This Data Processing Addendum (the “DPA”) covers the Services (as further described below) provided by CivicPlus, LLC (“CivicPlus”) to the Customer specified in the Master Service Agreement (“Customer”) under a respective end user services agreement or similar contract (“Agreement”). This DPA is entered into by CivicPlus and the Customer.
Customer enters into this DPA on its own behalf and, to the extent required under applicable Data Protection Laws, in the name and on behalf of any third party on whose behalf Customer is authorized to act. In providing the Services to Customer, CivicPlus may Process Personal Information on behalf of Customer, and the parties agree to comply with the following provisions with respect to any Personal Information.
1. Definitions
In this DPA, the following terms shall have the meanings set out below. Undefined terms shall have the meanings ascribed to them in the Master Service Agreement.
“CivicPlus” means CivicPlus, LLC, a limited liability company organized in Kansas, with its primary address at 302 S 4th Street, Manhattan, Kansas 66501, USA.
“Co-Controlled Data” means Resident Account Data that CivicPlus discloses to a Customer at the direction of a Consumer for the purpose of enabling access to municipal services.
“Consumer” means the identified or identifiable person to whom Personal Information relates.
“Controller” also known as a “Business” under California Data Protection Law, means ‘controller’ or ‘data controller’ as defined in US State Privacy Laws or as analogously defined in other applicable Data Protection Laws.
“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Information under the Agreement, including – where applicable – but not limited to US State Privacy Laws (as further defined herein and which include, but are not limited to, the applicable laws of California, Colorado, Connecticut, Utah, and Virginia) and the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”).
“Independent Controller Data” means Resident Account Data Processed by CivicPlus in its independent capacity as Controller, separate from Customer’s instructions.
“Personal Information” also known as “Personal Data” under US State Privacy Laws, means all data that may be defined as ‘Personal Information,’ ‘personal information,’ ‘personally identifiable information,’ or an analogous term as defined in US State Privacy Laws or other applicable Data Protection Laws that is subject to the Services under Customer’s Agreement.
“Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” also known as a “Service Provider” or “Contractor” under California Data Protection Law, means ‘processor’ or ‘data processor’ as defined in US State Privacy Laws or as analogously defined in other applicable Data Protection Laws.
“Product Notice” means the notice describing the privacy-related characteristics of the Services, as available on CivicPlus’s website and marked as the “Privacy Product Notice.”
“Resident Account Data” means Personal Information collected, maintained, or controlled by CivicPlus in connection with the creation and administration of a resident’s CivicPlus account, including profile information, authentication credentials, account preferences, device and usage data, and AI interaction logs, but excluding Service Data submitted directly to a Customer in connection with a specific municipal transaction.
“Service Data” means Personal Information submitted by or on behalf of a Consumer to a Customer through the Services in connection with a municipal function, including applications, permits, payments, registrations, communications, and official records.
“Services” means the services provided by CivicPlus to Customer as agreed in the Agreement.
“Subprocessor” means any Processor engaged by CivicPlus.
“Supervisory Authority” means an independent public authority established under US State Privacy Laws or other applicable Data Protection Laws.
