California and Virginia Data Protection Laws

Last updated March 13, 2023

This Exhibit applies to the processing of Customer Personal Data protected under Applicable US Laws.

1. Definitions.
“Applicable US Laws” means, as applicable: the CCPA and Virginia’s Consumer Data Protection Act.

“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its final regulations.

“Customer Personal Data” means the personal information or personal data provided or made available or accessible by Customer to OneSignal in connection with the Agreement.

The terms “business”, “business purpose”, “commercial purpose”, “consumer”, “controller”, “personal data”, “personal information”, “process”, “processing”, “processor”, “sell”, “service provider”, and “share” as used in this Exhibit have the meanings given in the Applicable US Laws.

2. Processing.

2.1. Responsibilities. The parties acknowledge and agree that:

2.1.1. OneSignal is a service provider and processor of Customer Personal Data under Applicable US Laws;

2.1.2. Customer is a business and controller of Customer Personal Data under Applicable US Laws;

2.1.3. Each party will comply with the obligations applicable to it under the Applicable US Laws with respect to the processing of Customer Personal Data;

2.1.4. Nothing in this Exhibit shall be construed to relieve a controller/business or a processor/service provider from the liabilities imposed on it by virtue of its role in the processing relationship as defined by Applicable US Laws; and

2.1.5 The parties agree to the following:

a) Nature of the processing: collecting, organizing, structuring, storing, altering, using, disclosing, combining, deleting and destroying.

b) Purpose of the processing: for OneSignal to provide the Services to Customer, including, specifically, delivering push notifications, in-app messaging, email messaging, and SMS messaging to the Customer’s intended recipients; and supporting and communicating with Customer’s employees who use the Services.

c) Type of personal information that is subject to the processing:

The types and extent of personal data processed are determined and controlled by the Customer in its sole discretion; provided that no Sensitive Information will be shared with OneSignal. Personal data may include name, email, and IP address.

d) Type of consumer whose personal information is being processed: Customer’s employees and contractors; users of Customer’s website and/or mobile apps.

e) Duration of processing:

The term of the Agreement until Customer Personal Data is deleted.

2.2. Instructions. Customer instructs OneSignal to process Customer Personal Data in accordance with the following, and OneSignal will comply to the extent not prohibited under Applicable US Laws: (a) to provide the Services; (b) as set forth in the Agreement and this Exhibit; (c) as set forth in any other written instructions given by Customer; and (d) to process Customer Personal Data as permitted under Applicable US Laws for service providers and processors.

2.3. Confidentiality. OneSignal will ensure that all persons authorized to process Customer Personal Data are subject to a duty of confidentiality with respect to the Customer Personal Data.

2.4. Data Deletion. Customer instructs OneSignal to delete all Customer Personal Data from OneSignal’s systems upon termination of the Agreement, except to the extent retention of Customer Personal Data is required by applicable law.

2.5. Demonstration of Compliance. Upon Customer’s reasonable request, OneSignal will make available to Customer all information in its possession necessary to demonstrate OneSignal’s compliance with its obligations under Applicable US Laws.

2.6. Data Security. OneSignal will implement and maintain technical and organizational measures to protect Customer Personal Data against unauthorized access to or acquisition of Customer Personal Data on systems managed by or otherwise controlled by OneSignal.

2.7. Data Incidents. Taking into account the nature of processing and the information available to OneSignal, OneSignal will reasonably assist Customer in meeting its obligations in relation to the security of processing the Customer Personal Data and in relation to the notification of a Data Incident pursuant to Applicable US Laws. If OneSignal becomes aware of a Data Incident, OneSignal will notify Customer without unreasonable delay and take reasonable steps to minimize harm and secure Customer Personal Data. “Data Incident” means a breach of the security of the system (as defined under Applicable US Laws) of OneSignal, including a breach of security leading to the unauthorized access to or acquisition of (or reasonable belief of such unauthorized access to or acquisition of) Customer Personal Data on systems managed by or otherwise controlled by OneSignal, excluding unsuccessful attempts that do not compromise the security of Customer Personal Data such as unsuccessful pings, log-in attempts, and other network attacks on firewalls or networked systems. OneSignal’s notification of or response to a Data Incident will not be construed as an acknowledgement by OneSignal of any fault or liability with respect to the Data Incident. For the avoidance of doubt, OneSignal is not responsible or liable for any personal data breach or incident to the extent the breach or incident arose from the actions, omissions, personnel, users, service providers, or systems of Customer. Customer is responsible for complying with breach and incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident.

