Data Processing Addendum
This Data Processing Addendum (“this Addendum”) applies to Azuga, as Data Processor / Service Provider, and Customer as the Data Controller of the Personal Data of End Users. Capitalized terms used but not defined in this Addendum have the meaning set out in the General Terms.
A. Definitions
i. “Personal Data” means for that subset of data processed under the Agreement that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household or relating to an identified or identifiable natural person (a “Data Subject”).
ii. “Privacy Laws” means all applicable national, international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements, currently in effect and as they become effective relating in any way to data privacy, Personal Data, Personal Data protection, and trans-border Personal Data flow, and data breach notification.
iii. “process” or “processing” means any operation or set of operations performed upon Personal Data, or set of Personal Data, whether by manual or automatic means, including collection, use, sale, storage, disclosures, analysis, deletion, or modification.
iv. “Personal Data Security Incident” used in this Addendum means a breach of security leading to the actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or acquisition of, or access to, Personal Data transmitted, stored, or otherwise Processed under this Addendum.
v. “Services” means the Azuga Services and the Azuga Devices provided by Azuga’s suppliers under the Agreement.
B. Customer Obligations
i. To the extent that the Services include the processing of Personal Data, Azuga will process Personal Data only on behalf of and for the benefit of Customer in connection with Azuga’s provision of the Services. The Customer determines: (i) the purposes for which the Services are used; (ii) the means to collect Personal Data through the Services, which Customer can control through settings in Products and in the Services; and (iii) the type of Personal Data collected. Without limitation of its obligations under the General Terms, Customer agrees to comply with all applicable Privacy Laws in any relevant jurisdiction worldwide and with all other Data laws, regulations, or guidelines, including applicable industry guidelines, principles, agreements, and standards applicable to the use of videos, cameras, or video surveillance, geolocation devices and data, telemetric data, and biometric data, including, for example, the Illinois Biometric Information Privacy Act, 720 ILCS 14; and any implementing or successor legislation, amendments, and/or restatements or reenactments of the foregoing.
ii. Azuga will enable the Customer to respond to Personal Data requests to exercise rights under the applicable Privacy Laws. To the extent that the Customer as the Controller does not have the ability to address a request, then upon the Customer’s request Azuga will provide reasonable assistance to the Customer to facilitate such request to the extent possible and required by applicable law. Taking into account the nature of the processing and the information available to Azuga, Azuga will assist Customer by providing information to Customer necessary to enable Customer to conduct and document any data protection assessments required by applicable Privacy Laws. The Customer will reimburse Azuga for the costs arising from providing this assistance.
iii. Azuga and the Services allow Customer to manage and control all Customer Content and Driver Information on the Services and fulfill the rights of other Persons on Customer’s account. If Customer has any issue with respect to Customer’s obligations as a Controller for the Services for any Person, please contact privacy@azuga.com.
C. Data Processing
i. The parties acknowledge and agree that Customer is the Controller of Personal Data of any Person and Azuga is the Processor of that Personal Data. Azuga will collect, process and use Personal Data only within the scope of Customer’s instructions as the Controller. The purposes of the processing of Personal Data are determined solely by the Customer as Controller. The processing activities will include, without limitation, the delivery of the Services (as configured by Customer) as well as the de-identification of Personal Data and aggregation of de-identified Personal Data. Azuga will process Personal Data collected from Products and Services interfaces, including through equipment and services, and integrations to equipment and services, that the Customer has provided, whether directly or through another Person on its behalf. Azuga shall collect, process and use Personal Data only within the scope of Customer’s instructions as the Controller. Azuga will not retain, use or disclose Personal Data for any purposes other than providing the Services and as otherwise expressly specified in the Agreement or in this Addendum.
ii. This Addendum is Customer’s complete and final instruction to Azuga in relation to Personal Data. Additional instructions would require written agreement between the parties. Customer will inform Azuga as Processor without delay about any errors or irregularities related to the processing of Personal Data.
iii. Customer will implement and maintain appropriate and up-to-date technical and organizational measures to adequately protect Personal Data stored or accessible on the Product(s) against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access. Azuga will notify the Customer without undue delay after it becomes aware of any Personal Data Security Incident. At the Customer’s request, Azuga will provide the Customer as Controller with reasonable assistance necessary to enable the Controller to notify the applicable data protection authorities, if the Customer is required to do so under the applicable law.
D. Sharing of videos or other Personal Data
i. The Services enable the Customer to create and review live video streams from connected Products, and to share a link through which the stored videos and other Product and driving data and events, such as speeding, violent turns, and sudden stops, can be accessed and viewed (“Shared Data”). Such Shared Data may include Personal Data of the driver, passengers, and other people outside the vehicle.
ii. Customer will give careful consideration when sending Shared Data to any third party within or outside Customer’s organization (“Recipient”). Customer will consider the Privacy Laws applicable to any Person whose Personal Data is part of the Shared Data, their rights, and Customer’s obligations as the Controller. Customer will consider carefully its legal basis and legitimate interest in such sharing of Shared Data and compliance with all applicable Laws. Customer will ensure Recipients also implement and maintain appropriate up-to-date technical and organizational measures to adequately protect Personal Data, especially against unauthorized disclosure or access. Customer should make use of the controls within the Services that allow limits on the access to Shared Data, for example by time or amount of views.
iii. Recipients, by accessing any Shared Data, may be subject to certain obligations pursuant to applicable Privacy Laws. Recipients are responsible for any action they take with respect to such Shared Data. Recipients will consider carefully the privacy rights of any Person whose Personal Data is part of the Shared Data, their rights, and Recipient’s obligations as a Recipient of such data. Recipient will limit distribution and usage of Shared Data to the minimum needed to fulfill its duties, legal basis, or legitimate interest in accessing and processing Shared Data. Recipients will inform Customer in case it does not agree with any specific instruction issued by the Customer and will not access Shared Data until it has clarified the obligations of each party. Where Personal Data is transferred or accessed from a country that is not considered to have an adequate data protection level under applicable Privacy Laws, parties will inform each other and ensure that the Personal Data transfer complies with the Privacy Laws, including the adoption of one effective cross-border transfer mechanism and the necessary risk assessments.
