Search

BCC Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated by reference into and forms a part of each agreement (the “Agreement”) between BCC Software, LLC (“BCC”) and you (“Customer”), each a “Party” and collectively, the “Parties”, and reflects the Parties’ agreement with regard to the use or access of personal information in accordance with the requirements of applicable State Data Protection Laws. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail.
To the extent BCC is required to Process Customer Personal Data, as defined below, in its performance of its obligations under the Agreement, the following terms will apply.

1. ROLE OF PARTIES AND DEFINITIONS

1.1 Definitions.

“Affiliates” means an entity that, directly or indirectly through one or more intermediaries controls, is controlled by, or is under common control with the entity specified.

“Business” means “Controller” or “Business”, as those terms are defined in applicable State Data Protection Laws.

“Customer Personal Data” means Personal Data submitted by or on behalf of Customer to the Services, or otherwise provided by Customer to BCC to provide the Services. Customer Personal Data does not include Personal Data independently collected by BCC as Service Provider as described in BCC’s Privacy Statement (available at https://www.bccsoftware.com/privacy-policy/), including, but not limited to, Personal Data provided by Customer to register a user account to use the Services.

“Data Processing Services” means the Processing of Customer Personal Data for any purpose permitted by applicable State Data Protection Laws, or for any other purpose expressly permitted by applicable State Data Protection Laws, this DPA, and the Agreement.

“Personal Data” means all data that is defined as “personal data” or “personal information” or equivalent terminology under applicable State Data Protection Laws and to which State Data Protection Laws apply, which BCC receives from Customer or on Customer’s behalf in connection with provision of the Services.

“Service Provider” means “Processor,” “Service Provider,” or “Contractor” as those terms are defined in applicable State Data Protection Laws.

“Services” means the services provided by BCC to Customer under the Agreement, including the Data Processing Services;

“State Data Protection Laws” means the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq. (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”) and otherwise, the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq. (“VCDPA”); the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq. (“CPA”); Connecticut Data Privacy Act, Pub. Act No. 22015 (“CTDPA”); the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq. (“UCPA”); the Texas Data Privacy and Security Act (“TDPSA”); the Montana Consumer Data Privacy Act (“MTCDPA”); and the Oregon Consumer Privacy Act (“OCPA”), including any implementing regulations thereto, and any other applicable U.S. state laws enacted for the purpose of protecting Personal Data whereby Customer is a Business and BCC is a Service Provider and the terms and conditions of this DPA meet the requirements of such state laws.

“Subprocessor” means any subcontractor engaged by BCC that Processes Customer Personal Data on behalf of BCC.

“Contractor”, “Controller”, “Consumer”, “Process”, “Processing”, “Sale(s)”, “Sell”, and “Share”, as used in this DPA have the meanings given in the applicable State Data Protection Laws.

1.2 Role of the Parties.

With regard to the Processing of Personal Data under this DPA, the Parties acknowledge and agree that Customer is the Business and BCC is the Service Provider. Customer, as the Business, is the party responsible for determining the purposes and means of Processing Customer Personal Data. Customer will act as a single point of contact for its Affiliates with respect to State Data Protection Law compliance, such that if BCC gives notice to Customer, such information or notice will be deemed received by Customer’s Affiliates.

2. PROCESSING

2.1 Customer Personal Data Processing

BCC will Process Customer Personal Data solely as permitted by the Agreement, Customer’s Processing instructions, and this DPA for the specific purpose of providing the Services or as otherwise permitted by applicable State Data Protection Laws. Except as expressly permitted by the State Data Protection Laws, BCC is prohibited from (i) Selling or Sharing Customer Personal Data, (ii) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purpose of performing the Services, (iii) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the Parties, and (iv) combining Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer.
Processing Customer Personal Data outside the scope of this DPA, the Agreement, or Customer’s Processing instructions will require prior written agreement between Customer and BCC on additional instructions for Processing.

2.2 Required Consents and Notices

Where required by applicable laws, Customer will ensure that it has obtained all necessary consents, authorizations, and rights, and has given all necessary notices, for the Processing of Customer Personal Data by BCC in accordance with the Agreement.

