Data Processing Addendum

UPDATED: January 1, 2023

Route Data Protection Addendum

THIS DATA PROCESSING ADDENDUM (this “DPA”) supplements and is a part of the Master Services Agreement or other written or electronic agreement (in either case, the “Agreement”) for the purchase of services (identified in the Agreement as either “Services” or otherwise, and hereinafter defined as “Services”) entered into between Route App Inc. (“Route”, “we”, “us” and “our”), and the entity that has offered our services pursuant to the Agreement (“Merchant-Customer”, “you” and “your”). This English language version controls regardless of any translation.

Defined Terms. The terms used in this Addendum have the meaning set forth in this Addendum. Capitalized terms not defined herein have the meaning given to them in the Agreement.
1. “Controller” or “Business” means the entity which alone or jointly with others determines the purposes and the means of the Processing of Personal Data.
2. “Consumer-Customer” means a customer of a Merchant that uses Route’s tracking and insurance services.
3. “Data Protection Laws” means all applicable laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including, when effective, the California Privacy Rights Act amendments (“CCPA”); the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the Swiss Federal Act on Data Protection (“FADP”); and the United Kingdom Data Protection Act of 2018 (“UK GDPR”).
4. “Data Subject” means any natural person whose Personal Data is Processed in the context of this Addendum.
5. “EU Standard Contractual Clauses” or “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Section 4 below and available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.
6. “Europe” means the member states of the European Union (“EU”), Switzerland, the United Kingdom (“UK”), the European Economic Area (“EEA”), the European Free Trade Agreement, and Monaco.
7. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Protection Laws.
8. “Processor” or “Service Provider” means the entity which Processes Personal Data on behalf of a Controller.
9. “Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
10. “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Route.
11. “Services” means the services provided to Merchant-Customer under the Agreement.
12. “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf)

Relationship of the Parties
- Merchant-Customer Personal Data. Pursuant to the Agreement, Route may collect certain data related to a Merchant’s end users (such as Merchant’s personnel) such as their name, email address and credentials to access the Services (“Merchant-Customer Personal Data”). Route acts as a Controller or Business (as applicable under Data Protection Laws) of such Merchant-Customer Personal Data.
- Consumer-Customer Personal Data. Merchant-Customers offer Route’s add-on tracking and insurance services (“Features”) to Consumer-Customers for the Merchant-Customer’s legitimate business purposes. Merchant-Customers determine what Personal Data to collect from Consumer-Customers in the course of offering the Features and are independent Controllers/Businesses of such Personal Data. Depending on the different ways in which you, and we, may interact with Consumer-Customers, our role with respect to Consumer-Customer Personal Data differs depending upon the circumstances. Route acts as:
  1. A Processor/Service Provider with respect to Consumer-Customer Personal Data that a Merchant-Customer stores in our systems relating to Consumer-Customers that did not affirmatively opt in to the Features (i.e., where Merchant-Customer automatically applies the Features to all orders);
  2. a Joint Controller/Business, along with you, when you store Consumer-Customer Personal Data in our systems from Consumer-Customers who affirmatively choose to enroll in the Features; and
  3. an Independent Controller/Business for Consumer-Customer Personal Data provided to us directly by Consumer-Customers (notwithstanding the nature of such Consumer-Customers’ interactions with you, if any), including but not limited to information provided to us by the Consumer-Customer’s use of our online and mobile resources (e.g. our mobile application).

