This United States Data Processing Addendum for Embedded Applications (the “Addendum”) supplements and is incorporated into GOMETA, INC.’s (“YouAi” or “Company”) Terms of Use (the “Terms”) entered into and accepted by you (“Customer”) as a Developer (Company and Customer collectively, the “parties”) and includes terms required by applicable Privacy Laws (defined below). This Addendum governs the Processing of Personal Data by YouAi on behalf of Customer in connection with Embedded Applications. Any terms not defined in this Addendum shall have the meaning set forth in the Terms.
- Definitions
- “Authorized Subprocessor” means a third-party subprocessor, subcontractor, agent, reseller, or auditor engaged by Company, or employee of the same, that has a need to know or otherwise access Company’s Personal Data to enable Company to perform its obligations under this Addendum or the Terms, and that has been previously approved by Customer in accordance with Section 4.1 of this Addendum, and who is bound in writing by a data processing agreement pursuant to Section 4.4.
- “Company Account Data” means Personal Data that relates to Company’s relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Company Account Data also includes any data Company may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations.
- “Company Usage Data” means Service usage data collected and processed by Company in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.
- “Consumer” means a natural person who is a resident of, as applicable: (1) California, however identified, including by any unique identifier; or (2) Colorado, Virginia, or Utah acting only in an individual or household context; or (3) Connecticut, acting only in an individual context.
- “Controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of Processing Personal Data. “Controller” includes a “Business” as defined by the CCPA.
- “Personal Data” means any information that is linked or reasonably linkable to an identified or identifiable Consumer that is processed by Company on behalf of the Customer pursuant to the Terms. “Personal Data” includes “Personal Information” or “Personal Data” as defined by the applicable Privacy Law.
- “Privacy Laws” means, as applicable, (i) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), (ii) the Virginia Consumer Data Protection Act (“VCDPA”), (iii) the Colorado Privacy Act (“CPA”), (iv) the Connecticut Data Privacy Act (“CTDPA”), and (v) the Utah Consumer Privacy Act (“UCPA”), in each case as updated, amended or replaced from time to time.
- “Process” or “Processing” means any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means.
- “Processor” means a natural or legal entity that Processes Personal Data on behalf of a Controller or a Business. “Processor” includes “Service Provider,” and “Contractor,” as defined by applicable Privacy Laws.
- Nature and Purpose of Processing
- Nature and Purpose of Processing: Except with respect to Company Account Data and Company Usage Data, the Company shall Process Personal Data provided by Customer in connection with Embedded Applications as necessary to provide the Services under the Terms, for the purposes specified in the Terms and this Addendum, and in accordance with Customer’s instructions as set forth in this Addendum. Such purposes shall include supporting Customer’s use of the Embedded Application(s).
- Duration of Processing: Company shall Process Personal Data provided by Customer as long as required (i) to provide the Services to Customer under the Terms, or (ii) by applicable law or regulation.
- Categories of Consumers: The Company may Process the Personal Data (provided by Customer) of the following categories of Consumers: Customer end-users.
- Categories of Personal Data: Company may Process the following categories of Personal Data provided by Customer: identifying information provided through use of the Embedded Application(s) and corresponding Output, device ID, and/or session ID.
- Customer Obligations Regarding Personal Data: Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Company by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Company regarding the Processing of such Personal Data. Customer shall not provide or make available to Company any Personal Data in violation of the Terms or otherwise inappropriate for the nature of the Services, and shall indemnify Company from all claims and losses in connection therewith. Customer shall, in its use of the Embedded Applications, at all times Process Personal Data, and provide instructions for the Processing of Personal Data, in compliance with Privacy Laws. Customer shall ensure that the Processing of Personal Data in accordance with Customer’s instructions will not cause Company to be in breach of the Privacy Laws.
- Audits
- To the extent required by applicable Privacy Laws, and upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Company shall either (1) make available for Customer’s review copies of certifications or reports demonstrating Company’s compliance with prevailing data security standards applicable to the Processing of Personal Data provided by Customer in connection with Embedded Applications under the Terms, or (2) if the provision of reports or certifications pursuant to (1) is not reasonably sufficient under the applicable Privacy Laws, allow Customer or Customer’s independent third-party representative to conduct an audit or assessment of the Company’s policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for such assessments, provided that (a) Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Company’s business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Company for any time expended for on-site audits.
- Authorized Subprocessors
- A list of Company’s current Authorized Subprocessors (the “List”) will be made available to Customer, either attached hereto, at a link provided to Customer, via email or through another means made available to Customer. Such List may be updated by Company from time to time. Company may provide a mechanism to subscribe to notifications of new subprocessors and Customer agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing Authorized Subprocessors to access or participate in the Processing of Personal Data, Company will add such third party to the List and notify Customer. Customer may object to such an engagement by informing Company within ten (10) days of receipt of the aforementioned notice by Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain subprocessors are essential to providing the Services and that objecting to the use of a subprocessor may prevent Company from offering the Services to Customer.
- If Customer reasonably objects to an engagement in accordance with Section 4.1, and Company cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Company. Discontinuation shall not relieve Customer of any fees owed to Company under the Terms.
- If Customer does not object to the engagement of a third party in accordance with Section 4.1 within ten (10) days of notice by Company, that third party will be deemed an Authorized Subprocessor for the purposes of this Addendum.
- Company will enter into a written agreement with the Authorized Subprocessor imposing on the Authorized Subprocessor data protection obligations comparable to those imposed on Company under this Addendum with respect to the protection of Personal Data. In case an Authorized Subprocessor fails to fulfill its data protection obligations under such written agreement with Company, Company will remain liable to Customer for the performance of the Authorized Subprocessor’s obligations under such agreement.
