Solutions
Extended Workforce Platform

The most trusted platform for your extended workforce.

 Beeline Enterprise

The #1 external workforce management solution for enterprise companies globally.

Beeline Professional

Easy-to-activate VMS with pre-configured templates, workflows, dashboards, and reports modeled after best-in-class programs.

 Shift-based Workforce

The #1 external workforce management solution for managing shift workforces efficiently.

 Beeline Supplier Network

Access tools and proprietary market insights to unlock opportunities, drive efficiencies, and accelerate results for suppliers serving Beeline customers.
Why Beeline
User experience

Efficiency is critical for the success of your business

 Extended workforce connectivity

Go beyond surface-level integrations

 Global solutions

Contingent workforce management worldwide

 Customer success

Your success is the only thing that really matters
Insights
Blogs

Find the latest and greatest trends going on in the extended workforce

 Success stories

Learn how companies are addressing the challenges of managing their contingent workforce

 Analyst reports

Learn how companies are addressing the challenges of managing their contingent workforce

 Fact sheets

Get more details on Beeline products, services and more

 All resources

Explore our library of industry resources
Partners
MSP partners

Partnering with leading MSP's for your success

 Solution partners

An extensive contingent workforce partner network that includes a range of vital services

 Beeline Supplier Network

Whatever your hiring program you'll find a supplier to partner with and drive success

 Become a supplier

Elevate your visibility to hiring managers representing $68B annually in contract workforce spending
About us
Support

    search

    Supplier Data Protection Addendum (Supplier Offerings)

    v.1 November 2024

    I. Introduction

    The undersigned, Beeline.com, LLC for and on behalf of itself and its Affiliates, (collectively, “Beeline”) and you, for and on behalf of yourself and your Affiliates (collectively, “Supplier”), (collectively Beeline and Supplier shall be the “Parties” and each a “Party”), agree to the terms of this Supplier Data Protection Addendum (“DPA”) which sets forth our obligations with respect to the processing and security of User Data, Customer Data and Worker Data in connection with the Supplier Offerings provided by Beeline to Supplier, in conjunction with the terms and conditions entered into between the Parties for the Supplier Offerings. Such terms and conditions and any other terms set out by Beeline in conjunction with the Supplier Offerings, including without limitation any of Beeline’s terms of use, terms of sale or other terms put forth by Beeline in conjunction with the Supplier Offerings, shall be collectively referred to as the “Agreements.” The DPA is deemed incorporated by reference into the Agreements. The provision of Non-Beeline Offerings made available to Supplier are governed by separate terms provided to Supplier, including different privacy and security terms as provided by such third party.

    Under this DPA, Beeline and Supplier shall be independent Controllers of Worker Data, Supplier shall be the controller and Beeline shall be the processor of the User Data, and Beeline shall be the Sub-processor and Supplier shall be the Processor of Customer Data, as further described herein.

    In the event of any conflict or inconsistency between the DPA Terms and any other terms in the Agreements, the DPA Terms shall prevail. The provisions of the DPA Terms supersede any conflicting provisions of the Beeline Privacy Notice that otherwise may apply to processing of Personal Data as defined herein.

    II. Definitions

    The following defined terms are used in this DPA:

    “Affiliate” means, (i) in the case of Beeline, any entity controlled by Beeline.com, LLC, and (ii) in the case of Supplier, any entity controlled by Supplier. For purposes of the preceding sentence, “control” means the direct or indirect ownership of more than 50% of the voting interests of an entity.

    “CCPA” means the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act.

    “Customer Data" means the Personal Data of Supplier’s direct customers processed by Beeline on Supplier’s behalf in connection with the Supplier Offerings under the Agreements.

    “Data Protection Requirements” means the GDPR, Local EU/EEA/Switzerland Data Protection Laws, the Swiss Federal Act on Data Protection in effect as of September 1, 2023, the UK Data Protection Act 2018, the UK GDPR, CCPA and any other applicable laws, regulations, and other legal requirements relating to privacy and data security.

    “DPA Terms” means the terms in this DPA.

    “EEA” means the European Economic Area.

    “EU” means the European Union.

    “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

    “GDPR” means the EU GDPR and the UK GDPR.

    “Local EU/EEA/Switzerland Data Protection Laws” means any legislation and regulation implementing the GDPR.

    “Non-Beeline Offerings” shall mean any third-party products or services made available to Supplier ancillary to the Supplier Offerings and are subject to the third-party’s terms of use, data protection terms and privacy policy, where such third-party products or services are selected by Supplier or Beeline and Supplier accepts such third-party terms.

