Last updated: November 8, 2024
This Data Processing Agreement (“DPA”) governs the Processing of PetSmart Data (defined below) under any agreement (the “Agreement”) between PetSmart LLC or its subsidiaries (“PetSmart”) and PetSmart’s providers, vendors, suppliers, or contractors (each a “Provider”). In the event of any inconsistency or conflict between this DPA and the Agreement, this DPA will govern, except as otherwise expressly agreed to in writing signed by the parties. This DPA will survive termination of the Agreement. PetSmart may revise this DPA from time to time and will post the date of the latest update at the top of this webpage.
Definitions.
1.1 “Applicable Data Law” means all federal, provincial, state, and local laws, statutes, regulations, codes, ordinances, orders, rules, executive orders, regulatory guidance, and industry self-regulations and codes of practice, as amended, applicable to the PetSmart Data, the Agreement, or the parties to the Agreement.
1.2 “Controller” means an entity that, alone or jointly with others, determines the purposes for and means of Processing. “Controller” has the same meaning as “Business,” as that term is defined under Applicable Data Law.
1.3 “Data Subject” means an identified or identifiable person.
1.4 “De-Identified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, a Data Subject or as that or similar terms are otherwise defined under Applicable Data Law.
1.5 “PetSmart Data” means, collectively, the following types of data provided to Provider by or on behalf of PetSmart or its affiliates, subsidiaries, customers, users, donors, vendors, contractors, or other third parties, or otherwise accessed by Provider under the Agreement:
1.5.1 “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, to a Data Subject, or as that term or a similar term is otherwise defined under Applicable Data Law.
1.5.2 “Payment Data” means “Cardholder Data” and “Sensitive Authentication Data” (each as defined under the Payment Card Industry Data Security Standard (“PCI DSS”) glossary), and any other payment method data, including bank account numbers.
1.6 “Process” or “Processing” means any operation or set of operations performed on PetSmart Data, including without limitation accessing, collecting, using, storing, transferring, retaining, disclosing, selling, sharing, deleting, and destroying PetSmart Data.
1.7 “Processor” means an individual or entity that Processes PetSmart Data on behalf of a Controller. “Processor” has the same meaning as “Service Provider,” as that term is defined under Applicable Data Law.
1.8 “Provider Systems” means the networks, systems, software, equipment, and premises utilized by or on behalf of Provider to provide the services, deliverables, or products or otherwise for Processing.
1.9 “Security Breach” means (i) deliberate or inadvertent Processing in breach of this DPA; (ii) any misuse or unlawful or accidental loss, destruction, alteration, or unauthorized Processing; (iii) an event where the security of the Provider Systems is compromised, including any instance in which there is any unauthorized access, interference or use of the Provider Systems; or (iv) another event in which Provider otherwise compromises the security, confidentiality, or integrity of PetSmart Data.
1.10 “Vendor Risk Assessment” means the questionnaire PetSmart uses, as updated from time to time, to assess Provider’s security controls, policies, procedures, and other factors, which Provider must complete to PetSmart’s satisfaction before Processing PetSmart Data and from time to time upon PetSmart’s request.
Roles; Third Party Beneficiaries. As between PetSmart and Provider, PetSmart is the Controller and Provider is the Processor. The parties agree that PetSmart’s subsidiaries, affiliates, and related parties are intended third-party beneficiaries of this DPA; except for the foregoing, this DPA does not confer any third-party beneficiary rights.
Standard of Care. Provider agrees to the following:
Provider will comply with the terms set forth in this DPA in its Processing and will be fully responsible for any authorized or unauthorized Processing.
Provider will Process PetSmart Data solely as described in the Agreement and Provider’s responses to the Vendor Risk Assessment. If there is a conflict between the Agreement and Provider's responses to the Vendor Risk Assessment, the terms of the Agreement control.
Provider will not Process or otherwise disclose or make available PetSmart Data for Provider’s own purposes or for the benefit of anyone other than PetSmart, its wholly owned subsidiaries, affiliates, or related parties without PetSmart’s prior written consent, including by combining or updating PetSmart Data with information received from or on behalf of another source or collected from Provider’s own interactions with a Data Subject.
Provider will not “sell” or “share” PetSmart Data, as those terms are defined under Applicable Data Law.
