SiriusXM Dealer Programs

In connection with Dealer’s enrollment in SiriusXM’s Pre-Owned Program and/or Service Lane Program (the “Program”), SiriusXM and Dealer have committed to comply with all applicable legal obligations relating to privacy, security, integrity, and confidentiality of customer data, including personal information, collected by SiriusXM from Dealer. In addition to the parties’ commitments set forth in the enrollment agreement for the Program (the “Agreement”), SiriusXM hereby makes additional commitments to Dealer as set forth in this Data Protection Addendum (“DPA”).

I. Definitions and Interpretation.

1. Definitions. For the purposes of this DPA, the following terms shall have the meanings set forth below:
   
   “Business”, “Collects” (and “collected” and “collection”), “Consumer”, “Process”, “Sell” (and “selling”, “sale”, and “sold”) and “Service Provider” (or the equivalent terms) shall have the meanings set forth under Data Protection Laws.
   
   “Business Purpose” shall have the meaning given in Section III.A of this DPA.
   
   “California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations, as amended from time to time.
   
   “Data Protection Laws” means any laws, rules, regulations, and statutes, and any decisions, opinions or other mandatory guidance issued by a court of competent jurisdiction or a regulatory body, which relate to data protection and privacy, including but not limited to, the CCPA, applicable to the processing of information by a party in the exercise of its rights and obligations under the Agreement.
   
   “Data Security Program” shall have the meaning given in Section V.B of this DPA.
   
   “Data Subject” means the individual to whom Personal Information relates.
   
   “Data Subject Request” shall have the meaning given in Section IV of this DPA.
   
   “Ongoing Inspections” shall have the meaning given in Section VI.C of this DPA.
   
   “Personal Information” means, along with substantially similar terms such as “personal data”, with respect to information provided or made available by Dealer to SiriusXM in connection with the Agreement, any information that is linked or reasonably linkable to an identified individual or an identifiable individual.
   
   “Security Audit” shall have the meaning given in Section VI.B of this DPA.
   
   “Security Incident” means a breach of security or any actual or reasonably suspected unauthorized access, use, disclosure, or other unauthorized Processing of Personal Information provided or made available by Dealer to SiriusXM in connection with the Agreement.
   
   “Security Questionnaire” shall have the meaning given in Section VI.B of this DPA.
   
   “System” means any file system, computing system, database, device, equipment, server, website, application, software, storage media, network, infrastructure, networked environment or domain, including, without limitation, all development, quality assurance, staging and production environments.
   
   “Third-Party Recipient” shall have the meaning given in Section III.D of this DPA.
   
2. Interpretation. Capitalized terms used but not defined in this DPA shall have the meanings given in the Agreement.

II. Scope of this DPA.

This DPA applies only where, and solely to the extent that, SiriusXM Processes Personal Information that is subject to Data Protection Laws in the course of fulfilling its rights and obligations pursuant to the Agreement.

III. Data Processing.

1. Disclosure of Personal Information. In accordance with the terms of the Agreement, Dealer may provide or make available to SiriusXM Personal Information of its customers for the purposes set forth in the Agreement, in each case as detailed in Annex 1 (the “Business Purpose”). SiriusXM shall not Process the Personal Information provided by Dealer for any other purpose, except where and to the extent permitted and required by applicable Data Protection Laws. Specifically, SiriusXM shall not retain, use, or disclose the Personal Information received from Dealer for any purpose other than for the Business Purpose, as defined herein.
2. Privacy Policy. SiriusXM shall maintain a privacy policy that clearly describes its collection, use, sharing, and disclosure practices for Personal Information in accordance with applicable Data Protection Laws. SiriusXM shall handle Personal Information in accordance with its privacy policy and applicable Data Protection Laws.
3. Data Retention and Destruction. SiriusXM shall maintain data retention and destruction policies and procedures with regard to Personal Information that comply with Data Protection Laws.
4. Third-Party Recipients. SiriusXM may disclose Personal Information provided or made available by Dealer to its advisors, consultants or service providers solely for the Business Purpose (each a “Third-Party Recipient”), provided that: (i) SiriusXM has carried out adequate due diligence on each Third-Party Recipient; (ii) SiriusXM has included terms in a written contract with the Third-Party Recipient that are similarly protective to the terms of this DPA; and (iii) SiriusXM remains fully liable and responsible to Dealer for the acts and omissions of the Third-Party Recipient with regard to the Personal Information and any breach by such Third-Party Recipient shall be as a breach of this DPA by SiriusXM.

