SERVICE PROVIDER DATA PROCESSING ADDENDUM

This Service Provider Data Processing Addendum (“SPDPA”) is incorporated by reference into and forms a part of each agreement (the “Agreement”) between BCC Software, Inc. (“BCC”) and you (“Customer”), each a “Party” and collectively, the “Parties”, and reflects the Parties’ agreement with regard to the use or access of personal information in accordance with the requirements of the California Consumer Privacy Act, when applicable. In the event of a conflict between any of the provisions of this SPDPA and the provisions of the Agreement, the provisions of this SPDPA will prevail.

To the extent BCC is required to Process CCPA Personal Information, as defined below, in its performance of its obligations under the Agreement, the following terms will apply.

1. ROLE OF PARTIES AND DEFINITIONS

1.1 Role of the Parties.
For the purposes of the CCPA, the Parties acknowledge and agree that BCC will act as a “Service Provider”, as that term is defined in the CCPA, in its performance of its obligations pursuant to this SPDPA or the Agreement. BCC will be referred to as “Service Provider” throughout this Section II. Customer will act as a single point of contact for its Affiliates with respect to CCPA compliance, such that if Service Provider gives notice to Customer, such information or notice will be deemed received by Customer’s Affiliates.

1.2 Definitions.
“Affiliates” means an entity that, directly or indirectly through one or more intermediaries controls, is controlled by, or is under common control with the Company;
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., including any amendments and any implementing regulations thereto that become effective on or after the effective date of this Data Processing Addendum.
“CCPA Consumer” means a “consumer”, as defined in the CCPA.
“CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Service Provider Processes on behalf of Customer and/or Customer’s Affiliates in connection with Service Provider’s provision of the Services;
“Data Processing Services” means the Processing of CCPA Personal Information for any purpose permitted by the CCPA, such as for a permitted “business purpose,” as such term is defined in the CCPA, or for any other purpose expressly permitted by the CCPA;
“Processing” has the meaning given in the CCPA, and “Process” will be interpreted accordingly;
“Services” means the services provided by Service Provider to Customer under the Agreement, including the Data Processing Services;
“Subprocessor” means any subcontractor engaged by Service Provider who Processes CCPA Personal Information on behalf of Service Provider.

2. CCPA PERSONAL INFORMATION PROCESSING

2.1 Instructions for CCPA Personal Information Processing
Service Provider will not retain, use or disclose CCPA Personal Information for any purpose other than for the specific purpose of providing the Services, or as otherwise permitted by the CCPA. Service Provider acknowledges and agrees that it will not retain, use or disclose CCPA Personal Information for a commercial purpose other than providing the Services.

Processing CCPA Personal Information outside the scope of this SPDPA or the Agreement will require prior written agreement between Customer and Service Provider on additional instructions for Processing.

2.2 Required Consents and Notices
Where required by applicable laws, Customer will ensure that it has obtained all necessary consents, and has given all necessary notices, for the Processing of CCPA Personal Information by Service Provider in accordance with the Agreement.

3. TRANSFER OF CCPA PERSONAL INFORMATION

3.1 No Disclosure of CCPA Personal Information
Service Provider will not disclose, release, transfer, make available or otherwise communicate any CCPA Personal Information to another business or third party without the prior written consent of Customer unless and to the extent that such disclosure is made to a Subprocessor for a business purpose, provided that Service Provider has entered into a written agreement with Subprocessor which imposes the same obligations on the Subprocessor with regard to their Processing of CCPA Personal Information as are imposed on Service Provider under this SPDPA and the Agreement. Notwithstanding the foregoing, nothing in this Agreement will restrict Service Provider’s ability to disclose CCPA Personal Information to comply with applicable laws or as otherwise permitted by the CCPA.

3.2 No Sale of CCPA Personal Information
Service Provider will not Sell any Customer Personal Data to another business or third party without the prior written consent of Customer.

4. CONSUMER RIGHTS REQUESTS

4.1 CCPA Consumer Rights Requests
On and after the effective date of the CCPA, Service Provider will comply with all applicable requirements of the CCPA, and will, where possible, assist Customer with responding to CCPA Consumer Rights Requests as required by applicable CCPA requirements. In requesting such assistance, Customer warrants and represents that the information it provides to Service Provider will be accurate and complete and that it has verified the identity of any CCPA Consumer who is requesting that a specific action be taken.

4.2 Notice of Requests
Service Provider will promptly notify Customer of any request received by Service Provider from a CCPA Consumer in respect of the CCPA Personal Information of the CCPA Consumer, and will not, unless otherwise required by the CCPA, respond to the CCPA Consumer except to direct such CCPA Consumer to contact Customer.

5. MISCELLANEOUS

5.1 Limitation of Liability
BCC’s liability arising out of or related to this SPDPA, whether in contract, tort or under any other theory of liability, is subject to the Limitation of Liability and Limitation of Damages sections of the Agreement.

5.2 No Other Modifications
Except as expressly set forth herein, the terms of the Agreement will remain unmodified and in full force and effect.

5.3 Counterparts
This Addendum may be executed in one or more counterparts (including electronically), each of which when executed will be deemed to be an original but all of which taken together will constitute one and the same instrument.