Data Processing Addendum
Flowhub Holdings, Inc. (“Provider”) and the entity identified in the Agreement (as defined below) (“Customer”) enter into this Data Processing Addendum (including the annexes attached hereto, this “DPA”) which forms part of any agreement, order form, statement of work, or purchase order that incorporates it (as amended, supplemented or replaced from time to time the “Agreement”) between the parties.
1. Definitions
For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement.
(a) Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
(b) Applicable Data Protection Laws means, as and to the extent applicable, the State Privacy Laws.
(c) Controller means the entity that, alone or jointly with others, determines the purposes or means of the Processing of Personal Data, including, as applicable, any “business” as that term is defined by the California Consumer Privacy Act.
(d) Customer Data means information provided or made available by Customer to Provider for Processing on Customer’s behalf to perform the Services.
(e) Data Subject means the identified or identifiable natural person to whom Personal Data relates.
(f) Information Security Incident means an actual breach of Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Provider’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
(g) Personal Data means Customer Data that constitutes “personal data,” “personal information,” or “personally identifiable information” as defined in Applicable Data Protection Laws, except that Personal Data does not include such information received by Provider directly or from other sources (such as its other customers) independent of Provider’s relationship with Customer.
(h) Process or Processing means any operation or set of operations which is performed by Provider on behalf of Customer under this Agreement, on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(i) Processor means the entity that Processes Personal Data on behalf and at the direction of the Controller, including, as applicable, any “service provider” as that term is defined by the California Consumer Privacy Act.
(j) Security Measures has the meaning given in Section 4(a) (Provider Security Measures).
(k) Service Data means any data relating to the use, support and/or operation of the Services, which is collected by Provider from and/or about Users of the Services and/or Customer’s use of the Service for use for Provider’s own purposes (certain of which may constitute Personal Data). Service Data includes Personal Data of Customer’s business representatives.
(l) Services means the services that Provider performs for Customer under the Agreement.
(m) State Privacy Laws means, collectively, the comprehensive state-specific data privacy laws and their regulations currently in effect and applicable to Provider’s Processing of Personal Data under the Agreement.
(n) Subprocessors means third parties that Provider engages to Process Personal Data in relation to the Services.
(o) User has the meaning given in the Agreement.
2. Duration and Scope of DPA
(a) This DPA will remain in effect so long as Provider Processes Personal Data, notwithstanding the expiration or termination of the Agreement. Processing of Personal Data subject to the State Privacy Laws with respect to which Customer is a Business, Controller, Processor, or Service Provider and Provider is Customer’s service provider or processor (as such terms are defined in State Privacy Laws) shall be subject to Annex 2 (State Privacy Laws Annex) to this DPA.
3. Customer Instructions
Provider will Process Personal Data as a Processor only in accordance with Customer’s instructions to Provider. By entering into this DPA, Customer instructs Provider to Process Personal Data to provide the Services and to perform its other obligations and exercise its rights under the Agreement. The Parties acknowledge and agree that the details of Provider’s Processing of Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.
4. Security
(a) Provider Security Measures. Provider will implement and maintain technical, administrative, physical and organizational measures designed to protect Personal Data against Information Security Incidents as described in Annex 3 (the “Security Measures”). Provider may update the Security Measures from time to time, so long as the updated measures do not materially decrease the overall protection of Personal Data.
(b) Security Compliance by Provider Staff. Provider shall require that its personnel who are authorized to access Personal Data are subject to appropriate confidentiality obligations.
(c) Information Security Incidents. Provider will notify Customer without undue delay of any Information Security Incident of which Provider becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Provider recommends Customer take to address the Information Security Incident. Provider’s notification of or response to an Information Security Incident will not be construed as Provider’s acknowledgement of any fault or liability with respect to the Information Security Incident. Provider shall reasonably co-operate with Customer and take such commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Information Security Incident. Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Information Security Incident. If Customer determines that an Information Security Incident must be notified to any Supervisory Authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Provider, where permitted by applicable laws, Customer agrees to (i) notify Provider in advance, and (ii) in good faith, consult with Provider and consider any clarifications or corrections Provider may reasonably recommend or request to any such notification, which: (i) relate to Provider’s involvement in or relevance to such Information Security Incident; and (ii) are consistent with applicable laws.
(d) Customer’s Security Responsibilities. Customer agrees that Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Provider uses to provide the Services; and (d) backing up Personal Data.
(e) Customer’s Security Assessment. Customer has determined that the Services, the Security Measures and Provider’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Personal Data.
