1.        SCOPE

1.1     The following Data Processing Addendum (“DPA”) applies to all transfers of Personal Information (defined below) by and between Psychological Assessment Resources, Inc., PARiConnect, PAR InVista, and/or the Self-Directed Search (collectively, "PAR," “we,” “us,” or “our”) and any entities that provide the Personal Information of their patients, clients, students, or customers to PAR for PAR’s provision of services (these entities are herein referred to as “Customer”). This DPA is effectively incorporated into the agreement (“Agreement”) entered into between PAR and Customer (each a “Party” and collectively the “Parties”). This DPA is effective as of the date of the Agreement. In the event of a conflict between any provisions of the Agreement and the provisions of this DPA, the provisions of this DPA shall govern and control. 

1.2     PAR acknowledges that Customer and/or the data it discloses to PAR may be subject to consumer privacy laws and regulations, as well as common law restrictions and/or obligations (the “Consumer Privacy Laws”). Consumer Privacy Laws may include, but are not limited to, laws, and associated regulations or guidance, such as pursuant to the Health Insurance Portability and Accountability Act, General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), U.K. General Data Protection Regulation, California Consumer Privacy Act (the “CCPA”) and California Privacy Rights Act (“CPRA”), as codified in California Civil Code sections 1798.100, et seq. (collectively, “CCPA/CPRA”), and other similar foreign or domestic, federal, state, or local privacy statutes, regulations, rules, or guidance, laws currently in effect or that may come into effect during the term of the Agreement, all as applicable and as may be amended from time to time.

2.       DEFINITIONS 

2.1     Based on Customer’s relationship with PAR, PAR is considered a “service provider,” “contractor,” or “processor” (collectively, “Processor”) under the Consumer Privacy Laws. As a Processor, PAR may process and/or receive “personal information” or “personal data,” as such terms are defined in applicable Consumer Privacy Laws, from, or on behalf of, Customer (such personal information or personal data is herein referred to as “Personal Information”). 

2.2     The term “security incident” means (i) any act or omission that compromises either the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place by PAR that relate to the protection of the security, confidentiality, or integrity of Personal Information, or (ii) receipt of a complaint in relation to the privacy and data security practices of PAR or a breach or alleged breach of this DPA. Without limiting the foregoing, a compromise shall include any unauthorized access to or disclosure or acquisition of Personal Information. 

2.3     The term “Model Clauses” means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. 

2.4     The term “U.K. Addendum” means the template U.K. Information Commissioner’s Office Addendum to the Model Clauses for international data transfers, issued under Section 119A of the U.K. Data Protection Act 2018, and including both tables and mandatory clauses. 

3.       PAR COMMITMENTS 

3.1     PAR will comply with Customer’s instructions regarding the processing of Personal Information, including but not limited to instructions regarding amending, transferring, or deleting Personal Information. 

3.2     PAR shall not “sell” or “share” Personal Information it collects pursuant to the Agreement, as those terms are defined by applicable Consumer Privacy Laws. 

3.3     Customer is providing PAR access to Personal Information for the limited and specific purposes provided in the Agreement, as described in section 5 herein, and/or as otherwise expressly permitted by Consumer Privacy Laws. PAR shall not retain, use, or disclose Personal Information for any purpose(s) other than those specified in section 5 herein or otherwise permitted by the Consumer Privacy Laws. Such purposes are incorporated by reference herein. 

3.4     PAR shall not retain, use, or disclose Personal Information that it collects pursuant to the Agreement for any “commercial purpose,” as defined by applicable Consumer Privacy Laws, other than the business purposes specified in section 5 herein, including in the servicing of any entity other than Customer. 

3.5     PAR shall not retain, use, or disclose Personal Information it collects pursuant to the Agreement outside of the direct business relationship between PAR and Customer. 

3.6     PAR shall not combine or update Personal Information with any other information, except to perform a business purpose defined in Consumer Privacy Laws, such as regulations adopted pursuant to Cal. Civ. Code § 1798.185(a)(10), except as provided by Consumer Privacy Laws. 