2.8. Assistance; Assessments. OneSignal will reasonably assist Customer in meeting its obligations under Applicable US Laws, including the following:

2.8.1. taking into account the nature of processing and the information available to OneSignal, by appropriate technical and organizational measures, insofar as this is reasonably practicable, assisting Customer in fulfilling Customer’s obligation to respond to consumer rights requests pursuant to Applicable US Laws; and

2.8.2. providing necessary information to enable Customer to conduct and document data protection assessments pursuant to Applicable US Laws. OneSignal will allow and cooperate with reasonable assessments by Customer (or Customer’s designated assessor, subject to execution of a confidentiality agreement with OneSignal); provided, that OneSignal may alternatively arrange for a qualified and independent assessor to conduct an assessment of OneSignal’s policies and technical and organizational measures in support of the obligations under Applicable US Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments. OneSignal shall provide Customer a report of such assessment upon Customer’s request.

2.9. Subcontractors. If OneSignal engages any subcontractor to process Customer Personal Data on OneSignal’s behalf, OneSignal will enter into a written contract with such subcontractor that requires the subcontractor to meet the obligations of OneSignal under Applicable US Laws with respect to the Customer Personal Data. OneSignal’s list of subcontractors is located on this web page: https://media.onesignal.com/cms/Files/Annex_III_Sub-processors.pdf. OneSignal will notify Customer if OneSignal engages any other subcontractors to assist it in processing Customer Personal Data for a business purpose on behalf of Customer (or if any other person engaged by OneSignal engages another person to do the same). Customer acknowledges and agrees that an update to the web page is sufficient notice.

3. Additional Customer Responsibilities.
3.1. Customer will disclose Customer Personal Data to OneSignal only for the limited and specified business purposes set forth in this Exhibit and the Agreement.

3.2. Customer will limit the disclosure of Customer Personal Data to OneSignal to what is reasonably necessary for the purposes of OneSignal providing the Services to Customer. Customer will not disclose any sensitive personal information or sensitive data (as defined under Applicable US Laws) to OneSignal.

3.3. Customer will not request OneSignal to process Customer Personal Data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such Customer Personal Data is processed, as disclosed to the consumer, unless Customer obtains the consumer’s consent.

3.4. Customer will establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of Customer Personal Data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.

3.5. Customer will not request OneSignal to process Customer Personal Data in violation of applicable laws that prohibit unlawful discrimination against consumers and Customer will not discriminate against a consumer for exercising its rights under Applicable US Laws.

3.6. Customer will provide consumers with a reasonably accessible, clear and meaningful privacy notice with means for consumers to submit requests and to opt out and opt in to certain data practices, as required by Applicable US Laws.

3.7. Customer will inform OneSignal of any consumer request that OneSignal must comply with and provide information necessary for OneSignal to comply with the request.

4. Additional CCPA Obligations. To the extent that CCPA applies to the processing of Customer Personal Data, OneSignal will act as Customer’s service provider, and as such, unless otherwise permitted for service providers under CCPA:

4.1. OneSignal will not sell or share any Customer Personal Data that it obtains from (or on behalf of) Customer in connection with the Agreement;

4.2. OneSignal will not retain, use or disclose Customer Personal Data (including outside of the direct business relationship between OneSignal and Customer) for any purpose (including any commercial purpose), other than for a business purpose under the CCPA on behalf of Customer and the specific purposes of performing the Services as described in this Exhibit;

4.3. OneSignal will not combine (or update) Customer Personal Data that OneSignal receives from, or on behalf of, Customer with (i) personal information that OneSignal receives from, or on behalf of, another person or persons or (ii) personal information collected from OneSignal’s own interaction with a consumer;

4.4. OneSignal will comply with applicable obligations under CCPA and will provide the same level of privacy protection as is required by CCPA, including by cooperating with Customer in responding to and complying with consumer requests and implementing reasonable security procedures and practices appropriate to the nature of the personal information to protect the Customer Personal Data from unauthorized or illegal access, destruction, use, modification or disclosure in accordance with CCPA;

4.5. OneSignal will grant Customer the right to take reasonable and appropriate steps to ensure that OneSignal uses the Customer Personal Data in a manner consistent with Customer’s obligations under CCPA, including ongoing manual reviews and automated scans (subject to notification and mutual agreement of the parties with respect to the method) of OneSignal’s system and regular assessments, audits, or other technical and operating testing (not to exceed once per year);

4.6. OneSignal will promptly notify Customer if OneSignal makes a determination that it can no longer meet its obligations under the CCPA; and

4.7. If Customer reasonably believes that OneSignal is processing Customer Personal Data in an unauthorized manner, the parties will work together in good faith to remediate the allegedly violative processing activities, if necessary.