Data Processing Addendum

This Data Processing Addendum (“Addendum”) and the terms herein supplement and are made a part of each agreement between CCC Intelligent Solutions Inc. or its Affiliate (as applicable “CCC”) and its customer which incorporates this Data Processing Addendum by reference (the “Agreement”). Terms used herein shall have the meaning set forth in the Glossary attached hereto (regardless of how those terms may be defined in the Agreement).

1. General Rights and Obligations

‍As between the Parties, Customer owns all rights in and to the Customer Personal Data and CCC shall have no rights to the Customer Personal Data except as expressly granted under the Agreement or this Addendum. Nothing in the Agreement or this Addendum will restrict or limit in any way Customer’s rights as owner (as between it and CCC) of Customer Personal Data or in either Party’s rights as owner (as between each other) of their Personal Data. ‍

2. Processing Instructions

a. With respect to Customer Personal Data, CCC and Customer agree that CCC is acting as a Processor to provide Services to Customer and Customer is a Controller. The parties agree to comply with all Applicable Privacy Laws, including providing the level of privacy protection as required of Controllers under Applicable Privacy Laws. CCC will Process Customer Personal Data in accordance with the instructions set forth in the Agreement and this Addendum. Customer’s written instructions for the Processing of Customer Personal Data shall comply with Applicable Privacy Laws. Customer is responsible for determining whether the Services are appropriate for storage and Processing of data subject to any Applicable Law and for using the Services in a manner consistent with Customer’s legal and regulatory obligations. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and how Customer acquired Customer Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any individual, including those that have opted-out from the sale, share, or other disclosure of Customer Personal Data, under Applicable Privacy Laws.

b. Customer is disclosing Customer Personal Data to CCC and CCC is Processing Customer Personal Data for the following purpose: providing the Services, including as described in the table below, and related services, as set forth in the Agreement (the “Purpose”). As may be set forth in more detail in the Agreement, CCC will Process Customer Personal Data regarding data subjects as listed in the table below for the duration of time listed in the table below. The Parties anticipate that CCC will Process Customer Personal Data in the categories listed in the table below and any other categories of Customer Personal Data that are reasonably necessary for CCC to perform the Services under the Agreement. CCC may Process Aggregate Data and De-identified Data for any purpose, commercial or otherwise in accordance with the Agreement ([section 7(c)]), provided such Processing complies with Applicable Privacy Law.

Describe specific business purpose, of Personal Data Processing:  For Customer’s internal business for the evaluation, processing and settling of claims and damage and repair estimates and/or such other permitted purposes as set forth in the Agreement. ‍

Duration of Processing: the duration of the Agreement.‍

Categories of data subjects/consumers: customers, consumers, and employees or contractors and/or such other categories as expressly set forth in the Agreement.‍

Categories of Personal Data being Processed: name, email address, home address, and license plate number and/or such other categories as expressly set forth in the Agreement.

3. Restrictions on Use of Customer Personal Data

‍Except as otherwise permitted by Applicable Privacy Law or set forth in this Agreement, CCC will not retain, use, disclose Customer Personal Data (i) for any purpose (commercial or otherwise) other than the Purpose, (ii) outside of the direct business relationship between CCC and Customer. CCC will not sell or share Customer Personal Data for monetary or other valuable consideration.

4. Subcontracting and Sub-Processing

a. Sub-Processors.  Customer agrees that CCC may subcontract the processing of Customer Personal Data to its Sub-Processors. A current list of CCC Sub-Processors can be found at: https://cccis.com/subprocessors. CCC will inform Customer of any intended changes concerning the addition or replacement of other Sub-Processors by updating its Sub-Processor list referenced above and will allow Customer 10 days to object to such change. If Customer has legitimate objections to the appointment of any new Sub-Processor related to data protection, CCC will work with Customer in good faith to resolve the grounds for the objection. If the objection cannot be resolved, Customer’s sole remedy is termination of the Agreement.

b. Responsibilities. Where CCC engages Sub-Processors, it will impose data protection terms on the Sub-Processors that provide at least the level of protection for Personal Data required or provided for under Applicable Law to the extent such protections are applicable to the nature of the services provided by such Sub-Processors.  

5. Data Subject Requests

CCC will notify Customer promptly if it receives any inquiry, complaint, request or claim that identifies Customer (collectively, “Requests”) from an individual relating to their Customer Personal Data, including any individual’s request to exercise rights under Applicable Privacy Law with respect to Customer Personal Data. CCC will not respond to any such Requests without Customer’s prior written consent except to the extent required by Applicable Privacy Law or as necessary to confirm that the Request relates to Customer. CCC will (a) reasonably assist Customer in timely responding to such Requests; and (b) reasonably cooperate with Customer in resolving such Requests. CCC will promptly provide any information reasonably requested by Customer relating to CCC’s and Services and/or Processing of Customer Personal Data that is reasonably necessary for Customer to respond to such Request.