3.7     PAR shall comply with all applicable laws and obligations regarding the use and protection of Personal Information, including all Consumer Privacy Laws, as applicable. PAR certifies that it understands these restrictions, including pursuant to the CCPA/CPRA, and shall comply with them. 

3.8     PAR shall provide the same level of privacy protection as required by Customer, and shall assist the Customer in meeting the Customer’s obligations in relation to the Personal Information. These privacy protections and obligations include, but are not limited to: 

  1. collecting and processing Personal Information solely to the extent the processing is necessary, reasonable, and proportionate to the specific purpose(s) listed in section 5 herein or otherwise permitted by Consumer Privacy Laws. 
  2. cooperating with Customer in responding to and complying with consumer requests made pursuant to Consumer Privacy Laws. PAR shall without undue delay notify Customer, and provide Customer with copies, of all communications from, or requests made by (i) consumers in relation to their rights under any Consumer Privacy Laws; and (ii) any state or government regulators related to Personal Information. 
  3. implementing reasonable security procedures and practices to protect the Personal Information from unauthorized or illegal processing, access, copying, storage, reproduction, display, loss, destruction, damage, use, modification, or disclosure in accordance with California Civil Code section 1798.81.5 and other Consumer Privacy Laws’ similar requirements, including but not limited to technical and organizational measures appropriate to the nature of the Personal Information and risk to the same. PAR shall be responsible for implementing and maintaining such measures on systems PAR uses for processing Personal Information. 
  4. providing notification of any security incident related to any system, platform, or process that PAR, its employees, agents, subprocessors, or representatives use to process Personal Information. PAR shall report any such security incident to Customer without undue delay. PAR shall follow Customer’s instructions regarding security incidents to enable Customer to perform a thorough investigation into the incident, formulate a response, and take further steps in respect to the incident.

3.10   PAR shall ensure that each person processing Personal Information is subject to a duty of confidentiality with respect to such Personal Information. The termination or expiration of this DPA shall not discharge PAR from its confidentiality obligations pursuant to the Agreement and this paragraph. PAR shall process Personal Information until the date of expiration or termination of the Agreement, unless instructed otherwise by Customer, or until such data is returned, de-identified, or destroyed on instruction of Customer. 

3.11    If PAR engages any other person or entity to assist it in processing Personal Information for purposes of providing the services enumerated in the Agreement, PAR shall: 

  1. notify Customer of that proposed engagement in advance; 
  2. provide Customer at least five (5) business days to object to such engagement; and 
  3. ensure that the engagement complies with all Consumer Privacy Laws and is pursuant to a written contract binding such party to observe all material requirements regarding Personal Information and Customer’s rights in relation to the same, as laid out herein. PAR remains responsible for any acts or omissions committed by itself, its representatives, agents, employees, officers, subcontractors, or any person or entity to which it or they provide access to Personal Information. 

3.12   To the extent PAR processes or receives any deidentified personal information, as defined by applicable Consumer Privacy Laws, from, or on behalf of, Customer (“Deidentified Information”), PAR shall comply with all Consumer Privacy Laws concerning the Deidentified Information, including maintaining the information as deidentified personal information. PAR shall take reasonable measures to ensure the Deidentified Information cannot be associated with a consumer or household, publicly commit to maintain and use the Deidentified Information in deidentified form, not attempt to reidentify the information unless solely for the purpose of determining whether the data is deidentified, and contractually obligate any recipient of the Deidentified Information to comply with this DPA and all Consumer Privacy Laws regarding the processing of such Deidentified Information. 

3.13    Unless PAR is otherwise required by law, or if Customer sooner requests PAR return Personal Information to Customer instead, PAR will delete and destroy Personal Information and all copies of the same once the Personal Information is no longer needed to complete the transaction or services requested. 

