California Service Provider Agreement

Pursuant to the CCPA as defined below, Agiliti Health, Inc. and its subsidiaries and affiliates (“Customer”) and Service Provider enter into this California Service Provider Agreement to address CCPA compliance for the services provided by Service Provider.

1. Definitions. The following definitions and rules of interpretation apply in this Agreement:

         (a)     “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100 to 1798.199.100), the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 999.300 to 999.337), and any related regulations. Terms defined in the CCPA, including personal information and business purposes, carry the same meaning in this Agreement.

          (b)     “Contracted Business Purposes” means the services for which the service provider receives or accesses personal information.

          (c)     “Authorized Persons” means the persons or categories of persons that the Customer authorizes to provide the Service Provider with personal information processing instructions.

          (d)     As used herein, “service provider” shall include a Contractor as applicable.

          (e)     “Security Breach” means [(i)] any act or omission that compromises either the security, confidentiality, availability, or integrity of personal information or the physical, technical, administrative, or organizational safeguards put in place by Service Provider, or by Customer should Service Provider have access to Customer’s systems, that relate to the protection of the security, confidentiality, availability, or integrity of personal information, or (ii) receipt of a complaint in relation to the privacy and data security practices of Service Provider or a breach or alleged breach of this Agreement relating to such privacy and data security practices. Without limiting the foregoing, a compromise shall include any unauthorized access to or disclosure or acquisition of personal information.

2. Service Providers CCPA Obligations.

          (a)     Service Provider will only collect, use, retain, or disclose personal information for the Contracted Business Purposes for which Customer provides or permits personal information access in accordance with the Customer’s instructions from Authorized Persons.

          (b)     Service Provider will not collect, use, retain, disclose, sell, share or otherwise make personal information available for Service Provider’s own commercial purposes or in a way that does not comply with the CCPA. If a law requires the Service Provider to disclose personal information for a purpose unrelated to the Contracted Business Purpose, the Service Provider must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

          (c)     Service Provider will limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose.

          (d)     Service Provider will not retain, use, or disclose personal information outside of the direct business relationship between the Service Provider and the Customer.

          (e)     Service Provider will not combine personal information 1) that it receives pursuant to the underlying agreement with personal information collected from or on behalf of another person, or 2) collected hereunder with personal information collected from its own interaction with a consumer; unless a specific statutory or regulatory exception applies.

          (f)     Service Provider must promptly comply with any Customer request or instruction from Authorized Persons requiring the Service Provider to provide, amend, transfer, or delete the personal information, or to stop, mitigate, or remedy any unauthorized processing.

          (g)     If the Contracted Business Purposes require the collection of personal information from individuals on the Customer’s behalf, Service Provider will always provide a CCPA-compliant notice at collection that the Customer specifically pre-approves in writing. Service Provider will not modify or alter the notice in any way without the Customer’s prior written consent.

3. Assistance with Customer’s CCPA Obligations.

          (a)     Service Provider will reasonably cooperate and assist Customer with meeting the Customer’s CCPA compliance obligations and responding to CCPA-related inquiries, including responding to verifiable consumer requests, providing responsive personal information in its possession, correcting inaccurate personal information, fulfilling any valid deletion requests and notifying Service Provider’s subcontractors about the deletion request, limiting sensitive personal information use upon the Customer’s instruction, and providing a copy of the personal information Service Provider retains in a portable and readily usable format on request, taking into account the nature of the Service Provider’s processing and the information available to the Service Provider.

          (b)     Service Provider must notify Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates to either party’s compliance with the CCPA. Specifically, the Service Provider must notify the Customer within three (3) working days if it receives a verifiable consumer request under the CCPA.

4. Subcontracting.

          (a)     If Service Provider engages any other person to assist it in processing personal information for a business purpose on behalf of the Customer, or if any other person engaged by the Service Provider engages another person to assist in processing personal information for that business purpose, it shall notify Customer of that engagement, the engagement shall be pursuant to a written contract binding the subcontractor to observe all the requirements of a service provider under the CCPA, and Service Provider shall not make any disclosures to the subcontractor that the CCPA would treat as a sale or share.

