Plasmic US data processing addendum
(CALIFORNIA AND VIRGINIA)
This U.S. Data Processing Addendum (the “Addendum”) between Plasmic, Inc. (“Plasmic”) and the customer accessing or using the Services (the “Customer”), is incorporated into the SaaS Services Agreement located at https://plasmic.app/tos (if applicable) or such other commercial agreement between Plasmic and the Customer whereby Plasmic provides the Customer with access to the Services (the “Agreement”). “Services” is defined in the Agreement and in some cases is referred to as the Builder Services. This Addendum applies with respect to the provision of the Services to Customer, if the Processing of Customer Personal Data (as defined below) is subject to Applicable US Laws (as defined below). References to the Agreement will be construed as including this Addendum. Plasmic may revise and update this Addendum from time to time when required by applicable law. All changes are effective within 30 days after we post them, and will apply to all access to and use of the Services thereafter.
“Applicable US Laws” means, as applicable, the CCPA and the VCDPA.
“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its final regulations.
“Customer Personal Data” means the personal information or personal data provided or made available or accessible by Customer to Plasmic in connection with the Agreement.
“VCDPA” means Virginia’s Consumer Data Protection Act.
The terms “business”, “business purpose”, “commercial purpose”, “consumer”, “controller”, “personal data”, “personal information”, “process”, “processing”, “processor”, “sell”, “service provider”, and “share” as used in this Addendum have the meanings given in the Applicable US Laws.
2.1. Responsibilities. The parties acknowledge and agree that:
2.1.1. Plasmic is a service provider and processor of Customer Personal Data under Applicable US Laws;
2.1.2. Customer is a business and controller of Customer Personal Data under Applicable US Laws;
2.1.3. Each party will comply with the obligations applicable to it under the Applicable US Laws with respect to the processing of Customer Personal Data; and
2.1.4. (a) the nature of the processing is collecting, organizing, structuring, storing, altering, using, disclosing, combining, deleting and destroying data; (b) the purpose of the processing is for Plasmic to provide the Services to Customer, including, specifically, providing a platform for visual content management and low-code application development, providing support and communicating with Customer’s representatives using the Services, processing billing, tailoring features of the Services, performing Plasmic’s obligations, operating, maintaining, analyzing, developing, updating and improving the Services, detecting, investigating, and preventing illegal acts and security threats, sending marketing information to Customer representatives, and otherwise processing Customer Personal Data as reasonably requested by Customer; (c) the types of personal information that are subject to the processing are name, email address, phone number, IP address, device identifier, cookie identifier, account login information, usage and page view information, text entered, movements, audio and electronic email for business communications, location information provided by mobile device or when associated with IP address, professional and employment-related information, and other information made available by the Customer; (d) the types of consumer whose personal information is being processed are individuals using the Services on behalf of the Customer and Customer end users; and (e) the duration of processing is the term of the Agreement until Customer Personal Data is deleted.
2.2. Instructions. Customer instructs Plasmic to process Customer Personal Data in accordance with the following, and Plasmic will comply to the extent not prohibited under Applicable US Laws: (a) to provide the Services; (b) as set forth in the Agreement and specifically in this Addendum; (c) as set forth in any other written instructions given by Customer; and (d) to process Customer Personal Data as permitted under Applicable US Laws for service providers and processors.
2.3. Confidentiality. Plasmic will ensure that all persons authorized to process Customer Personal Data are subject to a duty of confidentiality with respect to the Customer Personal Data.
2.4. Data Deletion. Customer instructs Plasmic to delete all Customer Personal Data from Plasmic’s systems upon termination of the Agreement, except to the extent retention of Customer Personal Data is required by applicable law.
2.5. Demonstration of Compliance. Upon Customer’s reasonable request, Plasmic will make available to Customer all information in its possession necessary to demonstrate Plasmic’s compliance with its obligations under Applicable US Laws.
2.6. Data Security. Plasmic will implement and maintain technical and organizational measures to protect Customer Personal Data against unauthorized access to or acquisition of Customer Personal Data on systems managed by or otherwise controlled by Plasmic.
2.7. Data Incidents. Taking into account the nature of processing and the information available to Plasmic, Plasmic will reasonably assist Customer in meeting its obligations in relation to the security of processing the Customer Personal Data and in relation to the notification of a Data Incident pursuant to Applicable US Laws. If Plasmic becomes aware of a Data Incident, Plasmic will notify Customer without unreasonable delay and take reasonable steps to minimize harm and secure Customer Personal Data. “Data Incident” means a breach of the security of the system (as defined under Applicable US Laws) of Plasmic, including a breach of security leading to the unauthorized access to or acquisition of (or reasonable belief of such unauthorized access to or acquisition of) Customer Personal Data on systems managed by or otherwise controlled by Plasmic, excluding unsuccessful attempts that do not compromise the security of Customer Personal Data such as unsuccessful pings, log-in attempts, and other network attacks on firewalls or networked systems. Plasmic’s notification of or response to a Data Incident will not be construed as an acknowledgement by Plasmic of any fault or liability with respect to the Data Incident. For the avoidance of doubt, Plasmic is not responsible or liable for any personal data breach or incident to the extent the breach or incident arose from the actions, omissions, personnel, users, service providers, or systems of Customer. Customer is responsible for complying with breach and incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident.
