Generix US Data Processing Agreement
This Data Processing Agreement (“DPA”) supplements any existing agreement(s) either previously or concurrently made between Generix, Inc. (“GENERIX”) and its customers (each, a “Customer”) in connection with the services provided by GENERIX to Customer under one or more agreements between GENERIX and Customer (collectively, the “Agreement”) relating to the Processing of Personal Information originating from the United States or relating to individuals residing in the United States.
All capitalized terms not otherwise defined in this DPA will have the meanings given to them in the Agreement. If there is any inconsistency or conflict between this DPA and any Agreement in effect between GENERIX and Customer, then as it relates to data protection or Processing, this DPA will control and will survive any termination or expiration of the Agreement.
This DPA only applies to the extent GENERIX Processes Personal Information on behalf of Customer and is therefore a Processor.
1. Definitions
- “Applicable Laws” means all laws and regulations in force on data protection and data privacy relating to Personal Information for each jurisdiction in the United States where GENERIX provides Services to the Customer.
- “Business Purpose” means the use of Personal Information for the Customer’s or GENERIX’s operational purposes, or other notified purposes, as defined in the CCPA, which is reasonably necessary and proportionate to achieve the operational purpose for which Personal Information was collected or processed or for another operational purpose that is compatible with the context in which Personal Information was collected.
- “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code 1798.100 et seq. as amended from time to time.
- “Collects,” “Collected,” or “Collection” means buying, renting, gathering, obtaining, receiving, or accessing any Personal Information pertaining to a Consumer by any means.
- “Commercial Purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.
- “Consumer” means a natural person.
- “Controller” means a legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects Consumers’ Personal Information, or on behalf of whom such information is collected and that alone or jointly with others determines the purposes and means of processing Consumers’ Personal Information. In jurisdictions that use the term “Business” to refer to a person or entity fitting the foregoing description, the term “Controller” as used in this DPA has the same meaning as the term “Business”.
- “Personal Information” means any information provided or made available to GENERIX by Customer that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifier.
- “Process,” “Processing,” and “Processes” means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means.
- “Processor” means a legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that Processes information on behalf of a Controller and to which the Controller discloses a Consumer’s Personal Information for a Business Purpose. In jurisdictions that use the term “Service Provider” to refer to the person or entity fitting the foregoing description, the term “Processor” as used in this DPA has the same meaning as the term “Service Provider”.
- “Security Breach” means a breach of security leading to the unauthorized access to or acquisition of Personal Information, which compromises the security, confidentiality, or integrity of that Personal Information.
- “Sell” means selling, renting, licensing to others, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information to another business or a third party for monetary or other valuable consideration.
- “Sensitive Personal Information” has the meaning assigned in Applicable Laws.
- “Services” means the services or other activities to be provided by or on behalf of GENERIX for Customer pursuant to the Agreement, including the Customer’s use of GENERIX’s software-as-a-service offerings.
- “Subcontractor” means a person (but excluding an employee) engaged or appointed by GENERIX to receive or Process Personal Information in connection with the Agreement.
2. Responsibilities of the Parties
- Roles of the Parties and Details of the Processing. The parties acknowledge and agree that GENERIX, a Processor, is providing Services to and Processing Personal Information on behalf of the Customer, a Controller. GENERIX will Process Customer’s Personal Information solely for the purposes of providing the Services and Professional Services in accordance with the Agreement and otherwise in accordance with any documented instructions of Customer.
- Compliance with Laws. GENERIX shall at all times be aware of and comply with Applicable Laws in the Processing of Personal Information.
- GENERIX’s Responsibilities. When Processing Personal Information on behalf of the Customer, GENERIX shall not: (i) retain, use, or disclose Personal Information it receives, collects or Processes in connection with the Services for any purpose other than for performing the Services and in accordance with the terms of this DPA, the Agreement and the Customer’s instructions; (ii) use or Process Personal Information for Commercial Purposes other than performing the Services; (iii) Sell Personal Information; or (iv) disclose or transfer Personal Information outside the direct business relationship between the parties.
- Permitted Activities. The parties agree that GENERIX may Process Personal Information for the following activities that are necessary to support the Services: (i) retain and employ another service provider as a Subcontractor, where the Subcontractor meets the requirements for a Processor under the CCPA; (ii) detect data security incidents; (iii) protect against fraudulent or illegal activity; (iv) effectuate repairs; and (v) maintain or improve the quality of the Services. GENERIX also may Process Personal Information, subject to Section 6.3, when necessary to comply with federal, state, or local laws or legal process; cooperate with law enforcement; and cooperate with a government agency request for emergency access to Personal Information if a person is at risk or danger of death or serious physical injury.
