Frontdesk Data Processing Addendum

This Frontdesk Data Processing Addendum (“DPA”) applies to the extent Frontdesk Processes any Covered Data as Client’s Processor or Service Provider in connection with Frontdesk’s provision of the Services to Client pursuant to the Frontdesk Terms of Service or Master Services Agreement (as applicable, the “Underlying Agreement”).

1. DEFINITIONS

1.1 Applicable Data Protection Law

“Applicable Data Protection Law” means privacy and data protection Laws applicable to Frontdesk’s Processing of Covered Data on behalf of Client in connection with Frontdesk’s provision of the Services, including but not limited to the CCPA, together with its implementing regulations and as amended, superseded, or replaced from time to time.

1.2 CCPA

“CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

1.3 Client Account Data

“Client Account Data” means Personal Data or Personal Information that relates to Client’s relationship with Frontdesk, such the names and contact information of Authorized Users, billing information associated with Client’s account, and any Personal Data or Personal Information Frontdesk may need to collect for the purpose of identity verification (including providing multi-factor authentication).

1.4 Covered Data

“Covered Data” means any Personal Data or Personal Information pertaining to a Consumer or Data Subject within the Territory that is provided to Frontdesk by Client or otherwise Processed by Frontdesk as a Processor or Service Provider in connection with Frontdesk’s provision of the Services to Client pursuant to the Underlying Agreement. Covered Data excludes Client Account Data.

In addition, “Business”, “Business Purpose”, “Consumer”, “Controller”, “Data Subject”, “Personal Data”, “Personal Information”, “Process”, “Processor”, “Sale”, “Share”, and “Service Provider” and their respective derivative terms as used in this DPA shall be interpreted in accordance with Applicable Data Protection Laws. All other capitalized terms used in this DPA have the meanings ascribed to them in the Underlying Agreement.

2. FRONTDESK AS A PROCESSOR OF COVERED DATA

2.1 Processing Details

The parties acknowledge and agree that with respect to the Covered Data, Client is the Controller and Frontdesk acts as a Processor or Service Provider for, and on behalf of, Client and conducts its Processing operations in accordance with Client’s instructions. Client hereby instructs Frontdesk to Process Covered Data on Client’s behalf pursuant to this DPA and the Underlying Agreement. Notwithstanding anything to the contrary in this DPA, Frontdesk may de-identify, aggregate, and/or anonymize all or portions of Covered Data so that it no longer constitutes Personal Data or Personal Information under Applicable Data Protection Laws, at which point such data will no longer constitute Covered Data under this DPA.

2.2 Client’s Obligations

Client determines the purposes for and means by which Covered Data is being or will be Processed, and the manner in which Covered Data is or will be Processed. Client represents and warrants that: (a) with respect to Covered Data, Client complies with data security and other obligations prescribed by Applicable Data Protection Laws for Controllers/Businesses and Financial Institutions (if applicable), and the provision of Covered Data to Frontdesk complies with all Applicable Data Protection Laws; and (b) Client will provide notice to individuals and obtain all consents, rights, authorizations, or other lawful basis regarding Client’s Processing and sharing of Covered Data with Frontdesk as required by applicable Law, including without limitation Applicable Data Protection Laws. Client will promptly notify Frontdesk of any Consumer or Data Subject request made pursuant to any Applicable Data Protection Law with which Client must comply that requires Frontdesk to take any action with respect to Covered Data being Processed, and will provide the information necessary for Frontdesk to comply with such request.

2.3 Frontdesk’s Obligations

2.3.1 Unless otherwise permitted or required by applicable Law, Frontdesk will Process Covered Data in accordance with Client’s instructions as a Processor or Service Provider to provide the Services described in the Underlying Agreement to Client, and Client hereby instructs Frontdesk to do so.

2.3.2 Frontdesk will ensure that any person authorized to Process Covered Data under this DPA is bound by appropriate obligations of confidentiality.

2.3.3 Frontdesk has developed and implemented, and will maintain, a comprehensive written information security program that contains administrative, technical, and physical safeguards that are appropriate to Frontdesk’s size and complexity, the nature and scope of Frontdesk’s activities, and the sensitivity of any Covered Data at issue, designed to protect the security and confidentiality of Covered Data, protect against any anticipated threats or hazards to the security or integrity of Covered Data, and protect against unauthorized access to or use of Covered Data that could result in substantial harm or inconvenience to any Consumer, Data Subject, or Customer.

