Personal Information Processing Agreement

Last updated: July 15, 2021

This agreement is between you, the user of the Kroma App and website, including any content, functionality and services offered on or through such application or website (the “Customer”), and Kroma Superfoods, PBC, a Delaware public benefit corporation, with offices located at 2683 Via de la Valle, Suite G254, Del Mar, CA 92014, the owner and operator of the Kroma App and website (the “Provider”).


WHEREAS, the Customer and the Provider entered into the Website Terms of Use (the “Master Agreement”) that may require the Provider to process Personal Information provided by or collected from the Customer; and


WHEREAS, this Personal Information Processing Agreement (the “PIPA”) sets out the additional terms, requirements and conditions on which the Provider will obtain, handle, process, disclose, transfer, or store Personal Information when providing services under the Master Agreement;


NOW, THEREFORE, in consideration of the mutual covenants and agreements hereinafter set forth and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:


1.  Definitions and Interpretation.


    1.1  The following definitions and rules of interpretation apply in this PIPA.


“Authorized Persons” means the persons or categories of persons that the Customer authorizes to give the Provider personal information processing instructions.


“Business Purpose” means the services described in the Master Agreement.


“Data Subject” means an individual who is the subject of Personal Information.


“Personal Information” means any information the Provider processes for the Customer that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in the Provider’s possession or control or that the Provider is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.


“Processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.


“Privacy and Data Protection Requirements” means all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.


“Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.


“Standard Contractual Clauses (SCC)” means the European Commission’s Standard Contractual Clauses for the transfer of Personal Information from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU.



    1.2  This PIPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this PIPA.


    1.3  The Appendices form part of this PIPA and will have effect as if set out in full in the body of this PIPA. Any reference to this PIPA includes the Appendices.


    1.4  A reference to writing or written includes faxes and email.


    1.5  In the case of conflict or ambiguity between:


(a)  any provision contained in the body of this PIPA and any provision contained in the Appendices, the provision in the body of this PIPA will prevail;


(b)  the terms of any accompanying invoice or other documents annexed to this PIPA and any provision contained in the Appendices, the provision contained in the Appendices will prevail;


(c)  any of the provisions of this PIPA and the provisions of the Master Agreement, the provisions of this PIPA will prevail; and


(d)  any of the provisions of this PIPA and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.


2.  Personal Information Types and Processing Purposes.


    2.1  The Customer retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.


    2.2  Appendix A describes the general Personal Information categories and Data Subject types the Provider may process to fulfill the Business Purposes of the Master Agreement.


3.  Provider’s Obligations.


    3.1  The Provider will only process the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s instructions. The Provider will not process the Personal Information for any other purpose or in a way that does not comply with this PIPA or the Privacy and Data Protection Requirements. The Provider must promptly notify the Customer if, in its opinion, the Customer’s instruction would not comply with the Privacy and Data Protection Requirements.


    3.2  The Provider must promptly comply with any Customer request or instruction requiring the Provider to amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing.


    3.3  The Provider will maintain the confidentiality of all Personal Information and will not disclose Personal Information to third parties unless the Customer or this PIPA specifically authorizes the disclosure, or as required by law. If a law requires the Provider to process or disclose Personal Information, the Provider must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.


    3.4  The Provider will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of the Provider’s processing and the information available to the Provider.


    3.5  The Provider must promptly notify the Customer of any changes to Privacy and Data Protection Requirements that may adversely affect the Provider’s performance of the Master Agreement.


    3.6  The Customer acknowledges that the Provider is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions from Authorized Persons or the Personal Information other than as required under the Privacy and Data Protection Requirements.


    3.7  The Provider will only collect Personal Information for the Customer using a notice or method that the Customer specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of the Customer’s identity, the purpose or purposes for which their Personal Information will be processed, and any other information that is required by applicable Privacy and Data Protection Requirements. The Provider will not modify or alter the notice in any way without the Customer’s prior written consent.


4.  Provider’s Employees.


    4.1  The Provider will limit Personal Information access to:


(a)  those employees who require Personal Information access to meet the Provider’s obligations under this PIPA and the Master Agreement; and


(b)  the part or parts of the Personal Information that those employees strictly require for the performance of their duties.


    4.2  The Provider will ensure that all employees:


(a)  are informed of the Personal Information’s confidential nature and use restrictions;


(b)  have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and


(c)  are aware both of the Provider’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this PIPA.


    4.3  The Provider will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of the Provider’s employees with access to the Personal Information.


