CCPA/CPRA Service Provider Addendum

Last Updated: December 30, 2022

This Addendum shall form part of the agreement entered into by the parties for Litmus to provide services to Customer (the “Agreement”) and is effective as of the later of January 1, 2023 or the Effective Date of the Agreement between Customer and Litmus.

1. Relationship of the Parties. Litmus is a Service Provider to Customer in connection with the provision of services as specified in the Agreement. Customer is a Business that is subject to the California Consumer Privacy Act and the California Privacy Rights Act. Customer intends to send Personal Information relating to California Consumers to Litmus in connection with Litmus’ performance of the Agreement. Pursuant to this, the parties seek to clarify their applicable responsibilities in this Addendum.
2. Definitions.
1. “Business”, “Collects”, “Consumer”, “Business Purpose”, “Sell”, “Service Provider”, and “Share” shall have the meanings given to them in §1798.140 of the CCPA.
2. “Business Purpose” has the meaning given in Section 5 of this Addendum. 
3. “California Consumer Privacy Act” or “CCPA” means Title 1.81.5 California Consumer Privacy Act of 2018 (California Civil Code §§1798.100—1798.199), as amended or superseded from time to time.
4. “California Privacy Rights Act” or “CPRA” means the California Privacy Rights Act of 2020 (2020 Cal. Legis. Serv. Proposition 24, codified at Cal. Civ. Code §§1798.100 et seq.), and its implementing regulations, as amended or superseded from time to time.
5. “Personal Information” means personal information as defined by §1798.140 of the CCPA submitted to Litmus for processing pursuant to the Agreement.

Capitalized terms used but not defined in this Addendum shall have the meanings given in the Agreement. 

3. Relationship with the Agreement.
1. This Addendum supersedes any conflicting or inconsistent provisions in the Agreement related to data protection and, in the event of conflict, this Addendum will govern and control. The terms of the Agreement, as amended by this Addendum, remain in full force and effect.
2. Any claims brought under or in connection with this Addendum shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
3. No one other than a party to this Addendum, its successors and permitted assignees shall have any right to enforce any of its terms.
4. This Addendum shall be governed by and construed in accordance with the governing law and jurisdiction as specified in the Agreement, unless otherwise required by CCPA and/or CPRA.
5. This Addendum shall continue in effect, and shall survive termination or expiration of the Agreement, as long as Litmus retains possession, custody, or control of, or access to, any Personal Information in connection with or as a result of the Agreement.
6. The parties agree that this Addendum shall be interpreted in favor of their intent to comply with the CCPA and CPRA and therefore any conflict or ambiguity shall be resolved in favor of a meaning that complies and is consistent with the CCPA and CPRA, as applicable.
4. Scope. This Addendum only applies where, and to the extent that, Litmus processes Personal Information that is subject to the CCPA and/or the CPRA on behalf of Customer as a Service Provider in the course of providing the services pursuant to the Agreement. In this Addendum, references to sections of the CCPA are to those sections as amended by the CPRA.
5. Business Purpose. Litmus shall only Collect and process Personal Information as a Service Provider upon lawful documented instructions from Customer, including those in the Agreement, this Addendum, and Customer’s configuration of the Services or as otherwise necessary to provide the Services specified in the Agreement (the “Business Purpose”). Litmus will not process the Personal Information for any purpose other than for the Business Purpose, except where and to the extent permitted by the CCPA and/or CPRA.
6. Data Protection.
1. Service Provider Appointment. Customer is a Business and appoints Litmus as its Service Provider to Collect and process the Personal Information for the Business Purpose. Litmus is responsible for its compliance with its obligations under this Addendum and for compliance with its obligations as a Service Provider under the CCPA and CPRA. Customer is responsible for compliance with its own obligations as a Business under CCPA and CPRA and shall ensure that it has provided notice and has obtained (or shall obtain) all consents and rights necessary under the CCPA and the CPRA for Litmus to Collect and process the Personal Information for the Business Purpose.
2. Service Provider Certification. Litmus shall not: (a) Sell the Personal Information; (b) retain, use, or disclose the Personal Information for any purpose other than for the Business Purpose; (c) retain, use, or disclose the Personal Information outside of the direct business relationship between Litmus and Customer (except where Litmus has engaged a subcontractor to assist in the provision of services); (d) Share or process the Personal Information for targeted and/or cross context behavioral advertising; (e) combine Personal Information with any other data if and to the extent this would be inconsistent with the limitations on Service Providers under the CCPA and/or CPRA. Litmus certifies that it understands the restrictions set out in this Section and will comply with them. Litmus shall notify Customer if it determines that it cannot meet its obligations under the CPRA.
3. Consumer Rights. Litmus will, upon Customer’s instructions (and at Customer’s expense): (a) use reasonable efforts to assist Customer in deleting Personal Information in accordance with a Consumer’s request (and shall instruct any subcontractors it has engaged to do the same) except to where and to the extent permitted to retain the Personal Information pursuant to an exemption under the CCPA and/or CPRA; and (b) use reasonable efforts to assist Customer in responding to verified Consumer requests received by Customer to provide information as it relates to the Collection of Personal Information for the Business Purpose.
4. Assistance. Litmus will, upon Customer’s instruction and upon proof of such a communication, provide reasonable assistance to Customer to enable Customer to respond to any correspondence, inquiry, or complaint received from a Consumer for the California Attorney General in connection with the Collection and processing of the Personal Information.
5. Deletion. Upon receipt of Customer’s written request, Litmus shall, at Customer’s election, delete or return any Personal Information within ninety (90) days of termination, except where Litmus is permitted by applicable law to retain some or all of the Personal Information, which Personal Information Litmus shall continue to protect from any further processing, except to the extent required by applicable law.
6. Reasonable Steps. Customer has the right to take reasonable and appropriate steps to (i) ensure that Litmus uses the Personal Information received from Customer under the Agreement consistent with applicable law; and (ii) stop and remediate any unauthorized use of Personal Information. 
7. Subcontractors. If Company wishes to engage a subcontractor to assist in processing Personal Information for purposes of performing the services under the Agreement, Litmus shall provide prior notice of any new subcontractor, and shall enter into written and binding contract with the subcontractor that requires the subcontractor to observe all requirements set forth in this addendum.
8. Security. Litmus shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information it will process to protect the Personal Information from and against unauthorized or illegal access, destruction, use, modification, or disclosure. Litmus shall notify Customer without undue delay (and in time to fulfil any applicable reporting obligations) after becoming aware of an accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access of or to the Personal Information, and provide timely information relating to such, as it becomes known or is reasonably requested by Customer.
9. Contact. If Customer has any questions or complaints with respect to this Addendum, Customer may contact Litmus by mail at Litmus Software, Inc., 675 Massachusetts Ave., Suite 10, Cambridge, MA 02139, email at privacy@litmus.com, or by phone at +1 (866) 787-7030, 9:00 AM – 6:00 PM EST, Monday through Friday (excluding Litmus holidays).
10. If Customer requires an executable version of this Addendum, please see Litmus’ Security FAQ.