Provider will ensure that all personnel who Process PetSmart Data have undergone commercially reasonable data protection training and are bound by obligations of confidentiality no less stringent than those set forth in the Agreement. Provider will periodically provide additional training to its personnel as may be appropriate to help ensure that Provider’s information security program meets or exceeds prevailing industry standards and complies with Applicable Data Law.
Provider will, at its sole cost and expense, cooperate with and assist PetSmart in complying with Applicable Data Law, including assisting with data protection impact assessments, audits, and consultations with regulatory bodies.
Upon Provider’s receipt of a request for access to PetSmart Data from a public authority, Provider will immediately notify PetSmart of the request with all applicable information so as to provide PetSmart the opportunity to comply with its notice and consent obligations as to affected Data Subjects or oppose the disclosure and obtain a protective order or seek other relief.
As to any De-Identified Data that Provider Processes, Provider will: (i) take commercially reasonable measures to ensure that this data cannot be associated with a Data Subject; (ii) Process this data only in a de-identified fashion and only for PetSmart’s purposes; (iii) not attempt to re-identify this data; and (iv) publicly commit to de-identifying obligations at least as stringent as those in this section, such as through a prominent disclosure in its privacy policy, on its website, or similar means.
Provider will Process PetSmart Data in accordance with Applicable Data Law and provide the same level of privacy protection as Applicable Data Law requires PetSmart to provide.
Provider will treat all PetSmart Data as the confidential information of PetSmart and acknowledges and agrees that all PetSmart Data is the sole property of PetSmart.
If PetSmart discloses Personal Information to Provider for the purpose of deidentifying, anonymizing, aggregating, pseudonymizing, or similar terms regarding the masking of Personal Information, Provider will prevent and prohibit, through technical, contractual, and other measures, the reidentification or unmasking of the Personal Information by any third party, including Provider’s customers.
Provider will cease all Processing upon the expiration or termination of the applicable Agreement.
Provider will implement, maintain, monitor, and comply with a comprehensive written information security policy that contains appropriate administrative, technical, and organizational safeguards to ensure the confidentiality, integrity, and availability of PetSmart Data and prevent any unauthorized or unlawful Processing of PetSmart Data. The safeguards implemented and maintained by Provider will be appropriate to the nature of the PetSmart Data, meet or exceed prevailing industry standards, and comply with Applicable Data Law and, as applicable, the requirements set forth in Attachment 1.
Records; Audits; Monitoring Compliance.
Provider will maintain accurate and up-to-date records of all Processing activities in compliance with its requirements under Applicable Data Law. Upon PetSmart’s request, Provider will make available to PetSmart all information necessary to demonstrate its compliance with Applicable Data Law and this DPA.
Provider will procure annual Service Organization Control (SOC) 2 Type II audits conducted by an independent third party. If Provider Processes Payment Data, Provider will additionally procure annual SOC 1 Type II audits conducted by an independent third party. Provider will promptly provide the results of these audits to PetSmart. Provider will inform PetSmart of any material findings discovered by the audit and the nature of each finding. If the audit reveals one or more material findings, Provider will promptly correct each finding at its sole cost and expense and will certify in writing to PetSmart that it has corrected all these findings.
PetSmart has the right to take reasonable and appropriate steps to ensure that Provider Processes PetSmart Data in a manner consistent with PetSmart’s obligations under Applicable Data Law, including but not limited to conducting ongoing manual reviews and automated scans of Provider Systems, and regular internal or third-party assessments, audits, or other technical and operational testing at least once every 12 months.
Data Subject Requests. PetSmart will inform Provider of any Data Subject request that it must comply with, including requests to access, update, correct, delete, or transfer Personal Data, to restrict or stop certain Processing, or to obtain additional details about how Personal Data is Processed. PetSmart will provide the information necessary for Provider to comply with these requests, and Provider will cooperate at its sole cost and expense, and follow any instructions issued by PetSmart, in responding to these requests in a timely and lawful manner. In the event Provider receives a request directly from a Data Subject relating to Personal Data, Provider will immediately notify PetSmart and, at PetSmart’s direction, act on behalf of PetSmart in accordance with PetSmart’s instructions for responding to these requests, all at the sole cost and expense of Provider.