2.8. Assistance; Assessments. Plasmic will reasonably assist Customer in meeting its obligations under Applicable US Laws, including the following:
2.8.1. taking into account the nature of processing and the information available to Plasmic, by appropriate technical and organizational measures, insofar as this is reasonably practicable, assisting Customer in fulfilling Customer’s obligation to respond to consumer rights requests pursuant to Applicable US Laws; and
2.8.2. providing necessary information to enable Customer to conduct and document data protection assessments pursuant to Applicable US Laws. Plasmic will allow and cooperate with reasonable assessments by Customer (or Customer’s designated assessor, subject to execution of a confidentiality agreement with Plasmic); provided, that Plasmic may alternatively arrange for a qualified and independent assessor to conduct an assessment of Plasmic’s policies and technical and organizational measures in support of the obligations under Applicable US Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Plasmic shall provide Customer a report of such assessment upon Customer’s request.
2.9. Subprocessors. If Plasmic engages any subprocessor to process Customer Personal Data on Plasmic’s behalf, Plasmic will enter into a written contract with such subprocessor that requires the subprocessor to meet the obligations of Plasmic under Applicable US Laws with respect to the Customer Personal Data. Plasmic’s current list of applicable subprocessors is located at https://docs.plasmic.app/learn/subprocessors. Customer may subscribe to receive updates to such web page. Plasmic will notify Customer if Plasmic engages any other subprocessors to assist it in processing Customer Personal Data on behalf of Customer, by updating its subprocessor web page. Customer acknowledges and agrees that updating the web page is sufficient notice hereunder.
3. Additional CCPA Obligations. To the extent that CCPA applies to the processing of Customer Personal Data, Plasmic will act as Customer’s service provider, and as such, unless otherwise permitted for service providers under CCPA:
3.1. Plasmic will not sell or share any Customer Personal Data that it obtains from (or on behalf of) Customer in connection with the Agreement;
3.2. Plasmic will not retain, use or disclose Customer Personal Data (including outside of the direct business relationship between Plasmic and Customer) for any purpose (including any commercial purpose), other than for a business purpose under the CCPA on behalf of Customer and the specific purposes of performing the Services as described in this Addendum;
3.3. Plasmic will not combine (or update) Customer Personal Data that Plasmic receives from, or on behalf of, Customer with (i) personal information that Plasmic receives from, or on behalf of, another person or persons or (ii) personal information collected from Plasmic’s own interaction with a consumer;
3.4. Plasmic will comply with applicable obligations under CCPA and will provide the same level of privacy protection as is required by CCPA, including by cooperating with Customer in responding to and complying with consumer requests and implementing reasonable security procedures and practices appropriate to the nature of the personal information to protect the Customer Personal Data from unauthorized or illegal access, destruction, use, modification or disclosure in accordance with CCPA;
3.5. Plasmic will grant Customer the right to take reasonable and appropriate steps to ensure that Plasmic uses the Customer Personal Data in a manner consistent with Customer’s obligations under CCPA, including ongoing manual reviews and automated scans (subject to notification and mutual agreement of the parties with respect to the method) of Plasmic’s system and regular assessments, audits, or other technical and operating testing (not to exceed once per year);
3.6. Plasmic will promptly notify Customer if Plasmic makes a determination that it can no longer meet its obligations under the CCPA; and
3.7. If Customer reasonably believes that Plasmic is processing Customer Personal Data in an unauthorized manner, the parties will work together in good faith to remediate the allegedly violative processing activities, if necessary.
4. Additional Customer Responsibilities. Section 59.1-579 of the VCDPA requires the contract between a controller and a processor to include the rights and obligations of both parties. Accordingly, Customer agrees to comply with the following controller obligations.
4.1. Customer will limit the collection of Customer Personal Data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.
4.2. Customer will not process Customer Personal Data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such Customer Personal Data is processed, as disclosed to the consumer, unless Customer obtains the consumer’s consent.
4.3. Customer will establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of Customer Personal Data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.
4.4. Customer will not process Customer Personal Data in violation of applicable laws that prohibit unlawful discrimination against consumers.
4.5. Customer will not process sensitive data concerning a consumer without obtaining the consumer’s consent.
4.6. Customer will provide consumers with a reasonably accessible, clear and meaningful privacy notice with all disclosures required by Applicable US Laws and the means for consumers to submit requests and to opt out and opt in to certain data practices, as required by Applicable US Laws.