    “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Worker Data or Supplier Data. Security Incident also includes any personal data breach as defined by the GDPR. A Security Incident does not include any activity which does not result in unauthorized access to such data including without limitation, denial of service and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful login attempts, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.

    “Sub-processor” means other processors used by Beeline to process Personal Data, as described in Article 28 of the GDPR.

    “Supplier Data” means collectively User Data and Customer Data.

    “Supplier Offerings" means any products and/or services made available to you under the Agreements excluding Non-Beeline Offerings

    “UK GDPR” means the General Data Protection Regulation as incorporated into UK law by the UK Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, (each as amended, replaced, or superseded).

    “User” means an employee or agent of Supplier that accesses and uses the Supplier Offerings on Supplier’s behalf and excludes Workers.

    “User Data" means the Personal Data of a User.

    “Worker” means any individual providing or which is offered as a candidate to provide services to Supplier customers on behalf of Supplier. Worker excludes any Users.

    “Worker Data” means all information, including Personal Data, entered into or otherwise provided in conjunction with any Supplier Offering under the Agreements.

    Lower case terms used but not defined in this DPA, such as “processing”, “controller”, “independent controller”, “processor”,  and “data subject” will have the same meaning as set forth in Article 4 of the GDPR, and “adequacy decision” will be subject to the requirements of Article 45(s) of the GDPR, irrespective of whether the GDPR applies.

    III. SCOPE
     

    The DPA Terms apply to all Supplier Offerings except as described in this Section.

    The DPA Terms will not apply to any Non-Beeline Offering which shall instead be governed by the privacy and security terms in the applicable Non-Beeline Offering-specific terms.

    For clarity, the DPA Terms apply only to the processing of Personal Data in environments controlled by Beeline and Beeline’s Sub-processors. This includes Personal Data processed by Beeline as a processor or independent controller when providing the Supplier Offerings but does not include Personal Data that remains on the premises or systems of Supplier or its agents or in any Supplier selected third-party operating environments.

    The DPA Terms do not apply to Supplier’s use of other Beeline services and platforms that are designed for Supplier’s end user customers of its vendor management services. In such instances, Supplier’s Personal Data is processed under the terms of a data protection agreement between Supplier and the Beeline customer to which Supplier is providing its Workers.

    IV. DPA Terms – Worker Data and User Data where Beeline is an independent controller

    A. Roles of the Parties

    For the purpose of this DPA, the Parties acknowledge and confirm that: i) each Party acts as an independent and separate controller for the processing of Worker Data for its own purposes in the context of the Supplier Offerings; and 2) each Party acts as an independent and separate controller of User Data except where Beeline is acting as a processor or Sub-processor as set forth in Section V below.

    B. Obligations of the Parties

    Each Party shall, in relation to the Processing of Personal Data for its own purposes in the context of the Supplier Offerings:

    1. Comply in all material respects with the Data Protection Requirements.
    2. Rely on a valid legal ground under Data Protection Requirements for its processing of Personal Data, including obtaining data subjects’ consent if required under Data Protection Requirements.
    3. Provide appropriate notice to the data subjects in a timely manner, and at a minimum with the elements required under Data Protection Requirements.
    4. Maintain appropriate records to demonstrate that the processing of Personal Data in the context of the Supplier Offerings is performed in accordance with this DPA and Data Protection Requirements.
    5. To the extent required in connection with the Agreements, reasonably cooperate with the other Party to allow the other Party to comply with their data protection compliance obligations as an independent and separate controller under Data Protection Requirements.
    6. Take reasonable steps to ensure the reliability of personnel who have access to the Personal Data processed in the context of the Supplier Offerings.
    7. Take reasonable steps to ensure that such Personal Data: is accurate, complete and current; is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; and kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data is processed unless a longer retention is required or allowed under applicable law.

    C. Data Transfers

    In relation to the processing of Personal Data in the context of the Supplier Offerings:

    1. The Parties shall comply with the requirements of Data Protection Requirements in relation to the international transfer or export of Personal Data processed in the context of the Service Offerings.
    2. The Parties may transfer the Personal Data processed in connection with the Supplier Offerings which is subject to the GDPR outside of the EU and the UK in accordance with the GDPR, provided that the Personal Data are transferred: (a) to a country or territory which has been deemed to provide an adequate level of protection under the GDPR, or (b) to a data recipient with which it has implemented adequate safeguards under the GDPR such as (where relevant and applicable): (i) approved binding corporate rules; or (ii) the standard contractual clauses.
    3. If, for whatever reason, the transfers of Personal Data under this section cease to be lawful or require any additional actions to perfect them, the Parties shall use all reasonable endeavors to promptly implement an alternative lawful transfer mechanism under Data Protection Requirements or take such actions to perfect the lawfulness of the transfers.