- Security of Personal Data
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data.
- Consumer Requests
- Company shall, to the extent permitted by law, notify Customer upon receipt of a Verifiable Consumer Request, as defined in the applicable Privacy Laws. If Company receives a request from a Consumer in relation to Customer’s data, Company shall advise Consumer to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that any Verifiable Consumer Requests are communicated to Company, and, if applicable, for ensuring that a record of consent to Processing is maintained with respect to each Consumer.
- California-Specific Terms
- Additional Definitions
- For purposes of this Section 7, the terms “Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,” “Personal Information,” “Processing,” “Sell,” “Service Provider,” “Share,” and “Verifiable Consumer Request” shall have the meanings set forth in the CCPA.
- Obligations
- In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Information subject to the CCPA.
- Except with respect to Company Account Data and Company Usage Data (as defined in the Addendum), the parties acknowledge and agree that Company is a Service Provider for the purposes of the CCPA (to the extent it applies) and Company is receiving Personal Information from Customer in order to provide the Services pursuant to the Terms, which constitutes a Business Purpose.
- Company shall not Sell or Share Personal Information provided by Customer under the Terms.
- Company shall not retain, use, or disclose Personal Information provided by Customer pursuant to the Terms outside of the direct business relationship with Customer or for any purpose, including a Commercial Purpose, other than as necessary for the specific purpose of performing the Services for Customer pursuant to the Terms, or as otherwise set forth in the Terms or as permitted by the CCPA.
- Company shall notify Customer if Company makes a determination that it can no longer meet its obligations under the CCPA.
- Company will not combine Personal Information received from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another party, or that it collects from its own interaction with the Consumer.
- Company shall comply with all obligations applicable to Service Providers under the CCPA, including by providing Personal Information provided by Customer under the Terms the level of privacy protection required by the CCPA.
- If Customer determines that Company is Processing Personal Information in an unauthorized manner, Customer may, taking into account the nature of the Company’s Processing and the nature of the Personal Information Processed by Company on behalf of Customer, take commercially reasonable and appropriate steps to stop and remediate such unauthorized Processing.
- Virginia-Specific Terms
- Additional Definitions
- For purposes of this Section 8, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the VCDPA.
- Obligations
- In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Data subject to the VCDPA.
- Except with respect to Company Account Data and Company Usage Data (as defined in the Addendum), the parties acknowledge and agree that Company is a Processor for the purposes of the VCDPA (to the extent it applies).
- Company shall adhere to Customer’s instructions with respect to the Processing of Customer Personal Data and shall assist Customer in meeting its obligations under the VCDPA by: (i) in the event of a data breach, providing information sufficient to enable Customer to meet its obligations pursuant to Virginia’s breach notification laws (Va. Code § 18.2-186.6); and (ii) providing information sufficient to enable Customer to conduct and document data protection assessments to the extent required by the VCDPA.
- Company shall maintain the confidentiality of Personal Data provided by Customer and require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.
- Upon Company’s written request, Company shall delete or return all Personal Data provided by Customer under the Terms, unless retention of such Personal Data is required or authorized by law or the Addendum and/or Terms. If return or destruction is impracticable or prohibited by law, rule or regulation, Company shall take measures to block such Personal Data from any further Processing (except to the extent necessary for its continued hosting or Processing required by law, rule or regulation) and shall continue to appropriately protect such Personal Data remaining in its possession, custody, or control.
- Upon Customer’s written request at reasonable intervals, Company shall, as set forth in Section 3 of this Addendum, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate Company’s compliance with its obligations under the VCDPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the VCDPA and in conformance with Section 3 of this Addendum.
- Colorado-Specific Terms
- Additional Definitions
- For purposes of this Section 9, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the CPA.
- Obligations
- In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Data subject to the CPA.
- Except with respect to Company Account Data and Company Usage Data (as defined in the Addendum), the parties acknowledge and agree that Company is a Processor for the purposes of the CPA (to the extent it applies).
- Company shall require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.
- Upon Customer’s written request, Company shall delete or return all Personal Data provided by Customer.
- Upon Customer’s written request at reasonable intervals, Company shall, as set forth in Section 3 of this Addendum, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate Company’s compliance with its obligations under the CPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the CPA and in conformance with Section 3 of this Addendum.
- Connecticut-Specific Terms
- Additional Definitions
- For purposes of this Section 10, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the CTDPA.
- Obligations
- In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Data subject to the CTDPA.
- Except with respect to Company Account Data and Company Usage Data (as defined in the Addendum), the parties acknowledge and agree that Company is a Processor for the purposes of the CTDPA (to the extent it applies).
- Company shall require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.
- Upon Customer’s written request, Company shall delete or return all Personal Data provided by Customer.
- Upon Customer’s written request at reasonable intervals, Company shall, as set forth in Section 3 of this Addendum, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate Company’s compliance with its obligations under the CTDPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the CTDPA and in conformance with Section 3 of this Addendum.
- Utah-Specific Terms
- Additional Definitions
- For purposes of this Section 11, the terms “Consumer,” “Controller,” “Personal data,” “Processing,” and “Processor” shall have the meanings set forth in the UCPA.
- Obligations
- In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Data subject to the UCPA.
- Except with respect to Company Account Data and Company Usage Data (as defined in the Addendum), the parties acknowledge and agree that Company is a Processor for the purposes of the UCPA (to the extent it applies).
- Company shall require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.