5. Data Subject Rights
(a) Data Subject Request Assistance. Provider will (taking into account the nature of the Processing of Personal Data) provide Customer with assistance reasonably necessary and technically feasible for Customer to perform its obligations under Applicable Data Protection Laws to fulfill requests by Data Subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in Provider’s possession or control, including but not limited to, access, correction, deletion, and cessation of Processing of Personal Data. Customer shall compensate Provider for any such assistance at Provider’s then-current professional services rates, which shall be made available to Customer upon request.
(b) Customer’s Responsibility for Requests. If Provider receives a Data Subject Request, Provider will (i) notify Customer; and (ii) advise the Data Subject to submit the request to Customer. Customer will be solely responsible for responding to any such request.
6. Customer Responsibilities
(a) Customer shall ensure (and is solely responsible for ensuring) that it has given such notices to and obtained such consents and permissions from third parties (including, without limitation, Data Subjects), and has all rights, in each case, as may be required under applicable law or otherwise for Provider to Process Personal Data as contemplated by the Agreement.
(b) Customer represents and warrants to Provider that Customer Data does not and will not contain any Personal Data that contains racial, ethnic or national origin; religious or philosophical beliefs; political opinions; protected health information subject to the Health Insurance Portability and Accountability Act (“HIPAA”); health insurance information; pregnancy; sex life, sexuality or sexual orientation; status as transgender or non-binary; citizenship; citizenship or immigration status; union membership; status as a victim of crime; genetic, biometric, neural or biological data; personal information of children or teens; precise location information; Social Security number; account login information; financial information or account number; tax return data; contents of a communication to which you were not a party; or any bulk U.S. sensitive personal data or U.S. government-related data, in each case as defined in the U.S. Department of Justice’s Final Rule on Prohibition on Bulk Data Transfers to Foreign Adversaries (28 C.F.R. Part 202), as amended, or any successor or similar rule, law, or regulation (collectively, “Restricted Data”).
7. Subprocessors
(a) Consent to Subprocessor Engagement. Customer generally authorizes Provider to engage third parties as Subprocessors in accordance with this Section 7.
(b) Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available in Annex 4 of this DPA. Provider may continue to use those Subprocessors already engaged by Provider as at the date of this DPA.
(c) Requirements for Subprocessor Engagement. When engaging any Subprocessor, Provider will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. Provider shall be liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor in connection with the services they provide to Provider to the same extent as Provider would have been had it performed the Processing itself.
(d) Opportunity to Object to Subprocessor Changes. When Provider engages any new Subprocessor after the effective date of the DPA, Provider will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by written means. If Customer objects to such engagement in a written notice to Provider within 15 days after being informed of the engagement on reasonable grounds relating to the protection of Personal Data, Customer and Provider will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Provider and pay Provider for all amounts due and owing under the Agreement as of the date of such termination.
8. Audits
Reviews and Audits of Compliance. Customer may audit Provider’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by Applicable Data Protection Laws. Provider will contribute to such audits by providing Customer with the information and assistance reasonably necessary to conduct the audit. Due to the nature of the Services, on-site audits are not necessary for Customer to audit Provider’s compliance with this DPA. If a third party is to conduct the audit, Provider may object to the auditor if the auditor is, in Provider’s reasonable opinion, not independent, a competitor of Provider, or otherwise manifestly unsuitable. Such objection by Provider will require Customer to appoint another auditor or conduct the audit itself. To request an audit, Customer must submit a proposed audit plan to Provider at least two weeks in advance of the proposed audit date and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Provider security, privacy, employment or other relevant policies). Provider will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 8 shall require Provider to breach any duties of confidentiality. If the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and Provider has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. The audit must be conducted during regular business hours, subject to the agreed final audit plan and Provider’s safety, security or other relevant policies, and may not unreasonably interfere with Provider business activities. Customer will promptly notify Provider of any non-compliance discovered during the course of an audit and provide Provider the audit reports generated in connection with the audit(s) under this Section 8, unless prohibited by Applicable Data Protection Laws. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. Any audits are at Customer’s sole expense. Customer shall reimburse Provider for any time expended by Provider and any third parties in connection with any audits or inspections under this Section 8 at Provider’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
9. Return and Deletion
(a) Subject to Sections 9(b) and 9(c), upon the date of cessation of any Services involving the Processing of Personal Data (the “Cessation Date”), Provider shall promptly cease all Processing of Personal Data for any purpose other than for storage or as otherwise permitted or required under this DPA.