5.  Security.


    5.1  The Provider must at all times implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage.


    5.2  The Provider will immediately notify the Customer if it becomes aware of any advance in technology or methods of working that indicates the parties should adjust their security measures.


    5.3  The Provider must take reasonable precautions to preserve the integrity of any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures.


6.  Security Breaches and Personal Information Loss.


    6.1  The Provider will promptly notify the Customer if any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable. The Provider will restore such Personal Information at its own expense.


    6.2  The Provider will notify the Customer within 72 hours of the time Provider becomes aware of:


(a)  any unauthorized or unlawful processing of the Personal Information; or


(b)  any Security Breach.


    6.3  Immediately following any unauthorized or unlawful Personal Information processing or Security Breach, the parties will co-ordinate with each other to investigate the matter. The Provider will reasonably co-operate with the Customer in the Customer’s handling of the matter, including:


(a)  assisting with any investigation;


(b)  providing the Customer with physical access to any facilities and operations affected;


(c)  facilitating interviews with the Provider’s employees, former employees and others involved in the matter; and


(d)  making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by the Customer.


    6.4  The Provider will not inform any third party of any Security Breach without first obtaining the Customer’s prior written consent, except when law or regulation requires it.


    6.5  The Provider agrees that the Customer has the sole right to determine:


(a)  whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice; and


(b)  whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.


    6.6  The Provider will cover all reasonable expenses associated with the performance of the obligations under Clauses 6.2 and 6.3, unless the matter arose from the Customer’s specific instructions, negligence, willful default, or breach of this PIPA, in which case the Customer will cover all reasonable expenses.


    6.7  The Provider will also reimburse the Customer for actual reasonable expenses the Customer incurs when responding to and mitigating damages, to the extent that the Provider caused a Security Breach, including all costs of notice and any remedy as set out in Clause 6.5.


7.  Cross-Border Transfers of Personal Information.


    7.1  Appendix A lists all of the countries where the Provider may receive, access, transfer, or store Personal Information. The Provider must not receive, access, transfer, or store Personal Information outside the countries listed on Appendix A without the Customer’s prior written consent.


    7.2  If any Personal Information transfer between the Provider and the Customer requires execution of Standard Contractual Clauses in order to comply with the Privacy and Data Protection Requirements, the parties will complete all relevant details in, and execute, the Standard Contractual Clauses, and take all other actions required to legitimize the transfer, including, if necessary:


(a)  co-operating to register the Standard Contractual Clauses with any supervisory authority in any European Economic Area country;


(b)  procuring approval from any such supervisory authority; or


(c)  providing additional information about the transfer to such supervisory authority.


    7.3  The Provider will not transfer any Personal Information to another country unless the transfer complies with the Privacy and Data Protection Requirements.


8.  Subcontractors.


    8.1  The Provider may only authorize a third party (subcontractor) to process the Personal Information if:


(a)  the Customer is given an opportunity to object within five (5) days after the Provider supplies the Customer with full details regarding such subcontractor;


(b)  the Provider enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this PIPA and, upon the Customer’s written request, provides the Customer with copies of such contracts;


(c)  the Provider maintains control over all Personal Information it entrusts to the subcontractor; and


(d)  the subcontractor’s contract terminates automatically on termination of this PIPA for any reason.


    8.2  The Provider must list all approved subcontractors in Appendix A and include any subcontractor’s name and location and contact information for the person responsible for privacy and data protection compliance.


    8.3  Where the subcontractor fails to fulfill its obligations under such written agreement, the Provider remains fully liable to the Customer for the subcontractor’s performance of its agreement obligations.


    8.4  The parties consider the Provider to control any Personal Information controlled by or in the possession of its subcontractors.


    8.5  Upon the Customer’s written request, the Provider will audit a subcontractor’s compliance with its obligations regarding the Customer’s Personal Information and provide the Customer with the audit results.


9.  Complaints, Data Subject Requests, and Third Party Rights.


    9.1  The Provider must notify the Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either party’s compliance with the Privacy and Data Protection Requirements.


    9.2  The Provider must notify the Customer within five (5) working days if it receives a request from a Data Subject for access to their Personal Information.


    9.3  The Provider will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request.


    9.4  The Provider must not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Customer’s request or instruction, permitted by this PIPA, or is otherwise required by law.


10.  Term and Termination.


    10.1  This PIPA will remain in full force and effect so long as:


(a)  the Master Agreement remains in effect; or


(b)  the Provider retains any Personal Information related to the Master Agreement in its possession or control (the “Term”).