    D. Data Disclosures

    Each Party shall only disclose Personal Data processed in the context of the Supplier Offerings in accordance with Data Protection Requirements, including as regards the engagement of processors and/or Sub-Processors of Personal Data in the context of the Supplier Offerings, and/or as reasonably necessary for the purposes or applicable law.

    E. Data Protection; Security of the Processing; Confidentiality; and Security Incidents

    1. The Parties must implement and maintain a written information security program with appropriate technical and organizational measures to ensure a level of security of the processing of Personal Data in the context of the Supplier Offerings appropriate to the risk. In assessing the appropriate level of security, the Parties must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing of Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects and the risks that are presented by the processing of Personal Data in the context of the Supplier Offerings, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed in the context of the Supplier Offerings.
    2. The Parties must take steps to ensure that any person acting under their authority who has access to Personal Data is subject to a duly enforceable contractual or statutory confidentiality obligation, and if applicable process Personal Data in accordance with the controller’s instructions.
    3. Each Party must notify the other of any Security Incident that relates to Personal Data processed in the context of the Supplier Offerings, without undue delay, and no later than 48 hours after having become aware of a Security Incident.

    F. Security Audit

    Upon prior written request, each Party agrees to cooperate and within reasonable time provide the requesting Party with: (i) a summary of any audit reports or other information demonstrating its compliance with Data Protection Regulation obligations as relating to the Supplier Offering, after redacting any confidential and commercially sensitive information; and (ii) confirmation that an audit has not revealed any material vulnerability in the context of the Supplier Offerings, or to the extent that any such vulnerability was detected, that such vulnerability has been remedied.

    V. DPA Terms – Supplier Data where Beeline is a Processor or Sub-Processor

    A. Roles of the Parties

    Beeline is a processor and Supplier is a controller of User Data except: (a) when Supplier acts as a processor of User Data, in which case Beeline is a Sub-processor. Beeline is a Sub-processor of Customer Data. When Beeline acts as the processor or Sub-processor of Supplier Data, it will process Personal Data only on documented instructions from Supplier. Supplier agrees that its Agreements (including the DPA Terms and any applicable updates), are Supplier’s complete documented instructions to Beeline for the processing of Supplier Data. Any additional or alternate instructions must be agreed to by the Parties according to the process for amending Supplier’s Agreements. In any instance where the GDPR applies and Supplier is a processor, Supplier warrants to Beeline that Supplier’s instructions, including appointment of Beeline as a processor or Sub-processor, have been authorized by the relevant controller.

    B. Transfers and Processing Activity

    Transfers and processing activity for Supplier Data are as set out here.

    C. Nature of the Processing

    Beeline will use and otherwise process Supplier Data only as described and subject to the limitations provided below: (1) to provide Supplier the Supplier Offerings in accordance with Supplier’s documented instructions, (2) for business operations incident to providing the Supplier Offerings to Supplier; or (3) as required to meet its legal obligations.

    1. Processing to provide the Supplier Offerings.

      For purposes of this DPA, “to provide” the Supplier Offerings consists of:
      • Delivering functional capabilities as licensed, configured, and used by Supplier and its users, including providing personalized features;
      • Troubleshooting (preventing, detecting, and repairing problems (including Security Incidents);
      • Ongoing improvement (installing the latest updates if and when available and making improvements to User productivity, reliability, efficacy, quality, and security); and
      • Providing services ancillary to the Supplier Offerings.
    1. Processing for Business Operations

      For purposes of this DPA, “business operations” consist of the following, each as incident to delivery of the Supplier Offerings to Supplier: (a) billing and account management; (b) internal reporting and business modeling (e.g., forecasting, revenue, capacity planning, product strategy); (c) combatting fraud and cybercrime; (d) improving functionality of the Supplier Offerings and the Supplier experience; and (e) financial reporting and compliance with legal obligations (subject to the limitations on disclosure of Supplier Data outlined below). Beeline will comply with its obligations, as an independent and separate controller, under the GDPR for such use subject to Section IV above.