(b) Subject to Section 9(d), to the extent technically possible in the circumstances (as determined in Provider’s sole discretion), on Customer’s written request to Provider (to be made no later than fourteen (14) days after the Cessation Date (“Post-cessation Storage Period”)), Provider shall within fourteen (14) days of such request, at Customer’s election either: (i) return a complete copy of all structured Personal Data within Provider’s possession to Customer by secure file transfer, promptly following which Provider shall delete or anonymize all other copies of such Personal Data, or (ii) either (at Provider’s option) delete or anonymize all structured Personal Data within Provider’s possession.
(c) In the event that during the Post-cessation Storage Period, Customer does not instruct Provider in writing to either delete or return Personal Data pursuant to Section 9(b), Provider shall, subject to Section 9(d), promptly after the expiry of the Post-cessation Storage Period either (at its option) delete; or render anonymous, all structured Personal Data then within Provider possession to the fullest extent technically possible in the circumstances.
(d) Nothwithstanding the above, Provider may retain Personal Data, where permitted or required by applicable law, for such period as may be permitted or required by such applicable law, provided that Provider shall (i) maintain measures designed to protect all such Personal Data, and (ii) Process the Personal Data only as necessary for the purpose(s) specified in the applicable law permitting or requiring such retention.
10. Service Data
(a) Customer acknowledges that Provider may collect, use and disclose Service Data for its own business purposes: (i) for accounting, tax, billing, audit, and compliance purposes; (ii) to provide, improve, develop, optimise, market and maintain the Services; (iii) to investigate fraud, spam, wrongful or unlawful use of the Services; (iv) to combine Service Data with other data; (v) to de-identify Personal Data so the de-identified data can be used and disclosed by Provider for lawful business purposes; and/or (vi) as otherwise permitted or required by applicable law.
(b) In respect of any such Processing described in Section 10(b), Provider: (i) independently determines the purposes and means of such Processing; (ii) shall comply with Applicable Data Protection Laws (if and as applicable in the context); (iii) shall process consumer sale/share opt-out requests that are forwarded to Provider by Customer to the extent required by Applicable Data Protection Laws and upon request provide documentation to Customer that it has done so; (iv) shall Process such Service Data as described in Provider’s relevant privacy notices/policies, as updated from time to time; and (iv) where possible, shall apply technical and organizational safeguards to any relevant Personal Data that are no less protective than the Security Measures.
11. Miscellaneous
(a) Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that Provider’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Provider to Customer under this DPA may be given (i) in accordance with any notice clause of the Agreement; (ii) to Provider’s primary points of contact with Customer; or (iii) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
(b) Provider agrees to cooperate in good faith with Customer concerning any amendments as may be reasonably necessary to address compliance with the Applicable Data Protection Laws.
(c) In the event of any conflict or inconsistency between (i) this DPA and the Agreement, this DPA shall prevail, or (ii) this DPA and any AI Features Addendum, this DPA shall prevail with respect to the Processing of Personal Data.
(d) Provider will not re-identify de-identified Personal Data.
12. Limitation of Liability
THE TOTAL AGGREGATE LIABILITY OF EITHER PARTY TOWARDS THE OTHER PARTY, HOWSOEVER ARISING, UNDER OR IN CONNECTION WITH THE AGREEMENT, THIS DPA WILL UNDER NO CIRCUMSTANCES EXCEED ANY LIMITATIONS OR CAPS ON, AND SHALL BE SUBJECT TO ANY EXCLUSIONS OF, LIABILITY AND LOSS AGREED BY THE PARTIES IN THE AGREEMENT.
Annex 1
Data Processing Details
PROVIDER DETAILS
Name: Flowhub Holdings, Inc. is a U.S. corporation
Address: 1630 Welton Street - Suite 905, Denver, CO 80202 USA
Contact Details for Data Protection: Hugh Hunter, VP of Engineering; hugh.hunter@flowhub.com
Provider Activities: Developer of a retail management software designed for cannabis sector business customers. The company offers a platform that creates a global catalogue of products, suppliers, and strains to deliver compliance, point of sale, inventory tracking, and business intelligence data from a single platform.
Role: Processor (and Controller of Service Data)
CUSTOMER DETAILS
Name: The entity or other person who is a counterparty to the Agreement
Customer’s address is: As provided in the Agreement
Customer’s Contact Details for Data Protection: As provided in the Agreement
Customer Activities: Customer’s activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations.
