DATA PROCESSING ADDENDUM

June 22, 2023

This Data Processing Addendum (“DPA”), is an agreement between the entity you represent (“You”) and ALLDATA LLC  (“ALLDATA”) together with any of its affiliates or subsidiaries. This forms a part of any written or electronic agreement between You and ALLDATA (each an “Agreement”), except with respect to any Agreement under which the Parties have entered into separate data processing terms. ALLDATA and You shall collectively be referred to as the “Parties” or individually as a “Party”.

A. Defined Terms

  1. “ALLDATA Data” refers to all data provided by, on behalf of, or relating to ALLDATA, including but not limited to: Personal Information, vehicle information, health information, government issued identification numbers, payment card information, employment related information, strategic information, non-public product or service information or financial information.
  2. “Data Protection Laws” means any federal or state law or regulation pertaining to data protection, privacy, and/or the Processing of Personal Information, to the extent applicable with respect of a Party’s obligations under the Agreement and this DPA. For illustrative purposes only, Data Protection Laws include, without limitation, and to the extent applicable, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) as amended, the Colorado Privacy Act, Colo. Rev. Stat. Ann. § 6-1-1301 et. seq. (“CPA”), the Connecticut Data Privacy Act, CT PA § 22-15 et. seq. (“CTDPA”), and the Virginia Consumer Data Protection Act, Va. Code § 59.1-575 et seq.(“VCDPA”), and any associated regulations or any other legislation or regulations that transpose, supersede or are deemed substantially similar to the above.
  3. “Data Security Incident” means any actual or reasonably suspected: (i) accidental, unauthorized, or unlawful: access, destruction, theft, loss, alteration, disclosure, acquisition, reproduction, or use of ALLDATA Data whether or not the incident rises to the level of a security breach under the Data Protection Laws; (ii) introduction of unauthorized code, processes or data into Your systems that Process ALLDATA Data; (iii) any other breach of security of Your systems that Process ALLDATA Data; or (iv) any act or omission that compromises the security, confidentiality, or integrity of ALLDATA Data or the physical, technical, administrative, or organizational safeguards put in place to protect ALLDATA Data.
  4. “Data Subject” means an identified or identifiable person to whom Personal Information relates.
  5. “Personal Information” (also referred to herein as “Personal Data”) means any ALLDATA Data or information, in whole or in part in any form or format, that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular household, consumer or individual.
  6. “Process,” “Processing,” and “Processed” means any operation or set of operations which is performed upon ALLDATA Data or sets of ALLDATA Data, including Personal Information, whether by manual or automated means, such as access, collection, recording, organization, structuring, storage, adaptation or alteration, modification, retrieval, consultation, use, disclosure, analysis, dissemination or otherwise making available, duplication, alignment by combination, redaction, erasure or destruction. Processing also includes transferring Personal Information to third parties.
  7. “Security Measures” means appropriate technological, physical, organizational and procedural safeguards, including, without limitation, policies, procedures, guidelines, practices, standards, controls, hardware, software, firmware and physical security measures, the function or purpose of which is, in whole or in part, to protect the confidentiality, privacy, security, integrity and/or availability of ALLDATA Data.
  8. All capitalized terms set forth in this DPA but not defined in this Section shall have the meaning ascribed to them in the Agreement and/or Data Protection Laws. To the extent that any definition of these capitalized terms in the Agreement conflict with those in Data Protection Laws, the definitions in Data Protection Laws shall prevail.