    D. Data Transfers

    Where Beeline is a processor or Sub-processor of Supplier Data, Beeline shall comply with the obligations of Section IV.C. (Data Transfers) above. All transfers of Supplier Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR. Where an adequacy decision does not exist, the Parties agree that Module II of the standard contractual clauses will apply as the approved method of data transfer as set forth here.

    E. Disclosure of Processed Data

    1. Where Beeline is acting as a processor or Sub-processor of Supplier Data, Beeline will not disclose or provide access to any such Supplier Data except: (1) as Supplier directs; (2) as described in this DPA; or (3) as required by law.
    2. Beeline will not disclose or provide access to any Supplier Data to law enforcement unless required by law. If law enforcement contacts Beeline with a demand for Supplier Data, Beeline will attempt to redirect the law enforcement agency to request that data directly from Supplier. If compelled to disclose or provide access to any Supplier Data to law enforcement, Beeline will promptly notify Supplier and provide a copy of the demand where legally required to do so.
    3. Upon receipt of any other third-party request for Supplier Data, Beeline will promptly notify Supplier where required by law. Beeline will reject the request unless required by law to comply. If the request is valid, Beeline will attempt to redirect the third party to request the data directly from Supplier.
    4. Beeline will not provide any third party: (i) direct, indirect, blanket, or unfettered access to Supplier Data; (ii) encryption keys used to secure Supplier Data or the ability to break such encryption; or (iii) access to Supplier Data if Beeline is aware that the data is to be used for purposes other than those stated in the third party’s request.
    5. In support of the above, Beeline may provide Supplier’s basic contact information to the third party.

    F. Use of sensitive or restricted data

    The Supplier Offerings are not designed for use with the Personal Data of minors and do not require the sharing of sensitive Personal Data. Supplier is solely responsible for managing the Personal Data that it provides to Beeline.

    G. Processing of Personal Data; GDPR

    All Supplier Data processed by Beeline in connection with providing the Supplier Offerings is obtained from Supplier or their agents on their behalf or data generated, derived or collected by Beeline or its Sub-processors, including data sent to Beeline as a result of Supplier’s use of service-based capabilities in conjunction with the Supplier Offerings. Pseudonymized identifiers may be included in data processed by Beeline in connection with providing the Supplier Offerings and are also Personal Data. Any Supplier Data pseudonymized, or de-identified but not anonymized, or Personal Data derived from Supplier Data is also Personal Data.

    H. Data Retention and Deletion

    At all times during the term of Supplier’s Agreements, Supplier will have the ability to access, extract and delete Supplier Data stored in the Supplier Offerings, subject to availability as set forth in the Agreements, by use of the provided features and functionality.

    Beeline will return or destroy Supplier Data upon the expiration or termination of and in accordance with the terms of any Agreement, where such Supplier Data is no longer required to be processed, in accordance with Data Protection Requirements.

    The Supplier Offerings may not support retention or extraction of data by third-party software used or provided by Supplier and Beeline has no liability for the deletion of Supplier Data in this manner

    I. Notice and Controls on use of Sub-processors for Supplier Data

    Beeline may hire Sub-processors, including Beeline Affiliates, to provide certain limited or ancillary services on its behalf for the processing of Supplier Data. Supplier authorizes Beeline’s engagement of Sub-processors for Supplier Data.

    Where Beeline is acting as a data processor or Sub-processor of Supplier Data, Supplier hereby gives its general written authorization for the engagement of Beeline’s Sub-processors. Beeline is responsible for its Sub-processors’ compliance with Beeline’s obligations in this DPA. Beeline’s Sub-processors for the Supplier Offerings can be found here. When engaging any Sub-processor, Beeline will ensure via a written contract that the Sub-processor may access and use Supplier Data only to deliver the services Beeline has retained them to provide and is prohibited from using Supplier Data for any other purpose. Beeline will ensure that Sub-processors are bound by written agreements that provide for, in substance, the same data protection obligations as those binding Beeline under the Data Protection Requirements where applicable. Beeline agrees to oversee the Sub-processors to ensure that these contractual obligations are met.

    From time to time, Beeline may engage new Sub-processors. Beeline will give Supplier notice (by updating this link or providing Supplier with a different mechanism to obtain notice of that update) of any new Sub-processor at least thirty (30) days in advance of engaging that new Sub-processor. If Beeline engages a new Sub-processor for a new Supplier Offering that processes Supplier Data, Beeline will give Supplier notice prior to availability of that Supplier Offering.

