole discretion to object to the engagement of such subcontractors. In any case, Vendor shall remain liable for compliance with this Addendum by subcontractors of any level.
4.4. Vendor will ensure that all individuals processing Personal Information are subject to a duty of confidentiality.
4.5. Vendor shall not:
4.5.1. Sell or Share Personal Information.
4.5.2. Retain, use, or disclose Personal Information: (i) for any purpose (including, but not limited to, any Commercial Purpose) other than the business purposes specified under each Agreement, or (ii) outside of the direct business relationship between Customer and Vendor.
4.5.3. Combine Personal Information that Vendor receives from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another person, or collects from its own interaction with an individual, provided that Vendor may combine Personal Information to perform any business purpose as defined in any relevant regulations adopted pursuant to the Privacy Laws.
4.6. Vendor certifies that it understands and will comply with the restrictions set forth in this Addendum.
5.1. Vendor warrants that it will not use Customer’s Personal Information it receives from or collects on behalf of Customer in violation of the restrictions set forth in the Privacy Laws.
5.2. Vendor grants Customer the right to take reasonable and appropriate steps to (i) ensure Vendor utilizes the Personal Information it receives from Customer in a manner consistent with Customer’s obligations under the Privacy Laws and (ii) remediate unauthorized use of Personal Information.
6.1. Vendor hereby represents and warrants that it shall implement and maintain no less than reasonable security procedures and practices, appropriate to the nature of the information, to protect Customer’s Personal Information from unauthorized access, destruction, use, modification, or disclosure (“Security Incident”) and to preserve the security and confidentiality of Consumer Personal Information in accordance with the Privacy Laws, this Addendum, and each Agreement.
6.2. Vendor shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that are necessary to confirm Vendor’s compliance with the Privacy Laws and this Addendum.
6.3. Upon becoming aware of an actual or reasonably suspected Security Incident, Vendor shall notify Customer without undue delay and shall provide timely updates and information relating to the Security Incident as it becomes known or as is reasonably requested by Customer. Such information shall include the nature of the Security Incident, the categories and number of individuals affected, the categories and amount of Customer’s Personal Information affected, the likely consequences of the Security Incident, and the measures taken or proposed to be taken to address the Security Incident and mitigate possible adverse effects.
6.4. Vendor shall notify Customer without undue delay if it can no longer meet its obligations under the Privacy Laws.
6.5. Vendor shall provide Customer with all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections, or other technical and operational testing conducted by Customer or an auditor mandated by Customer at least once every twelve (12) months.
6.6. Vendor will provide Customer with all information necessary to enable Customer to conduct and document data protection assessments.
7. Consumer Rights.
7.1. Vendor shall provide commercially reasonable assistance, including through appropriate technical and organizational measures, as necessary to permit Customer to comply with the Privacy Laws, including responding to complaints or requests from individuals regarding their Personal Information and government orders or requests.
7.2. Upon termination or expiration of each Agreement, or upon direction by Customer, and in any event no later than thirty (30) days after receipt of a request from Customer, Vendor shall promptly delete or return Customer’s Personal Information as directed by Customer.
7.3. Vendor shall not be required to delete any of Customer’s Personal Information to comply with a Consumer’s request directed by Customer if it is necessary to maintain such information in accordance with Cal. Civ. Code 1798.105(d), in which case Vendor shall promptly inform Customer of the exceptions relied upon under 1798.105(d) and Vendor shall not use Customer’s Personal Information retained for any other purpose than provided for by that exception.
8. Deidentified Information.
8.1. In the event that either Party shares Deidentified Information with the other Party, the receiving Party warrants that it: (i) has implemented technical safeguards that prohibit reidentification of the Consumer to whom the information may pertain; (ii) has implemented business processes that specifically prohibit reidentification of the information; (iii) has implemented business processes to prevent inadvertent release of Deidentified Information; and (iv) will make no attempt to reidentify the information.
9.1. This Addendum is for the sole benefit of the parties hereto and their respective successors and permitted assigns and nothing herein, express or implied, is intended to or shall confer upon any other person any legal or equitable right, benefit or remedy of any nature whatsoever, under or by reason of this Addendum. Customer reserves the right to update this Addendum from time to time and Vendor is responsible for reviewing this Addendum for changes. Customer will notify Vendor of material updates to this Addendum.
9.2. Each Party shall deliver all notices, requests, consents, claims, demands, waivers and other communications under this Addendum (each, a “Notice”) pursuant to the notice provisions set forth in the applicable Agreement.