DATA PROCESSING AGREEMENT RELATING TO VENDOR PROCESSING OF CLIENT PERSONAL INFORMATION (AS A SERVICE PROVIDER / PROCESSOR ONLY)
Data Processing Agreement
Media Matters SF, LLC dba Ars X Machina (referred to as AXM).
AXM and Vendor agree as follows:
I. Definitions.
a. The terms “collect”, “consumer”, “personal information”, “sell”, “selling”, “share”, “sharing”, “process”, “processing”, “sensitive personal information”, and “service provider” shall have the meanings given to those terms under Data Privacy Laws and such terms include any analogous terms used under Data Privacy Laws.
b. “Business Purpose” means the performance of the services on behalf of AXM Client(s) as described in the Agreement, any applicable Order Form, and, where applicable, pursuant to 1798.140(e)(5) of the CCPA.
c. “Client Personal Information” means the contact information, online identifiers, and any other personal information that is (i) made available, provided by or on behalf of Client to Vendor, or collected by Vendor; and (ii) Processed by Vendor in connection with the Business Purpose. Client Personal Information does not include personal information Vendor receives from, or on behalf of, another person or persons, from its own interaction with consumers, or outside the scope of this DPA.
d. “Data Privacy Laws” means all applicable data protection, privacy, data security, security breach notification, and related laws, rules, and regulations, in any jurisdiction, such as California Civil Code §§ 1798.100 to 1798.199 (the “CCPA”), and including any implemented regulations, as updated or amended from time to time, and any legally binding requirements, orders, directives or decisions of any regulatory, judicial, or governmental authority in connection with the enforcement thereof.
e. All other capitalized terms used herein shall have the meanings assigned to them in the Agreement.
II. Compliance with Data Privacy Laws. Each Party shall comply at all times with Data Privacy Laws, including all obligations specifically applicable to Vendor as a service provider of Client Personal Information, which are incorporated by reference herein. Each Party shall reasonably cooperate with the other as necessary to fulfill its obligations under Data Privacy Laws.
III. Additional Obligations of Vendor.
a. Vendor shall not, without AXM’s prior express written consent: (i) make any personal information, including sensitive personal information, available to or accessible by AXM; (ii) process Client Personal Information except as authorized by this DPA or the Agreement or as otherwise required by applicable law; or (iii) make Client Personal Information available to any other party unless required by law or to Vendor’s service providers and employees who have a need to process such Client Personal Information for the Business Purpose.
b. Vendor is prohibited from: (i) selling or sharing Client Personal Information; and (ii) combining Client Personal Information with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer.
c. Vendor shall implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Client Personal Information, including, without limitation, protection against unauthorized or unlawful processing (including, without limitation, unauthorized or unlawful disclosure of, access to and/or alteration of Client Personal Information) and against accidental loss, destruction, or damage of or to it. Vendor shall promptly notify AXM if it can no longer meet the requirements of this Section 4.1(c) or in the event Vendor becomes aware of any actual or reasonably suspected unauthorized access, use, or disclosure of Client Personal Information in Vendor’s (or its service providers’) possession or control (“Security Breach”).
d. To the extent Vendor collects Client Personal Information on behalf of any Client, whether online or offline, Vendor shall make such Client’s then-current version of its privacy policy available to consumers as required by Data Privacy Laws.
IV. Indemnification; Limitation of Liability. In addition to any indemnification obligations elsewhere in the Agreement, Vendor agrees to indemnify, defend, and hold harmless AXM and its Clients and their respective affiliates, subsidiaries, successors and assigns from and against any and all claims, losses, demands, liabilities, damages, settlements, expenses and costs (including reasonable out-of-pocket attorneys’ fees and costs), arising from, in connection with, or based on third party allegations of, any Security Breach or Vendor’s (or its service providers’) failure to comply with any of its obligations set forth in this DPA. This indemnification obligation is not subject to any limitation of liability elsewhere in the Agreement.
V. Deletion and Return. Vendor shall (a) if requested to do so by AXM by the date of termination or expiry of the Agreement, return a copy of all Client Personal Information or provide self-service functionality allowing AXM to do the same; and (b) within 90 days of the termination or expiry of the Agreement, delete and use all reasonable efforts to procure the deletion of all other copies of Client Personal Information processed by Vendor.
VI. Miscellaneous. Except as expressly set forth herein, the terms and conditions of the Agreement, including without limitation, any rights and obligations of the parties thereunder, shall remain unmodified and in full force and effect and shall apply to each Party’s respective obligations under this DPA. If Data Privacy Laws are modified, amended or any part of Data Privacy Laws ceases to be lawful or enforceable, or is otherwise deemed invalid, the obligations in this DPA shall be deemed correspondingly modified, amended or no longer lawful or valid.