Version 2.6 - Effective May 1, 2026
This U.S. Data Processing Addendum ("Addendum") is incorporated into and forms part of the Conveyor Terms of Service or such other written agreement, including a Master Services Agreement, between Conveyor and Customer pursuant to which Customer has purchased Paid Services from Conveyor (the "Agreement"). References to "Customer" have the meaning given in the Agreement. This Addendum is effective as of the date Customer accepted the Agreement (the "Addendum Effective Date").
1. Applicability of this Addendum.
This DPA applies to Conveyor’s Processing of Personal Data on behalf of Customer which is governed by Applicable Laws. Depending on Customer’s circumstances, Customer may either be a Controller or a Processor; as between the parties to this Addendum, Conveyor will act as Customer’s Processor in the event Customer is a Controller, or as Customer’s Subcontractor in the event Customer is a Processor.
To the extent Conveyor processes personal data of individuals located in the European Economic Area, Switzerland, or the United Kingdom on behalf of Customer, the Conveyor EU/UK Data Processing Addendum (available at https://www.conveyor.com/legal/eu-dpa) shall govern with respect to such personal data, and in the event of a conflict between this Addendum and the EU/UK Data Processing Addendum for such personal data, the EU/UK Data Processing Addendum shall control.
2. Definitions.
Terms used but not defined herein shall have the meanings assigned to such terms in the Agreement or under Applicable Laws.
2.1. “Applicable Laws” means U.S. state data privacy, consumer privacy, data security and/or data protection laws and regulations, and binding decisions and rules promulgated by relevant government agencies in relation to such laws and regulations, which are applicable to Customer or Conveyor, including without limitation, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and its implementing regulations (collectively, “CCPA”), the Virginia Consumer Data Protection Act and its implementing regulations (collectively, “VCDPA”), the Connecticut Data Privacy Act and its implementing regulations (collectively, “CDPA”), the Colorado Privacy Act and its implementing regulations (collectively, “CPA”), the Utah Consumer Privacy Act and its implementing regulations (collectively, “UCPA”), the Oregon Consumer Privacy Act and its implementing regulations (collectively, “OCPA”), the Texas Data Privacy and Security Act and its implementing regulations (collectively, “TDPSA”), the Florida Digital Bill of Rights and its implementing regulations (collectively, “FDBR”), the Montana Consumer Data Privacy Act and its implementing regulations (collectively, “MTCDPA”), the Delaware Personal Data Privacy Act and its implementing regulations (collectively, “DPDPA”), the Iowa Consumer Data Protection Act and its implementing regulations (collectively, “IACDPA”), the Nebraska Data Privacy Act and its implementing regulations (collectively, “NEDPA”), the New Hampshire Privacy Act and its implementing regulations, the New Jersey Data Privacy Act and its implementing regulations (collectively, “NJDPA”), and the Tennessee Information Protection Act and its implementing regulations (collectively, “TIPA”), and the Maryland Online Data Privacy Act and its implementing regulations (collectively, “MODPA”), each of the foregoing as may be amended from time to time.
2.2. “Addendum Effective Date” means the date on which Customer accepted the Agreement, as recorded in Conveyor's systems.
2.3. “Business Purpose” and “Commercial Purpose” shall have the meanings assigned to such terms under the CCPA.
2.4. “Controller” shall have the meaning assigned to such term under Applicable Laws and shall include, without limitation, a “business” (as such term is defined under the CCPA).
2.5. “Data Breach” means an incident of unauthorized Processing of Personal Data which is defined or described as a “breach” or similar term under Applicable Laws, including without limitation, a “personal information security breach” as described under California Civil Code §1798.150 and a “breach of the security of the system” as defined under Code of Virginia §18.2-186.6.
2.6. “Personal Data” means all data defined as “personal data”, “personal information” or the like under Applicable Laws, and which are Processed by Conveyor pursuant to the Agreement.
2.7. “Processing” shall have the meaning assigned to such term under Applicable Laws, and shall include, without limitation, any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means.
2.8. “Processor” shall have the meaning assigned to such term under Applicable Laws and shall include, without limitation, a “service provider” (as such term is defined under the CCPA).
2.9. “Security Practices Summary” means summary documentation of Conveyor’s information security management program and related practices (including without limitation third-party security attestations and certifications, as applicable), currently accessible at https://www.conveyor.com/legal/security.