“US State Privacy Laws” means the applicable privacy laws enacted by a state of the United States of America, including, but not limited to, the following:
California: the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199) and its implementing regulations, as amended or supplemented from time to time (the “CCPA”), and the California Privacy Rights Act of 2020 (Proposition 24 (2020), codified at California Civil Code §§ 1798.100 et seq.) and its implementing regulations, as amended or supplemented from time to time (the “CPRA”);
Colorado: the Colorado Privacy Act, C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments thereto (the “CPA”);
Connecticut: the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto (the “CTDPA”);
Delaware: the Delaware Personal Data Privacy Act (House Bill 154 (2023)), including any implementing regulations and amendments thereto (the “DPDPA”);
Florida: the Florida Digital Bill of Rights (Senate Bill 262 (2023)), including any implementing regulations and amendments thereto (the “FDBR”);
Indiana: the Indiana Consumer Data Protection Act (Senate Bill 5 (2023)), including any implementing regulations and amendments thereto (the “Indiana CDPA”);
Iowa: the Iowa Consumer Data Protection Act (Senate File 262), including any implementing regulations and amendments thereto (the “Iowa CDPA”);
Montana: the Montana Consumer Data Privacy Act (S.B. 384), including any implementing regulations and amendments thereto (the “MCDPA”);
New Jersey: New Jersey Senate Bill 332, An Act concerning commercial Internet websites, online services, consumers, and personally identifiable information, including any implementing regulations and amendments thereto (the “NJDPA”);
Oregon: the Oregon Consumer Privacy Act (Senate Bill 619), including any implementing regulations and amendments thereto (the “OCPA”);
Tennessee: the Tennessee Information Protection Act (Public Chapter No. 408), including any implementing regulations and amendments thereto (the “TIPA”);
Texas: the Texas Data Privacy and Security Act, including any implementing regulations and amendments thereto (the “TDPSA”);
Utah: the Utah Consumer Privacy Act, Utah Code § 13-61-101 et seq. (SB 0227), including any implementing regulations and amendments thereto (the “UCPA”); and
Virginia: the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq. (SB 1392), including any implementing regulations and amendments thereto (the “VCDPA”).
2. Data Processing
2.1 Scope and Roles. This DPA applies when Personal Information is Processed by CivicPlus as part of CivicPlus’s provision of Services as agreed in the Agreement and the applicable service order. Except where Section 3 provides otherwise, Customer is the Controller (or, as the case may be, a Processor Processing Personal Information on behalf of a third-party Controller) and CivicPlus is the Processor (or Subprocessor) with respect to Personal Information. The respective roles of the parties with respect to Service Data, Resident Account Data, and Co-Controlled Data are further described in Section 3.
2.2 Customer’s Processing of Personal Information. Customer shall, in its use of the Services, Process Personal Information in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Information shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Information and the means by which Customer acquired Personal Information.
2.3 CivicPlus’s Processing of Personal Information. With respect to Personal Information for which CivicPlus acts as Processor, CivicPlus shall treat such Personal Information as Confidential Information and shall Process it only on behalf of and in accordance with Customer’s documented instructions as set forth in this Section 2.
2.4 Details of the Processing. The subject matter of the Processing of Personal Information by CivicPlus is the performance of the Services pursuant to the Agreement. CivicPlus will Process Personal Information as necessary to perform the Services pursuant to the Agreement and for the term of the Agreement. The types of Personal Information and categories of Consumers, and the nature and purpose of the Processing, are further specified in the respective Product Notice incorporated herein.
2.5 Compliance with Laws. Each party will comply with all applicable laws, rules, and regulations, including the Data Protection Laws.
3. Customer Instructions
3.1 The parties acknowledge that the Services involve multiple data governance relationships depending on the category of Personal Information at issue.
3.2 Service Data – Processor Relationship. With respect to Service Data, Customer acts as Controller and CivicPlus acts solely as Processor. CivicPlus shall Process Service Data only on the documented instructions of Customer as set forth in the Agreement and this DPA.
3.3 Resident Account Data – Independent Controller Relationship. With respect to Resident Account Data maintained within the CivicPlus account system, CivicPlus acts as an independent Controller, and such data constitutes Independent Controller Data. Customer acknowledges that CivicPlus determines the purposes and means of Processing Independent Controller Data for account administration, authentication, platform analytics, fraud prevention, AI system functionality, and cross-Customer interoperability.
3.4 Resident-Directed Data Sharing – Co-Controller Relationship. When a Consumer affirmatively links or connects their CivicPlus account to a Customer in order to access municipal services, CivicPlus and Customer shall act as independent Controllers with respect to the Resident Account Data shared for that purpose. The parties acknowledge that each determines its own purposes and means for subsequent Processing of such Co-Controlled Data.
3.5 Except as expressly set forth herein, nothing in this DPA shall be construed to create a joint venture or joint controllership beyond the limited circumstances described above.
3.6 CivicPlus shall notify the Customer if, in CivicPlus’s opinion, any instruction CivicPlus receives pursuant to this Section 3 breaches (or causes either party to breach) any Data Protection Laws.
