Data Processing Addendum (DPA)
Version: November 1, 2024
This Data Processing Addendum (DPA) (“Addendum”) supplements the Terms of Service incorporated by reference into the written or electronic order, schedule, statement of work, work order, quote, or other document (collectively, the “Order”) that also incorporates this Addendum by reference. In addition to the Terms of Service, this Addendum governs responsibilities with respect to processing and protection of personal data by Acxiom LLC (“Acxiom”) and the identified Acxiom client (“Client”) when the Order has been executed by the parties to be bound thereto or otherwise formally approved by them in accordance with the process identified in the Order. The Order, the Terms of Service (including any other applicable addenda incorporated by reference therein), this Addendum, and any other terms or documentation incorporated by reference in the Order are collectively referred to as, the “Agreement”. Any claim brought under the terms of this Addendum will be subject to the applicable limitation of liability provision in the Terms of Service, including any applicable exceptions thereto. From time to time, Acxiom may modify this Addendum. Unless otherwise specified by Acxiom due to a change in law or other contingency beyond Acxiom’s control, changes will become effective for Client upon renewal of the then-current Order or upon the effective date of a new Order after the updated version of this Addendum goes into effect. Capitalized terms not defined herein shall have the meanings ascribed to them elsewhere in the Agreement.
The parties agree as follows:
1. Information Security Program. Acxiom has implemented and will maintain for the duration of the Term of the Agreement an information security program that contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any consumer information at issue. If Client receives Data Products, then the foregoing obligation of implementation and maintenance of an information security program as outlined above will also apply to Client.
2. Encryption. Each party will encrypt any personally identifiable information (PII) using industry standard encryption measures before transferring such information to the other over a public network. For any PII other than Sensitive Data (defined below), such requirement may be met by transferring such PII via Secure File Transfer Protocol (SFTP) or by using file-level encryption. If the Order expressly authorizes the provision of Sensitive Data, Client must encrypt such data at the file level before transfer to Acxiom over a public network. Using SFTP alone, without file-level encryption, will not be sufficient to meet such requirement.
3. Sensitive Data. Unless expressly authorized in the Order, Client will not provide to Acxiom, nor permit any third party to provide to Acxiom on Client’s behalf, any of the following information (“Sensitive Data”): (i) a government-issued identification number (e.g., Social Security Number, driver’s license number, state identification number, or passport number); (ii) a financial or customer account number, including financial institution or bank account number or a credit or debit card number; (iii) information regarding an individual’s sexual orientation, religion, or health or medical condition, including Protected Health Information, as defined in 45 CFR 160.103; (iv) unique biometric data or digital representation of biometric data; (v) an individual’s full date of birth; (vi) maiden name of the individual’s mother; (vii) an individual’s digitized or other electronic signature; (viii) PII about an individual under the age of 18; (ix) a user name, email address, or other unique electronic identifier or routing code sent in combination with a personal identification code, password, or security question and answer that would permit access to an online account; or (x) Special Categories of Personal Data, as that term is defined by the European Union’s General Data Protection Regulation (GDPR). If Client should transfer Sensitive Data to Acxiom in violation hereof, Client will immediately notify Acxiom and inform Acxiom of the date, time, and other pertinent information related to the transfer so Acxiom may take the steps necessary to remove the Sensitive Data from its systems.
4. Cloud Environment. Notwithstanding anything to the contrary in the Agreement, the Services may be performed, in whole or in part, in an environment provided from any location by an established third-party cloud service provider (CSP) (e.g., Amazon Web Services (AWS); Google Cloud; Microsoft Azure) that resides in a segmented, secured instance managed by Acxiom, its Affiliates, or their subcontractors (“Cloud Environment”). Minimum CSP information security, certification, and independent audit standards will include ISO/IEC 27001 and AICPA SSAE 18 SOC 2 Type II / SOC 3 (collectively, “CSP Standards”). A description and evidence of the CSP Standards will be available at the CSP’s public-facing website. Any terms in the Agreement inconsistent with applicable CSP standards or requiring further documentation of the CSP Standards will not apply to the CSP but will continue to apply to Acxiom in its configuration and use of its Cloud Environment instance. Client Data maintained in the Cloud Environment will remain logically segregated from the data of any other Acxiom client. Any act or omission of the CSP in providing the Cloud Environment to support the Services will be deemed an act or omission of Acxiom, for which Acxiom will be liable in accordance with the terms of the Agreement.
5. Inspections and Assessments.
5.1 Inspections. Each party will have the right, after ten business days’ written notice, to inspect the other party’s facilities during normal business hours for the purpose of reviewing security policies and procedures and to ensure that the party’s Confidential Information is not being used in an unauthorized manner. Such inspections will occur no more frequently than once per any twelve-month period during the Term and will be performed in accordance with the other party’s reasonable security policy and procedures. Any third party engaged to perform an inspection shall first enter into a written agreement with the party whose facility is being inspected protecting the confidentiality of any information gathered. The results of such inspections, as well as any documentation prepared during the course thereof, will be deemed the Confidential Information of both Acxiom and Client.
