Last updated: December 6, 2022
This State Data Privacy & Protection Addendum (“Addendum”) sets forth the terms and conditions, as applicable, relating to the processing of Verisk’s customers’ (hereinafter, “Company”) Personal Information by Insurance Services Office, Inc., a wholly-owned subsidiary of Verisk Analytics Inc., (“ISO”) on behalf of itself, its subsidiaries, and its affiliates (hereinafter, “Service Provider”, or “Processor” or “Verisk”®) in connection with the products, services or activities provided, or to be provided, by Verisk to Company pursuant to agreements, product supplements, and together with any statements of work, purchase orders, or other instruments issued thereunder in effect between the parties (hereinafter collectively, “Agreement(s)”) as of the last updated date indicated above.
In the event of a conflict between any Agreements and this Addendum, the Addendum shall control regarding the subject matter thereof.
Whereas, Company is the Controller of Personal Information and has entered into an Agreement with Service Provider for the Processing of such Personal Information on Company’s behalf;
Whereas, the Agreement identifies the purpose(s) of Processing the Personal Information, the type(s) of Personal Information to be Processed, and the duration of such Processing or such information has otherwise been included in the attached Schedule 1;
Whereas, such Personal Information is necessary for a Business Purpose, or Business Purposes, and for any other purposes as agreed to by Company and Service Provider in the Agreements; and
Whereas, Company and Service Provider have a mutual desire to preserve and maintain the privacy, confidentiality and security of such Personal Information.
Now therefore, in consideration of the mutual covenants and agreements in this Addendum and the Agreements and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, Company and Service Provider agree as follows:
“Applicable Law” means statutes, rules, and regulations adopted that are applicable to the Personal Information including, but not limited to, the California Consumer Privacy Act, the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act.
“Business Purpose” means the use of Personal Information for the Company’s operational purposes, or other notified purposes, or for Processor’s operational purposes, provided that the use of such Personal Information shall be reasonably necessary and proportionate to achieve the purpose for which the Personal Information was collected or Processed or for another purpose that is compatible with the context in which the Personal Information was collected.
“Commercial Purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.
“Controller” means the entity that, alone or jointly with others, determines the purposes and means of Processing Personal Information.
“Cross-context Behavioral Advertising” means the targeting of advertising based on the Personal Information obtained from an individual’s or natural person’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the individual or natural person intentionally interacts.
“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, is linked or could reasonably be linked, directly or indirectly, with a particular natural person or household, subject to any exceptions or exclusions under Applicable Law.
“Process,” “Processes,” or “Processing” means any operation, or set of operations, performed on Personal Information by automated or manual means, including the collection, use, storage, disclosure, analysis, deletion, or modification of such Personal Information.
“Processor” or “Service Provider” means the entity that Processes Personal Information on behalf of the Controller.
“Sell” or “Sale” means selling, renting, releasing, exchanging, disclosing, disseminating, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Information for monetary or other valuable consideration.
“Share” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Information for Cross-context Behavioral Advertising, whether or not for monetary or other valuable consideration.
“Subprocessor” means any third party engaged by, or on behalf of, Service Provider to Process Personal Information.
II. Obligations applicable to the Processing of Company’s Personal Information
(A) Service Provider shall not Sell or Share Company’s Personal Information.
(B) Service Provider shall not retain, use, or disclose Company’s Personal Information: (i) for any purpose other than for the Business Purpose(s) contemplated by the Agreements, as otherwise agreed to by the Company and Service Provider, or as otherwise permitted by Applicable Law, including retaining, using, or disclosing the Personal Information for Service Provider’s Commercial Purposes; and (ii) outside of the direct business relationship between Service Provider and Company.
(C) Service Provider shall not combine the Personal Information received from, or on behalf of, the Company with Personal Information received from, or on behalf of, another person or persons, or that it collects from its own interaction with such natural person, except as necessary to perform any Business Purpose or otherwise in accordance with Applicable Law.
(D) Service Provider shall not engage any Subprocessors to Process Personal Information on Service Provider’s behalf without first providing Customer with 30 days prior written notice of any such Subprocessors and an opportunity to object.
(E) Processor’s employees, agents, and contractors who process Personal Information on behalf of Company are subject to a duty of confidentiality with respect to such Personal Information and such persons are contractually obligated to provide comparable privacy protection as required of Processor under this Addendum.
(F) Service Provider shall, as reasonably requested by Company, delete or return all Personal Information at the end of the provision of services contemplated by the Agreement, unless otherwise agreed to by the parties or the retention of the Personal Information is required by Applicable Law.
(G) Service Provider shall reasonably cooperate and assist Company in complying with consumer rights obligations in accordance with Applicable Law.
(H) Service Provider shall make information in its possession available to Company necessary to demonstrate compliance with the obligations of this Addendum and permit Company to take reasonable and appropriate steps to help ensure the Processing of Company’s Personal Information is consistent with the obligations herein. This includes audits or assessments to be conducted by Company or a mutually agreed upon independent assessor to assess Service Provider’s technical and organizational measures in support of the obligations in this Addendum. Any audits or assessments conducted in accordance with this paragraph (H) shall be limited to one per calendar year upon 30 days prior notice to Service Provider.
(I) Service Provider shall promptly notify Company if it determines that it can no longer meet the obligations of this Addendum.
(J) This Addendum may be updated from time to time as necessary to comply with changes in existing Applicable Law, as well as new laws as enacted. Verisk will provide notice when the Addendum has been updated and, if no objection is received from Company within 30 days of such notification, the updated Addendum terms will be deemed effective. The parties also agree to negotiate in good faith to amend this Addendum as necessary, or to enter into any additional agreements or addendums, to maintain compliance with changing laws and regulations and to adapt to changes in industry standards and best practices.