State Privacy Law Compliance Statement

Effective January 1, 2023 

This State Privacy Law Compliance Statement (“Statement”) summarizes Quid’s procedures with regard to CCPA, CPA, CTDPA, and VCDPA. To the extent that  Quid (referred to herein as “Supplier”) Processes any Customer Personal Information, as defined below, as part of or in connection with Quid’s performance of the Quid Services from California, Colorado, Connecticut, and Virginia residents, the applicable sections of this Statement will apply.   

Supplier reserves the right to update this Statement from time to time as needed to address changes in applicable laws and Supplier’s business practices.  Unless otherwise agreed by the parties, the updated Statement will be effective as of the date noted in the Statement.  Unless otherwise agreed by the parties, Customer’s continued use of the Services will constitute Customer’s agreement to the updated terms. 

1. Definitions. 

“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and the regulations issued thereunder, in each case as amended. 

“CPA” means the Colorado Privacy Act and the regulations issued thereunder, in each case as amended.  

“CTDPA” means Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, as amended. 

“Customer” means the entity using Supplier’s Services. 

“Customer Agreement” means the commercial agreement pursuant to which Supplier agrees to provide the Services to Customer.  

“Customer Personal Information” means information about an individual that is defined as “Personal Data” or “Personal Information” by CCPA or VCDPA, and that is Processed by Supplier on behalf of Customer pursuant to the Customer Agreement. 

“Process” or “Processing” means any operation or set of operations, whether by manual or automated means, which is performed on Customer Personal Information, such as collection, recording, organization, structuring, alteration, use, access, disclosure, copying, transfer, storage, delivery or other use of Customer Personal Information. 

“Services” means the services outlined in the Customer Agreement.  

“VCDPA” means the Virginia Consumer Data Protection Act, as amended.  

2. Customer Personal Information Subject to CCPA. 

1. To the extent the CCPA applies to Supplier’s Processing of Customer Personal Information, such Customer Personal Information will be disclosed by Customer to Supplier to perform the Services, and to perform routine debugging and troubleshooting, and Supplier will act as Customer’s “Service Provider” or “Contractor,” as such terms are defined under CCPA, with respect to such information. To the extent that Supplier is deemed to be a “Contractor” (as such term is defined under the CCPA), Supplier certifies that it understands the restrictions on its Processing of Customer Personal Information as set forth in this Section 2 and will comply with them.
2. The parties agree that the specific “business purpose(s)”, as “business purpose” is defined under CCPA, of Supplier’s Processing of Customer Personal Information are in Section 4 below.  Customer is providing Customer Personal Information to Supplier only for the limited and specified purposes listed in Section 4 below. 
3. Supplier will not (i) “sell” or “share” Customer Personal Information, as “sell” and “share” are defined under CCPA; (ii) retain, use, or disclose Customer Personal Information for any purpose other than the specific purpose of performing the Services in the Customer Agreement with Customer, including retaining, using, or disclosing Customer Personal Information for a commercial purpose other than providing the Services or as otherwise permitted by the CCPA; (iii) retain, use, or disclose Customer Personal Information outside of the direct business relationship between Supplier and Customer, unless expressly permitted by CCPA; or (iv) combine Customer Personal Information that Supplier receives from or on behalf of Customer with Personal Information that Supplier receives from or on behalf of another person, or collects from its own interaction with an individual, unless permitted by CCPA.
4. Supplier shall enable Customer to comply with consumer requests made pursuant to CCPA. Supplier will inform Customer of any consumer requests made pursuant to CCPA that Supplier must comply with and provide the information necessary for Customer to comply with the request.
5. Supplier shall comply with all applicable sections of CCPA. 
6. Supplier hereby grants Customer the right to take reasonable and appropriate steps to confirm that Supplier is using Customer Personal Information in a manner consistent with Customer’s obligations under CCPA.
7. Supplier shall notify Customer in the event Supplier determines that it can no longer meet its obligations under CCPA.
8. Supplier hereby grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate any of Supplier’s use of Customer Personal Information 
9. If Supplier subcontracts with another person in providing the services to Customer, then Supplier shall notify Customer of the engagement, and shall have a written contract with such subcontractor that complies with CCPA.  

1. To the extent the VCDPA, CPA, or CTDPA applies to Supplier’s Processing of Customer Personal Information, such Customer Personal Information will be disclosed by Customer to Supplier to perform the Services, and to perform routine debugging and troubleshooting, and Supplier will act as Customer’s “Processor” as such term is defined under VCDPA, CPA, or CTDPA, as applicable, with respect to such information. 
2. The parties agree that the terms of this Statement shall be binding on the parties and shall govern Supplier’s data processing procedures with respect to processing performed on behalf of Customer. 
3. The parties agree that the instructions and details for processing Customer Personal Information are in Section 4 below, and the rights and obligations of the parties with respect to Customer Personal Information are set forth in this Statement and the Customer Agreement. 
4. Supplier shall:  (i) bind each person processing Customer Personal Information to a duty of confidentiality with respect to Customer Personal Information; (ii) at Customer’s direction, delete or return all Customer Personal Information to Customer as requested at the end of the provision of services, unless retention of Customer Personal Information is required by law; (iii) upon the reasonable request of Customer, make available to Customer all information in its possession necessary to demonstrate Supplier’s compliance with the obligations in VCDPA, CPA, or CTDPA (as applicable); (iv) allow, and cooperate with, reasonable assessments by Customer or Customer’s designated assessor; alternatively, Supplier may arrange for a qualified and independent assessor to conduct an assessment of Supplier’s policies and technical and organizational measures in support of the obligations under VCDPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Supplier shall provide a report of such assessment to Customer upon request; and (v) engage any subcontractor pursuant to a written contract in accordance with applicable law that requires the subcontractor to meet the obligations of the processor with respect to Customer Personal Information. 

4. Instructions for Processing Customer Personal Information.  

Subject to the terms and conditions of this Statement, Customer hereby instructs Supplier to Process Customer Personal Information as set forth in this Section 4:  

1. The nature and purpose of Processing (including the business purposes(s)): to provide the Services, provided that the use of Customer Personal Information shall be reasonably necessary and proportionate to achieve the operational purpose for which Customer Personal Information was collected or processed or for another operational purpose that is compatible with the context in which Customer Personal Information was collected
2. The type of data subject to Process: contact information of Customer’s employees 
3. The duration of processing: for the term of the Customer Agreement, subject to its survival terms