          (b)     For each subcontractor used, Service Provider will give Customer an up-to-date list disclosing:

          1. The subcontractor’s name, address, and contact information.
          2. The type of services provided by the subcontractor.
          3. The personal information categories disclosed to the subcontractor in the preceding 12 months.

          (c)     Service Provider remains fully liable to the Customer for the subcontractor’s performance of its agreement obligations.

          (d)     Upon the Customer’s written request, Service Provider will audit a subcontractor’s compliance with its personal information obligations and provide the Customer with the audit results.

5. CCPA Warranties and Certification.

          (a)     Service Provider understands and will comply with all applicable requirements of the CCPA, including the requirements of a service provider, when collecting, using, retaining, or disclosing personal information.

          (c)     Service provider will provide the same level of privacy protection as the CCPA requires, and notify the Customer if it determines it can no longer meet its obligations under the CCPA.

          (c)     Service Provider certifies that it understands this Agreement’s and the CCPA’s restrictions and prohibitions on selling or sharing personal information, and retaining, using, or disclosing personal information outside of the parties’ direct business relationship or for any purpose other than for the business purpose specified in the contact, and it will comply with them.

          (d)     Service Provider warrants that it has no reason to believe any CCPA requirements or restrictions prevent it from providing any of the Contracted Business Purposes or otherwise performing under this Agreement. Service Provider must promptly notify the Customer of any changes that may adversely affect its performance under the Agreement or its ability to comply with the CCPA.

6. Audit and Remediation Right. Customer may take reasonable and appropriate steps to help ensure that Service Provider uses the transferred Personal Information in a manner consistent with the Customer’s CCPA obligations, including:

          (a)     monitoring Service Provider’s compliance with this Agreement through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months; and

          (b)     taking reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

7. Data Security. Service Provider will:

          (a)     implement and maintain administrative, physical, and technical safeguards to protect Personal Information from unauthorized access, acquisition, disclosure, destruction, alteration, or use, and accidental loss or damage, that are no less rigorous than accepted industry practices and shall ensure that all such safeguards, including the manner in which Personal Information is created, collected, accessed, received, used, stored, processed, disposed of, and disclosed, comply with applicable data protection and privacy laws;

          (b)     notify Customer of a suspected or known Security Breach as soon as practicable, but no later than twenty-four (24) hours after Service Provider becomes aware of it;

          (c)     immediately following Service Provider’s notification to Customer of a Security Breach, coordinate with Customer to investigate the Security Breach and fully cooperate with Customer in Customer’s handling of the matter;

          (d)    at its own expense use best efforts to immediately contain and remedy any Security Breach and prevent any further Security Breach, including, but not limited to taking any and all action necessary to comply with applicable privacy rights, laws, regulations, and standards; and

          (e)     at any time during the term of this Agreement at Customer’s written request or upon the termination or expiration of this Agreement for any reason, Service Provider shall, and shall require any subcontractors to, promptly return to Customer all copies, whether in written, electronic, or other form or media, of Personal Information in its possession or the possession of subcontractors, or securely dispose of all such copies, and certify in writing to Customer that such Personal Information has been returned to Customer or disposed of securely, unless otherwise required by law.

8. Conflict. In the event of a conflict between the provisions of the underlying agreement or agreements (each a “Contract” and collectively the “Contracts”) and this California Service Provider Agreement, the provisions of this California Service Provider Agreement shall control.

9. Termination. In the event of a material breach of this agreement by Service Provider, Customer may terminate the Contract if Service Provider doesn’t cure the breach or end the violation within the reasonable time specified by Customer.

9. Survival. This California Service Provider Agreement will survive termination or expiration of the Contract so long as Service Provider accesses, maintains, receives, or transmits personal information.