3.7 Customer acknowledges that once Resident Account Data is disclosed to Customer at the direction of a Consumer, such data may become part of Customer’s official records and subject to applicable public records, archival, and retention laws. Customer assumes sole responsibility for compliance with such obligations.
3.8 If Customer is a Processor, Customer warrants to CivicPlus that Customer’s instructions and actions, including electing CivicPlus as a (sub-)Processor, have been authorized by the relevant third-party Controller.
3.9 Allocation of Responsibilities for Co-Controlled Data. Where CivicPlus and Customer act as independent Controllers with respect to Co-Controlled Data:
(a) Each party shall be independently responsible for its own compliance with Data Protection Laws.
(b) Customer shall be solely responsible for: (i) providing legally sufficient privacy notices to Consumers regarding its Processing activities; (ii) establishing a lawful basis for its Processing; (iii) responding to Consumer Requests relating to municipal services or Service Data; (iv) compliance with public records, records retention, and open government laws; (v) determining retention periods for data incorporated into municipal systems; and (vi) conducting any required data protection impact assessments relating to its municipal uses.
(c) CivicPlus shall be responsible only for compliance obligations arising from its Processing of Independent Controller Data within its own account system.
(d) Nothing in this DPA requires CivicPlus to obtain authorization from Customer to determine the purposes and means of Processing Resident Account Data within the CivicPlus account environment.
(e) Customer shall not represent CivicPlus as acting under Customer’s exclusive control with respect to Resident Account Data.
(f) Each party shall be individually liable for its own acts and omissions as Controller.
4. CivicPlus Personnel
4.1 Limitation of Access. CivicPlus shall ensure that CivicPlus’s access to Personal Information is limited to those personnel who require such access to perform the Services.
4.2 Confidentiality. CivicPlus shall ensure that its personnel engaged in the Processing of Personal Information are informed of the confidential nature of the Personal Information, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. CivicPlus shall ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.
4.3 Reliability. CivicPlus shall take commercially reasonable steps to ensure the reliability of any CivicPlus personnel engaged in the Processing of Personal Information.
4.4 Data Protection Officer. CivicPlus shall have appointed, or shall appoint, a data protection officer if Data Protection Laws require such appointment. Any such appointed person may be reached at privacy@civicplus.com.
5. Technical and Organizational Measures, Certifications, and Audits
CivicPlus has implemented and will maintain the technical and organizational measures for the protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration, or damage, and unauthorized disclosure of or access to Personal Information), confidentiality, and integrity of Customer Data as described in the CivicPlus Security Annex (available online and incorporated herein). CivicPlus regularly monitors compliance with these measures. CivicPlus has obtained the third-party certifications and audits set forth in the CivicPlus Security Annex. In addition, the CivicPlus Security Annex specifies how CivicPlus allows for, and contributes to, audits.
6. Subprocessors
6.1 Subprocessors. Customer acknowledges and agrees that CivicPlus may engage third-party Subprocessors in the performance of the Services. CivicPlus has entered into a written agreement with each Subprocessor containing data protection obligations not less protective than those in this DPA with respect to the protection of Personal Information, to the extent applicable to the nature of the Services provided by such Subprocessor. Customer hereby consents to CivicPlus’s use of Subprocessors as described in this Section.
6.2 List of Current Subprocessors and Information about New Subprocessors. CivicPlus shall make available to Customer a current list of Subprocessors for the Services. Customer may subscribe to receive notifications of new Subprocessors on the aforementioned website.
