Data Privacy Supplement

eNotary On Call's Data Privacy Supplement (DPS) is an extension of eNotary On Call's General Terms. The platform collects data of the users' willingly shared information. This document explains how and where we use the information along with records and requests maintained.

“Personal Information” is information that is processed for Business by Provider that (a) identifies or relates to an individual who can be identified directly or indirectly by that data alone or in combination with other information that Provider has or is likely to have access to, or (b) is otherwise defined as protected personal information by the Privacy and Data Protection Requirements.

“Privacy and Data Protection Requirements” refers to all applicable federal laws, state laws, municipal laws, and foreign laws governing the processing, protection, and privacy of Personal Information, including guidelines and codes of practice issued by regulatory bodies.

“Processing, processes, or process” means an operation or set of operations which are performed on Personal Information or on sets of Personal Information, whether or not by automated means or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. Examples include collecting, receiving, recording, storing, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.

"Provider" means the corporate entity that processes personal information on behalf of the Business

1. Business & Personal Information

Personal Information remains in the control of the Business and it remains responsible for implementing the Privacy and Data Protection Requirements, including providing any notice required and obtaining any consents that may be required.

When requested, Provider will provide the general categories of Personal Information and Data Subject types that Provider may process to fulfill their Business Purpose.

2. Obligations

(2.1) Provider shall only process Personal Information to the amount and in the manner required for the Business Purpose, in compliance with Authorized Persons' explicit instructions. Provider will not use Personal Information for any other purpose or in a manner that is inconsistent with this DPS or the Privacy and Data Protection Requirements. If Provider believes that Business's instructions might violate the Privacy and Data Protection Requirements, Provider shall quickly tell Business.

(2.2) All reasonable Business requests or instructions requiring the Provider to stop, mitigate, or remedy unauthorized processing must be promptly implemented by the Provider.

(2.3) Provider will keep all Personal Information confidential, will not sell it, and will not disclose it to third parties unless it is necessary to fulfill the Business Purpose, the Business directs Provider to make the disclosure, this DPS expressly authorizes the disclosure, or the disclosure is required by law.

(2.4) Given the nature of Provider's processing and the information available to Provider, Provider will reasonably assist Business in achieving Business's compliance requirements under the Privacy and Data Protection Requirements.

(2.5) Any modifications to the Privacy and Data Protection Requirements that may have a detrimental effect on Provider's execution of the Agreement must be promptly communicated to Business.

(2.6) Unless otherwise required by the Privacy and Data Protection Requirements, Provider is not responsible for investigating the completeness, accuracy, or sufficiency of any specific Business instructions or Personal Information.

3. Employees

(3.1) Personal Information will only be accessible to those employees of Provider who need it to meet Provider's obligations under this DPS and the Agreement;

(3.2) Provider will ensure that all employees:

A. are informed of Personal Information’s confidential nature and use restrictions;

B. have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and

C. are aware of Provider’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPS.

4. Subcontractors

(4.1) Provider may authorize a subcontractor to process Personal Information only:

A. When Provider provides Business with full details about the subcontractor, Business is given a chance to object;

B. Business receives a copy of the subcontractor's written agreement with the Provider that contains terms substantially the same as those in this DPS, upon Business's written request

C. Under Provider's authority, Subcontractor is responsible for protecting all Personal Information

(4.2) Provider must provide a list of all approved subcontractors and include any subcontractor’s name, location, and contact information for the subcontractor personnel responsible for privacy and data protection compliance.

(4.3) If a subcontractor fails to fulfill its obligations under a written agreement with Provider, Provider remains fully liable to Business for the subcontractor’s performance of its obligations under this DPS.

(4.4) Provider is deemed to control any Personal Information controlled by or in the possession of its subcontractors.

5. Data Subject Requests

(5.1) When Business receives a request from a Data Subject for access to or deletion of Personal Information, Provider will notify Business as soon as possible. Upon receiving notification from Provider, Business must comply with Privacy and Data Protection Requirements.

(5.2) If Business initiates a complaint, notice, or request from a Data Subject, Provider will cooperate with Business in addressing the matter.

6. Aggregate and De-identified Data.

Notwithstanding anything in this DPS to the contrary, Provider retains the right to Process De-Identified Data for its own purposes, provided the processing is consistent with applicable law.

7. Terms & Termination

(7.1) This DPS will remain in full force and effect so long as the Agreement remains in effect, and thereafter so long as Provider possesses or controls Personal Information related to the Agreement.

(7.2) Any provision of this DPS that should come into or continue in force on or after the termination of the Agreement in order to protect Personal Information will remain in full force and effect.

(7.3) If a change in Privacy and Data Protection Requirements precludes either party from carrying out any of its obligations under the Agreement, the parties will halt active Personal Information Processing until the new requirements are met. If the parties are unable to bring Personal Information Processing into conformity, each party may terminate the Agreement by giving the other party written notice of its intent to do so.

8. Data Return and Destruction

(8.1) Provider will provide a copy of, or access to, all or part of the Business Personal Information in its custody or control, upon Business's request.

(8.2) If the Agreement is terminated for any reason, Provider will securely destroy or return all Personal Information in its possession or control that is related to the Agreement, with the exception of Personal Information that Provider is permitted to keep under the Agreement or is required to keep to comply with legal obligations or industry standards.

9. Records

Provider will keep detailed, accurate, and up-to-date records about any Processing of Personal Information it performs for Business, including but not limited to the access, control, and security of the Personal Information, approved subcontractors and affiliates, processing purposes, and any other records required by the Privacy and Data Protection Requirements ("Records"). Provider shall ensure that Records are adequate to allow the Business to verify the Provider's compliance with the DPS's requirements.

10. Audit

Provider will provide information relevant to Provider's handling of Personal Information and Provider's compliance with this DPS upon Business' reasonable request.

11. Warranties

(11.1) Provider represents and warrants that:

A. its employees, subcontractors, agents, and any other person or persons accessing Personal Information on its behalf have received the required training on the Privacy and Data Protection Requirements relating to the Personal Information; and

B. it and anyone operating on its behalf will process Personal Information in compliance with the terms of this DPS, the Privacy and Data Protection Requirements, and other applicable laws, enactments, regulations, orders, standards, and other similar instruments; and

C. it understands this DPS’s restrictions and prohibitions on selling Personal Information and retaining, using, or disclosing Personal Information outside of the parties’ direct business relationship, and it will comply with them.

(11.2) Business represents and warrants that Provider’s use of the Personal Information for the Business Purpose and as specifically instructed by Business will comply with all Privacy and Data Protection Requirements.

12. Indemnification.

Provider will indemnify, defend, and hold eNotary On Call, its affiliates and their officers, directors, employees, agents and representatives harmless from and against any and all costs, damages, liabilities or expenses (including reasonable attorneys’ fees) arising from any third-party claims resulting from (a) the use or possession by any person of User Data or the User System in accordance with the Agreement, (b) breach of the Agreement by Subscriber, or any third party acting on Subscriber’s behalf. Any limitation of liability in the Agreement applies to the foregoing indemnity and reimbursement obligations.