Data Processing Annex

1. GENERAL

This Data Processing Annex ("DPA") serves as a foundational set of terms and conditions to be incorporated by reference into agreements, statements of work, work orders or analogous documents (individually, "Agreement") between Altisource and its customers (individually, "Customer"). Capitalized terms not expressly defined in this Data Processing Annex shall have the same meanings as in the corresponding Data Protection Regulations. In the event of any conflict between this DPA and any Agreement, this DPA will govern and control.

2. DEFINITIONS

  • a. "CPA" as used in this DPA, means the Colorado Privacy Act.

  • b. "CPRA" as used in this DPA, means the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

  • c. "Data Protection Regulations" as used in this DPA, means the CPA, CPRA, GDPR, VCDPA and any other data privacy and data protection laws or regulations that may enter into effect in the future (e.g., Connecticut Data Privacy Act, Iowa Data Protection Act, Indiana Consumer Data Protection Act, Montana Consumer Data Privacy Act, Utah Consumer Privacy Act, Tennessee Information Protection Act).

  • d. "GLBA" as used in this DPA means the Gramm Leach Bliley Act of 1999, and its implementing regulations.

  • e. "GDPR" as used in this DPA, means the EU General Data Protection Regulation.

  • f. "Personal Data" as used in this DPA, means any information relating to an identified or identifiable natural person; an "identifiable natural person" is an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier (including but not limited to a screen name, username or social media handle) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. For avoidance of doubt, Personal Data includes any data covered by the definition of "Personal Information" as the term may be defined in the Data Protection Regulations.

  • g. "Services" as used in this DPA, means the services and/or products provided by Altisource to Customer under the Agreement.

  • h. "VCDPA" as used in this DPA means the Virginia Consumer Data Protection Act.

3. OBLIGATIONS

Each party is solely responsible for its compliance with Data Protection Regulations applicable to it and for fulfilling any of its related obligations to third parties, including data subjects and supervisory authorities. Customer is solely responsible for the accuracy of Customer personal data / personal information and the legality of the means by which Customer acquires, discloses, and processes such data.

4. CPA

The following obligations apply to the extent the processing of Personal Data contemplated in the Agreement is subject or otherwise covered by the CPA.

  • a. Altisource will maintain appropriate technical and organizational security measures to protect Personal Data against: (i) unauthorized or unlawful processing; (ii) accidental or unlawful destruction; (iii) accidental loss or alteration; and (iv) unauthorized disclosure or access.

  • b. Upon Customer's reasonable request, Altisource will make available all information in its possession necessary to demonstrate Altisource's compliance with its obligations under the CPA.

  • c. Altisource will allow, and cooperate with, reasonable assessments by Customer or Customer's designated assessor; alternatively, Altisource may arrange for a qualified and independent assessor to conduct an assessment of Altisource's policies and technical and organizational measures in support of the obligations under the CPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The parties will mutually agree on the timing and scope of these exercises, which will be carried out in such a way as to mitigate any disruption to Altisource's business.

  • d. Altisource will require that any agent, including a subcontractor, to whom it provides such Personal Data agrees in writing to appropriate protections with respect to such Personal Data. Customer remains entitled to object to the use of any particular subcontractor.

  • e. Upon the termination of the Agreement, upon the written request of Customer, Altisource agrees to promptly delete or return to Customer all copies of such Personal Data. Notwithstanding the foregoing, this requirement shall not apply to the extent Altisource is required by applicable law to retain some or all of the Personal Data.

5. CPRA

The following obligations apply to the extent the processing of Personal Information contemplated in the Agreement is subject or otherwise covered by the CPRA.

  • a. The limited and specific purpose for Customer to disclose, transmit, or otherwise make available Personal Information under the Agreement is to procure Services from Altisource.

  • b. Altisource will comply with the applicable sections of the CPRA, including with respect to the Personal Information Altisource collected under the Agreement, providing the same level of privacy protection required by the CPRA.