6. Safeguarding

a. General Obligations. CCC will use the same level of care (including both facility physical security and electronic security) designed to prevent misuse, unauthorized access by, storage, disclosure, publication, dissemination to and/or use by third parties of, the Customer Personal Data as it employs to avoid misuse, and unauthorized access to, and storage, disclosure, publication, dissemination or use of its own information of a similar nature, but in no event less than a reasonable standard of care. The concept of a “reasonable standard of care” shall consist of compliance by CCC with all Applicable Privacy Laws and all security requirements contained in the Agreement and this Addendum. Notwithstanding the provisions of this Section 6,  Customer recognizes that in the ordinary course of usage of the Services in commerce by or on behalf of Customer, Customer Personal Data will be shared with third parties involved in (i) the processing of Customer insurance claims or (b) performing motor vehicle repairs in connection with a claim handled by Customer (“Intended Recipients”), and CCC shall not be in breach of the Agreement or this Addendum for such communication or be liable for the acts or omissions of those Intended Recipients with their receipt of, access to, or use of such Customer Personal Data. Customer acknowledges that the provision of the Services to Intended Recipients includes making Customer Personal Data accessible to others via the Collision Industry Electronic Commerce Association Estimate Management System (“EMS”) extract and that provision of access to EMS for such purposes shall not constitute a breach of the Agreement or this Addendum.

b. Data Destruction. Except to the extent prohibited by Applicable Law or as set forth in the Agreement, CCC will destroy all copies of Customer Personal Data maintained by it or its Sub-Processors in accordance with any applicable legal requirements for such destruction upon termination or expiration of the Agreement. If CCC has a legal obligation to retain Customer Personal Data beyond the period otherwise specified by the Agreement, including this Addendum, CCC may retain such Customer Personal Data, to the extent permitted by Applicable Law, provided that CCC will continue to safeguard such Customer Personal Data in accordance with this Addendum for the duration of such retention period. CCC will perform any destruction of Customer Personal Data pursuant to this Addendum in such a manner as to destroy the Customer Personal Data permanently and securely, in accordance with Applicable Laws and industry standards so that the information cannot be read or reconstructed as a practicable matter through forensic or other means. Upon request, CCC will provide a certification signed by an officer or senior manager of its company attesting to such destruction.

7. Audit

Customer may request CCC’s standard privacy and security questionnaires (SIG), third party reports (SOC2 Type II), and documentation to demonstrate compliance with this Addendum. Customer requests will be reasonable and appropriate and submitted at CCC Trust Center (cccis.webflow.io) Upon notice, Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data by CCC.  

8. Cooperation

Upon request, CCC will reasonably cooperate with Customer in conducting privacy or security assessments relating to CCC’s Processing of Customer Personal Data, and in seeking guidance from or consulting with third parties, including governmental authorities or labor bodies. CCC will notify Customer if CCC makes a determination that it can no longer meet its obligations under Applicable Privacy Law.

9. Notification of Claims

CCC will notify Customer promptly if CCC becomes aware it is the subject of any suit or enforcement proceeding arising from or relating to CCC’s Processing of Customer Personal Data.  Upon request, and at Customer’s expense, CCC will reasonably cooperate with Customer and reasonably assist Customer with any claim, investigation, audit, suit or enforcement proceeding arising from or relating to CCC’s Processing of Customer Personal Data.

10. Miscellaneous

a.   Non-Limitation / Conflict. The provisions of this Addendum are in addition to, and without limitation of, any other restrictions, protections or obligations imposed upon CCC with respect to Customer Personal Data under the Agreement. In the event of a conflict between this Addendum and any provisions of the Agreement, this Addendum will prevail to the extent of such conflict.

b.   Compliance with Addendum. Notwithstanding anything to the contrary in the Agreement, in the event of a material breach of this Addendum by CCC, Customer may, in its sole discretion, terminate the Agreement or the applicable Processing, provided Customer gives CCC written notice specifying the material non-compliance and CCC has failed to cure such noncompliance within thirty (30) days of receipt of such written notice. Such right will be without prejudice to any other remedies under the Agreement, this Addendum, at law or in equity. If CCC should breach or threaten to breach any of the provisions of this Addendum then Customer, in addition to any other remedies it may have at law or in equity, will be entitled to seek a restraining order, injunction, or other equitable remedy, to enforce the provisions of this Addendum.

c. Survival. These terms shall survive for so long as CCC Processes or has access to any Customer Personal Data.

d. No Rights Created. This Addendum by itself does not create or vest any rights or obligations in CCC to access, acquire, Process or control any Customer Personal Data, or to access any Customer information systems.

Glossary

“Aggregate Data” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.

“Applicable Privacy Law” means Applicable Law that applies to the Processing of Personal Data under the Agreement. Applicable Privacy Law shall be applied, in each instance, solely to Customer Personal Data to the extent covered by such Applicable Law(s) (e.g., California Applicable Privacy Law only applies to California Personal Information).

"Customer Personal Data” means Customer Data that is Personal Data.

“De-identified Data” means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, provided that CCC: (1) takes reasonable measures to ensure that the information cannot be associated with a consumer or household; (2) publicly commits to maintain and use the information in deidentified form and not to attempt to reidentify the information (except CCC may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this definition); and (3) contractually obligates any recipients of the information to comply with all provisions of this definition.

“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, or any other information that is regulated as “personal data,” “personally identifiable information,” or “personal information,” or a similar term as otherwise defined under Applicable Privacy Law. The parties acknowledge and agree that Aggregate Data and De-identified Data are not Personal Data.    

“Process” or “Processing” means any operation or set of operations performed upon data, whether by automatic or manual means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

“Processor” means “processor” or “service provider” as defined under Applicable Privacy Law.

“Sub-Processor” means any Affiliate, temporary workers, or third party engaged by CCC to assist in the Processing of Customer Personal Data under the Agreement.