    If Supplier does not reasonably approve of a new Sub-processor, then Supplier may terminate any Agreements for the affected Supplier Offerings for convenience without penalty or termination fee by providing, before the end of the relevant notice period, written notice of termination. Supplier may also include an explanation of the grounds for non-approval together with the termination notice, in order to permit Beeline to re-evaluate any such new Sub-processor based on the applicable concerns.

    J. Data subject rights; Assistance with requests

    Beeline will make available to Supplier, in a manner consistent with the functionality of the Supplier Offerings and Beeline’s role as a processor or Sub-processor of Supplier Data, the ability to fulfill data subject requests to exercise their rights under Data Protection Requirements. If Beeline receives a request from a User or other data subject to exercise one or more of its rights under Data Protection Requirements in connection with the Supplier Offerings for which Beeline is a data processor or Sub-processor, Beeline will promptly redirect the data subject to make its request directly to Supplier or its agents and where the data subject identifies Supplier in the data subject request, Beeline will also promptly notify the Supplier. Beeline will assist Supplier in fulfilling its obligations to respond to data subjects’ requests by implementing technical and organizational measures set out in Section V.K.1. below. Supplier will be responsible for responding to any such request and all communications with the data subject in accordance with Data Protection Requirements including, where necessary, by using the functionality of the Supplier Offerings where available. Beeline shall comply with requests by Supplier to assist with Supplier’s response to such a data subject request where Supplier is otherwise unable to leverage the functionality of the Supplier Offerings as a result of Beeline’s failure to make such functionality available.

    K. Data Security

    1. Security Practices and Policies

      Beeline will implement and maintain appropriate technical and organizational measures to protect Supplier Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Supplier Data transmitted, stored or otherwise processed. Those measures shall be set forth in a Beeline Security Policy. Beeline’s technical and organizational measures can be found here. Beeline will make available to Supplier additional information reasonably requested by Supplier regarding Beeline security practices and policies subject to appropriate obligations of confidentiality.
    1. Data Encryption

      Supplier Data in transit over public networks between Supplier and Beeline, or between Beeline entities, is encrypted by default. Beeline also encrypts Supplier Data stored at rest.
    1. Data Access

      Beeline employs the principles of least privilege access mechanisms to control access to Supplier Data. Role-based access controls are employed to ensure that access to Supplier Data is for an appropriate purpose and approved with management oversight.
    1. Supplier Responsibilities

      Supplier is responsible for making an independent determination as to whether the technical and organizational measures for Supplier Offerings meet Supplier’s requirements, including any of its security obligations under applicable Data Protection Requirements. Supplier acknowledges and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Personal Data as well as the risks to individuals) the security practices and policies implemented and maintained by Beeline provide a level of security appropriate to the risk with respect to its Personal Data. Supplier is responsible for implementing and maintaining privacy protections and security measures for components that Supplier provides or controls.

    L. Security Incident Notification

    If Beeline becomes aware of a Security Incident regarding Supplier Data while processed by Beeline in the context of providing the Supplier Offerings, Beeline will promptly and without undue delay (1) notify Supplier of the Security Incident; (2) investigate the Security Incident and provide Supplier with detailed information about the Security Incident; and (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident

    Notification(s) of security Incidents will be delivered to Supplier by any means Beeline selects, including via email. It is Supplier’s sole responsibility to ensure Supplier maintains accurate contact information with Beeline for each applicable Supplier Offering. Supplier is solely responsible for complying with its obligations under incident notification laws applicable to Supplier and fulfilling any third-party notification obligations related to any Security Incident.

    Beeline shall reasonably assist Supplier in fulfilling Supplier’s obligation under GDPR Article 33 or other applicable law or regulation to notify the relevant supervisory authority and data subjects about such Security Incident.

    Beeline’s notification of or response to a Security Incident under this section is not an acknowledgement by Beeline of any fault or liability with respect to the Security Incident.

    Supplier must notify Beeline promptly about any possible misuse of its accounts or authentication credentials or any security incident related to the Supplier Offerings at secincident@beeline.com.

    M. Auditing Compliance

    Beeline will conduct audits of the security of the computers, computing environment, physical data centers, and cloud-services that it uses in processing Supplier Data as set forth in the Agreements.

    VI. General DPA Terms

    A. Compliance with Laws

    Beeline will comply with all laws and regulations applicable to its provision of the Supplier Offerings including security breach notification law and Data Protection Requirements. However, Beeline is not responsible for compliance with any laws or regulations applicable to Supplier or Supplier’s industry that are not applicable to Beeline as a provider of the Supplier Offerings. Beeline does not determine whether Supplier Data includes information subject to any such specific law or regulation.