3.14    Upon the reasonable request of Customer, PAR shall make available to Customer all information in its possession, custody, or control that is necessary to demonstrate PAR's compliance with all Consumer Privacy Laws and the requirements of this DPA or to enable Customer to conduct and document any required data protection assessments. 

3.15    PAR shall notify Customer if PAR determines it can no longer meet its Consumer Privacy Laws obligations. 

3.16    To the extent PAR processes any Personal Information from the European Economic Area (“EEA”) or United Kingdom (“U.K.”), Customer as “data exporter” and PAR as “data importer” hereby enter into the Model Clauses and U.K. Addendum. If required by law or by any agency or regulatory body with jurisdiction, the Parties agree to re-execute the Model Clauses and U.K. Addendum (including Annexes hereto) as a document separate from this DPA. For purposes of the Model Clauses and U.K. Addendum, the Parties hereby agree that: 

  1. Module Two of the Model Clauses and the U.K. Addendum are incorporated by reference into this DPA. 
  2. Signatures applied to the Agreement will be taken as equally signing and effectuating the Model Clauses and U.K. Addendum where applicable to the underlying Personal Information processed by PAR. 
  3. Clause 7 and the optional provision in clause 11 of the Model Clauses are excluded. 
  4. With respect to clause 9 of the Model Clauses, the Parties select Option 2. The applicable time period for changes to the sub-processor list shall be at least five (5) business days’ written notice prior to the engagement of the sub-processor. The list of sub-processors already authorized by Customer can be found at Annex III. 
  5. With respect to clause 17 of the Model Clauses, the Parties select Option 1 and the governing law is that of Ireland for Model Clause purposes and England and Wales for U.K. Addendum purposes. 
  6. With respect to clause 18 of the Model Clauses, the courts of Ireland shall resolve any disputes arising from the Model Clauses; the courts of England and Wales may resolve disputes arising from the U.K. Addendum. 
  7. If there is any conflict between the DPA and the Model Clauses and U.K. Addendum, the Model Clauses shall prevail to the extent applicable to the processing at issue.
  8. The Parties agree to the U.K. Addendum Tables provided at Annex IV.

4.       ADDITIONAL RIGHTS AND OBLIGATIONS 

4.1     PAR grants Customer the right to take, and PAR shall allow and contribute to, appropriate and reasonable steps to monitor PAR and ensure PAR’s use of Personal Information is consistent with all applicable privacy rights and obligations, whether statutory, regulatory, based in common law, contractual, or otherwise. These steps may include, but are not limited to, ongoing manual reviews, automated scans, regular assessments, audits, or other policy review or technical and operational testing at least once every 12 months. As an alternative to a Customer-requested review, assessment, audit, or testing, PAR may arrange for a qualified and independent assessor, using an appropriate and accepted control standard or framework and assessment procedure, to conduct such review, scan, assessment, audit, or other policy review and testing of PAR’s policies and technical and organizational measures to satisfy its obligations under this DPA. PAR shall provide a report of all such reviews, scans, assessments, audits, or tests to Customer upon request. 

4.2     PAR grants Customer the right, upon notice, to take reasonable and appropriate steps to stop, mitigate, and remediate any and all unauthorized use of Personal Information. 

4.3     Customer is responsible for providing any required privacy notice to data subjects and securing any required consent for PAR’s processing of Personal Information in accordance with Customer’s instructions. 

4.4     Customer agrees that PAR may aggregate data and use such data for analytical purposes. In those instances, PAR will ensure that the data is effectively anonymized prior to such use and that no individual is reasonably identifiable from the data once anonymized and aggregated. 

4.5     PAR shall enable Customer to comply with any consumer privacy request made pursuant to Consumer Privacy Laws. 

4.6     The parties will work and communicate with each other in good faith to comply with Consumer Privacy Laws. 

  1. From time to time, the parties may amend this DPA to clarify the understanding of the relationship of the parties and to clarify the obligations of each party with respect to current or future privacy laws. Such modifications are effective upon signature by all parties. 
  2. Upon the request of a Party (“Requesting Party”), either voluntarily or upon reasonable request, the other Party (“Receiving Party”) shall promptly provide to the Requesting Party relevant and accurate information to facilitate updates to the Requesting Party’s privacy policy or other notice obligation under applicable Consumer Privacy Laws. 

