California Data Processing Agreement
Supplemental agreement for CCPA compliance for our California customers
Last Updated: March 10, 2023
This California Data Processing Agreement (“California DPA”) is incorporated into and forms part of the Master Services Agreement (the “Agreement”) between DroneDeploy, Inc. (together with its affiliates, “Company”) and the customer defined in the Agreement (“Customer”). If Customer shares Personal Information from the State of California, then, by agreeing to the terms of the Agreement containing a link to this California DPA, Customer is deemed to have signed this California DPA, including its Annexes, as of the effective date of the Agreement. This California DPA prevails over any conflicting terms of the Agreement but does not otherwise modify the Agreement.
- Definitions. For the purposes of this California DPA:
- “CCPA” means the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (California Civil Code §§ 1798.100 to 1798.199).
- “Personal Information,” “Share,” “Shared,” “Sharing,” “Sale,” “Selling,” “Business,” “Service Provider,” “Contractor,” “Consumer,” “Processing,” “Process,” and “Processed” have the meaning defined in the CCPA.
- “Customer Personal Information” means Personal Information provided by Customer to, or which is collected on behalf of Customer by, Company to provide services, to Customer pursuant to the Agreement.
- “Services” has the meaning given to it in the Agreement. The services include services provided through the Company’s DroneDeployⓇ and StructionSiteⓇ branded software products.
- Scope, Roles, and Termination.
- Applicability - This California DPA applies only to Company’s Processing of Customer Personal Information for the nature, purposes, and duration set forth in Annex I.
- Roles of the Parties - For the purposes of the Agreement and this California DPA, Customer is the Party responsible for determining the purposes and means of Processing Customer Personal Information as the Business and appoints Company as a Service Provider or Contractor to Process Customer Personal Information on behalf of Customer for the limited and specific purposes set forth in Annex I.
- Compliance.
- Compliance with Obligations - Company, its employees, agents, subcontractors, and sub-processors (a) shall comply with the obligations of the CCPA, (b) shall provide the level of privacy protection required by the CCPA, (c) shall provide Customer with all reasonably-requested assistance to enable Customer to fulfill its own obligations under the CCPA, and (d) understand and shall comply with this California DPA.
- Compliance Assurance - Customer has the right to take reasonable and appropriate steps to ensure that Company uses Customer Personal Information consistent with Customer’s obligations under the CCPA.
- Compliance Remediation – Company shall promptly notify Customer if it determines that it can no longer meet its obligations under the CCPA. Upon receiving notice from Company in accordance with this subsection, Customer may direct Company to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Information.
- Restrictions on Processing.
- Limitations on Processing - Company will Process Customer Personal Information solely as instructed in the Agreement and this California DPA. Except as expressly permitted by the CCPA, Company is prohibited from (i) Selling or Sharing Customer Personal Information, (ii) retaining, using, or disclosing Customer Personal Information for any purpose other than for the specific purpose of performing the services specified in Annex I, (iii) retaining, using, or disclosing Customer Personal Information outside of the direct business relationship between the Parties, and (iv) combining Customer Personal Information with Personal Information obtained from, or on behalf of, sources other than Customer.
- Subcontractors; Sub-processors – Company’s current subcontractors and sub-processors are available at https://dronedeploy.com/legal/subprocessors. If Customer wishes to receive notification of new subcontractors and sub-processors, it should send an email to [email protected] with the subject line “Subscribe to Subprocessor updates.” Further, Company shall ensure that Company’s subcontractors or sub-processors who Process Customer Personal Information on Company’s behalf agree in writing to the same or equivalent restrictions and requirements that apply to Company in this California DPA and the Agreement with respect to Customer Personal Information, as well as to comply with the CCPA.
- Consumer Rights.
- Company provides Customer with tools to enable Customer to respond to a Consumer rights’ requests to exercise their rights under the CCPA regarding Customer Personal Information. To the extent Customer is unable to respond to a Consumer’s request using these tools, Company shall provide commercially reasonable assistance to Customer for the fulfillment of Customer’s obligations to respond to CCPA-related Consumer rights requests.
- If Company, directly or indirectly, receives a request submitted by a Consumer to exercise a right it has under the CCPA in relation to that Consumer’s Personal Information, it will provide a copy of the request to the Customer. The Customer will be responsible for handling and communicating with Consumers in relation to such requests.
- Company may charge Customer a reasonable fee for assistance under this Section 5. If Company is at fault, Company and Customer shall each bear their own costs related to assistance.
- Exemptions.
- Notwithstanding any provision to the contrary in the Agreement or this California DPA, the terms of this California DPA shall not apply to Company’s Processing of Customer Personal Information that is exempt from the CCPA.
- Sale of Information.
- The Parties acknowledge and agree that the exchange of Personal Information between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this California DPA.
- Changes to the CCPA.
- The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to the CCPA.
- Notifications.
- Customer will send all notifications, requests and instructions under this California DPA to Company’s Legal Department via email to [email protected]. Company will send all notifications under this California DPA to Customer’s account owner email address, or to the email address(es) for which Customer elects to receive legal communications.
- Liability.
- Subject to any limitation of liability set out in the Agreement, to the extent permitted by applicable law, where Company has paid damages or fines, Company is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer’s part of responsibility for the damages or fines.
- Company’s liability arising out of or related to this California DPA, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement, and any reference in such section to the liability of Company means the aggregate liability of Company under the Agreement and all DPAs between Company and Customer together.
- Termination.
- This California DPA is terminated upon the termination of the Agreement.
- Modification of this DPA
- Company may modify this California DPA upon notice to Customer to the extent required to comply with changes to the CCPA. Other than as set forth in the preceding sentence, this California DPA may only be modified by a written amendment signed by both Company and Customer.
- Invalidity and Severability.
- If any provision of this California DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this California DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
- If any provision of this California DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this California DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
Annex I - Description of Processing
- Categories of Personal Information Transferred:
Customers may submit Personal Information to the Services, the extent to which is determined and controlled by the Customer and which may include, but is not limited to, the following categories of Personal Information:- First and last name;
- Title
- Position;
- Employer;
- Contact information (company, email, phone, physical business address);
- Professional life data;
- Personal life data;
- Geolocation data; and/or
- Localization data.
- Nature of the Processing:
The data will be transferred for the provision of the Services to Customer. - Purpose of the Processing:
Performing services on behalf of the Customer, including Processing Customer data and providing analytic, implementation and similar services on behalf of the Customer. The services include services provided through the Company’s DroneDeployⓇ and StructionSiteⓇ branded software products.