Representations and Warranties. In addition to the representations and warranties in the Agreement, Provider represents and warrants:
Provider is not aware of any prior Security Breaches impacting Provider Systems or, if a Security Breach has occurred previously, Provider has disclosed the breach to PetSmart in writing, remedied all related security vulnerabilities, and taken appropriate measures to prevent similar Security Breaches from recurring;
Provider is not, and has not been, a party to any current, pending, threatened, or resolved enforcement action of any government agency, or any consent decree or settlement with any governmental agency, private person, or entity, regarding a Security Breach or other privacy or security-related concern, or if it has been a party to any action, consent decree, or settlement, Provider has disclosed this to PetSmart in writing and taken appropriate measures to comply with any requirements imposed in connection therewith; and
Provider will promptly inform PetSmart if it becomes aware or reasonably suspects that PetSmart’s instructions regarding the Processing of PetSmart Data may violate any Applicable Data Law.
Return or Destruction. Upon PetSmart’s request, or within 15 days (or the period set forth in the Agreement if different) of termination or expiration of the applicable Agreement, Provider will, all at its sole cost and expense, cease all Processing and, at PetSmart’s direction, either (a) return the PetSmart Data to PetSmart or (b) destroy the PetSmart Data and certify the destruction to PetSmart in writing. For electronic media, “destroy” means degaussing or using a FIPS compliant military-grade wipe program, and for hard-copy material “destroy” means cross-cut shredding or incineration consistent with ISO 9564-1 or ISO 11568-3e. Provider may retain PetSmart Data where it has a legal requirement to do so, only if Provider (y) promptly notifies PetSmart of this in writing, providing details about the PetSmart Data retained and the expected retention period, and (z) promptly destroys the PetSmart Data when the legal retention requirement lapses. Any PetSmart Data retained by Provider remains subject to the terms of this DPA for as long as Provider retains the PetSmart Data.
Subcontractors and Third Parties. Provider will not transfer any PetSmart Data to any subcontractor or other third party, or otherwise allow any subcontractor or third party to access PetSmart Data, without the prior written agreement of PetSmart. Provider will be liable for any acts or omissions of its subcontractors or third parties to which it provides access to PetSmart Data to the same extent that Provider is liable for its own performance, acts, or omissions. Provider will limit subcontractors’ and third parties’ access to PetSmart Data to the level required to perform its obligations under this DPA and the Agreement and will require every subcontractor or third party to protect PetSmart Data in accordance with terms at least as restrictive as those contained in this DPA.
Transborder Data Flows. Provider Systems and Provider’s Processing will occur only within the United States or Canada. Neither Provider, nor any of its third parties, will transfer any PetSmart Data outside the United States or Canada or across a country border without the prior written agreement of PetSmart.
Security Breach.
If Provider discovers, is notified of, or has reason to suspect a Security Breach, Provider will (i) take any necessary action to stop the active breach or similar recurring breaches; (ii) immediately (and in any event within 48 hours) notify PetSmart in writing of the Security Breach and of any third-party legal process relating to the Security Breach; (iii) provide PetSmart with the name and contact information for a primary security contact who will be available to assist PetSmart 24 hours per day, 7 days per week, in resolving obligations associated with any Security Breach; (iv) at its own expense, investigate, remediate, and mitigate the effects of the Security Breach, and upon request and at reasonable recurring junctures, report to PetSmart all relevant information regarding the Security Breach, help PetSmart provide notice, and take any other action PetSmart deems necessary regarding the Security Breach and any dispute, inquiry, investigation, or claim concerning the Security Breach; and (v) provide PetSmart with assurance satisfactory to PetSmart that a Security Breach will not recur.
To the extent that PetSmart wishes to participate in the investigation, remediation, or mitigation of a Security Breach, Provider agrees to fully cooperate with PetSmart or its designee, including without limitation by: (i) providing PetSmart or its designee with physical access to the facilities and operations affected; (ii) facilitating interviews with Provider’s employees and other relevant parties; (iii) making available all relevant records, logs, files, data reporting, and other materials; and (iv) assisting in obtaining injunctive or other equitable relief against any person(s) who have violated, or attempted to violate, the security of the PetSmart Data.
In the event of a Security Breach, PetSmart has the right to control any breach notification process, including control over notifying any individuals, supervisory authorities, or third parties of the Security Breach, unless Applicable Data Law requires otherwise. Provider will not notify supervisory authorities or media unless: (i) PetSmart provides explicit, written permission; or (ii) Applicable Data Law requires Provider to notify supervisory authorities, in which case Provider will notify and cooperate with PetSmart in advance of making the required notification.