2.10. “Sell”, “sale” or “sale of personal data” shall have the meanings assigned to such terms under Applicable Laws, including without limitation, under California Civil Code §1798.140(ad) and Code of Virginia §59.1-575.
2.11. “Share” shall have the meaning assigned to such term under the CCPA.
2.12. “Subcontractor” shall have the meaning as defined or described under Applicable Laws and shall include a person or entity that Processes Personal Data on behalf of a Processor.
3. Processing Details.
The details concerning the nature and purpose of Conveyor’s Processing, the types of Personal Data subject to such Processing and the duration of such Processing are set forth in Attachment 1, attached hereto and incorporated herein. The parties acknowledge and agree that this Addendum and the Agreement constitute Customer’s instructions to Conveyor regarding the Processing of Personal Data.
4. Compliance with Applicable Laws.
Each party shall comply with all Applicable Laws. Furthermore, to the extent the CCPA is applicable, Conveyor will comply with all applicable sections of the CCPA, including, with respect to Personal Data it collects pursuant to the Agreement, providing the same level of privacy protection as required of Businesses by the CCPA.
5. Security Measures.
Conveyor will implement reasonable security procedures and practices appropriate to the nature of the Personal Data received from, or on behalf of, Customer to protect such Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure. The parties acknowledge and agree such security procedures and practices are set forth in Conveyor’s Security Practices Summary. Taking into account the nature of Processing and the information available to Conveyor, Conveyor will also assist Customer in meeting Customer’s obligations under Applicable Laws in relation to the security of Processing of Personal Data.
6. Conveyor Obligations.
With regard to its Processing of Personal Data pursuant to the Agreement, Conveyor agrees as follows:
6.1. Conveyor will not Sell or Share Personal Data it collects pursuant to the Agreement;
6.2. Customer is disclosing Personal Data to Conveyor only for the Business Purposes set forth in Attachment 1, and Conveyor will not retain, use, or disclose Personal Data it collects pursuant to the Agreement for any purpose other than: (a) the Business Purposes specified in Attachment 1 or (b) as otherwise expressly permitted by Applicable Laws;
6.3. Conveyor will not retain, use, or disclose the Personal Data it collects pursuant to the Agreement for any Commercial Purpose other than the Business Purposes specified in Attachment 1, unless expressly permitted by Applicable Laws;
6.4. Conveyor will not retain, use, or disclose Personal Data it collects pursuant to the Agreement outside the direct business relationship between Conveyor and Customer, unless expressly permitted by Applicable Laws;
6.5. Conveyor will not combine or update Personal Data it collects pursuant to the Agreement with personal data or personal information it receives from another source or collects from its own interaction with a Consumer, unless expressly permitted by Applicable Laws;
6.6. Conveyor will notify Customer if it makes a determination that it can no longer meet its obligations under Applicable Laws;
6.7. Conveyor will ensure that each person Processing Personal Data is subject to a duty of confidentiality with respect to the Personal Data;
6.8. Conveyor will grant Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data by Conveyor;
6.9. Conveyor will reasonably assist Customer, upon Customer’s request, to enable Customer to comply with Consumer requests made pursuant to Applicable Laws, and will implement appropriate technical and organizational measures, insofar as this is reasonably practicable, to provide such assistance to Customer. Conveyor will promptly notify Customer upon Conveyor’s or its Subprocessors’ receipt of any request, dispute or claim directly from a data subject (including, without limitation, requests related to the exercise of that data subject’s rights under Applicable Laws with respect to Personal Data), and to refrain from responding to such request, dispute, or claim unless and until Customer provides written consent to such response to Conveyor; Conveyor will cooperate as reasonably requested by Customer to enable Customer to respond to such data subject requests;
6.10. Conveyor will notify Customer, without undue delay (and in no case later than the statutory maximum for notification under Applicable Laws), if Conveyor or its Subcontractors reasonably suspects or has reason to know of a Data Breach and taking into account the nature of Processing and the information available to Conveyor, Conveyor will reasonably assist Customer, upon its request, in meeting Customer’s obligations under Applicable Laws in relation to a Data Breach;
6.11. Upon Customer’s request, Conveyor will provide information in its possession to enable Customer to conduct and document data protection assessments in the event such assessments are required under Applicable Laws; and
6.12. At Customer’s direction, Conveyor will delete or return all Personal Data to Customer, as requested, at the end of the provision of services pursuant to the Agreement, unless retention of the Personal Data is required by law.
