In the event that any provisions of thisExhibit conflict with the terms of the Agreement and/or any Statement of Workbetween the parties, the provisions of this Exhibit shall govern. Except asotherwise provided herein, the Agreement and any fully executed Statement of Work between the parties shall remain in full force and effect.
1. Processing ofPrivacy Data. For purposes of applicablelaws, including without limitation the California Consumer Privacy Act of 2018(“CCPA”) and the Virginia Consumer Data Protection Act (“CDPA”), CreativePartner shall be a service provider or processor or equivalent term,respectively, with regard to Privacy Data (as defined herein), and Client shallbe a business or controller or equivalent term, respectively, with regard toPrivacy Data. Privacy Data shall only be accessed, used, maintained, collected,modified, merged, shared or disclosed by Creative Partner as necessary forCreative Partner to perform its obligations on behalf of Client under thisExhibit and the Agreement, and otherwise required by Client in writing. “Privacy Data” shall mean any informationthat identifies, relates to, describes, is capable of being associated with, orcould reasonably be linked, directly or indirectly, with a particular consumeror household including, without limitation, any inferences drawn therefrom orderivatives thereof. Except as expresslyprovided to Creative Partner, no right, title, or interest in Privacy Data istransferred to Creative Partner, and as between Creative Partner and Client,all Privacy Data is and will be deemed to be and will remain the exclusiveproperty of Client. Except as set forthin this Exhibit, or as Client otherwise directs in writing, Creative Partnermay not modify the Privacy Data, merge it with other data, or sell, resell,lease, assign, rent, sublicense, distribute, transfer, disclose, time-share orotherwise use Privacy Data (or any portion thereof) for any purpose, commercialor otherwise. The acts or omissions ofCreative Partner's employees, agents, representatives, contractors,subcontractors or affiliates (and such affiliates' employees, agents, representatives,contractors, or subcontractors) will also be deemed the acts or omissions ofCreative Partner.
1. Sensitive PersonalData. Creative Partner shall notcollect, solicit, request, or receive any Sensitive Personal Data in connectionwith this Agreement or otherwise on behalf of Client. “Sensitive Personal Data” means: (1) personaldata that reveals (A) a consumer’s social security, driver’s license, stateidentification card, or passport number; (B) a consumer’s account log-In,financial account, debit card, or credit card number in combination with anyrequired security or access code, password, or credentials allowing access toan account; (C) a consumer’s precise geolocation; (D) a consumer’s racial orethnic origin, religious or philosophical beliefs, or union membership; (E) thecontents of a consumer’s mail, email, or text messages, unless the business isthe intended recipient of the communication; (F) a consumer’s genetic data;(2)(A) the processing of biometric data for the purpose of uniquely identifyinga consumer; (B) personal data collected and analyzed concerning a consumer’shealth; or (C) personal data collected and analyzed concerning a consumer’s sexlife or sexual orientation; and (3) personal data of an individual known to beunder the age of 13 years. SensitivePersonal Data is a subset of Privacy Data. In the event the parties agree to allow Creative Partner to processSensitive Personal Data, additional security terms must be agreed in connectiontherewith prior to any collection, use, or processing of such Sensitive PersonalData.
1. Transfer of PrivacyData. The parties agree that anytransfer or disclosure of personal Privacy Data between Creative Partner andClient under the Agreement is not for monetary or other valuable considerationand therefore does not constitute a sale of personal information under theCalifornia Consumer Privacy Act of 2018. Additionally, Creative Partner shall not further transfer or disclosePrivacy Data in exchange for any monetary or other valuable considerationwithout Client’s prior written consent, in all cases subject to Section 4 below(“Privacy Data Sales”).
1. Privacy Data Sales. Creative Partner shall not sell any PrivacyData unless in each instance: (a) Client has provided express prior writtenapproval; and (b) Creative Partner (or another party acting on CreativePartner’s behalf) has provided the applicable consumers with (1) explicitnotice about the potential sale of their information by Creative Partner and(2) an opportunity to opt out of such sale within a reasonable time (but in noevent less than ten business days) of receiving such notice. Such notice and opt-out opportunity shall beseparate from any notice or opt-out opportunity originally provided to suchconsumers by Client. If Creative Partnerreceives any direction from a consumer not to sell the consumer’s Privacy Data(or if the consumer is a minor and Creative Partner has not received consent tosell the minor’s Privacy Data), Creative Partner shall not sell the consumer’sPrivacy Data going forward, unless the consumer subsequently provides expressauthorization for such sale.