E. Children
The Services compose a technology platform for driving safety and documentation and are not intended for use by or with children. Azuga does not intentionally collect or process children’s Personal Data. Customer will not permit any use of the Services with or by children and Customer is liable and responsible for all such use and for the Personal Data collected by such use. If any children’s Personal Data, including videos of children, in or outside the vehicle, are captured by the Services, Customer certifies that the End User is the parent or legal guardian of such children or has another strong legal justification for the processing, and that the End User has provided consent for any processing of such data and videos as part of the normal operations of the Services. Customer acknowledges and agrees that Azuga reserves the right to delete or prevent further processing of any Personal Data or videos containing Personal Data of children in its sole discretion to comply with any Privacy Laws or other Laws and to protect children’s rights or its legal interests.
F. Other processors
Azuga uses additional processors around the world for various processing activities needed for the performance of the Services, Azuga’s other products and services, its operations, and its business, and shares information with such processors on a need basis. Without derogating from the generality of the above, such processors include hosting and backup providers, analytics providers, website technology, advertising technology, telecommunication services, media transmission services, security technology, and more. Azuga shares information with each processor based on the business need in using such processor, to protect Personal Data while still effectively benefiting from the services of such processor. Azuga takes appropriate safeguards in the selection of its processing vendors around the world to require that Personal Data is well protected. It may be the case that a country where Customer’s Personal Data is processed has different, or less protective, data protection and privacy regulation than in Customer’s country, and Customer agrees to such data transfers and processing by the other processors selected by Azuga. Customer hereby acknowledges and accepts that Azuga might transfer Customer’s Personal Data for service operation purposes to countries outside the jurisdiction where Customer operates.
G. Security
Azuga will implement, maintain, and enforce a written information security program that incorporates organizational, administrative, physical, and technical measures to protect the security and confidentiality of Personal Data and the systems used to process Personal Data (the “Security Measures”). Such Security Measures will, at a minimum: (i) be no less rigorous than accepted industry standards and practices for information security (i.e., ISO 27001/2 certified or SSAE 16 (Type 2) compliant); (ii) be appropriate to the risks presented by the nature of the Services and Azuga’s processing of Personal Data, in particular from any potential Security Incident; and (iii) comply with applicable Laws. Without limitation, if Azuga processes cardholder or other payment card data under the Agreement, then Azuga will ensure that it is in compliance with the U.S. Payment Card Industry Data Security Standard (“PCI-DSS”) and certify to the same, upon request.
H. Personal Data Security Incident
In the event of any Personal Data Security Incident, Azuga will, at its sole cost and expense: (i) immediately (and in no event later than seventy-two (72) hours after becoming aware of the Personal Data Security Incident) notify Customer; and (ii) promptly undertake an investigation of the Personal Data Security Incident and reasonably cooperate with Customer in connection with its investigation; and (iii) permit Customer to take reasonable and appropriate steps to stop and remediate unauthorized use of the Personal Data concerned.
I. Audits
At least once per year covering the preceding twelve (12) month period, Azuga will undertake an independent third-party audit of its policies and technical and organizational measures in support of the obligations under this Addendum using an appropriate and accepted control standard or framework and audit procedure as applicable. Upon Customer’s request, Azuga will provide copies of such audits to Customer. Azuga will permit Customer the right to take reasonable and appropriate steps to ensure that Azuga uses the Personal Data that it processes for Customer in a manner consistent with Customer’s applicable obligations under applicable Privacy Laws and with this Addendum. At Customer’s request, Azuga will provide information necessary for Customer to meet its obligations under applicable Privacy Laws.
J. Certification
Azuga certifies that it understands and will comply with the requirements and restrictions set forth in this Addendum.
K. Return or Destruction of Personal Data
At the choice of Customer, Azuga will delete or return all Personal Data to Customer as requested at the end of the provision of Services, unless retention of the Personal Data is required by Azuga’s retention policies, or applicable Laws, including Data Laws.
Exhibit 1 Regarding U.S. Personal Data
Specifics of Business Purpose, Services, Personal Information, and Duration of Processing
The Business Purpose(s) of the Processing to be performed by Azuga: “Business purpose” means the use of Personal Data for Customer’s operational purposes, or other notified purposes, including to provide Customer with driver scores for End User and to provide feedback to individual drivers, provided that the use of Personal Data shall be reasonably necessary and proportionate to achieve the purpose for which the Personal Data was collected or processed or for another purpose that is compatible with the context in which the Personal Data was collected.
The nature of the Services that require use of Personal Data: Provision of a telematics data system to Customer.
Types of Personal Data processed: First name; Last name; Email Id; Contact Phone Number; Address - Address 1, 2, city, state and zip; Personal Phone Number; Work Phone Number; DOB; Age; Blood Group
Duration of Processing: As provided in the Agreement.