CCPA Obligations Clause Samples
The CCPA Obligations clause defines the responsibilities of the parties under the California Consumer Privacy Act (CCPA) regarding the collection, use, and protection of personal information of California residents. It typically outlines requirements such as providing notice to consumers, honoring requests to access or delete data, and ensuring that personal information is not sold or disclosed without proper authorization. This clause ensures that both parties comply with state privacy laws, thereby reducing legal risk and protecting consumer privacy rights.
CCPA Obligations. For purposes of this Section 11, Customer Personal Data shall include “personal information” (as that term is defined under CCPA) that Customer uploads into the Cloud Services that is processed by MongoDB. MongoDB is a “service provider” as defined in CCPA.
11.1. MongoDB will not:
11.1.1. retain, use, or disclose Customer Personal Data for any purpose other than providing the Cloud Services;
11.1.2. retain, use, or disclose Customer Personal Data outside of the direct business relationship between MongoDB and Customer;
11.1.3. sell or share Customer Personal Data (as the terms “sell” and “share” are defined in CCPA); or
11.1.4. combine Customer Personal Data with personal information that MongoDB has received from another MongoDB customer, except as permitted under CCPA.
11.2. We will notify you if we determine that we can no longer comply with our obligations as a service provider under CCPA.
11.3. You have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information that is protected under CCPA.
CCPA Obligations a. Supplier will only collect, use, retain, or disclose personal information for the contracted business purposes.
b. Supplier will not collect, use, retain, disclose, sell, or otherwise make personal information available for Supplier's own commercial purposes or in a way that does not comply with the CCPA. If a law requires the Supplier to disclose personal information for a purpose unrelated to the contracted business purpose, the Supplier must first inform the Foundation or Participating Agency (as applicable) of the legal requirement and give the Foundation or Participating Agency (as applicable) an opportunity to object or challenge the requirement, unless the law prohibits such notice.
c. Supplier will limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the contracted business purposes or another compatible operational purpose.
d. Supplier must promptly comply with any request or instruction from a software user or Participating Agency requiring the Supplier to provide, amend, transfer, or delete the personal information, or to stop, mitigate, or remedy any unauthorized processing.
e. If the contracted business purposes require the collection of personal information from individuals on the Participating Agency’s behalf, Supplier will always provide a CCPA-compliant notice addressing use and collection methods that the Participating Agency specifically pre-approves in writing. Supplier will not modify or alter the notice in any way without the Participating Agency’s prior written consent.
CCPA Obligations. Sendbird does not accept or disclose any Customer Data as consideration for any payments, services or other items of value. Sendbird does not sell or share any Customer Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act (“CCPA”). Sendbird processes Customer Data only for the business purposes specified in the written Contract. Sendbird does not retain, use, or disclose Customer Data (a) for cross‐context behavioral advertising, or (b) outside the direct business relationship with the Customer. Sendbird does not combine Customer Data with other data if and to the extent this would be inconsistent with limitations on service providers under the CCPA. To the extent Sendbird receives deidentified data from Customer or the Services under the Agreement allow for the deidentification of Customer Data, Sendbird represents and warrants to not reidentify, attempt to reidentify, or direct any other party to reidentify any data that has been deidentified, unless such services are contemplated under the Contract.
CCPA Obligations. (1) Notwithstanding any other provisions of this DPA, this section applies solely to the processing of Personal Information of residents of the State of California, USA. Terms such as "Business," "Service Provider," "Personal Information," "Consumers," "Sell," and "Share" shall have the meanings assigned to them under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
(2) The Controller acknowledges that it is the business, and the Processor (Dash0) acts as the Service Provider with respect to the personal information of consumers provided by the Controller under this Agreement.
(3) The Processor shall not sell or share the personal information of consumers processed on behalf of the Controller, except as required for the provision of the Platform and/or services as outlined in the Terms of Service.
(4) The Processor shall not retain, use, or disclose consumer personal information for any purpose other than the specific purposes of performing the services under this DPA and as part of the direct relationship between the Controller and Processor. Furthermore, the Processor shall not combine personal information received from the Controller with information obtained from any other entity or interaction, except as permitted under the CCPA.
(5) Upon receiving a deletion request from a consumer, the Processor shall, upon the Controller’s instruction, promptly delete the relevant personal information and instruct any engaged Sub-processors to do the same. The Processor shall not respond to Consumer deletion requests directly unless legally obligated to do so, and shall inform the Controller of any such obligations.
(6) The Controller is responsible for providing any required notices to consumers regarding the sharing of their personal information with the Processor. The Processor shall immediately notify the Controller if it determines it is unable to comply with its obligations under the CCPA.
(7) The Controller has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information. The Processor shall cooperate reasonably with the Controller in responding to any requests from consumers or data protection authorities related to personal information processing under this DPA. If the Processor receives a direct request from a consumer, it shall not respond without the Controller’s prior authorization unless required by law.