1. Access Limitations. Creative Partnershall not disclose or transfer Privacy Data to any third party, including anyagent, contractor or sub-contractor, without the prior permission of Clientgiven in writing or via email, or other electronic means, except to the extentthat a disclosure or transfer is required by law or is authorized under theAgreement or an applicable Statement of Work. Creative Partner will restrictaccess to Privacy Data only to those individuals who have a need to know orotherwise access the Privacy Data to enable Creative Partner to perform itsobligations under this Exhibit, and as otherwise permitted by this Exhibit,provided that (a) a background check has been conducted of those individualsand (b) those individuals have committed in writing to follow thisExhibit. Upon Client's written request,Creative Partner will promptly identify in writing all individuals who havebeen granted access to the Privacy Data as of the date of the request. Creative Partner will at all times cause itsemployees and others to whom it provides Privacy Data to strictly abide byCreative Partner's obligations under this Exhibit. Creative Partner further agrees that it willmaintain a disciplinary process to address any unauthorized access, use ordisclosure of Privacy Data by any of Creative Partner’s officers, partners,principals, employees, agents or independent contractors.
1. Assistance. Should Client receive a request from an individualexercising their rights under applicable privacy or data security laws,including, without limitation, the California Consumer Privacy Act, CreativePartner shall promptly (and in any event, within seven (7) days) and at nocharge to Client, assist Client in the fulfillment of Client’s obligation torespond to such request. Individualrequests may seek, without limitation, easily portable copies of, correctionsto, or deletion of all Privacy Data relating to the individual. Creative Partner shall implement technicaland administrative procedures necessary to categorize, access, modify, delete,and upload Privacy Data so that Creative Partner may promptly and fully assistClient if requested. If Creative Partnerreceives a request directly from an individual, Creative Partner will, to theextent not prohibited by applicable law or any regulatory authority: (a)promptly (and in no event longer than 24 hours after receipt of such request)forward the request to Client for handling; (b) if requested, provide Clientwith copies of documents relating to the request; (c) not refer to Client orits affiliates in any correspondence with the requester without Client’s priorwritten consent; and (d) not disclose any confidential information of Client orits affiliates without Client’s prior written consent. Creative Partner shall, upon Client’srequest, cooperate in good faith with Client to enter into additional ormodified contract terms to address any modifications, amendments, or updates toapplicable laws, including, without limitation, the California Consumer PrivacyAct of 2018.
1. Confidentiality. Creative Partnershall: (a) keep confidential all such Privacy Data which it uses pursuant tothe terms of the Agreement; and (b) limit access to such Privacy Data only tothose of its employees who have a need to access such Privacy Data in order toperform their job functions, and to ensure that those employees are trainedwith respect to the obligations imposed by this Exhibit and sign an undertakingto comply with these obligations as described below. This obligation shallsurvive termination of the Agreement to the extent that Creative Partner hasany such Privacy Data in its possession.
1. Security. The CreativePartner shall comply with high standards of security in accordance withindustry best practices and applicable laws and regulations. The CreativePartner shall implement appropriate technical and organizational measures toprevent unauthorized access, disclosure, alteration, or destruction of data,including but not limited to encryption, firewalls, access controls, andregular security audits. The Creative Partner shall also ensure that allpersonnel who have access to the data, tools, and systems are trained in andcomply with the highest standards of security. In the event of a breach orpotential breach of security, the Creative Partner shall notify the other partyimmediately and take prompt action to mitigate any harm caused. CreativePartner warrants that it has adopted and implemented, and will maintain for aslong as this Agreement is in effect or as long as Creative Partner stores orprocesses Privacy Data (whichever is later), technical and organizationalmeasures to protect Privacy Data against accidental, unauthorized or unlawfuldestruction, loss, alteration, disclosure, and access, and against all otherunlawful activities. To fulfill itsobligations under this section, Creative Partner shall have in place, at aminimum, any physical, technical, administrative, and organizational safeguardsthat provide for and ensure: (a) protection of business facilities, paperfiles, servers, computing equipment, including without limitation all mobiledevices and other equipment with information storage capability, and backupsystems containing Privacy Data; (b) network, application (including databases)and platform security; (c) business systems designed to optimize security andproper disposal of Privacy Data according to the terms of this Exhibit; (d)secure transmission and storage of Privacy Data; (e) authentication and accesscontrol mechanisms over Privacy Data, media, applications, operating systemsand equipment; (f) personnel security and integrity, including backgroundchecks where consistent with applicable law; (g) annual training to Creative Partner’semployees on how to comply with the Creative Partner’s physical, technical andadministrative information security safeguards and confidentiality obligationsunder applicable laws, rules, regulations and guidelines; (h) reasonably up todate versions of security agent software for systems that house Privacy Data,which include malware protection, and use reasonably up-to-date patches andvirus definitions; and (i) storage limitations such that Privacy Data residesonly on servers in data centers that comply with industry standard data centersecurity controls, and restrictions to ensure that Privacy Data files are notplaced on any notebook hard drive or removable media, such as compact disc orflash drives, unless encrypted. Exceptas otherwise required by law, all digital and hard copies of Privacy Data shallbe securely deleted or destroyed once such information is no longer requiredfor Creative Partner to perform its obligations under the Agreement orapplicable Statement of Work. Creative Partner shall immediately delete orsecurely return, at Client’s discretion, all copies of Privacy Data uponexpiration or termination of the Agreement, or upon Client’s request.