Route’s Obligations when Acting as a Processor or Service Provider.
1. Obligations. Solely to the extent Route is acting as a Processor/Service Provider to Merchant-Customer with respect to Consumer-Customer Personal Data, Route will:
  1. Process Consumer-Customer Personal Data solely: (1) to fulfill its obligations to Merchant-Customer under the Agreement, including this Addendum; (2) on Merchant-Customer’s behalf; and (3) in compliance with Data Protection Laws. Route will not “sell” Consumer-Customer Personal Data or “share” or Process Customer-Customer Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms in quotation marks are defined in applicable Data Protection Laws), or otherwise Process Consumer-Customer Personal Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Merchant-Customer.
  2. not attempt to link, identify, or otherwise create a relationship between Consumer-Customer Personal Data and non-Personal Data or any other data without the express authorization of Merchant-Customer.
  3. Ensure that the persons it authorizes to Process Consumer-Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  4. Taking into account the nature of the processing, assist Merchant-Customer by implementing appropriate technical and organizational measures to ensure that Merchant-Customer may respond to request(s) from their Consumer-Customers exercising their rights under Data Protection Laws.
  5. Promptly notify Merchant-Customer of (i) any third-party or Data Subject complaints regarding the Processing of Consumer-Customer Personal Data that Route Processes as a Processor/Service Provider; or (ii) any government or Data Subject requests for access to or information about Route’s Processing of Consumer-Customer Personal Data that Route Processes as a Processor/Service Provider on Merchant-Customer’s behalf, unless prohibited by applicable Data Protection Laws. Route will provide Merchant-Customer with reasonable cooperation and assistance in relation to any such request. If Route is prohibited by applicable Data Protection Laws from disclosing the details of a government request to Merchant-Customer, Route shall inform Merchant-Customer that it can no longer comply with Merchant-Customer’s instructions under this Addendum without providing more details and await Merchant-Customer’s further instructions.
  6. Provide reasonable assistance to and cooperation with Merchant-Customer for Merchant-Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Consumer-Customer Personal Data, when required by applicable Data Protection Laws, and at Merchant-Customer’s reasonable expense.
  7. Provide reasonable assistance to and cooperation with Merchant-Customer for Merchant-Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Consumer-Customer Personal Data, including complying with any obligation applicable to Route under Data Protection Laws to consult with a regulatory authority in relation to Route’s Processing or proposed Processing of Consumer-Customer Personal Data.
2. Security Breach. Route will notify Merchant-Customer without undue delay of any known Security Breach of Consumer-Customer Personal Data that Route Processes as a Processor/Service Provider on behalf of Merchant-Customer and will assist Merchant-Customer in Merchant-Customer’s compliance with its Security Breach-related obligations, including without limitation, by:
  1. Taking commercially reasonable steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
  2. Providing Merchant-Customer with the following information, to the extent known:
    1. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Merchant’s Consumer-Customer Personal Data records concerned.
    2. The likely consequences of the Security Breach; and
    3. Measures taken or proposed to be taken by Route to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
3. Subprocessors. Solely to the extent Route is acting as a Processor/Service Provider to Merchant-Customer with respect to Consumer-Customer Personal Data:
  1. Merchant-Customer acknowledges and agrees that Route may use subprocessors to Process Consumer-Customer Personal Data in accordance with the provisions in this Addendum and Data Protection Laws. Where Route sub-contracts any of its rights or obligations concerning Consumer-Customer Personal Data, Route will take steps to select and retain subprocessors that are capable of maintaining appropriate privacy and security measures to protect Consumer-Customer Personal Data consistent with applicable Data Protection Laws.
  2. Route’s current list of subprocessors, and Merchant-Customer hereby consents to Route’s use of such subprocessors. Route will maintain an up-to-date list of its subprocessors, and it will provide Merchant-Customer with commercially reasonable prior notice of any new subprocessor added to the list. In the event Merchant-Customer has a commercially reasonable objection to a new subprocessor, Route will use reasonable efforts to make available to Merchant-Customer a change in the services or recommend a commercially reasonable change to, Merchant-Customer’s use of the services to avoid Processing of Consumer-Customer Personal Data by the objected-to subprocessor without unreasonably burdening the Merchant-Customer. Merchant-Customer may, in its sole discretion, terminate the Agreement in the event that Route is not able to provide a reasonable change to cure Merchant-Customer’s subprocessor objection.
4. Audits. Route shall permit Merchant-Customer or its appointed third party auditors (the “Auditors”) to audit Route’s compliance with this Addendum, at Merchant-Customer’s sole expense, and shall make available to the Auditors all information systems and staff reasonably necessary for the Auditors to conduct such audit. Route acknowledges that the Auditors may enter its premises for the purposes of conducting its audit, provided that Merchant-Customer gives at least 30 days’ prior notice of its intention to audit, conducts its audit during normal business hours and takes all reasonable measures to prevent unnecessary disruption to Route’s operations. Merchant-Customer shall limit its exercise of audit rights to not more than once in any twelve (12) calendar month period, unless (1) required by instruction of a relevant regulator; or (2) following a Security Breach.
5. Return or Destruction of Personal Data. When the Agreement terminates or when Route ceases to Process Consumer-Customer Personal Data as a Processor/Service Provider on behalf of Merchant-Customer, upon Merchant-Customer’s request, Route shall either delete or return all Consumer-Customer Personal Data that Route Processes as a Processor/Service Provider, unless Route is required or authorized by applicable Data Protection Law to store such Consumer-Customer Personal Data for a longer period.
6. Liability. Notwithstanding anything to the contrary in the Agreement or this Addendum, Route will not be liable for any claim made by a Data Subject arising from or related to Route’s acts or omissions with respect to the Processing of Consumer-Customer Personal Data, to the extent that Route was acting in accordance with Merchant-Customer’s instructions.