B. Data Processing Requirements

  1. Data Processing. You acknowledge and agree that You are a Service Provider or Contractor, as defined under CCPA, and/or a Processor, as defined by the CPA, CTDPA, and/or VCDPA, as it relates to Your Processing of ALLDATA Data disclosed to You pursuant to the Agreement. You acknowledge and confirm that:
    1. You do not receive any Personal Information from ALLDATA as consideration for any services or other items provided to ALLDATA;
    2. You shall Process Personal Information received by, created on behalf of, or made available by ALLDATA only for the specific Business Purpose identified in the applicable statement of work or other ordering document executed by the parties (“SOW”) or as otherwise permitted by Data Protection Laws;
    3. You shall not process, retain, use, or disclose Personal Information outside of the direct business relationship between You and ALLDATA;
    4. Except as explicitly permitted under Data Protection Laws, under no circumstances shall You Process such Personal Information for any Commercial Purpose or purpose other than the Business Purpose set forth in any applicable SOW, including, without limitation, Cross-Context Behavioral Advertising or Targeted Advertising, Your own purposes or those of any third party;
    5. You shall not combine Personal Information received by ALLDATA with any personal information received from others. Except as expressly set forth in the Agreement, You shall not have, derive or exercise any rights, title, interest or benefits in ALLDATA Data. You shall not Sell or Share any Personal Information and shall not cause any transfers of Personal Information to or from You to qualify as a Sale or Sharing of Personal Information under Data Protection Laws; and
    6. You shall otherwise comply with all applicable sections of the Data Protection Laws with regard to your Processing of Personal Information, including without limitation by providing the same level of privacy protection to Personal Information as is required by ALLDATA under applicable Data Protection Laws.
    7. In the event of a Data Security Incident, Service Provider shall notify ALLDATA as soon as practicable.
  2. ALLDATA acknowledges and agrees that You may Aggregate and/or De-identify ALLDATA Data for the purpose of improving existing or developing new products and services. Notwithstanding the foregoing, under no circumstances shall You Process ALLDATA Data in violation of any Data Protection Law.
  3. Data Subject Requests. You shall cooperate with ALLDATA (including by appropriate technical and organizational measures) to enable ALLDATA to respond to any requests, complaints or other communications relating to the Processing of Personal Information, including requests from Data Subjects seeking to exercise their rights under Data Protection Laws or requests from legal or regulatory bodies. As required by Data Protection Laws, you shall comply with ALLDATA’s instructions with regard to fulfillment of Data Subject requests to exercise their rights under Data Protection Laws and provide ALLDATA with the information necessary for ALLDATA to comply with Data Subject requests with regard to Personal Information that You Process.
  4. Sub-Contractors/Sub-Processors. In the event that You engage sub-contractors or sub-processors to Process ALLDATA Data, You shall: (i) notify ALLDATA regarding Your use of Sub-contractors or Sub-processors and agree to (ii) contractually impose applicable data protection and privacy obligations with regard to Personal Information that comply in all respects with the Data Protection Laws on any Sub-contractors or sub-processors You engage, including, without limitation, requiring Sub-contractors to cooperate with You in facilitating Data Subjects’ exercise of their rights under Data Protection Laws. You remain fully liable for the acts or omissions of Your Sub-contractors or Sub-processors as provided by Data Protection Laws.
  5. Due Diligence and Compliance. You shall cooperate with ALLDATA to enable ALLDATA to conduct due diligence to ensure Your compliance with this DPA and Data Protection Laws. You grant ALLDATA the right, upon notice, to take reasonable and appropriate steps to, without limitation, validate Your compliance, and stop and remediate unauthorized use of ALLDATA Data. If You determine that You can no longer comply with the requirements of this DPA or Data Protection Laws, You must notify ALLDATA within five (5) days of such determination.


C. Safeguarding Data

  1. You are responsible for the security of any ALLDATA Data to the extent that You Process such data. You shall, at your sole cost and expense, implement Security Measures that are no less stringent than, and shall only Process ALLDATA Data in such a manner so as to comply with: (a) Data Protection Laws; and (b) any other requirements of this DPA or the Agreement.
  2. At a minimum, Your Security Measures shall include, when appropriate, based on data type and best practices: (a) access controls (including multi-factor authentication, where appropriate); (b) physical security; (c) encryption of ALLDATA Data at rest and in transit; (d) segregation of ALLDATA Data from Your other customers’ data; (e) privacy and security awareness training; (f) record maintenance, including, without limitation, incident and compliance recordkeeping; (g) secure development practices with regard to applications that Process ALLDATA Data; and (h) incident response, vulnerability mitigation, and vendor management programs.
  3. You shall implement and maintain industry-standard processes to monitor Your systems and software for malicious or unauthorized code, processes and commands designed to: (a) facilitate or permit unauthorized access to Your systems or data contained therein; or (b) disable, erase, or otherwise harm Your systems, services, data or software.
  4. In order to ensure Your Security Measures are consistent with Your obligations under Data Protection Laws, this DPA and the Agreement, You shall, upon reasonable request by or on behalf of ALLDATA: (a) conduct an independent information security or data protection audit through a mutually acceptable auditor, (b) provide ALLDATA with copies of audits and test result information such as SOC2 Type 2, vulnerability assessment or penetration test, (c) respond to information security questionnaires and/or (d) provide copies of Your information security or privacy policies and procedures to ALLDATA.
  5. You shall cooperate with ALLDATA’s reasonable requests to assist ALLDATA with its own compliance objectives pursuant to Data Protection Laws, including, without limitation, completing any documentation, assessments, or questionnaires provided to You regarding the same with complete and accurate information.
  6. You shall, to the extent permitted by law, notify ALLDATA immediately upon receipt of any request from a regulatory authority or government body to access ALLDATA Data, including any request for a data protection assessment or any request to access locations where such data is stored.
  7. You shall immediately notify ALLDATA if You know or reasonably believe that any written instruction given by ALLDATA would cause either Party to violate Data Protection Laws. In the event of any conflict among any of Your obligations as required herein, You shall comply with the obligation that provides the most protective security to ALLDATA Data.

D. Data Destruction and Return

You will retain ALLDATA Data only for as long as it’s necessary for the permitted purpose, or as required by applicable laws. At the termination of the Agreement, or upon ALLDATA’s written request, You will either destroy or return ALLDATA Data to ALLDATA, unless legal obligations require storage of the ALLDATA Data.

F. General Terms

  1. Confidentiality. This DPA and information each Party may receive about the operations and Security Measures of the other Party shall be considered Confidential Information as that term is defined in the Agreement.
  2. Notices. All notices and communications given under this DPA must be provided in accordance with the Agreement. Data Security Incidents should be emailed to SOC@autozone.com and CERT@autozone.com.
  3. Governing Law and Jurisdiction. Any dispute regarding the interpretation of this DPA shall be resolved by the laws regarding contract interpretation of the jurisdiction specified in the Agreement. Any dispute arising in connection with this DPA, which the Parties are not able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts specified in the Agreement.
  4. You represent, warrant, and certify that You understand the rules, restrictions, requirements and definitions of this DPA and Data Protection Laws and agree to comply with and be bound by them.