1. PCI Compliance. To the extentapplicable to the services provided under the Agreement, Creative Partneracknowledges that it is responsible for the security of the credit, debit orother cardholder payment information it processes, and hereby represents andwarrants that it will comply with the most current PCI Standard in connectionwith the processing of such data, including, but not limited to: (a) creatingand maintaining a secure network to protect cardholder data; (b) using alltechnical and procedural measures reasonably necessary to protect cardholderdata it maintains or controls; (c) creating and implementing secure measures tolimit access to cardholder data; (d) monitoring access to cardholder data itmaintains or controls; and (e) creating and implementing an informationsecurity policy that assures employee compliance with the foregoing. Creative Partner acknowledges that it isresponsible for maintaining compliance with the then-current PCI DSSrequirements and monitoring the PCI DSS compliance of all associated thirdparties Creative Partner may provide with access to cardholder data inaccordance with the terms of the Agreement.
1. Encryption. Creative Partnershall ensure that (a) any Privacy Data that it transmits over a network,whether via email, file transfer protocol, or other means of electronicexchange, and (b) any Privacy Data stored on a portable device, including butnot limited to a laptop computer, USB drive, floppy disk, or CD, shall beencrypted using a cryptographic algorithm employing a key length of at least128 bits.
1. Data Breaches. In the event ofany actual or suspected unauthorized access to or acquisition of Privacy Dataor Client Confidential Information (“Data Breach”), Creative Partner shallinform Client in writing or via email or facsimile of the same within one (1)day of Creative Partner’s discovery of the Data Breach. In addition, CreativePartner shall investigate and remediate the Data Breach and, to the extent thata Data Breach results in a legal obligation on Creative Partner or Client tonotify impacted individuals or would put impacted individuals at risk, CreativePartner shall provide Client with assurances satisfactory to Client that a DataBreach will not recur. Creative Partner warrants that if there has been a DataBreach, all responsive steps will be documented, and a post-incident reviewwill be made of both the events and also actions taken, if any, to changebusiness practices made relating to Privacy Data. Creative Partner agrees to fully cooperatewith Client in Client's handling of the matter, including without limitationany investigation, reporting or other obligations required by applicable law orregulation, or as otherwise required by Client, and will work with Client tootherwise respond to and mitigate any damages caused by the Data Breach. Creative Partner shall not notify any thirdparty of the Data Breach without Client’s prior, written authorization. Creative Partner shall reimburse Client forall costs incurred in responding to and/or mitigating damages caused by a DataBreach, including, without limitation, costs of forensic investigation,regulatory fines, notification costs, credit monitoring, and/or reasonableattorneys’ fees.
1. Agents and Subcontractors. Creative Partner may sharePrivacy Data with agents, subcontractors, or other third parties only withClient’s prior written consent. Prior toengaging any third party that will process Privacy Data, Creative Partner shallconduct and document a thorough review of such third party’s technical, administrative,and organizational safeguards to protect sensitive information. Any such thirdparty to which Creative Partner discloses Privacy Data shall be required byCreative Partner to enter into written contractual obligations that are no lessstringent than the obligations imposed upon Creative Partner by this Exhibit.Upon written request, Creative Partner shall provide to Client copies of suchwritten contractual obligations to evidence compliance with the foregoing. Creative Partner shall be fully and solelyresponsible for all acts or omissions of its agents, subcontractors, or otherthird parties in relation to this Exhibit.
