Colorado Privacy Addendum

Version 1.1.0

CDCK and Customer agree to add the following terms to their Agreement:

Compliance

Both sides agree to do their respective parts to comply with the Colorado Privacy Act, consistent with Customer’s role as controller and CDCK’s role as processor.

Cooperation

Whenever it is feasible and legal to do so, each side will give the other prompt Notice of consumer rights requests, regulatory inquiries, and other communications under the Colorado Privacy Act. Both sides agree to cooperate in good faith to respond to and honor such communications.

Security and Breach Response

Taking into account the nature of processing and the information available to CDCK, CDCK will give Customer reasonable assistance in meeting the Customer’s obligations to secure personal data and notify of breaches.

Processor Requirements

CDCK and Customer intend the following terms to meet the requirements of Colorado Revised Statutes subsection 6-1-1305(5):

Processing

CDCK will process personal data on Customer’s behalf and in accordance with Customer’s instructions in order to provide services under the Agreement, for the duration of the Agreement.

Confidentiality

CDCK will ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.

Subcontractors

CDCK will provide Customer the opportunity to object to the engagement of any subcontractor by giving Customer seven calendar days’ advance Notice. CDCK will engage any subcontractor pursuant to a written contract in accordance with Colorado Revised Statutes subsection 6-1-1305(5) that requires the subcontractor to meet the obligations of CDCK with respect to the personal data.

De-Identified Data

If CDCK receives de-identified data from Customer, CDCK will comply with the requirements of subsection 6-1-303(11).

Security

Taking into account the nature of the processing, Customer and CDCK will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The allocation of the responsibilities to implement the measures is established by the terms of the Agreement.

Deletion or Return

At Customer’s choice, CDCK will delete or return all personal data to Customer as requested at the end of the provision of services, unless retention of the personal data is required by law.

Make Available

CDCK will make available to Customer all information necessary to demonstrate CDCK’s compliance with the obligations of the Colorado Privacy Act.

Audits

CDCK will allow for, and contribute to, reasonable audits and inspections by Customer or Customer’s designated auditor. Alternatively, CDCK may, with Customer’s consent, arrange for a qualified and independent auditor to conduct, at least annually and at CDCK’s expense, an audit of CDCK’s policies and technical and organizational measures in support of the obligations under the Colorado Privacy Act using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. CDCK will provide a report of the audit to Customer upon request.

Conflicts

If the terms of this addendum conflict with terms of the Agreement, the terms of this addendum take precedence for personal data subject to the Colorado Privacy Act.

Terminology

  1. This addendum uses the terms consumer, de-identified data, processing, processor, and controller as defined by the Colorado Privacy Act.

  2. This addendum uses the term personal data as defined by the Colorado Privacy Act, limited to consumer personal data processed by CDCK on behalf of Customer.

  3. This addendum uses the term Notice as defined in the Agreement.