Data Protection and Processing Agreement

This Data Protection and Processing Agreement (the “DPPA”) governs your (“Service Provider”) use, storage, or other processing of Personal Information or Confidential Information on behalf of Daily Harvest, Inc. (“Daily Harvest”). 

1. Definitions. The following definitions and rules of interpretation apply in this DPPA:

(a) “Authorized Persons” means the employees or other personnel acting on behalf of Daily Harvest whom Daily Harvest authorizes to give Service Provider processing instructions, as have been identified to Service Provider. 

(b) “Business Purpose” means the services described in the agreement that references and incorporates this DPPA (the “Governing Agreement”) under which Service Provider receives or accesses Personal Information or Confidential Information.

(c) “Confidential Information” means all non-public information maintained in confidence by Daily Harvest and received or accessed by Service Provider, in any form or medium, that is identified by Daily Harvest as confidential or proprietary or that a reasonable person would understand to be confidential, given the nature of the information or circumstances of disclosure. Confidential Information may include, without limitation, information about current, former, or prospective customers, services, products, software, data, technologies, recipes, formulas, processes, know-how, plans, operations, research, personnel, suppliers, distributors, manufacturers, finances, pricing, marketing, strategies, opportunities and all other aspects of business operations and any copies or derivatives thereof.

(d) “Data Subject” means an individual who is the subject of Personal Information and to whom or about whom Personal Information relates or identifies, directly or indirectly.

(e) "Personal Information" means any information Service Provider processes for Daily Harvest that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Service Provider's possession or control or that the Service Provider is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.

(f) "Processing, processes, or process" means any activity that involves the use of Personal Information or Confidential Information, or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information or Confidential Information to third parties.

(g) "Privacy and Data Protection Requirements" means all applicable foreign, federal and state laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the California Consumer Privacy Act as amended by the California Privacy Rights Act, the Colorado Privacy Rights Act, the Connecticut Personal Data Privacy and Online Monitoring Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act.

(h) "Security Breach" means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or Confidential Information, or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Information or Confidential Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.

2. Service Provider's Obligations.

(a) Service Provider will only process, retain, use, or disclose the Personal Information or Confidential Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with Daily Harvest's written instructions from Authorized Persons. Service Provider will not process, retain, use, or disclose the Personal Information or Confidential Information for any other purpose, outside of the parties' business relationship, or in a way that does not comply with this DPPA or the Privacy and Data Protection Requirements. This includes not combining or updating the Personal Information with personal information obtained outside of this contract unless the Privacy and Data Protection Requirements permit the action. Service Provider must promptly notify Daily Harvest if, in its opinion, Daily Harvest's instruction would not comply with the Privacy and Data Protection Requirements.

(b) Service Provider will maintain the confidentiality of all Personal Information and Confidential Information, will not sell it to or share it with anyone, and will not disclose it to third parties unless Daily Harvest or this DPPA specifically authorizes in writing the disclosure, or as required by law. If a law requires Service Provider to process or disclose Personal Information or Confidential Information, Service Provider must first inform Daily Harvest of the legal requirement and give Daily Harvest an opportunity to object or challenge the requirement, unless the law prohibits such notice.

(c) Service Provider must promptly comply with any Daily Harvest request or instruction requiring the Service Provider to provide, amend, transfer, or delete the Personal Information or Confidential Information, or to stop, mitigate, or remedy any unauthorized processing.

(d) If the Business Purposes require the collection of personal information from individuals on Daily Harvest’s behalf, Service Provider will always provide a notice compliant with the Privacy and Data Protection Requirements at collection that Daily Harvest specifically pre-approves in writing. Service Provider will not modify or alter the notice in any way without Daily Harvest’s prior written consent.

(e) If the Governing Agreement and the Privacy and Data Protection Requirements permit, Service Provider may aggregate, deidentify, or anonymize Personal Information so it no longer meets the personal information definition, and may use such aggregated, deidentified, or anonymized data for its own research and development purposes. Service Provider will not attempt to or actually re-identify any previously aggregated, deidentified, or anonymized data and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data.

3. Assistance with Daily Harvest’s Data Protection Requirements Obligations.

(a) Service Provider will reasonably assist Daily Harvest with meeting its compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of Service Provider's processing and the information available to Service Provider. 

(b) Service Provider must promptly notify Daily Harvest of any changes to the Privacy and Data Protection Requirements, or its ability to meet those obligations, that may adversely affect Service Provider's performance of the Governing Agreement or this DPPA.

(c) Service Provider must notify Daily Harvest immediately if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either party's compliance with the Privacy and Data Protection Requirements.