6.3 Objection Right for New Subprocessors. Customer may object to CivicPlus’s use of a new Subprocessor by notifying CivicPlus promptly in writing within ten (10) business days after CivicPlus’s update in accordance with the mechanism set out in Section 6.2 above. In the event Customer objects to a new Subprocessor: (i) Customer may immediately terminate the Master Service Agreement on giving written notice to CivicPlus; or (ii) where that objection is not unreasonable, CivicPlus will use reasonable efforts to make available to Customer a change in the Services, or recommend a commercially reasonable change to Customer’s configuration or use of the Services, to avoid Processing of Personal Information by the objected-to new Subprocessor without unreasonably burdening Customer. If CivicPlus is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, then, without prejudice to Section 6.3(i), Customer may terminate the applicable service order in respect only of those Services that cannot be provided by CivicPlus without the use of the objected-to new Subprocessor, on the condition that Customer provides such termination notice within sixty (60) days of being informed of the engagement of the Subprocessor as described in Section 6.2 above. If Customer terminates the Master Service Agreement under this Section 6.3, CivicPlus will then refund Customer any prepaid fees covering the remainder of the term of such terminated service order following the effective date of termination with respect to such terminated Services. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.
6.4 CivicPlus’s Liability for Subprocessors. CivicPlus shall be liable for the acts and omissions of its Subprocessors to the same extent CivicPlus would be liable if performing the services of each Subprocessor directly under the terms of this DPA, except as otherwise agreed.
7. Rights of Consumers
7.1 CivicPlus shall, to the extent legally permitted, promptly notify Customer if CivicPlus receives a request from a Consumer to exercise the Consumer’s right of access, right to rectification, restriction of Processing, erasure, data portability, objection to the Processing, the right not to be subject to automated individual decision-making, or any other right set forth in the Data Protection Laws (a “Consumer Request”). Considering the nature of the Processing, CivicPlus shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, in the fulfillment of Customer’s obligation to respond to a Consumer Request under Data Protection Laws.
7.2 With respect to Service Data, CivicPlus shall forward Consumer Requests to Customer and shall not independently respond unless required by law. With respect to Resident Account Data maintained by CivicPlus, CivicPlus shall respond directly to Consumer Requests relating solely to account-level data. Where a Consumer Request relates to Co-Controlled Data, the parties agree:
(a) the party receiving the request shall promptly notify the other where necessary;
(b) each party shall remain responsible for responding to requests relating to its own Processing activities; and
(c) neither party shall be required to take action that would require disproportionate effort or that would conflict with its independent legal obligations.
7.3 Customer shall indemnify CivicPlus for claims arising from Customer’s failure to respond appropriately to Consumer Requests relating to Service Data or municipal Processing activities.
8. Personal Information Incident Management and Notification
CivicPlus maintains a security incident management policy and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Personal Information transmitted, stored, or otherwise Processed by CivicPlus or its Subprocessors of which CivicPlus becomes aware (a “Personal Information Incident”), as required to assist Customer in ensuring compliance with its obligations to notify the Supervisory Authority in the event of a Personal Information breach. CivicPlus shall make reasonable efforts to identify the cause of such Personal Information Incident and take those steps as CivicPlus deems necessary and reasonable in order to remediate the cause of such a Personal Information Incident to the extent the remediation is within CivicPlus’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users.
9. Data Protection Impact Assessment and Assistance
Upon Customer’s request, CivicPlus shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation to carry out a data protection impact assessment related to Customer’s use of the Services. CivicPlus shall provide reasonable assistance to Customer in cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section.
10. Return or Deletion of Personal Information
CivicPlus shall (at the Customer’s sole option) return Personal Information to Customer and/or delete Personal Information after the end of the provision of Services relating to Processing, in accordance with the timeframe specified in the Master Service Agreement, unless applicable law requires storage of the Personal Information. This Section applies to Personal Information for which CivicPlus acts as Processor and does not apply to Independent Controller Data.
11. Data Production Requests and Additional Safeguards
11.1 If CivicPlus receives a mandatory request, order, demand, notice, or direction from any government agency or other third party (a “Requestor”) to disclose any Personal Information, whether or not in writing and whether or not referencing any Data Protection Laws or identifying any specific Consumers (a “Data Production Request”), CivicPlus shall deal with the Data Production Request in accordance with the following terms:
(a) CivicPlus shall use every reasonable effort to redirect the Requestor to make the Data Production Request directly to the Customer.
(b) CivicPlus shall not disclose any Personal Information to any person in response to a Data Production Request unless either it is under a compelling statutory obligation to make such disclosure, or (having regard to the circumstances and the rights and freedoms of any affected Consumers) there is an imminent risk of serious harm that merits disclosure in any event (for example, to protect individuals’ vital interests).