    10.2  Any provision of this PIPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Personal Information will remain in full force and effect.


    10.3  The Provider’s failure to comply with the terms of this PIPA is a material breach of the Master Agreement. In such event, the Customer may terminate any part of the Master Agreement authorizing the processing of Personal Information effective immediately upon written notice to the Provider without further liability or obligation.


    10.4  If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its Master Agreement obligations, the parties will suspend the processing of Personal Information until that processing complies with the new requirements. If the parties are unable to bring the Personal Information processing into compliance with the Privacy and Data Protection Requirement within a reasonable time, they may terminate the Master Agreement upon written notice to the other party.


11.  Data Return and Destruction.



    11.1  At the Customer’s request, the Provider will give the Customer a copy of or access to all or part of the Customer’s Personal Information in its possession or control in the format and on the media reasonably specified by the Customer.


    11.2  On termination of the Master Agreement for any reason or expiration of its term, the Provider will securely destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Information related to this PIPA in its possession or control, except for one copy that it may retain and use for audit purposes only.


    11.3  If any law, regulation, or government or regulatory body requires the Provider to retain any documents or materials that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. The Provider may only use this retained Personal Information for the required retention reason or audit purposes.


    11.4  The Provider will certify in writing that it has destroyed the Personal Information within thirty (30) days after it completes the destruction.


12.  Records.


    12.1  The Provider will keep detailed, accurate, and up-to-date records regarding any processing of Personal Information it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”).


    12.2  The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider’s compliance with its obligations under this PIPA.


    12.3  The Customer and the Provider must review the information listed in the Appendices to this PIPA once a year to confirm its current accuracy and update it when required to reflect current practices.


13.  Audit.


    13.1  At least once per year, the Provider will conduct site audits of its Personal Information processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this PIPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices.


    13.2  Upon the Customer’s written request, the Provider will make summaries of the relevant audit reports available to the Customer for review, including as applicable: The Provider’s latest Payment Card Industry (PCI) Compliance Report, Statement on Standards for Attestation Engagements (SSAE) No. 16 audit reports for Reporting on Controls at a Service Organization, reports relating to its ISO/IEC 27001 certification and other audit reports as applicable. The Customer will treat such audit reports as the Provider’s confidential information under this Agreement.


    13.3  The Provider will promptly address any issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Provider’s management.


    13.4  If a Security Breach occurs or is occurring, or the Provider becomes aware of a breach of any of its obligations under this PIPA or any Privacy and Data Protection Requirements, the Provider will:


(a)  within thirty (30) days of the triggering event, conduct its own audit to determine the cause;


(b)  produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;


(c)  provide the Customer with a copy of the written audit report; and


(d)  remedy any deficiencies identified by the audit within thirty (30) days of the audit’s completion.


14.  Warranties.


    14.1  The Provider warrants and represents that:


(a)  its employees, subcontractors, agents, and any other person or persons accessing Personal Information on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Requirements relating to the Personal Information; and


(b)  it and anyone operating on its behalf will process the Personal Information in compliance with both the terms of this PIPA and all applicable Privacy and Data Protection Requirements and other laws, enactments, regulations, orders, standards, and other similar instruments; and


(c)  it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the Master Agreement’s contracted services; and


(d)  considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information, and ensure a level of security appropriate to:


(i)  the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage; and


(ii)  the nature of the Personal Information protected; and


(iii)  the need to comply with all applicable Privacy and Data Protection Requirements and the Provider’s information security policies, including the security measures required in Clause 5.1.


    14.2  The Customer warrants and represents that the Provider’s expected use of the Personal Information for the Business Purpose and as specifically instructed by the Customer will comply with all Privacy and Data Protection Requirements.


15.  Indemnification.


    15.1  The Provider agrees to indemnify, keep indemnified, and defend at its own expense the Customer against all costs, claims, damages, or expenses incurred by the Customer or for which the Customer may become liable due to any failure by the Provider or its employees, subcontractors, or agents to comply with any of its obligations under this PIPA or applicable Privacy and Data Protection Requirements.


16.  Notice.


    16.1  Any notice or other communication given to a party under or in connection with this PIPA must be in writing and delivered to:


For the Customer:


For the Provider:


    16.2  Clause 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.


IN WITNESS WHEREOF, the Parties hereto have executed this Agreement as of the date set forth above.