    Supplier must comply with all laws and regulations applicable to its use of Supplier Offerings including laws related to biometric data, confidentiality of communications and Data Protection Requirements. Supplier is responsible for determining whether the Supplier Offerings are appropriate for storage and processing of information subject to any specific law or regulation and for using the Supplier Offerings in a manner consistent with Supplier’s legal and regulatory obligations. Supplier is responsible for responding to any request from a third-party regarding Supplier’s use of Supplier Offerings.

    B. Records of Processing Activities

    To the extent the GDPR or any other Data Protection Requirements requires Beeline to collect and maintain records of certain information relating to Supplier, Supplier will, where requested, supply such information to Beeline and keep it accurate and up to date. Beeline may make any such information available to any supervisory or regulatory authority if required by the Data Protection Requirements.

    C. New Features, Supplements, or Related Software

    The DPA Terms may be amended by Beeline at the hosted link upon notice in Beeline’s sole discretion. If those terms include any material adverse changes to the DPA Terms, Supplier may cancel their Agreements for Supplier Offerings for convenience in accordance with the terms set forth therein.

    D. Government Regulation and Requirements

    Beeline may modify or terminate a Supplier Offering in any country or jurisdiction where there is any current or future government requirement or obligation that (1) subjects Beeline to any regulation or requirement not generally applicable to businesses operating there, (2) presents a hardship for Beeline to continue offering the Supplier Offerings without modification, and/or (3) causes Beeline to believe the DPA Terms or the Supplier Offering may conflict with any such requirement or obligation.

    E. Electronic Notices

    Beeline may provide Supplier with information and notices about Supplier Offerings and this DPA electronically, including via email, an RSS Feed, or through a web site that Beeline identifies. Notice is given as of the date it is made available by Beeline.

    F. Limitation of liability

    Except as regards towards data subjects and as otherwise provided by the Data Protection Requirements, either Party’s liability to the other shall be as set forth in the applicable Agreements.

    G. California Consumer Privacy Act (CCPA)

    If Beeline is processing Personal Data within the scope of the CCPA, Beeline makes the following additional commitments to Supplier.

    Beeline will process such Supplier Data on behalf of Supplier and Supplier is disclosing Supplier Data to Beeline for the limited purposes set forth and in accordance with these DPA Terms and Beeline shall not retain, use, or disclose that data for any purpose (including for any commercial purpose), outside of the direct business relationship between the parties and other than for the purposes set out in the DPA Terms and as permitted under the CCPA, including under any “sale” exemption. In no event will Beeline “sell” or “share” any such Supplier Data (as such are defined under the CCPA), to any third party for the purposes of cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

    Beeline will comply with all applicable sections of the CCPA, including (with respect to the Supplier Data that it processes pursuant to the DPA Terms), providing a level of privacy protection no less secure than as set forth hereunder and as required by the CCPA. Beeline grants Supplier the right to take reasonable and appropriate steps to ensure that Beeline uses the Supplier Data that it processes pursuant to this DPA in a manner consistent with Supplier’s obligations under the CCPA as set forth under and in accordance with the DPA Terms.

    Supplier may take reasonable and appropriate steps to stop and remediate Beeline’s unauthorized use of Supplier Data by removing or by requesting the removal of such Supplier Data from Beeline’s Platform. Upon receipt of such written notice, Beeline will promptly, and not later than 30 days from its receipt of such notice, assist Supplier with such removal. Supplier acknowledges and agrees that such removal of Supplier Data from the Beeline Platform shall not constitute a termination for breach by Beeline.

    Beeline shall enable Supplier to comply with consumer requests made pursuant to the CCPA as set forth under Section IV.J. (Data Subject Rights; Assistance with Requests) above and shall contract with its Sub-processors in compliance with the CCPA as set forth under Section V.I (Notice and Controls on use of Sub-processors) above.

    Beeline will notify Supplier where it reasonably determines that it cannot meet its obligations under the CCPA. These CCPA terms do not limit or reduce any data protection commitments Beeline makes to Supplier in the DPA Terms or other Agreements between Beeline and Supplier.

    H. How to Contact Beeline

    If Supplier has any questions regarding this DPA, please contact Beeline at the following mailing address:

    Attn. Legal         Email: legal@beeline.com