(c) Where, in accordance with this Section 11, disclosure of the Personal Information is required in response to a Data Production Request, CivicPlus shall notify the Customer in writing in advance (setting out all relevant details) and shall thereafter provide all reasonable cooperation and assistance to the Customer and, if requested by the Customer, assist it with any application, injunction, order, or request to prevent (or, where that is not possible, to delay) the disclosure of any Personal Information.
(d) Except where CivicPlus is prohibited under the law applicable to the Requestor from prior notification, CivicPlus shall use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the Data Protection Laws.
(e) To the extent permitted under the Data Production Request, CivicPlus shall notify and consult with the relevant Supervisory Authority in respect of the Data Production Request, and at all times thereafter cooperate with the Supervisory Authority and the Customer to deal with and address the Data Production Request. CivicPlus shall, if permitted under the law applicable to the Requestor, suspend (or, where not possible, apply to suspend) the Data Production Request so that it can notify and consult with the Customer and the relevant Supervisory Authority.
12. CCPA/CPRA Provisions
12.1 Applicability of the CCPA/CPRA. To the extent CivicPlus Processes Personal Information governed by the CCPA and/or CPRA on behalf of the Customer, this Section 12 shall apply additionally; in the case of any discrepancy between this Section 12 and any other clause of this DPA or the Master Service Agreement, this Section 12 shall prevail.
12.2 Definitions. For this Section 12 of this DPA, the following terms shall have the meanings set out below:
(a) “Business Purpose” has the meaning provided in § 1798.140(e) of the California Civil Code, as amended or supplemented from time to time.
(b) “Consumer Rights Request” means a verified communication from a consumer requesting to exercise their rights under the CCPA.
(c) “Personal Information” has the meaning provided in § 1798.140(v)(1) of the California Civil Code, as amended or supplemented from time to time.
12.3 Relationship of Parties. The parties agree that, in this context, Customer is the ‘business’ and CivicPlus is solely the ‘service provider’ with respect to Service Data, as such terms are defined in the CCPA/CPRA.
12.4 Business Purpose and Data Processing. Customer may disclose Personal Information to CivicPlus when necessary to perform a Business Purpose. Customer represents and warrants to CivicPlus that such disclosures of Personal Information shall be consistent with the requirements set forth in the CCPA/CPRA. CivicPlus shall Process Personal Information on behalf of the Customer in accordance with, and for, the Business Purpose.
12.5 Do Not Sell. CivicPlus shall not sell or share Service Data, nor shall it retain, use, or disclose Service Data, except as necessary to perform the Business Purpose or as otherwise authorized by the CCPA/CPRA. CivicPlus shall not retain, use, or disclose Service Data outside of the direct business relationship between the parties, and shall not combine Service Data with Personal Information received from, or on behalf of, another person, except as permitted by the CCPA/CPRA. CivicPlus certifies that it understands the restrictions set forth in this Section 12.5 and will comply with them.
12.6 Consumer Rights Requests. Subject to Section 7, CivicPlus shall notify Customer promptly if it receives a Consumer Rights Request concerning the Processing of Service Data and, in any event, within a reasonable amount of time for Customer to meet its obligations to respond to such Consumer Rights Request under the CCPA. CivicPlus shall not respond to any Consumer Rights Request concerning Service Data unless expressly instructed to do so by Customer or otherwise required by law. To the extent Customer, in its use of the Services, does not have the ability to address a Consumer Rights Request, CivicPlus shall, upon Customer’s request, assist Customer in responding to such Consumer Rights Request, to the extent CivicPlus is legally permitted to do so and the response to such Consumer Rights Request is required under the CCPA. To the extent legally permitted, Customer shall be responsible for any costs arising from CivicPlus’s provision of such assistance.