4.7     Indemnification. 

  1. Separate and apart from any indemnification provided for in the Agreement, each party to this Agreement (an “Indemnifying Party”) will defend, indemnify and hold the other Party, its parent, subsidiaries and affiliates, and its current and former officers, directors, employees, contractors, agents and representatives (collectively, the “Indemnified Party”) harmless from and against any and all liabilities, losses, damages and costs, including reasonable attorneys’ fees (collectively, “Losses”), resulting from a third party claim connected with (a) any breach by an Indemnifying Party of any commitment contained herein, (b) the failure by an Indemnifying Party or any of its agents, employees or subcontractors to perform its duties or obligations hereunder, or (c) the negligent, wilful, wrongful, or illegal acts or omissions of an Indemnifying Party or any of its agents, employees or subcontractors. 
  2. It will be an ongoing condition of the foregoing indemnity that the Indemnified Party give the Indemnifying Party prompt written notice of any actual or threatened claim, and provide the Indemnifying Party with all reasonably accessible information regarding such claims in the Indemnified Party’s possession. The Indemnified Party will promptly notify the Indemnifying Party of any claim, demand, suit or proceeding for which the Indemnifying Party has agreed to indemnify and hold the Indemnified Party harmless, and the Indemnifying Party, upon written request by the Indemnified Party, will promptly defend and continue the defense of such claim, demand, suit or proceeding at the Indemnifying Party’s expense. If the Indemnifying Party fails to undertake and continue such defense, the Indemnified Party will have the right (but not the obligation) to make and continue such defense as it considers appropriate, and the expenses and costs thereof, including but not limited to attorneys’ fees, out-of-pocket expenses and the costs of an appeal and bond thereof, together with the amounts of any judgment rendered against the Indemnified Party, will be paid by the Indemnifying Party. The Indemnifying Party shall not enter into any settlement of an indemnified claim for which the Indemnified Party does not receive a general release without the prior written approval of the Indemnified Party. Nothing herein will prevent the Indemnified Party from defending, if it so desires in its own discretion, any such claim, demand, suit or proceeding at its own expense through its own counsel, notwithstanding that the defense thereof may have been undertaken by the Indemnifying Party. 

4.8     Limitation of Liability. 

EXCEPT WITH RESPECT TO EACH PARTY’S OBLIGATIONS AS TO CONFIDENTIALITY AND INDEMNIFICATION, OR LOSSES ARISING FROM A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT: 

  1. UNDER NO CIRCUMSTANCES SHALL EITHER PARTY TO THIS AGREEMENT BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, OR PUNITIVE DAMAGES WHETHER ARISING OUT OF BREACH OF AGREEMENT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, REGARDLESS OF WHETHER SUCH DAMAGE WAS FORESEEABLE AND WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND NOTWITHSTANDING THE FAILURE OF ANY AGREED OR OTHER REMEDY OF ITS ESSENTIAL PURPOSE; AND 
  2. IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER ARISING OUT OF OR RELATED TO BREACH OF AGREEMENT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EXCEED THE AMOUNT OF THE TOTAL FEES ACTUALLY PAID TO CONTRACTOR PURSUANT TO THIS AGREEMENT. 

5.     DESCRIPTION OF PROCESSING 

  1. Nature and Purpose of Processing. PAR processes Personal Information provided by individuals about themselves to provide psychological and career assessments used by individuals and/or their psychologists, career advisors, or similar professionals to evaluate, diagnose, or otherwise provide guidance or advice to the particular individual. 
  2. Type of Data Involved in Processing. This Agreement may involve the processing of the following types of Personal Information: name, demographic data, assessment responses, contact information, and medical information. 

6.     DISPUTES

Any disputes arising from or in connection with this DPA shall be brought as set forth in the Agreement.