5.2 Independent Assessments. For the purpose of providing Client evidence of its implementation of technical and organizational measures required by applicable law, Acxiom may present up-to-date attestations, reports, or extracts thereof from independent bodies (e.g., external auditors, internal audit, the data protection officer, the IT security department, or quality auditors) or suitable certification by way of an IT security or data protection audit.
6. Notification. Each party will, as soon as reasonably practical after discovery, report to the other party any unauthorized disclosure or access to Client Data or Data Products, as applicable, subject to any reasonable restrictions placed on the timing of such notice by a law enforcement or regulatory agency investigating the incident and will take all reasonable measures to prevent any further unauthorized disclosure or access.
7. US Data Protection Law. If any Services described in the Order involve Acxiom processing Client Data that is subject to US Data Protection Law, then the following additional terms will apply, along with any related terms in the Order. “US Data Protection Law” means all applicable privacy, data security, and data protection laws, rules, or regulations of the United States or any state or local jurisdictions thereof, and any legislation replacing or updating any of the foregoing.
7.1 Description of the Processing. Acxiom is authorized to process Personal Information provided by or on behalf of Client under the Agreement for the duration of the Term as necessary to provide the Services or Products or as otherwise authorized by Client in writing. Unless otherwise provided in the Order, the nature and purpose of the processing is to support the marketing of Client’s products or services to consumers or businesses, or the conduct of analytics related thereto. The types of Personal Information that will be subject to processing will be as described in the Order. Unless otherwise provided in the Order, the categories of relevant data subjects will be individual Client customers or prospective customers. “Personal Information” has the meaning ascribed to it under US Data Protection Law as it relates to Client Data. The term includes similar terms, such as “Personal Data” and “Personally Identifiable Information”, as used in the Agreement or defined under US Data Protection Law.
7.2 Obligations. Acxiom will, and will take measures to ensure that any person acting under Acxiom’s authority will:
(a) Handle Personal Information in compliance with all US Data Protection Law;
(b) Retain, use, disclose, transfer, or otherwise process the Personal Information only: (i) as needed to provide the Services or Products; and (ii) in accordance with Client’s instructions, including as set forth in this Addendum, the Order, and the rest of the Agreement;
(c) Keep Personal Information logically or physically segregated in Acxiom’s or any of its external parties’ environments;
(d) Require through a separate agreement that any persons accessing or processing the Personal Information through Acxiom hold the information confidential, other than any Client third-party contractors or other Client-engaged entities to whom Client has directed Acxiom to disclose or grant access to Personal Information, which shall be Client’s responsibility; and
(e) Within a reasonable period of time following a written request from Client (email sufficient), but within a timeframe sufficient for Client to fulfill its obligations under US Data Protection Law, implement or honor all consumer requests that are provided by Client, subject to any fees provided for in the Order to address such requests from Client.
7.3 Restrictions. Acxiom will not, and will take reasonable measures to ensure that any person acting under Acxiom’s authority will not:
(a) Unless otherwise required to perform the Services or deliver the Products described in the Order, combine Personal Information with other information other than Client Data (and in any event will keep Client Data logically segregated); or
(b) Unless otherwise expressly authorized by Client, respond to any requests or complaints with respect to use of Personal Information provided to Acxiom by or on behalf of Client, including any requests to exercise privacy rights under US Data Protection Law, other than to direct the individual to contact Client.
7.4 Prohibition on Selling. Except as expressly authorized by Client in writing, Acxiom will not Sell, use, disclose, or retain Personal Information: (i) for any purposes outside of providing the Services or Products; (ii) for its own commercial purposes; or (iii) outside of the direct business relationship between Acxiom and Client. “Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, an individual’s Personal Information to another person for monetary or other valuable consideration (or as otherwise defined in US Data Protection Law).
7.5 Required Disclosures. If applicable Data Protection Law requires Acxiom to notify or disclose to any government agency or official that Acxiom is licensing or providing Data Products to Client, or such other details as may be related thereto, then notwithstanding anything to the contrary in the Agreement, Client authorizes Acxiom to so notify or disclose.
7.6 Subprocessors. Client authorizes Acxiom to disclose or transfer Personal Information to, or allow access to Personal Information by, Subprocessors (including, without limitation, Acxiom’s Affiliates) solely for purposes of providing the Services or Products. Acxiom confirms that it has entered or (as the case may be) will enter into a written agreement(s) with such Subprocessors as required by the Agreement.
8. Protected Health Information. Subject to Section 3 of this Addendum, if the Services described in the Order will involve Acxiom processing any personal data that is “protected health information” (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and related rules and regulations, then in addition to the terms of this Addendum, the parties’ responsibilities with respect to provision, receipt, and use of such PHI will be governed by the terms of the Business Associate Addendum (BAA) to the Terms of Service, the terms of which will supplement this Addendum.
9. Non-US Client Data. Acxiom’s receipt and processing of any Client Data pertaining to non-U.S. data subjects may require additional terms to be addressed in the Order or in an additional addendum to the Agreement.