2.3.4 Taking into account the nature of the Processing and the information available to Frontdesk, Frontdesk will provide Client with reasonable cooperation and assistance to enable Client as a Business or Controller to fulfill Client’s binding obligations with respect to the Covered Data, if any, under Applicable Data Protection Laws to: (a) respond to requests from Data Subjects or Consumers for the exercise of their rights; and (b) provide notification of a Covered Data breach (or analogous concept) as required under Applicable Data Protection Laws.

2.3.5 Upon written request, Frontdesk will take reasonable and appropriate steps to make available to Client information to demonstrate Frontdesk’s compliance with provisions of Applicable Data Protection Laws applicable to Processors/Service Providers, and will allow Client to verify Frontdesk’s compliance with Frontdesk’s obligations under this DPA as set forth in Section 2.3.6 below.

2.3.6 Upon Client’s written request no more than once per year, Frontdesk will: (a) provide a high-level summary of its then-current information security program and internal security policies; and (b) respond to a reasonable security questionnaire provided by Client regarding Frontdesk’s security practices in relation to the Processing of Covered Data. Any such summaries, responses, or information provided shall be deemed Frontdesk’s Confidential Information.

2.3.7 Upon termination of the Underlying Agreement and receipt of Client’s written request, Frontdesk will delete Covered Data in Frontdesk’s possession, subject to any limitations described in the Underlying Agreement and unless applicable Law requires further storage.

3. CCPA-SPECIFIC TERMS

In addition to the general terms in Section 2 of this DPA, this Section 3 applies to the extent that Client is a Business under the CCPA and Frontdesk Processes Personal Information subject to the CCPA as a Service Provider in connection with its provision of the Services to Client. Frontdesk will: (a) not Sell or Share such Personal Information, nor retain, use, or disclose such Personal Information for any purpose other than the Business Purposes specified in the Underlying Agreement, unless otherwise permitted by the CCPA; (b) except to perform the specific Business Purposes or as otherwise permitted by the CCPA, not combine such Personal Information with Personal Information received from or on behalf of another person or source; (c) otherwise comply with provisions of the CCPA applicable to Service Providers, providing the same level of privacy protection required of Businesses by the CCPA, and notify Client if Frontdesk can no longer meet these obligations; and (d) upon receipt of written notice that Client reasonably believes Frontdesk is using Personal Information in an unauthorized manner, take reasonable and appropriate steps to work with Client to remediate the allegedly unauthorized use, if necessary. Frontdesk will notify Client in the event Frontdesk determines it can no longer meet its obligations under the CCPA.

4. FRONTDESK SERVICE PARTNERS

Client specifically authorizes Frontdesk to engage sub-Processors/Service Providers from the agreed list of sub-Processors/Service Providers (“Frontdesk Service Partner List”):

• Amazon Web Services, Inc.
• Google
• Twilio Inc.

In the event that Frontdesk seeks to use additional sub-Processors/Service Providers and update the Frontdesk Service Partner List, Frontdesk will provide notice of such update to Client (which may be via email, an online posting or notification, or other reasonable means). Client may reasonably object to a change to the Frontdesk Service Partner List on legitimate grounds within 30 days of notice of this change by emailing legal@frontdesk.ai. Notwithstanding the foregoing, Client acknowledges that Frontdesk’s sub-Processors/Service Providers are essential to provide the Services and if Client objects to Frontdesk’s use of a sub-Processor/Service Provider, then notwithstanding anything to the contrary in the Underlying Agreement (including this DPA), Frontdesk will not be obligated to provide to Client the Services for which Frontdesk uses that sub-Processor/Service Provider.

5. FRONTDESK AS A CONTROLLER OF CLIENT ACCOUNT DATA

Client acknowledges that, with regard to the Processing of Client Account Data, Client is a controller and Frontdesk is an independent Controller/Business, not a joint Controller with Client. Frontdesk will Process Client Account Data as a Controller in order to: (a) manage the relationship with Client; (b) carry out Frontdesk’s core business operations, such as billing and accounting; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) perform identity verification; and (e) as otherwise permitted under Applicable Data Protection Laws and in accordance with this DPA, the Underlying Agreement, and Frontdesk’s Privacy Policy.

6. CONFLICTS

To the extent there is a conflict or inconsistency between this DPA and the Underlying Agreement, this DPA will control.