  • c. Altisource shall not: (i) Sell or Share the Personal Information; (ii) retain, use, or disclose the Personal Information for any purpose other than for performing the Services, including to retain, use, or disclose the Personal Information for a commercial purpose other than providing its Services; (iii) retain, use, or disclose the Personal Information outside of the direct business relationship between Altisource and Customer; or (iv) combine the Personal Information with Personal Information received from other businesses or Collected directly from consumers, provided that Altisource retains the ability to combine Personal Information to perform any business purpose authorized by the CPRA. Altisource certifies that it understands and acknowledges the obligations included in this section and will comply with them.

  • d. Altisource will permit Customer, subject to previous agreement, to monitor Altisource's compliance with the Agreement through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months. The parties will mutually agree on the timing and scope of these exercises, which will be: (i) carried out in such a way as to mitigate any disruption to Altisource's business; and (ii) performed at Customer's sole expense.

  • e. Altisource will require that any agent, including a subcontractor, to whom it provides such Personal Information agrees in writing to appropriate protections with respect to such Personal Information.

  • f. Altisource grants Customer the right, upon reasonable written notice, to take reasonable and appropriate steps to ensure that Altisource uses the Personal Information consistent with the CPRA.

  • g. Altisource will promptly notify Customer if Altisource makes a determination that it can no longer meet its obligations under the CPRA.

  • h. Altisource grants Customer the right, upon reasonable written notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of its Personal Information.

  • i. Upon the termination of the Agreement, upon the written request of Customer, Altisource agrees to promptly delete or return to Customer all copies of such Personal Information. Notwithstanding the foregoing, this requirement shall not apply to the extent Altisource is required by applicable law to retain some or all of the Personal Information.

6. GLBA

The following applies to the extent the processing of Consumer Information contemplated in the Agreement is subject or otherwise covered by the GLBA. Each party may from time to time provide the other party hereto with information or access to information concerning consumers' nonpublic personal and financial information (the "Consumer Information"). Each party acknowledges its use and disclosure of such Consumer Information may be limited by the Gramm Leach Bliley Act Financial Services Modernization Act, Title V of the Financial Services Modernization Act of 1999, P.L. 106-102, 133 Stat, 1138 (15 U.S.C. §§ 6801, 6809, 6821 and 6827) and its implementing regulations (16 C.F.R. Part 313) (the "GLBA") and other federal and state laws and regulations regarding the privacy and the confidentiality of consumer applicable to such Consumer Information. To protect the privacy of the Consumer Information, each party shall, to the extent required as a result of the Services:

  • a. Limit access to Consumer Information to individuals who have a need to know, but only to the extent such disclosure is reasonably necessary for the performance of such party's duties and obligations and the Agreement;

  • b. Use information concerning consumers' nonpublic personal and financial information solely to carry out the purpose under the Agreement for which the information was disclosed and for no other purpose; and,

  • c. Use reasonable standards to maintain the confidentiality of the Consumer Information to not directly or indirectly disclose same to any person or entity in violation of: (i) the GLBA; and (ii) applicable regulations regarding privacy. Altisource further acknowledges that Customer shall not be required to provide to Altisource any Consumer Information for use in telemarketing, direct mail marketing or other marketing through electronic mail to any consumer in violation of Section 502(d) of the GLBA, as the same may be amended from time to time, or in violation of any other applicable federal or state law regulation regarding the privacy of account or access numbers or codes.

7. GDPR

The following obligations apply to the extent the processing of Personal Data contemplated in the Agreement is subject or otherwise covered by the GDPR.

  • a. Customer will provide Personal Data to Altisource, or instruct Altisource to collect or generate Personal Data, only to the extent permitted by, and in compliance with, the Agreement. To the extent the Services involve processing of Personal Data under relevant GDPR, then the parties agree that: (i) Customer is the data controller; and (ii) Altisource is the data processor and will comply in all material respects with its obligations as a data processor under the GDPR. Customer notes that, in certain instances, Altisource will act as an independent controller, in particular for Services with specific local licensing requirements (the "Recipients"); this section will not apply to these situations.