7. Subcontractors.
To the extent Conveyor engages any Subcontractor in providing services to Customer, Conveyor will (a) only engage such Subcontractor after providing Customer a reasonable opportunity to object; and (b) enter into a written contract with such Subcontractor that complies with Applicable Laws and requires the Subcontractor to meet the obligations of Conveyor with respect to Personal Data. Customer expressly consents to Conveyor’s engagement of the Subcontractors listed under Attachment 2, attached hereto and incorporated herein. Conveyor will provide notice to Customer of any additional proposed Subcontractor(s) (i.e., other than those listed in Attachment 2) and Customer will have ten (10) days after receipt of such notice to object, on reasonable grounds, to Conveyor’s engagement of such Subcontractor(s). If Customer does not object in such time frame, Customer will be deemed to have consented to Conveyor’s engagement of such Subcontractor(s). If Customer objects within such time frame, the parties will cooperate in good faith to resolve the objection as soon as practicable.
8. Audits.
8.1. Conveyor uses external auditors to verify the suitability, adequacy, and effectiveness of its information security management program. This audit: (a) will be performed at least annually; (b) will be performed according to AICPA Trust Services Criteria for Security (SOC 2) standards or such other alternative standards that are substantially equivalent to SOC 2; (c) will be performed by independent third-party security professionals at Conveyor’s selection and expense; and (d) will result in the generation of an audit report (“Report”) which will be Conveyor’s confidential information. Upon written request by Customer, and subject to Customer’s execution of Conveyor’s standard non-disclosure agreement, Conveyor will make available to Customer (or Customer’s independent, third-party auditor) a copy of the Report, so that Customer can reasonably verify Conveyor’s compliance with the security obligations under this Addendum.
8.2. To the extent Customer requires information which is not included in a Report (as defined above in Section 8.1) in order to verify Conveyor’s compliance with Applicable Laws or ensure that Conveyor uses Personal Data that it collected pursuant to the Agreement in a manner consistent with Customer’s obligations under Applicable Laws, Conveyor agrees (a) upon Customer’s written request, Customer may review records in Conveyor’s possession directly relating to its use of Personal Data that it collected pursuant to the Agreement, or (b) upon Customer’s written request, Conveyor will allow and cooperate with reasonable assessments by Customer or Customer’s designated assessor of Conveyor’s policies and technical and organizational measures in support of its obligations under Applicable Laws. Customer must provide reasonable advance notice (of no less than 30 days) to Conveyor of any such review or assessment described in (a) or (b). Customer may request such review or assessment no more than once annually. In advance of any review or assessment, the parties shall mutually agree upon the scope, timing, and duration of the review or assessment. To the extent Customer or its designated assessor will require access to any of Conveyor’s confidential information as part of the review or assessment, Customer or its designated assessor (as the case may be) shall be required to execute and abide by Conveyor’s standard non-disclosure agreement. Any review or assessment described in this Section 8.2 shall be conducted at Customer’s sole expense.
9. Term and Expiration.
This Addendum shall remain in full force and effect until the earlier of: (a) the expiration or termination of the Agreement; or (b) the mutual agreement of the parties to terminate this Addendum.
10. Miscellaneous.
This Addendum reflects the entire agreement and understanding between the parties with respect to the subject matter herein and shall supersede any prior data processing addenda executed by the parties in connection with the Agreement regarding the subject matter herein. For clarity, while in the event of a conflict between the terms of the Agreement and the terms of this Addendum, the terms of this Addendum will apply, this Addendum does not replace or supersede the terms of the Agreement, which remains in full force and effect to the extent described by its terms.
Attachment 1
Processing Details
The details of Conveyor’s Processing of Personal Data are as follows:
• Nature and Purposes (including Business Purposes) of Processing: Performance of vendor management and trust management services via the Conveyor platform pursuant to the Agreement.
• Types of Personal Data subject to Processing, as determined by Customer, may include: name; contact information (such as email, phone number, and physical address); information necessary for an end user to create an account with Customer; information that may identify Consumers based on their interaction with the Customer or the Customer’s products or services; and information that may identify Consumers based on their devices used to interact with the Customer or the Customer’s products or services and information or data generated by such devices that may be linked with Personal Data.
• Duration of Processing: Continuous Processing for the duration of the Agreement.
Attachment 2
Conveyor Subcontractors
List of subprocessors can be found at https://trust.conveyor.com/