California CCPA/CPRA Addendum (Service Provider / Contractor)
Last Updated: February 20, 2026
This California CCPA/CPRA Addendum ("Addendum") is incorporated into and forms part of the DPA and the Agreement between:
Provider (Tyria LLC), and
Customer.
This Addendum applies only to the extent the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA") applies to the Parties' processing of Personal Information in connection with the Subscription Services.
Order of precedence. If there is a conflict between this Addendum and the DPA/Agreement regarding CCPA/CPRA obligations, this Addendum controls for those purposes. If there is a conflict between this Addendum and a HIPAA BAA, the BAA controls with respect to PHI.
1. Definitions
Capitalized terms used but not defined in this Addendum have the meanings set forth in the CCPA/CPRA and related regulations.
"Personal Information" includes Sensitive Personal Information as defined by the CCPA/CPRA.
"Business", "Service Provider", "Contractor", "Third Party", "Sell", "Share", "Consumer", "Business Purpose", and "Commercial Purpose" have the meanings given in the CCPA/CPRA.
2. Roles of the Parties
2.1 Customer as Business. Customer is the Business under CCPA/CPRA for Personal Information processed under the Agreement/DPA.
2.2 Provider as Service Provider/Contractor. Provider is a Service Provider and/or Contractor (as applicable) under CCPA/CPRA when processing Personal Information on behalf of Customer to provide the Subscription Services.
2.3 Purpose Limitation. Provider will process Personal Information only for the limited and specified purposes of performing the Subscription Services and the Business Purposes set forth in this Addendum and the Agreement/DPA, and only in accordance with Customer documented instructions, unless required by law.
3. Prohibited Uses and Disclosures
3.1 No Sale or Sharing. Provider will not Sell or Share Personal Information processed on behalf of Customer.
3.2 Restricted Use. Provider will not retain, use, or disclose Personal Information: (a) for any purpose other than performing the Subscription Services and Business Purposes specified in the Agreement/DPA and this Addendum; or (b) outside the direct business relationship between Provider and Customer; except as otherwise permitted by the CCPA/CPRA.
3.3 No Cross-Context Behavioral Advertising. Provider will not use Personal Information processed on behalf of Customer for cross-context behavioral advertising or targeted advertising, nor for marketing unrelated to providing the Subscription Services.
3.4 No Secondary Use. Provider will not use Personal Information to build or augment user profiles for Provider's own purposes, to train advertising models, or for unrelated commercial purposes.
3.5 No Combining (With Limited Exceptions). Provider will not combine Personal Information processed on behalf of Customer with Personal Information received from or on behalf of others, or collected from Provider's own consumer interactions, except as permitted by the CCPA/CPRA (including as needed to perform the Subscription Services, ensure security and integrity, debug, prevent fraud/illegal activity, or comply with law).
4. Sensitive Personal Information
4.1 Limited Processing. Provider will process Sensitive Personal Information only as necessary to provide the Subscription Services and for the Business Purposes described in this Addendum and the Agreement/DPA, in accordance with Customer instructions.
4.2 No Inferences. Provider will not use Sensitive Personal Information to infer characteristics about a Consumer and will not use it for advertising or unrelated marketing.
5. Subprocessors (Subcontractors)
5.1 Authorization and Flow-Down. Customer authorizes Provider to engage subprocessors as described in the DPA. Provider will enter into written agreements with subprocessors imposing obligations consistent with this Addendum, including restrictions on Sell/Share and restricted use.
5.2 Responsibility. Provider remains responsible for subprocessors' performance of applicable obligations to the extent required by CCPA/CPRA and applicable law.
6. Consumer Rights Assistance
6.1 Customer Controls Requests. Customer is responsible for receiving and responding to Consumer requests.
6.2 Assistance. Provider will provide reasonable assistance to Customer to respond to requests, to the extent Customer cannot fulfill requests through self-service functionality, subject to confidentiality and security requirements.
6.3 No Direct Responses Unless Instructed. Provider will not respond directly to Consumers except as instructed by Customer or required by law.
7. Security
Provider will maintain reasonable security procedures and practices appropriate to the nature of the Personal Information.
8. Notice of Non-Compliance
If Provider determines it can no longer meet its obligations under this Addendum, Provider will notify Customer. The Parties will work in good faith to remediate. If remediation is not reasonably possible, Customer may terminate affected Subscription Services consistent with the Agreement/DPA.
9. Verification / Audit Cooperation
Provider will provide information reasonably necessary to demonstrate compliance with this Addendum consistent with the DPA's compliance information and audit provisions. Any audit rights and limitations are governed by the DPA and Agreement.
10. Retention and Deletion
Provider will retain Personal Information only as necessary to provide the Subscription Services, meet Business Purposes, comply with Customer instructions, and comply with legal obligations. Deletion/return is governed by the DPA unless retention is required by law.
11. Term
This Addendum remains in effect for the term of the Agreement/DPA and for as long as Provider processes Personal Information on behalf of Customer.
Schedule A - Permitted Business Purposes (CCPA/CPRA)
Provider may process Personal Information for the following Business Purposes to the extent applicable and necessary:
performing services on behalf of Customer (hosting, processing, storing, transmitting, displaying Customer Data);
account administration, support, and service communications;
security and integrity (detecting incidents, preventing fraud/illegal activity);
debugging;
short-term, transient use necessary to provide the Subscription Services;
quality/safety maintenance and internal testing (not for advertising or unrelated profiling);
legal compliance;
payment processing and billing (if applicable), limited to what is necessary.
Nothing in this Schedule authorizes Provider to Sell or Share Personal Information or use it for cross-context behavioral advertising.