(d) Service Provider must notify Daily Harvest within three working days if it receives a request from a Data Subject to exercise any rights the individual may have regarding their Personal Information, such as access, correction, deletion, or to opt-out of or limit certain activities like sales, disclosures, or other processing actions. Service Provider will give Daily Harvest its full cooperation and assistance in responding to any complaint, notice, communication, or Data Subject request.

4. Service Provider’s Employees.

(a) Service Provider will limit Personal Information and Confidential Information access to: (i) those employees who require Personal Information or Confidential Information access to meet Service Provider's obligations under this DPPA and the Governing Agreement; and (ii) the part or parts of the Personal Information or Confidential Information that those employees strictly require for the performance of their duties.

(b) Service Provider will ensure that all employees: (i) are informed of the confidential nature of the Personal Information and Confidential Information and the use restrictions relating thereto and are obliged to keep the Personal Information and Confidential Information confidential; (ii) have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and (iii) are aware both of Service Provider's duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPPA.

5. Subcontracting.

(a) If permitted under the Governing Agreement, Service Provider may use subcontractors to provide the Business Services only if Service Provider enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPPA and, upon Daily Harvest’s written request, provides Daily Harvest with copies of such contracts.

(b) For each subcontractor used, Service Provider will give Daily Harvest an up-to-date list disclosing: (i) the subcontractor's name, address, and contact information; (ii) the type of services provided by the subcontractor; and (iii) the personal information categories disclosed to the subcontractor in the preceding 12 months.

(c) Service Provider remains fully liable to Daily Harvest for the subcontractor's performance of its agreement obligations.

(d) Upon Daily Harvest’s written request, Service Provider will audit a subcontractor's compliance with its personal information obligations and provide Daily Harvest with the audit results.

6. Cyber Insurance. In addition to any insurance requirements in the Governing Agreement, Service Provider shall purchase and maintain cyber liability insurance that: (i) covers all liability to Daily Harvest arising out of any Security Breach; (ii) provides for limits of liability equaling at least $5,000,000.00; and (iii) is primary, and not excess over or contributing with any insurance maintained by Daily Harvest. Service Provider shall provide a certificate of insurance with the coverages and limits required above stating that Daily Harvest has been named as an additional insured on the liability policy and that the policy shall not be canceled, nor any material change made in the coverages provided thereunder, until not less than thirty (30) calendar days’ prior written notice has been given to Daily Harvest. Service Provider shall maintain the required insurance at all times that the Governing Agreement is in effect and provide new certificates upon any policy renewals.

7. Security.

(a) Service Provider must at all times implement appropriate technical and organizational measures designed to safeguard Personal Information and Confidential Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, unavailability, or damage. Service Provider must document those measures in writing and periodically review them, at least annually, to ensure they remain current and complete.

(b) Service Provider must take reasonable precautions to preserve the integrity of any Personal Information and Confidential Information it processes and to prevent any corruption or loss, including but not limited to establishing effective back-up and data restoration procedures.

8. Security Breaches and Personal Information Loss.

(a) Service Provider will promptly notify Daily Harvest if any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable and Service Provider will restore such Personal Information at its own expense. 

(b) Service Provider will immediately notify Daily Harvest if it becomes aware of: (i) any unauthorized or unlawful processing of the Personal Information; or (ii) any Security Breach.

(c) Immediately following any unauthorized or unlawful Personal Information processing or Security Breach, the parties will coordinate with each other to investigate the matter. Service Provider will reasonably cooperate with Daily Harvest in Daily Harvest's handling of the matter, including but not limited to assisting with any investigation and making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by Daily Harvest.

(d) Service Provider will not inform any third party of a Security Breach without first obtaining Daily Harvest's prior written consent, except when law or regulation requires it.

(e) Service Provider agrees that Daily Harvest has the sole right to determine: (i) whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in Daily Harvest's discretion, including the contents and delivery method of the notice; and (ii) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

(f) Service Provider will cover all reasonable expenses associated with the performance of the obligations under this Section, unless the matter arose from Daily Harvest's specific instructions or Daily Harvest’s breach of this DPPA. Service Provider will also reimburse Daily Harvest for reasonable expenses Daily Harvest incurs when responding to and mitigating damages including all costs of notice and any remedy as set out in Section 8(e).

9. Termination Right. Service Provider's failure to comply with the terms of this DPPA is a material breach of the Governing Agreement. In such event, Daily Harvest may terminate the Governing Agreement effective immediately upon written notice to Service Provider without further liability or obligation.

10. Survival. Notwithstanding anything to the contrary in the Governing Agreement, this DPPA shall remain in effect as to Personal Information and Confidential Information for so long as Service Provider has access to such information or such information remains in the custody or control of Service Provider.

11. Issuance Date and Amendments. This DPPA was issued and effective as of April 18, 2023. It was last updated on October 17, 2023. It may be updated, revised, and amended by Daily Harvest in the future.