Data Processing Addendum

Last Updated: February 6, 2024

This Data Processing Addendum (“DPA”) forms part of the agreement (“Agreement”) between Locance, Inc. or its subsidiary LocationSmart Geolocation LLC (individually or collectively “Locance”) and its customer (“Customer”) under which Locance provides Customer and, if applicable, its Affiliates and/or Clients the Services and in which this DPA is referenced unless Customer’s Agreement includes a separate data processing addendum. Capitalized terms that are not defined in this DPA shall have the same meaning ascribed to them in the Agreement.

1. Definitions

  • a.  “Data Protection Laws” means all applicable privacy and data protection laws, rules, regulations, decrees, orders and other government requirements.
  • b.  The terms “personal data”, “personal data breach”, “processing”, “processor,” and “data subject”, will have the same meanings ascribed to them in the Data Protection Laws, and where the Data Protection Laws use equivalent or corresponding terms, such as “personal information” instead of “personal data,” they will be read herein as the same.

2. Scope

This DPA applies to the processing of End User personal data by Locance on behalf of Customer and, if applicable, Customer’s Affiliates and/or Clients under the Agreement.

3. Scope of Processing

  • a.  Processing by Locance will be governed by this DPA; in particular, Locance will process the personal data only on documented instructions from Customer, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by the applicable law to which Locance is subject; in such a case, Locance will inform Customer of that legal requirement before processing, unless that law prohibits Locance from doing so on important grounds of public interest.
  • b.  The subject matter of the processing is the personal data provided in respect of the Services under this Agreement. The duration of the processing is the duration of the provision of the Services under the Agreement until disposal of the personal data in accordance with the Agreement. The nature and purpose of the processing is in connection with the provision of the Services under the Agreement. The types of personal data processed are those submitted to Locance by or at the direction of Customer as part of the Services. The categories of data subjects are those whose personal data is submitted to Locance by or at the direction of Customer as part of the Services.
  • c.  The Agreement, including this DPA, along with Customer use and configuration of the Services, are the complete and final documented instructions to Locance for the processing of the personal data. Additional or alternate instructions must be agreed upon separately by the parties. Locance will ensure that its personnel engaged in the processing of the personal data will process such data only on documented instructions provided by the Customer unless required to do so by applicable law.

4. Confidentiality 

Locance will ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security of Processing

  • a. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Locance will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in the Agreement and including inter alia as appropriate:
    • i. the pseudonymization and encryption of personal data;
    • ii. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • iii. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
    • iv. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  • b. In assessing the appropriate level of security, account will be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
  • c. Customer and Locance will take steps to ensure that any natural person acting under the authority of Customer or Locance who has access to personal data does not process data except on instructions from Customer unless he or she is required to do so by applicable law.
  • d. Notwithstanding any provision to the contrary, Locance may modify or update its security measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Agreement.

6. Sub-processing

  • a.  Customer hereby provides Locance with general authorization to engage other processors for the processing of personal data in accordance with this DPA.  Locance will maintain a list of such processors in section 16 below, which Locance may update from time to time. At least 14 days before authorizing any new such processor to process the personal data, Locance will update such list on its website. Customer may object to the change without penalty, subject to the Agreement’s dispute resolution process or any applicable refund or termination rights Customer may have under the Agreement.
  • b.  Where Locance engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in this DPA will be imposed on that other processor by way of a contract or under the Data Protection Laws.  Where that other processor fails to fulfill those data protection obligations, Locance will (subject to the terms of the Agreement) remain fully liable to Customer for the performance of that other processor's obligations.

7. Data Subject Rights

  • a.  Taking into account the nature of the processing, Locance will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising the data subject's rights.
  • b.  Locance will, to the extent legally permitted, promptly notify Customer of any data subject requests received by Locance and reasonably cooperate with Customer to fulfill its obligations under the Data Protection Laws in relation to such requests. Customer will be responsible for any reasonable costs arising from Locance providing assistance to Customer to fulfill such obligations.

8. Assisting the Customer

Locance will assist Customer in ensuring compliance with data security, personal breach notification and other obligations as required under the Data Protection Laws, taking into account the nature of processing and the information available to Locance.

9. Termination of Processing

Upon the expiration or termination of Customer’s use of the Services, unless applicable law requires storage of the personal data, Customer instructs Locance to delete or return the personal data in accordance with the terms and timelines, if any, for the Services set forth in the Agreement. Where the Agreement provides Customer the choice to delete or return the personal data and Customer does not make that choice within 30 days following the termination of the Agreement, Customer hereby instructs Locance to delete the personal data, unless applicable law requires storage of the personal data. In such cases, Locance will delete the personal data as soon as practicable.

10. Audits

The rights for conducting audits are set forth in the Agreement. In the absence of such requirements in the Agreement, where the Data Protection Laws so require, audits will be: (i) subject to the execution of appropriate confidentiality or non-disclosure agreements; (ii) conducted no more than once per year, unless a demonstrated reasonable belief of non-compliance with the Agreement has been made, upon 30 days written notice and having provided a plan for such review; and (iii) conducted at a mutually agreed upon time, place, and manner.