  • b. Customer hereby instructs Altisource to collect and process the Personal Data in accordance with the Agreement or the instructions provided by Customer. Altisource will process the Personal Data only: (i) in accordance with the terms of the Agreement or such instructions; (ii) as needed to provide the Services; or (iii) as needed to comply with applicable law. Customer represents and warrants that it is authorized to enter into the Agreement and give its instructions to Altisource under the GDPR.

  • c. Altisource has implemented and will maintain appropriate technical and organizational security measures to protect Personal Data against: (i) unauthorized or unlawful processing; (ii) accidental or unlawful destruction; (iii) accidental loss or alteration; and (iv) unauthorized disclosure or access. Customer has the ability to view information on the security measures used by Altisource.

  • d. Altisource employees or representatives with access to the Personal Data will be subject to statutory or contractual obligations to protect, and keep confidential, such Personal Data.

  • e. Customer authorizes Altisource to: (i) commission the delivery of the Services, including the processing of Personal Data to its affiliates and/or third-party contractors ("Subprocessors"); (ii) revoke or appoint new Subprocessors; and (iii) transfer Personal Data to the United States and to other countries where Subprocessors or Recipients are established, including the United States. Customer also authorizes Altisource to transfer Personal Data based on Customer's instructions or as necessary to deliver the Services. Whenever possible, Altisource will secure such transfers through contractual data transfer instruments aligned on model clauses validated by the European Commission or by other lawful means. Customer (i) may be a beneficiary to such instruments; and (ii) authorizes Altisource to enter into such data transfer instruments with Subprocessors. Altisource can make available a list of Subprocessors to Customer, which list Customer understands is subject to change.

  • f. Upon termination or expiration of the Agreement, at Customer's written request, Altisource will delete or return the Personal Data to Customer. Notwithstanding the foregoing, Customer hereby authorizes Altisource to retain back-up copies of Personal Data for Altisource's archival, back-up and compliance purposes.

  • g. Altisource will provide Customer with reasonable access to its documentation in the event of an audit required by a government regulator, to the extent the audit is required for compliance with the GDPR. Additionally, Customer may exercise its audit rights under applicable GDPR. The parties will mutually agree on the timing and scope of these audits, which will be: (i) carried out in such a way as to mitigate any disruption to Altisource's business; and (ii) performed at Customer's sole expense.

8. VCDPA

The following obligations apply to the extent the processing of Personal Data contemplated in the Agreement is subject or otherwise covered by the VCDPA.

  • a. Altisource will require each person processing Personal Data to be subject to a duty of confidentiality with respect to the Personal Data.

  • b. Upon Customer's reasonable request, Altisource will make available the information in its possession necessary to demonstrate Altisource's compliance with its obligations under the VCDPA.

  • c. Altisource will allow, and cooperate with, reasonable assessments by Customer or Customer's designated assessor; alternatively, Altisource may arrange for a qualified and independent assessor to conduct an assessment of Altisource's policies and technical and organizational measures in support of the obligations under the VCDPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The parties will mutually agree on the timing and scope of these exercises, which will be: (i) carried out in such a way as to mitigate any disruption to Altisource's business; and (ii) performed at Customer's sole expense.

  • d. Altisource will require that any agent, including a subcontractor, to whom it provides such Personal Data agrees in writing to appropriate protections with respect to such Personal Data.

  • e. Upon the termination of the Agreement, upon the written request of Customer, Altisource agrees to promptly delete or return to Customer all copies of such Personal Data. Notwithstanding the foregoing, this requirement shall not apply to the extent Altisource is required by applicable law to retain some or all of the Personal Data.

9. Data Protection Laws Updates

In the event that any modification is required to this DPA as a result of a change in or subsequently applicable Data Protection Regulations, then Altisource may adjust and/or amend this DPA in its reasonable discretion in order to achieve compliance with the same. Any such modifications shall be communicated in writing and shall be implemented within a reasonable timeframe.

Last Updated March 1, 2024