1. No Export; UnitedStates Only. Creative Partner shall notcollect, solicit, request, or receive any Privacy Data from outside of theUnited States. Creative Partner will nottransmit, directly or indirectly, any Privacy Data to any country outside ofthe United States without the prior written consent of Client. Where Client provides its consent, suchcross-border transfer must comply with any relevant requirements of anyapplicable law, rule, or regulation, including, without limitation, thoserelated to the protection of personal information.
1. Written Program. Creative Partner represents and warrants thatit has a written program instructing its employees and Partners how to protectPrivacy Data. Creative Partner furtherrepresents and warrants that it shall use all necessary steps to protectPrivacy Data, including conducting on a regular basis assessments offoreseeable internal and external risks to the security, confidentiality andintegrity of electronic, paper and other records containing personalinformation, and as necessary improving the effectiveness of its safeguards tolimiting such risks, including employee training, ensuring ongoing employeecompliance with its written program, and the development of measures fordetecting and preventing security system failures. Creative Partner has identified a specificrepresentative to be in charge of its program, and shall ensure that thisindividual is available to Client to respond to any questions and to work withClient in the event of a Data Breach.
1. Audit and Inspection. Client reserves the rightto conduct (or have conducted by a third-party auditor) on-site audits toensure Creative Partner's (and its subcontractors’) compliance with the PrivacyData obligations under this Exhibit, including, if applicable, compliance withapplicable privacy and data protection laws, rules, regulations, and orders. Creative Partner shall otherwise cooperatewith Client in Client's efforts to monitor Creative Partner’s compliance. On an annual basis, Creative Partner willprovide a current SSAE16 SOC Type I and/or Type II audit of its internal controls. Creative Partner will promptly, at its soleexpense, remediate any material deficiencies identified in any such audit.
1. Injunctive Relief. Creative Partner acknowledges and agrees thata threatened or actual breach of this Exhibit will result in irreparable harmfor which monetary damages may not provide a sufficient remedy, and that inaddition to all other remedies, Client shall be entitled to obtain specificperformance and injunctive relief, specifically to protect against thedisclosure or improper use of Privacy Data, as a remedy for any such breach ofthis Exhibit by Creative Partner without posting security and without prejudiceto such other rights as may be available under this Exhibit or under applicablelaw. Further, Creative Partner’s failureto comply with any of the provisions of this Exhibit shall be deemed a materialbreach of the Agreement, and Client may terminate the Agreement withoutliability to Creative Partner.
1. Representations and Warranties. Creative Partner represents and warrants that it will comply with all applicable laws, rules,regulations and industry guidelines, including, without limitation, MA 201C.M.R. §§ 17.00 et seq., the VirginiaConsumer Data Protection Act, and the California Consumer Privacy Act of 2018,in the fulfillment of its obligations and otherwise in its rendering ofservices to Client. Creative Partnerrepresents and warrants that it has created written guidelines to ensure itscompliance with its obligations under this Exhibit, and shall provide thosewritten guidelines to Client upon request.
1. Indemnification/Remedies. Creative Partner agrees to indemnify, defendand hold harmless, on demand, Client, including its parent, subsidiaries,affiliates and each of their respective officers, shareholders, directors andemployees (“Indemnified Parties”), from and against any claims, losses,liabilities, costs or expenses (including reasonable attorneys’ fees) arisingout of or in relation to Creative Partner’s performance of its obligations (orthe performance of a third party working on behalf of Creative Partner)relating to the Privacy Data provisions of this Exhibit or Creative Partner’sor any of its employees’ (or the performance of a third party working on behalfof Creative Partner) failure to comply with this Exhibit. Creative Partner’sindemnification obligations under this Exhibit shall not be subject to anydisclaimer of damages, cap on liability, or other limitation of liability.Creative Partner agrees that, without limiting any of its other rights orremedies under the Agreement or at law, Client will have the right to terminatethe Agreement upon written notice to the Creative Partner in the event ofbreach by Creative Partner (or a third party working on behalf of CreativePartner) of any of its Privacy Data obligations under this Exhibit.