In the event of a Security Breach, and regardless of any limitation of liability provisions in the Agreement (if any), Provider will be liable for any costs and expenses incurred by PetSmart in connection with the Security Breach, including: (i) the cost of preparing and delivering notices to affected individuals; (ii) the cost of providing credit monitoring services or other credits or benefits extended to affected individuals; (iii) reasonable attorneys’ fees associated with investigation, evaluation, remediation, response, and resulting litigation; (iv) liability to third parties and penalties from any regulatory authorities that PetSmart incurs in connection with the Security Breach; and (v) labor and subcontractor costs including employee time spent and additional costs incurred in connection with call center support.
Insurance Requirements. In addition to the insurance requirements in the Agreement, if Provider has access to Payment Data, Provider will maintain a crime insurance bond with policy coverage limits of not less than $5,000,000 per Occurrence (as defined below) and annual aggregate with the following sublimits: money order and counterfeit paper currency - $250,000; depositors forgery - $1,000,000; and credit forgery - $250,000. For purposes of this crime insurance bond requirement, “Occurrence” will mean each criminal act giving rise to an event of coverage and not to each individual claim based on the criminal act. Provider can satisfy the foregoing insurance requirements through a combination of primary, umbrella and excess umbrella policies, which must include the specific coverages listed without exceptions. The foregoing policies are subject to all relevant terms regarding insurance in the Agreement.
Noncompliance; Remedies. Provider will regularly assess its compliance with this DPA and Applicable Data Law and notify PetSmart within 5 business days if Provider can no longer meet its obligations under this DPA or Applicable Data Law. Provider will take commercially reasonable and appropriate steps to stop and remediate, and will cooperate with PetSmart’s reasonable requests regarding, any unauthorized Processing by Provider. PetSmart may take reasonable and appropriate steps to stop and remediate any unauthorized Processing by Provider, up to and including terminating the Agreement. A breach of any provision of this DPA may result in irreparable harm to PetSmart, for which monetary damages may not provide a sufficient remedy, and therefore, PetSmart may seek both monetary damages and equitable relief without the requirement to post bond or other security. Monetary damages for breach of the obligations in this DPA are not subject to any limitation of liability in the Agreement. In the event Provider materially breaches any of its obligations under this DPA, PetSmart will have the right to terminate the Agreement or suspend Provider’s continued Processing of any PetSmart Data, without penalty, immediately upon notice to Provider.
Indemnification. In addition to the indemnity obligations in the Agreement, Provider will defend, indemnify, and hold harmless PetSmart, its officers, directors, employees, agents, assigns, successors, and contractors from and against all threatened or actual claims arising out of, related to, or based on a Security Breach or failure by Provider to comply with its obligations set forth in this DPA.
Governing Law. This DPA and any action related to it is governed by and construed in accordance with the laws as specified in the Agreement, without giving effect to any conflict of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts specified in the Agreement.
ATTACHMENT 1
Security Safeguards. Provider will implement, maintain, monitor, and comply with a comprehensive written information security policy that contains appropriate administrative, technical, and organizational safeguards to ensure the confidentiality, integrity, and availability of PetSmart Data and prevent any unauthorized or unlawful Processing. The safeguards implemented and maintained by Provider will be appropriate to the nature of the PetSmart Data, meet or exceed prevailing industry standards, and comply with Applicable Data Law and the requirements set forth below:
Access Controls. Provider will permit access to PetSmart Data by its personnel solely on a need-to-know basis. Provider will promptly terminate its personnel’s access to PetSmart Data when the individual no longer requires access to provide the services, deliverables, or products under the Agreement.
Account Management. Provider will use commercially reasonable measures to manage the creation, use, and deletion of all account credentials used to access Provider Systems, including by implementing: (i) a segregated account with unique credentials for each user; (ii) strict management of administrative accounts; (iii) password best practices, including the use of strong passwords and secure password storage; and (iv) periodic audits of accounts and credentials.
Vulnerability Management. Provider will: (i) use automated vulnerability scanning tools to scan the Provider Systems; (ii) log vulnerability scan reports; (iii) conduct periodic reviews of vulnerability scan reports over time; (iv) use patch management and software update tools for the Provider Systems; (v) prioritize and remediate vulnerabilities by severity; and (vi) use compensating controls if no patch or remediation is immediately available.
