Connecticut Privacy Addendum

Version 1.1.0

CDCK and Customer agree to add the following terms to their Agreement:

Compliance

Both sides agree to do their respective parts to comply with Connecticut Public Act No. 22-15, the Connecticut Data Privacy Act, consistent with Customer’s role as controller and CDCK’s role as processor.

Cooperation

Whenever it is feasible and legal to do so, each side will give the other prompt Notice of consumer rights requests, regulatory inquiries, and other communications under the Connecticut Data Privacy Act. Both sides agree to cooperate in good faith to respond to and honor such communications.

Security and Breach Response

Taking into account the nature of processing and the information available to CDCK, CDCK will give Customer reasonable assistance in meeting the Customer’s obligations to secure personal data and notify of breaches.

Processor Requirements

CDCK and Customer intend the following terms to meet the requirements of section 7(b) of the Connecticut Data Privacy Act:

Processing

CDCK will process personal data on Customer’s behalf and in accordance with Customer’s instructions in order to provide services under the Agreement, for the duration of the Agreement.

Confidentiality

CDCK will ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.

Deletion or Return

At Customer’s direction, CDCK will delete or return all personal data to Customer as requested at the end of the provision of services, unless retention of the personal data is required by law.

Make Available

Upon the reasonable request of Customer, CDCK will make available to Customer all information in its possession necessary to demonstrate CDCK’s compliance with the obligations of the Connecticut Data Privacy Act.

Assessments

CDCK will allow, and cooperate with, reasonable assessments of Connecticut Data Privacy Act compliance by Customer or Customer’s designated assessor. Alternatively, CDCK may arrange for a qualified and independent assessor to conduct an assessment of CDCK’s policies and technical and organizational measures in support of the obligations under the Connecticut Data Privacy Act using an appropriate and accepted control standard or framework and assessment procedure for such assessments. CDCK shall provide a report of such independent assessment to Customer upon request.

Subcontractors

CDCK will provide Customer the opportunity to object to the engagement of any subcontractor by giving Customer seven calendar days’ advance Notice. CDCK will engage any subcontractor pursuant to a written contract in accordance with Connecticut Data Privacy Act section 7(b)(4) that requires the subcontractor to meet the obligations of CDCK with respect to the personal data.

De-Identified Data

If CDCK receives de-identified data from Customer, CDCK will comply with sections 1 to 11 of the Connecticut Data Privacy Act, inclusive.

Conflicts

If the terms of this addendum conflict with terms of the Agreement, the terms of this addendum take precedence for personal data subject to the Connecticut Data Privacy Act.

Terminology

  1. This addendum uses the terms consumer, de-identified data, processing, processor, and controller as defined by the Connecticut Data Privacy Act.

  2. This addendum uses the term personal data as defined by the Connecticut Data Privacy Act, limited to consumer personal data processed by CDCK on behalf of Customer.

  3. This addendum uses the term Notice as defined in the Agreement.