Data Processing Addendum

  • Home
  • Data Processing Addendum
Document: Data Processing Addendum | Effective Date: February 1, 2026 | Version: v1.0 Rev. 02-2026 | View All Legal Documents
Effective Date: February 1, 2026  |  Version: v1.0 Rev. 02-2026  | 

DOVE COMMUNICATIONS, INC.

Data Processing Addendum

CCPA / CPRA Service Provider Terms • February 2026

To the extent applicable under the CCPA/CPRA, references to Service Provider in this Addendum include Dove acting as a “contractor” as defined by applicable law, and Dove agrees to comply with applicable obligations for service providers and contractors.

Document Data Processing Addendum (DPA)
Version 1.0 | Effective Date: February 1, 2026
Applies To Clients for whom Dove processes Personal Information as a Service Provider under CCPA / CPRA, or as a Processor under other applicable privacy laws.
Relationship To MSA This DPA is incorporated into and supplements the Master Services Agreement. In the event of conflict between this DPA and the MSA regarding processing of Personal Information, this DPA controls.

SECTION 1 — DEFINITIONS

For purposes of this Addendum:

CCPA means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CPRA), and as implemented by CPPA regulations.

Personal Information or PI means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined under applicable privacy law.

Business means Client, in its capacity as a business that determines the purposes and means of processing Personal Information.

Service Provider means Dove, in its capacity as a service provider that processes Personal Information on behalf of Client pursuant to a written contract.

Business Purpose means the specific, limited, and disclosed purposes for which Dove processes Client’s Personal Information as described in Section 2 of this Addendum.

Client’s processing instructions are documented in the MSA, Quote, Service-Specific Terms, this DPA, support tickets, authorized-user instructions, and other written directions accepted by Dove.

Sub-Processor means any third party engaged by Dove to process Personal Information in connection with the Services.

Data Subject means any individual whose Personal Information is processed under this Addendum.

Processing means any operation or set of operations performed on Personal Information, including collection, recording, organization, storage, retrieval, use, disclosure, transfer, or deletion.

SECTION 2 — BUSINESS PURPOSE AND SCOPE OF PROCESSING

Dove processes Personal Information solely to provide, support, secure, administer, improve, and transition the Services described in the applicable Quote and Master Services Agreement (Business Purpose). The Business Purpose includes:

• Delivering, activating, provisioning, and operating the Services;

• Providing technical support, troubleshooting, and incident response;

• Monitoring service performance, security, and availability;

• Processing billing, invoicing, payment, and collections;

• Administering accounts, credentials, and access controls;

• Complying with applicable law, regulatory requirements, and lawful government requests;

• Enforcing Dove’s contracts, policies, and acceptable use requirements;

• Transitioning services at the end of the contract period.

Dove will not process Personal Information for any purpose outside the Business Purpose without Client’s prior written authorization, except as required by applicable law.

SECTION 3 — SERVICE PROVIDER RESTRICTIONS

Dove hereby agrees, as a Service Provider under CCPA/CPRA and applicable law, to the following restrictions:

3.1. No sale or sharing. Dove will not sell Personal Information received from Client or share it for cross-context behavioral advertising, as those terms are defined under CCPA/CPRA.

3.2. Purpose limitation. Dove will not retain, use, or disclose Personal Information for any commercial purpose other than the Business Purpose, except as permitted by applicable law.

3.3. No combining. Dove will not combine Personal Information received from Client with Personal Information received from other clients or independent sources, except as permitted by CCPA/CPRA or as otherwise authorized by Client in writing.

3.4. Confidentiality. Dove will ensure that all personnel authorized to process Personal Information are subject to appropriate confidentiality obligations.

3.5. Compliance certification. Dove certifies that it understands and will comply with the restrictions and requirements of this Addendum and applicable privacy law applicable to its role as a Service Provider.

SECTION 4 — DATA MINIMIZATION AND RETENTION

Dove will process Personal Information only as reasonably necessary and proportionate to fulfill the Business Purpose. Dove will retain Personal Information only for the period necessary to fulfill the Business Purpose, comply with applicable law, resolve disputes, and enforce agreements, after which Dove will delete or de-identify Personal Information in accordance with Dove’s standard retention and deletion practices, unless law requires longer retention.

Dove may retain Personal Information where required or permitted by law, court order, legal hold, audit obligation, insurance requirement, dispute, backup retention, security logging, or standard archival systems, subject to continued protection under this Addendum.

Upon termination of the Services, and upon Client’s written request, Dove will use commercially reasonable efforts to delete or return Client’s Personal Information within a reasonable timeframe, subject to applicable legal retention obligations and the limitations described in the Master Services Agreement.

SECTION 5 — DATA SUBJECT RIGHTS ASSISTANCE

Upon Client’s written request and at Client’s expense, Dove will provide commercially reasonable assistance to Client in responding to verifiable requests from Data Subjects exercising rights under applicable privacy law (including rights to access, correct, delete, or obtain a copy of Personal Information), to the extent that such assistance requires access to Dove’s systems or records. Dove is not responsible for directly responding to Data Subject requests directed to Dove unless required by applicable law.

Client remains responsible for verifying the identity and authority of requestors and for determining the appropriate response to each request.

SECTION 6 — SUB-PROCESSORS

Dove may engage Sub-Processors to assist in providing the Services. Dove will ensure that Sub-Processors are subject to data protection obligations no less protective than those in this Addendum. Dove remains responsible to Client for Sub-Processors’ compliance with this Addendum.