(8) The Processor certifies tha...
CCPA Obligations. 12.3.1 Processor will not Process any Personal Data on behalf of Controller except consistent with the stated Nature and Purpose of the Processing (as set forth in the attached Appendix A), which the parties agree constitutes a Business Purpose.
12.3.2 Processor will not engage in the Sale of Data unless otherwise permitted under the Agreement or the DPA without the prior express written consent of Controller, and, when required, the persons to whom such Personal Data relates.
12.3.3 Processor will maintain the Technical and Organizational Security Measures in Appendix B, which the parties agree constitute Reasonable Security Procedures and Practices.
12.3.4 Processor will not use any Personal Data it receives from Controller for Cross-Context Behavioral Advertising.
12.3.5 Processor shall provide reasonable assistance to Controller for the fulfilment of Controller’s obligation to respond to and address requests of Consumers relating to rights provided by CCPA. Controller shall be responsible for any costs arising from Processor’s provision of such assistance. Processor shall not be required to delete any of the Personal Data to comply with a request to exercise CCPA rights directed by Controller if it is necessary to maintain such information in accordance with Cal. Civ. Code 1798.105(d), in which case Processor shall promptly inform Controller of the exceptions relied upon under Cal. Civ. Code 1798.105(d) and Processor shall not use the Personal Data retained for any other purpose than provided for by that exception.
1. Subject matter of processing of
CCPA Obligations. As a non-profit corporation, TLF is not a “business” for purposes of the CCPA. To the extent the CCPA applies to the Processing of Personal Data that one Party provides to the other Party, and without limiting other obligations herein, the following shall apply:
a) The Parties agree that the Parties disclose Personal Data to one another for the Permitted Purposes;
b) The Parties will (i) comply with all applicable Data Protection Laws in the Processing of Personal Data and shall provide the same level of privacy protection as is required by Data Protection Laws and this Addendum; and (ii) only Process Personal Data for the Permitted Purposes or as permitted or required by applicable Data Protection Laws;
c) If either Party believes it will be unable to comply with Data Protection Laws, such Party will promptly notify the other Party. Without limiting the foregoing, the Parties grant one another the right to take reasonable and appropriate steps: (i) to help ensure the Recipient uses Personal Data transferred in a manner consistent with Disclosing Party’s obligations under Data Protection Laws; and (ii) to, upon notice, stop and remediate any unauthorized use and Processing of Personal Data. Upon request by a Party, the other Party will provide the information necessary to demonstrate compliance with this Addendum and the CCPA; and
d) To the extent the Parties receive or otherwise Process Deidentified Data associated with, derived from, or otherwise related to Personal Data under the Agreement, the Parties will: (i) take reasonable measures to ensure that the Deidentified Data cannot be associated with an individual, household or device; (ii) publicly commit to maintain and use the information in deidentified form and not attempt to reidentify the information; (iii) otherwise comply with applicable requirements for retention and Processing of Deidentified Data under Data Protection Laws; and (iv) contractually obligate any further recipient to comply with all provisions of this Section 5(d).
CCPA Obligations. As a non-profit corporation, Event Operator is not a “business” for purposes of the CCPA. To the extent the CCPA applies to the Processing of Personal Data that one Party provides to the other Party, and without limiting other obligations herein, the following shall apply:
a) The Parties agree that the Parties disclose Personal Data to one another for the Permitted Purposes;
b) The Parties will (i) comply with all applicable Data Protection Laws in the Processing of Personal Data and shall provide the same level of privacy protection as is required by Data Protection Laws and this Addendum; and (ii) only Process Personal Data for the Permitted Purposes or as permitted or required by applicable Data Protection Laws;
c) If either Party believes it will be unable to comply with Data Protection Laws, such Party will promptly notify the other Party. Without limiting the foregoing, the Parties grant one another the right to take reasonable and appropriate steps: (i) to help ensure the Recipient uses Personal Data transferred in a manner consistent with Disclosing Party’s obligations under Data Protection Laws; and
CCPA Obligations. Upstash is a “service provider” as defined in the CCPA. You have provided notice to your end users that you share Customer Personal Data with your service providers. We will not retain, use, or disclose Customer Personal Data for any purpose other than providing the Cloud Services, and will not sell Customer SCHEDULE 1 CROSS BORDER DATA TRANSFERS
CCPA Obligations. MongoDB is a “service provider” as defined in the CCPA. You have provided notice to your end users that you share Customer Personal Data with your service providers. We will not retain, use, or disclose Customer Personal Data for any purpose other than providing the Cloud Services, and will not sell Customer Personal Data (as the term “sell” is described in the CCPA). For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection. THE PARTIES HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.