2.3 Deidentified Data

If BCC receives deidentified data from or on behalf of Customer, then BCC will: (i) take reasonable measures to ensure the information cannot be associated with a Consumer; (ii) publicly commit to Process deidentified data solely in deidentified form and not attempt to reidentify the information; and (iii) contractually obligate any recipients of deidentified data to comply with the foregoing requirements and State Data Protection Laws.

3. COMPLIANCE

3.1 Use of Services

Customer is solely responsible for using and configuring the Services in a manner that enables Customer to comply with State Data Protection Laws, and BCC shall not be responsible for Customer’s use of the Services in violation of State Data Protection Laws.

3.2 Security

Each Party will implement and maintain no less than commercially reasonable security procedures and practices, appropriate to the nature of the information, to protect Customer Personal Data from unauthorized access, destruction, use, modification, or disclosure.

3.3 Compliance Monitoring

BCC regularly reviews its security and data handling practices through a combination of internal audits and audits conducted by third parties. If Customer reasonably believes it does not have sufficient information to demonstrate compliance with applicable State Data Protection Laws, then Customer may request additional information from BCC, including by Customer’s submission and BCC’s completion of a security questionnaire, no more than once annually. As required by applicable State Data Protection Laws, BCC will notify Customer if BCC determines it can no longer meet its obligations under applicable State Data Protection Laws.

3.4 Assistance

Upon reasonable notice and appropriate confidentiality agreements, BCC will provide Customer with reasonable assistance in fulfilling Customer’s obligations under applicable State Data Protection Laws.

4. SUBCONTRACTORS

4.1 Engagement of Subcontractors.
Notwithstanding the restrictions in Section 2.1, Customer acknowledges and agrees that BCC may engage other Service Providers to Process Customer Personal Data in conjunction with the Services (“Subcontractors”). Any such engagement will be subject to a written contract binding each such Subcontractors to terms providing at least the same level of protection for Customer Personal Data as those specified in this DPA.

4.2 Notification

BCC has engaged the following Subcontractors to Process Customer Personal Data in conjunction with the Services, and Customer approves of their use by BCC:

  • Peachtree Data, Inc.
  • AtData, LLC
  • Global-Z International, Inc.

Notice that BCC has engaged different and/or additional Subcontractors will be provided to Customer by addition of the new Subcontractor’s name to the foregoing list in Section 4.2 of the DPA posted at https://bccsoftware.com/ccpa at least thirty (30) days before such Subcontractor begins Processing Customer Personal Data in conjunction with the Services (each a “Subcontractor Update”). Customer acknowledges and agrees that updating that web page is sufficient notice hereunder.

4.3 Objection

Customer may object to a new Subcontractor on reasonable grounds related to the protection of Customer Personal Data by sending an email to marketing@bccsoftware.com within twenty (20) days of the applicable Subcontractor Update. If Customer does not timely object to a new Subcontractor, Customer will be deemed to have authorized BCC’s use of the Subcontractor and to have waived its right to object.

5. CONSUMER RIGHTS REQUESTS

5.1 Consumer Rights Requests

BCC will, where possible, assist Customer with responding to Consumer rights requests as required by applicable State Data Protection Laws. In requesting such assistance, Customer warrants and represents that the information it provides to BCC will be accurate and complete and that it has verified the identity of any Consumer who is requesting that a specific action be taken.

5.2 Notice of Requests

BCC will promptly notify Customer of any request received by BCC from a Consumer in respect of the Personal Data of said Consumer, and will not, unless otherwise required by the applicable State Data Protection Law, respond to the Consumer except to direct such Consumer to contact Customer.

6. MISCELLANEOUS

6.1 Limitation of Liability

BCC’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the Limitation of Liability and Limitation of Damages sections of the Agreement.

6.2 No Other Modifications

Except as expressly set forth herein, the terms of the Agreement will remain unmodified and in full force and effect.

6.3 Exemptions

Notwithstanding any provision to the contrary of the Agreement or this DPA, the terms of this DPA will not apply to BCC’s Processing of Customer Personal Data that is exempt from applicable State Data Protection Laws.

6.4 Changes to State Data Protection Laws

The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations or other laws pertaining to privacy and information security, including, where applicable, the State Data Protection Laws.

V1.24

Scroll to Top