Dove will notify Client of any material changes to Sub-Processors that process Client’s Personal Information by updating its Sub-Processor list or by written notice. Client may object on reasonable, documented data-protection grounds to a new Sub-Processor within fifteen (15) business days after notification; if Client timely objects and Dove cannot reasonably accommodate the objection, either party may terminate the affected Services on thirty (30) days’ written notice. Failure to object within fifteen (15) business days is deemed approval of the new Sub-Processor.

SECTION 7 — SECURITY MEASURES

Dove will implement and maintain commercially reasonable administrative, technical, and physical security measures appropriate to the nature of the Personal Information and the Services, designed to protect Personal Information against unauthorized access, use, disclosure, alteration, or destruction.

Client acknowledges that no security measure is completely effective and that Dove does not guarantee absolute security of Personal Information. Dove’s security obligations under this Addendum are consistent with the security obligations stated in the Master Services Agreement.

SECTION 8 — PERSONAL DATA BREACH NOTIFICATION

If Dove becomes aware of a confirmed security incident that results in unauthorized access to, disclosure of, or destruction of Client’s Personal Information (Data Breach), Dove will:

• Notify Client of the Data Breach without undue delay, and in any event within the timeframe required by applicable law or, if no specific timeframe is required by law, within five (5) business days after Dove confirms the Data Breach;

• Provide Client with reasonably available information about the nature, scope, and impact of the Data Breach to assist Client in meeting any applicable breach notification obligations;

• Cooperate with Client’s reasonable investigation of the Data Breach, at Client’s expense.

Client remains solely responsible for determining whether any notification to Data Subjects, regulators, or other parties is required and for providing any required notifications. Dove’s notification to Client does not constitute an admission of fault or liability.

SECTION 9 — AUDIT RIGHTS

Client may, no more than once per calendar year and upon at least thirty (30) days’ prior written notice, request documentation, completed security questionnaires, or third-party audit reports (such as SOC 2 reports, where available) to verify Dove’s compliance with this Addendum. Dove will respond to such requests within a commercially reasonable time.

On-site audits of Dove’s facilities, systems, or records are subject to mutual written agreement, reasonable notice, non-disclosure obligations, and Client’s payment of all associated costs. Dove may deny or limit audit requests that would unreasonably disrupt operations, compromise security, or violate obligations to other clients.

SECTION 10 — COMPLIANCE NOTIFICATION

Dove will notify Client in writing as soon as reasonably practicable, and in any event within five (5) business days, if Dove determines that it can no longer meet its obligations under this Addendum or applicable privacy law with respect to Client’s Personal Information.

SECTION 11 — HIPAA / REGULATED DATA

This Addendum does not constitute a Business Associate Agreement (BAA) for purposes of HIPAA. If Client’s use of the Services requires Dove to create, receive, maintain, or transmit Protected Health Information subject to HIPAA, Client must disclose that requirement in writing before the Services begin, and the parties must execute a separate written BAA before any such processing occurs. Dove has no obligation to process Protected Health Information in a HIPAA-regulated capacity without a separately executed BAA.

SECTION 12 — CALIFORNIA-SPECIFIC PROVISIONS

This Addendum is intended to satisfy applicable written-contract requirements for service providers and contractors under the CCPA/CPRA and applicable regulations. The parties acknowledge that:

• Client is acting as a Business that determines the purposes and means of processing Personal Information;

• Dove is acting as a Service Provider processing Personal Information on behalf of Client;

• Dove will not process Personal Information in a manner inconsistent with Client’s instructions, except as required by law;

• Dove will notify Client if Dove determines it can no longer comply with applicable privacy obligations;

• Client has the right to take reasonable and appropriate steps to remediate unauthorized use of Personal Information by Dove.

SECTION 13 — CONFLICT; ENTIRE AGREEMENT

This Addendum supplements and is incorporated into the Master Services Agreement between Dove and Client. In the event of a conflict between this Addendum and the MSA solely with respect to the processing of Personal Information, this Addendum controls. In all other respects, the MSA governs. Capitalized terms used but not defined in this Addendum have the meanings given in the MSA.

SECTION 14 — SIGNATURES

By signing below, the parties agree to the terms of this Data Processing Addendum.

SECTION 12A — DEIDENTIFIED AND AGGREGATED INFORMATION

Dove may create and use deidentified or aggregated information derived from Personal Information for security, analytics, service improvement, benchmarking, and operational purposes, provided Dove does not attempt to reidentify such information except as permitted by law.

SECTION 12B — PROCESSING LOCATIONS

Personal Information may be processed in the United States and other jurisdictions where Dove or its Sub-Processors operate, subject to applicable law and the safeguards in this Addendum.

DOVE COMMUNICATIONS, INC.:

Printed Name: _____________________________________________

Title: _____________________________________________

Signature: _____________________________________________

Date: _____________________________________________

CLIENT:

Client Legal Name: _______________________________________________________

Printed Name: _____________________________________________

Title: _____________________________________________

Signature: _____________________________________________

Date: _____________________________________________

Dove Communications, Inc. | BSIS ACO #8206 | BSIS QM: Ofir Yungman #8030 | CSLB #715876 | CPUC U-1772-C / DVF | 1374 E. 41st St., Los Angeles, CA 90011 | service@dovecommunications.com