12.7 The parties acknowledge that:
(a) with respect to Service Data, Customer is the “Business” and CivicPlus is the “Service Provider”;
(b) with respect to Independent Controller Data maintained within the CivicPlus account system, CivicPlus is an independent “Business”;
(c) with respect to Co-Controlled Data disclosed to Customer at the direction of a Consumer, each party acts as an independent “Business” under the CCPA/CPRA; and
(d) nothing in this DPA restricts CivicPlus from Processing Resident Account Data for its own business purposes consistent with its published privacy notice.
13. PIPEDA Provisions
13.1 Applicability of PIPEDA. To the extent CivicPlus Processes Personal Information subject to PIPEDA on behalf of Customer, this Section 13 shall apply additionally; in the case of any discrepancy between this Section 13 and any other clause of this DPA or the Master Service Agreement with respect to such Personal Information, this Section 13 shall prevail.
13.2 Accountability. With respect to Service Data subject to PIPEDA, Customer is the organization accountable for the Personal Information under PIPEDA, and CivicPlus Processes such Personal Information for processing on Customer’s behalf. Customer remains responsible for the collection, use, and disclosure of such Personal Information in accordance with PIPEDA, including identifying the purposes of collection and obtaining any required consents. With respect to Independent Controller Data, CivicPlus is independently accountable under PIPEDA for its own Processing.
13.3 Comparable Level of Protection. While Personal Information is being Processed by CivicPlus on Customer’s behalf, CivicPlus shall provide a level of protection comparable to that required under PIPEDA through the commitments set out in this DPA and the technical and organizational measures described in Section 5 and the CivicPlus Security Annex.
13.4 Limiting Use and Disclosure. With respect to Service Data, CivicPlus shall use and disclose such Personal Information only as necessary to provide the Services and as otherwise instructed by Customer, except as required by law.
13.5 Access and Correction. Taking into account the nature of the Processing, CivicPlus shall provide Customer with reasonable assistance, in the manner described in Section 7, to enable Customer to respond to requests from individuals to access or correct their Personal Information in accordance with PIPEDA.
13.6 Breach of Security Safeguards. CivicPlus shall notify Customer without undue delay upon becoming aware of a breach of security safeguards involving Personal Information Processed by CivicPlus on Customer’s behalf, in accordance with Section 8, to enable Customer to meet its obligations under PIPEDA. As between the parties, Customer is responsible, with respect to Service Data, for determining whether such a breach creates a real risk of significant harm to an individual, for making any resulting reports to the Office of the Privacy Commissioner of Canada and to affected individuals, and for maintaining related records.
13.7 Transfers Outside Canada. Customer acknowledges that CivicPlus and its Subprocessors may Process and store Personal Information in the United States and other jurisdictions outside Canada, and that such Personal Information may be subject to lawful access by courts, law enforcement, and governmental authorities in those jurisdictions. Customer is responsible for providing notice of such transfers to individuals to the extent required under PIPEDA or applicable provincial privacy law.
13.8 Retention. CivicPlus shall retain Personal Information Processed on Customer’s behalf only as long as necessary to provide the Services or as required by law, and shall return or delete such Personal Information in accordance with Section 10.
14. Cross-Customer Account Interoperability
Customer acknowledges that CivicPlus operates a unified resident account system designed to permit Consumers to access multiple municipal Customers through a single CivicPlus account. Customer shall not assert that such interoperability constitutes unauthorized disclosure, provided that such sharing occurs at the affirmative direction of the Consumer.
15. Liability
The total and aggregate liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement. Notwithstanding anything to the contrary, CivicPlus shall have no liability for Customer’s Processing of Co-Controlled Data following disclosure to Customer at the direction of a Consumer. Customer assumes full responsibility for compliance with Data Protection Laws with respect to its municipal Processing activities.
16. Indemnification
To the fullest extent permitted by applicable law, Customer shall defend, indemnify, and hold harmless CivicPlus from and against any claims, regulatory investigations, fines, or penalties arising from Customer’s Processing of Service Data or Co-Controlled Data, except to the extent caused solely by CivicPlus’s breach of its obligations under this DPA.
17. Term and Termination of the DPA
This DPA will become legally binding once CivicPlus has received a countersigned DPA from Customer, in accordance with the instructions set forth below, and the DPA shall continue in force until the termination of the Agreement.