- GENERIX shall promptly notify the Customer if it determines or reasonably suspects that it is unable to comply with its obligations set forth in Section 2.3. Upon any such notice to the Customer, GENERIX shall immediately cease all use of Personal Information hereunder, but its obligations regarding safeguarding Personal Information shall remain in effect.
3. Personnel and Subcontractors
- GENERIX Personnel. GENERIX will take reasonable steps to ensure that each of its employees and agents who Process Personal Information are made aware of GENERIX’s obligations under this DPA, and where required by Applicable Law, shall require that they enter into binding obligations with GENERIX as appropriate to maintain the levels of security and protection required under this DPA.
- Access to Personal Information. GENERIX shall limit access to Personal Information to those individuals who need to know, as necessary for the purpose of providing Services.
- The list of Subcontractors that may Process data on GENERIX’s behalf is available at: https://generixgroup.file.force.com/servlet/fileField?id=0BE7T000000L0TH. GENERIX may update this list from time to time. GENERIX remains obligated and fully liable to the Customer for the acts and omissions of any Subcontractor.
4. Security of Personal Information
- GENERIX’s Responsibilities. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, GENERIX will maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Information.
- Transfer and Access Restrictions. Except as otherwise specifically authorized by Customer in writing in advance: (i) all Personal Information shall be stored within the United States; (ii) GENERIX will not transfer Personal Information outside of the United States; and (iii) no GENERIX employee or agent (including any Subcontractor) will have the ability to access or use Personal Information from outside the United States.
5. Consumer Rights and Requests
- Consumer Rights. If GENERIX receives a request from a Consumer to exercise their rights under an Applicable Law, it shall communicate this request to the Customer without first responding to the request except on the prior written instructions of the Customer, unless otherwise required by the Applicable Laws.
- GENERIX shall work with, and if necessary reasonably assist, the Customer with responding to the Consumer’s request. GENERIX will do so in a manner that allows the Customer to respond to such requests within the timeframes set under such Applicable Law.
6. Security Breach
- Breach Response. In the event of a Security Breach, GENERIX will (i) reasonably investigate the Security Breach and perform a root cause analysis; (ii) develop a remediation plan to address the Security Breach and reduce the likelihood of future Security Breaches; and (iii) promptly upon request, provide to the Customer any required information to enable it to comply with its notification obligations under Applicable Laws, if any.
- Consumer Notifications. To the extent an Applicable Law requires the affected Consumers or governmental authorities to be notified of a Security Breach, GENERIX will cooperate with the Customer’s reasonable requests in enabling Customer to respond to such Security Breach.
7. General Provisions
- Limitation of Liability. The total liability of each of Customer and GENERIX (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this DPA, whether in contract, tort, or other theory of liability, will not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement.
- Customer Controls and owns all right, title and interest in and to Personal Information and at all times remains the data Controller under the Agreement and Applicable Laws. Personal Information that Customer discloses or provides to GENERIX is provided to GENERIX for a Business Purpose, and Customer does not Sell Personal Information to GENERIX in connection with the Agreement. Nothing in the Agreement transfers or conveys to GENERIX any ownership interest in or the right to control Personal Information. Customer warrants that it has complied with all relevant laws in collecting, using, transferring, and disclosing the Personal Information.
- Entire Agreement. This DPA and the Agreement represent the entire agreement between the parties and supersede any and all prior oral or written agreements between the parties related to the Processing of Personal Information.
- If any provision of this DPA is held invalid or unenforceable, the remaining provisions will remain in effect.
- As an amendment to the original Agreement, this DPA is binding upon all respective successors and permitted assigns of the Agreement.
- The obligations established under this DPA will survive termination of the Agreement and will continue in full force and effect until GENERIX has returned or destroyed all Personal Information.
- Changes to Applicable Laws. In the event of new Applicable Laws, or modifications, amendments or changes to Applicable Laws, the parties agree to cooperate in good faith with respect to any necessary modifications or amendments to this DPA, to the extent required. GENERIX shall further take reasonable measures to remain compliant with any changes in the Applicable Laws.