The Parties’ Obligations as Independent Controllers or Businesses.Where the Parties serve as Independent or Joint Controllers or Businesses under the Agreement, the Parties agree as follows:
1. Cooperation. Each party will cooperate with the other party to fulfill compliance obligations under applicable Data Protection Law and enter into any further privacy, confidentiality, or information security agreement reasonably requested by the other party for purposes of compliance with applicable Data Protection Law. In case of any conflict between the Agreement and any such further privacy, confidentiality, or information security agreement, such further agreement shall prevail with regard to the Processing of Consumer-Customer Personal Data covered by it.
2. Security Breach. Where the parties act as Joint Controllers, each party will promptly report to the other party any Security Breach related to Consumer-Customer Personal Data processed in connection with the Agreement and use diligent efforts to remedy such Security Breach in a timely manner. Except as prohibited by law, the content of any filings, communications, notices, press releases or reports related to any such Security Breach in connection with the Agreement must be prepared in cooperation with the other party before any such publication or communication.
3. Cooperation. The parties agree to cooperate with one another in responding to requests from relevant supervisory authorities and in responding to Data Subject requests related to the Processing of Consumer-Customer Personal Data under the Agreement.

Liability. Subject to the liability clauses in the Agreement and to the maximum extent permitted by applicable Data Protection Law, each party agrees that it will be liable to Data Subjects for the entire damage resulting from a violation of applicable Data Protection Law with regard to Processing of Consumer-Customer Personal Data for which it is a Controller or Business. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of responsibility for the damage. Merchant-Customer will indemnify Route for any damages or claims arising from a violation of Merchant-Customer’s obligations to comply with applicable Data Protection Law, in particular from a failure to provide notice to, and where required under applicable Data Protection Law obtain consent from, individuals as specified under Section 5(c) below.
Merchant-Customer’s Obligations as a Data Controller. In addition to the obligations in Section 4, where Merchant-Customer serves as a Controller, Merchant-Customer hereby agrees to:
1. only provide instructions to Route that are lawful;
2. comply with and perform its obligations under applicable Data Protection Law, including with regard to Data Subject rights, data security and confidentiality, and ensuring an appropriate legal basis for the Processing of Consumer-Customer Personal Data; and
3. provide Data Subjects with all necessary information (including by means of offering a transparent and easily accessible public privacy notice) regarding Route’s and Merchant-Customer’s Processing of Consumer-Customer Personal Data for the purposes described in the Agreement and this Addendum.