11. Cross-border Transfer

Locance will ensure that, to the extent that any personal data originating from Customer’s country is transferred by Locance to another country, such transfer will be subject to appropriate safeguards that provide an adequate level of protection in accordance with the Data Protection Laws.

12. Personal Data Breach

Locance will notify Customer without undue delay after becoming aware of a personal data breach involving personal data processed under this DPA and will reasonably respond to Customer’s request for further information so that Customer may fulfill its obligations under the Data Protection Laws.

13. Records of Processing Activities

Locance will maintain all records required by the Data Protection Laws and, to the extent applicable to the processing of the personal data on behalf of Customer, make them available as required.

14. Lawful Basis for Processing

Customer warrants that, where required by the Data Protection Laws, it has provided notice to any and all data subjects and has received requisite consent from the data subject or its legally authorized representative or guardian.

15. Jurisdiction-Specific Terms

To the extent that Locance is processing any personal data originating from or otherwise subject to the Data Protection Laws of any of the jurisdictions listed below, the terms specified therein with respect to the applicable jurisdiction(s) apply in addition to the foregoing terms.

California, USA

Capitalized terms used in this paragraph that are not defined in this DPA shall have the meaning ascribed to them in the California Consumer Privacy Act of 2018, as amended (“CCPA”). To the extent that Locance is processing on behalf of Customer any personal data in scope of the CCPA, Locance shall conduct such processing as a Service Provider to Customer, and Locance shall comply with all applicable obligations under the CCPA. Locance is prohibited from retaining, using or disclosing the personal data for any purpose other than for the specific purpose of performing the Services, or as otherwise permitted by the CCPA, including retaining, using or disclosing the personal data for a Commercial Purpose other than providing the Services. Locance is prohibited from Selling or Sharing personal data. Locance is prohibited from retaining, using or disclosing the personal data outside of the direct business relationship between Locance and Customer. Locance is prohibited from combining the personal data with other personal data that Locance receives from, or on behalf of, another person or persons, or collects from its own interaction with the Consumer, provided that Locance may combine such personal data to perform any business purpose authorized in the CCPA. Locance hereby certifies that it understands these restrictions and will comply with them. Locance shall promptly notify Customer if it determines that it can no longer meet its obligations under the CCPA.

European Economic Area, United Kingdom, and Switzerland

  • a. To the extent that Customer transfers personal data from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to Locance located outside the EEA, UK or Switzerland, and the parties do not rely on an alternative transfer mechanism or basis under the Data Protection Laws, the parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“Clauses”) in respect of such transfer, whereby:
    • i. Customer is the “data exporter” and Locance is the “data importer”;
    • ii. the footnotes, Clause 9(a) Option 1, Clause 11(a) Option and Clause 17 Option 1 are omitted, the time period in Clause 9(a) Option 2 is 14 days, and the applicable annexes are completed respectively with the information set out in the DPA and the Agreement;
    • iii. to the extent that Customer acts as a controller and Locance acts as a processor, Module Two applies and Modules One, Three and Four are omitted, and to the extent that each party acts as a processor, Module Three applies and Modules One, Two and Four are omitted;
    • iv. the “competent supervisory authority” is the supervisory authority in Ireland;
    • v. the Clauses are governed by the law of Ireland;
    • vi. any dispute arising from the Clauses will be resolved by the courts of Ireland; and
    • vii. if there is any conflict between the terms of the Agreement and the Clauses, the Clauses will prevail.
  • b. In relation to transfers of personal data from the UK, the Clauses as implemented under section a above will apply subject to the following modifications:
    • i. the Clauses are amended as specified by Part 2 of the international data transfer addendum to the European Commission’s standard contractual clauses issued under Section 119A of the UK Data Protection Act 2018, as may be amended or superseded from time to time (“UK Addendum”);
    • ii. tables 1 to 3 in Part 1 of the UK Addendum are completed respectively with the information set out in the DPA and the Agreement (as applicable); and
    • iii. table 4 in Part 1 of the UK Addendum is completed by selecting “neither party”.
  • c. In relation to transfers of personal data from Switzerland, the Clauses as implemented under section a above will apply subject to the following modifications:
    • i. references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Act on Data Protection (“FADP”);
    • ii. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the FADP;
    • iii. references to “EU”, “Union”, “a Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”, as applicable;
    • iv. the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of accessing their rights;
    • v. Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner;
    • vi. the Clauses are governed by the law of Switzerland; and
    • vii. any dispute arising from the Clauses will be resolved by the courts of Switzerland.

South Africa

  • a.  To the extent that Locance is processing any personal information in scope of the South African Protection of Personal Information Act, No. 4 of 2013 (POPIA) for Customer, Locance will further establish and maintain the security measures referred to in section 19 of POPIA.
  • b.  Locance will notify Customer immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorized person.

16. Sub-Processors

The following sub-processors may be utilized by Locance in the provision of Services to Customer:

Amazon Web Services

Atlassian

Auth0

Combain

Digital Element

Elasticsearch

Google

Hubspot

LocationIQ

Mapbox

MaxMind

Microsoft

Neustar

Rx Networks

Sinch

ThreatMetrix

Unwired Labs

Webflow

Zapier