Company | Legal
Policies & Agreements
Data Protection Addendum
Effective Date: April 28, 2023
This Data Protection Addendum (“Addendum”) establishes minimum data protection standards for Motive Technologies, Inc. (“Service Provider”) in connection with its performance of services for You and/or Affiliate(s) (“Company”) or to the extent it otherwise has access to Personal Information (defined below) in connection with the provision of services to Company under the Motive Terms of Service (https://gomotive.com/legal/terms-of-service/ ) , between Company and Service Provider (the “Terms”) (such services, “Services”). This Addendum is incorporated into and forms part of the Terms. Terms not defined in this Addendum shall have the meaning given in the Terms. Unless otherwise stated in the Terms, in the event of any conflict between the terms of this Addendum and the Terms, the terms of this Addendum shall govern.
1. Effect of Addendum.
Subject to the above modifications, the Terms remain in full force and effect.
2.1. “Applicable Law” means the federal, state, or provincial law applicable to the products or services provided under the Terms which relate to the confidentiality, security, use, and availability of Personal Information.
2.2. “Personal Information” means any information defined as personal information or personal data, relating to an identified or identifiable natural person (“Data Subject”) under Applicable Law. An identifiable natural person is one who can reasonably be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier; or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.3. “Sale” or “Sell” has the meaning provided in Section 1798.140(ad) of the California Civil Code.
2.4. “Security Incident” means a breach of security of a system under Service Provider’s management or control leading to the unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information, as defined by Applicable Law.
2.5. “Share” has the meaning provided in Section 1798.140(ah) of the California Civil Code.
3. Service Provider Representations.
3.1. Service Provider represents and warrants that, under Applicable Law, it is a “service provider,” for the purposes of the services it provides to Company pursuant to the Terms, according to the meaning given to that term in any Applicable Law, as of the date of execution of this Addendum.
4.1. Service Provider, and any subcontractor of Service Provider, shall not Sell or Share Personal Information it receives from, or on behalf of, Company.
4.2. Service Provider shall only use Personal Information for the purpose(s) of providing the Services as set out in the Terms to which this Addendum is attached, or as otherwise permitted by Applicable Law. Service Provider may only disclose Personal Information to third parties for the limited and specified business purpose(s) set forth within the Terms, or as otherwise permitted by Applicable Law.
4.3. Service Provider, and any subcontractor, may not retain, use, or disclose Personal Information received from, or on behalf of, Company for any purposes other than the provision of those Services detailed in a Statement of Work, or as otherwise permitted by Applicable Law.
4.4. Service Provider, and any subcontractor, may not retain, use, or disclose Personal Information received from, or on behalf of, Company for any commercial purpose other than the business purposes specified in the Terms, including in the servicing of a different business, unless expressly permitted by Applicable Law.
4.5. Service Provider, and any subcontractor, may not retain, use, or disclose Personal Information received from, or on behalf of, Company outside the direct business relationship between the Service Provider and Company, unless permitted by Applicable Law.
4.6. Service Provider shall comply with all applicable sections of Applicable Law, including providing the same level of privacy protection as required by Company; including cooperating with Company in responding to and complying with Data Subject’s requests made pursuant to Applicable Law, and implementing reasonable security procedures and practices appropriate to the nature of the Personal Information received from, or on behalf of, Company to protect such Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure.
4.7. Service Provider grants Company the right to take reasonable and appropriate steps to ensure that Service Provider uses Personal Information that it received from, or on behalf of, Company in a manner consistent with Company’s obligations under Applicable Law.
4.8. Service Provider shall notify Company, no later than five (5) business days after it makes such a determination, if it can no longer meet its obligations under Applicable Law.
4.9. Company may require Service Provider to provide documentation that 1) verifies that Service Provider no longer retains or uses Personal Information of Data Subjects that have made a valid request to delete Personal Information which is not subject to an exception to such deletion obligation under Applicable Law; 2) verifies that Service Provider had limited the use of Personal Information of Data Subjects that have made a valid request to limit the use of Sensitive Personal Information which is not subject to an exception to such obligation under Applicable Law; or 3) verifies that Service Provider does not sell or share Personal Information of Data Subjects as defined by Applicable Law.
4.10. Service Provider shall inform Company of any Data Subject request made pursuant to Applicable Law that either Service Provider or Company must comply with, and provide information necessary for Company to comply with the request.
5. Breach Notification.
5.1. Service Provider will a) notify Company of a Security Incident without undue delay after becoming aware of the Security Incident, and b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident. Such notification shall be effectuated in time for Company to be able to fulfill any obligations it may have under Applicable Law.
5.2. Service Provider will assist Company in relation to any personal data breach notifications Company is required to make under Applicable Law. Service Provider will include in the notification under this section such information about the Security Incident as Service Provider is reasonably able to disclose to Company, taking into account the nature of the Services, the information available to Service Provider, and any restrictions on disclosing the information, such as confidentiality.
5.3. Company agrees that an unsuccessful Security Incident will not be subject to this Section. An unsuccessful Security Incident is one that results in no unauthorized access to Personal Information, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.
Service Provider shall provide Company with reasonably requested information necessary to demonstrate compliance with Applicable Law. Service Provider may, provide to Company an independent evaluation by a recognized third-party audit firm such as an American Institute of Certified Public Accountants (“AICPA”) compliant Service Organization Control 2 (“SOC 2″) Type 2 audit covering the relevant scope of systems, applications and services used in providing Services to Company to demonstrate compliance with Service Provider’s obligations under the Terms. Should Service Provider not provide Company with such third party independent evaluation, Company may conduct, in a mutually agreed upon time and scope, an audit of those systems of Service Provider as is reasonably necessary to confirm compliance with Service Provider’s obligations under the Terms.
7. Termination Obligations.
At Company’s direction following expiration or termination of these Terms, Service Provider shall return, in a mutually agreed upon format, or safely destroy all Personal Information that Service Provider obtained in connection with performing the Services exclusively for Company, within thirty (30) days of such expiration or termination. Service Provider shall promptly notify Company in writing once all such information has been returned or destroyed (as applicable in accordance with Company’s direction) provided that Service Provider may maintain copies of Personal Information where continued storage is required or permitted by Applicable Law. For avoidance of doubt, the provisions of this Addendum shall continue to apply to the Personal Information concerned, and Service Provider shall only Process this Personal Data pursuant to the purposes permitted by Applicable Law.