Security and Data Segmentation. Provider will monitor, detect, and restrict the flow of information on a multilayered basis within the Provider Systems using tools such as firewalls, proxies, and network-based intrusion detection systems. Provider will not commingle PetSmart Data with data from any other source without the prior written agreement of PetSmart.
Data Loss Prevention. Provider will use commercially reasonable data loss prevention measures to identify, monitor, and protect PetSmart Data in use, in transit, and at rest. These data loss prevention processes and tools will include but not be limited to: (i) automated tools to identify attempts of data exfiltration; (ii) the prohibition of, or secure and managed use of, portable devices; (iii) use of certificate-based security; (iv) secure key management policies and procedures; and (v) business and service continuity plans to ensure Provider can restore availability and access to PetSmart Data as soon as possible in the event of an incident, including a Security Breach.
Encryption. Provider will encrypt, using industry standard encryption tools, all PetSmart Data that Provider: (i) transmits or sends wirelessly or across public networks or within the Provider Systems; (ii) stores on laptops or storage media; or (iii) stores on portable devices or within the Provider Systems. Provider will safeguard the security and confidentiality of all encryption keys associated with encrypted PetSmart Data.
Pseudonymization. Provider will, where possible and consistent with the services, deliverables, or products under the Agreement, use industry standard and appropriate pseudonymization techniques to protect PetSmart Data.
Disruption of Software or Resources. Provider’s products, software and resources are free of and sufficiently protected against malware. Provider will prevent insertion of malware to any software or resource and will remove any malware that is inserted, at Provider’s cost and expense. Provider will not place any programming devices on its software or resources that would (i) disrupt the use of the software or resources or any system, equipment or software to which PetSmart’s networks are interfaced or connected, or (ii) destroy or damage PetSmart Data, make PetSmart Data inaccessible or delay access to PetSmart Data, except for file and purge routines necessary to the routine maintenance of the software.
Secure Software Development. Provider’s software used in connection with the Processing is or has been developed using secure software development practices, including by: (i) segregating development and production environments; (ii) filtering out potentially malicious character sequences in user inputs; (iii) using secure communication techniques, including encryption; (iv) using sound memory management practices; (v) using web application firewalls to address common web application attacks such as cross-site scripting, SQL injection and command injection; (vi) implementing the OWASP Top Ten recommendations, as applicable; (vii) patching of software; (viii) testing object code and source code for common coding errors and vulnerabilities using code analysis tools; (ix) testing of web applications for vulnerabilities using web application scanners; and (x) testing software for performance under denial of service and other resource exhaustion attacks.
PCI Compliance. To the extent any PetSmart Data includes Payment Data, Provider will: (i) comply with the PCI DSS and other applicable PCI and payment card issuer, brand or association rules and requirements (“PCI Rules”); (ii) fully cooperate with any security review or investigation as may be required by PetSmart, any payment card issuer, brand or association, or law enforcement entity, including by providing data security reports; (iii) pay any fines and penalties in the event Provider or any of its subcontractors fail to comply with any PCI Rules; and (iv) on no less than an annual basis, at its own expense, undergo a PCI DSS compliance audit or self-assessment, as applicable, and provide the results of the audit or self-assessment, along with evidence of compliance (in the form of an Attestation of Compliance or ROC), to PetSmart.
Physical Safeguards. Provider will maintain all reasonable and appropriate physical access controls that secure Provider Systems used to Process any PetSmart Data.
Organizational Safeguards. Provider will maintain and comply with internal policies to (i) limit the retention of PetSmart Data to the minimum amount of time necessary to perform Provider’s obligations under the Agreement; and (ii) provide for meaningful consequences to personnel who breach the obligations set forth in this DPA.
Business Continuity and Disaster Recovery. Provider will establish and maintain a commercially reasonable Business Resumption Plan (“BRP”) to ensure continued service during an event that impacts Provider’s data centers or offices providing the contracted services, deliverables, or products under the Agreement, and to provide reasonably adequate backup protection for any PetSmart Data. Whenever there is a material change in its operating environment, and at least every 12 months, Provider will review, and if necessary, update its BRP. Provider will provide its most recent BRP to PetSmart upon request. If requested by PetSmart, Provider will revise its BRP as agreed to by the parties.