Data Security. Route will implement appropriate administrative, technical, physical, and organizational measures to protect Merchant-Customer Personal Data, as set forth in Appendix 1.
Data Transfers.
1. Route will not engage in any cross-border Processing of Consumer-Customer Personal Data, or transmit, directly or indirectly, any Consumer-Customer Personal Data to any country outside of the country from which such Consumer-Customer Personal Data was collected, without complying with applicable Data Protection Laws. Where Route engages in an onward transfer of Consumer-Customer Personal Data, Route shall ensure that a lawful data transfer mechanism is in place prior to transferring Consumer-Customer Personal Data from one country to another.
2. With respect to Consumer-Customer Personal Data transferred pursuant to applicable Data Protection Laws in Europe, and except as provided below in Sections 7(c) and 7(d), the Parties agree that:
  1. Where Route acts as a Controller of Consumer-Customer Personal Data, Module 1 of the EU SCCs applies;
  2. Where Route acts as a Processor of Consumer-Customer Personal Data, Module 2 of the EU SCCs applies;
  3. Clause 7 (the optional docking clause) is included;
  4. The optional language in Clause 11 (Redress) is not included;
  5. Under Clauses 17, 18, and 13(a), the Parties choose the laws of Ireland, the courts of Ireland, and the relevant supervisory authorities in Ireland to govern the Addendum for transfers; and (v) Annex I(A), I(B), and II are completed as set forth in Appendix 1 to this Addendum.
3. With respect to Consumer-Customer Personal Data transferred from the United Kingdom for which UK data protection law governs the international nature of the transfer, the UK SCCs form part of this Addendum and take precedence over the rest of this Addendum as set forth in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows: The Parties’ details shall be the Parties and their affiliates; the Key Contacts shall be the contacts set forth in the Agreement; the approved clauses referenced in Table 2 shall be the EU SCCs; the Annexes shall be completed as set forth in Appendices 1 and 2 below; and either Party may end this Addendum as set out in Section 19 of the UK SCCs.
4. For transfers of Merchant-Customer Personal Data that are subject to the FADP, the EU SCCs form part of this Addendum as set forth in Section 7(b) of this Addendum, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).

Appendix 1

Annex I

LIST OF PARTIES
- Data exporter(s):
  - Merchant-Customer, and Merchant-Customer’s details and signature shall be as provided in the Agreement.
  - Activities relevant to the data transferred under these Clauses: Collect consent and transfer User Data for purposes of Route providing Services under the Agreement.
  - Role (controller/processor): Controller
- Data importer(s):
  - Name: Route, Inc.
  - Address: 1441 West Innovation Way, Suite 150, Lehi, Utah 84043
  - Contact person’s name, position and contact details: John Jensen, General Counsel, [email protected].
  - Activities relevant to the data transferred under these Clauses: Route will process personal data in accordance with the Addendum and the Agreement that governs Route’s insurance and tracking services for retail purchases. Processing may include collecting, storing, using, altering, and otherwise transferring personal data as required to provide the Services.
  - Role (controller/processor): Controller/Processor
DESCRIPTION OF TRANSFER
- Categories of data subjects whose personal data is transferred
  - Merchant-Customer’s end users of the Services (i.e., Merchant Customer’s personnel)
  - Consumer-Customers
- Categories of personal data transferred
  - Identifiers, such as: phone number, first name, last name, physical address, email address, zip/postal code, device ID, order ID, transaction ID, items purchased, credentials
  - Transaction information, such as: transaction amount, payment method, last 4 digits of a payment card number
  - Internet or Network Activity, such as: login behaviour, behaviour transaction analyses, IP address
  - Professional or Employment Related Data, such as: Merchant-Customer’s end-user contact information
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
  - N/A
- The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
  - Continuous basis per transactions reviewed, as per the Agreement.
- Nature of the processing
  - Route is responsible for performing the services to Merchant-Customers as set forth in the Agreement, in particular providing insurance and tracking services for Merchant-Customers’ products.
- Purpose(s) of the data transfer and further processing
  - N/A
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
  - For Merchant-Customer Personal Data: The duration of the Agreement plus a reasonable period thereafter to ensure deletion of backup and archived copies.
  - For Consumer-Customer Personal Data: As long as reasonably required to provide the Services to Merchant-Customer, unless Consumer-Customer establishes an independent relationship with Route (in which case retention is governed by Route’s Privacy Policy)
- For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
  - Subprocessors will be subject to the same nature and purposes of Processing as set out in this Addendum.
COMPETENT SUPERVISORY AUTHORITY
- Identify the competent supervisory authority/ies in accordance with Clause 13
  - Irish Data Protection Authority