Role: Controller
Categories of Data Subjects: Relevant Data Subjects include any Data Subjects of Personal Data that Customer causes Provider to process as part of the provisions of the Service, including Users, customers, and prospective customers of Customer’s products and services.
Categories of Personal Data: Relevant Personal Data is determined by Customer, and includes any Categories of Personal Data Customer causes Provider to process as part of the provisions of the Service, including:
Personal details– for example any information that identifies the Data Subject, including name, and contact information.
Authentication details – for example username, password or PIN code, security questions and other access protocols.
Technological details – for example internet protocol (IP) addresses, unique identifiers and numbers (including unique identifier in tracking cookies or similar technology), pseudonymous identifiers, precise and imprecise location data, internet / application / program activity data, and device IDs and addresses.
Employment information – for example employer and job title.
Transactional data – for example information relating to or needed to complete orders, including order numbers and transaction history. This includes purchase considerations, consuming history and tendencies.
Sensitive Categories of Data:
Categories of sensitive data: As determined by Customer.
Frequency of transfer: Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.
Nature of the Processing: Processing operations required in order to provide the Services in accordance with the Agreement.
Purpose of the Processing: as necessary to provide the Services as initiated by Customer in its use thereof, and to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA, specifically for the purposes of providing retail management software.
Duration of Processing / Retention Period: For the period determined in accordance with the Agreement and DPA, including Section 9 of the DPA.
Transfers to (sub)processors: Transfers to Subprocessors are as, and for the purposes, described from time to time in Annex 4.
Annex 2
State Privacy Laws Annex
For purposes of this Annex 2, the terms “business,” “commercial purpose,” “sell,” “share,” “targeted advertising” and “service provider” shall have the respective meanings given thereto in the State Privacy Laws, and “personal information” shall mean Personal Data that constitutes personal information governed by the State Privacy Laws.
It is the parties’ intent that with respect to any personal information, Provider is a service provider. Provider (a) acknowledges that personal information is disclosed by Customer only for limited and specified purposes described in the Agreement; (b) shall comply with applicable obligations under the State Privacy Laws and shall provide the same level of privacy protection to personal information as is required by the State Privacy Laws; (c) agrees that Customer has the right to take reasonable and appropriate steps to help to ensure that Provider’s use of personal information is consistent with Customer’s obligations under the State Privacy Laws; (d) shall notify Customer in writing of any determination made by Provider that it can no longer meet its obligations under the State Privacy Laws; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
Provider shall not (a) sell or share any personal information or use it for targeted advertising; (b) retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Services; (c) retain, use or disclose the personal information outside of the direct business relationship between Provider and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) or collected from Provider’s own interaction with any Consumer to whom such personal information pertains, except in each case (a) through (d) as and to the extent necessary as a part of Provider’s provision of the Services or as otherwise permitted by a service provider or processor under the State Privacy Laws. Provider hereby certifies that it understands its obligations under this Section 3 and will comply with them.
Giving Customer notice of Subprocessor engagements in accordance with Section 7 of the DPA shall satisfy Provider’s obligation under the State Privacy Laws to give notice of and an opportunity to object to such engagements.
Provider agrees that Customer may conduct audits, in accordance with Section 8 of the DPA, to help ensure that Provider’s use of personal information is consistent with Provider’s obligations under the State Privacy Laws.
The parties acknowledge that Provider’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Provider’s provision of the Services and the business relationship between the parties.
Annex 3
Security Measures
Organizational management and dedicated staff responsible for the Provider’s information security program.
Data security controls which include, at a minimum, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available industry standard technologies for Personal Data that is transmitted over public networks (i.e., the internet).
Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords.
Monitoring and maintenance of technology and information systems, including secure disposal of systems and media prior to final disposal or release from the Provider’s possession.
Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to the Provider’s technology and information assets.
Incident management procedures design to allow Provider to investigate, respond to, mitigate and notify of events related to the Provider’s technology and information assets.
Network security controls that provide for the use of enterprise firewalls and intrusion detection systems designed to protect systems from intrusion and limit the scope of any successful attack.
Vulnerability assessment, patch management and threat protection technologies designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.
Annex 4
List of Subprocessors
Customer approves that Provider engages the following Subprocessors to Process Personal Data pursuant to this DPA:
Sub-Processor | Function | Location |
Google (Google Cloud) | Cloud hosting and infrastructure | USA |
Google (Gemini Enterprise Agent Platform) | Artificial intelligence and machine learning platform | USA |