IV. Data Subject Requests.

1. Data Subject Requests. To the extent that Data Protection Laws require a party to comply with requests from individuals to access, delete, modify, or restrict the Processing of their Personal Information (each a “Data Subject Request”), SiriusXM shall work together in good faith with Dealer to (i) implement and maintain a process to pass along and/or receive, as applicable, Data Subject Requests as may be required under applicable Data Protection Laws; and (ii) implement other requirements that may be required under applicable Data Protection Laws in order to maintain the exchange of Personal Information. SiriusXM shall honor such requests as required by applicable Data Protection Laws.
2. CCPA Procedures. With respect to Data Subject Requests from California consumers, SiriusXM has implemented the following procedures:
   1. As an initial matter, SiriusXM requests that Dealer not provide Sirius XM with customer information from California residents that have opted-out of sale to third parties.
   2. SiriusXM has instructed Dealer Management System providers not to share Dealer customer data with SiriusXM where a customer record has an “opt-out” flag or other indication that the consumer does not want his or her data shared with SiriusXM (or any category of parties that would include SiriusXM).
   3. Customers can contact SiriusXM directly to make CCPA requests at: siriusxm.com/ccparequest_ManageInfo.
   4. In the event that the Dealer has already provided SiriusXM with data from a California resident who wishes to opt out of sale or delete their Personal Information in accordance with the CCPA, then Sirius XM will accommodate such requests. Dealers may submit CCPA requests in a password protected file to SiriusXM via the following email address: dealerccpa@siriusxm.com, and provide the password in a separate email. Dealer CCPA requests should include customer first name, last name, full address, submitting Dealer (including Dealer ID, Dealer name and brand, full address). In addition, Dealers may send an email to address above to discuss alternative ways to securely transmit requests.

V. Confidentiality and Security.

1. Confidentiality. SiriusXM shall ensure that its respective employees, officers, representatives and any Third-Party Recipients, have committed themselves to ensuring the confidentiality of the Personal Information that they Process.
2. Data Security Program. SiriusXM shall implement, maintain and comply with comprehensive information and network security programs, practices and procedures (collectively, “Data Security Program”) that: (i) meets current best industry standards; (ii) complies with all Data Protection Laws; (iii) to the extent applicable, complies with the Payment Card Industry Data Security Standards (PCI DSS); and (iv) complies with the ISO 27000, NIST 800-53, or CIS top 20 standard. SiriusXM shall document its Data Security Program in written form and shall make those documents available to Dealer for review upon request. SiriusXM shall keep its Data Security Program current and up-to-date to improve the security of the Data Security Program.
3. Safeguards. Without limitation to the generality of Section V.B, SiriusXM represents, warrants and covenants that it shall, and has adopted and implemented, and will continue to maintain, physical, administrative and technical safeguards and other security measures to: (i) maintain the security and confidentiality of Dealer’s Personal Information and protect it from threats or hazards to its security and integrity, as well as accidental loss, alteration or disclosure; (ii) prevent, detect, contain, recover, remediate and respond to Security Incidents; (iii) enforce the use of secure authentication protocols and devices consistent with best industry standards on any of its Systems that protect, defend, secure or use Dealer’s Personal Information, including, without limitation, through the requiring multi-factor authentication for every System or network that protects, defends, secures or utilizes Dealer’s Personal Information that is accessible from the public Internet, and the use of industry-standard password complexity requirements or password complexity auditing; (iv) enforce secure access control measures consistent with current leading industry standards for access to logical and physical resources on any of its Systems that protect, defend, secure or utilize Dealer’s Personal Information; (v) require the use of then-current best industry standard encryption for all storage and transmission over public or wireless networks of Dealer’s Personal Information; (vi) include industry standard intrusion detection and prevention tools and continuously monitor its Systems for potential areas where security could be breached; (vii) apply all security-related patches and updates promptly; and (viii) include automated security measures, including but not limited to current leading industry standard auditing Systems, firewalls, and endpoint protection software capable of detecting and mitigating threats from viruses, spyware, and other malicious code on any of its Systems that protect, defend, secure or utilize Dealer’s Personal Information or access Dealer’s Systems.
4. Security Manager. SiriusXM shall designate an individual as its primary security manager under the Agreement. SiriusXM’s security manager shall be responsible for managing and coordinating the performance of its privacy and data security obligations under this DPA and shall be made available to Dealer upon request in order to coordinate, investigate or verify its compliance with this DPA and the security of Personal Information.
5. Personnel. SiriusXM shall ensure all personnel having access to Dealer’s Personal Information have (i) undergone, and passed to its reasonable satisfaction, background checks consistent with applicable law; and (ii) completed appropriate privacy and information security training. SiriusXM shall make reasonable efforts to limit access to Dealer’s Personal Information to personnel who have a need to know the Personal Information for the Business Purpose.
6. Systems. SiriusXM shall be solely responsible for security of its Systems and facilities used by or for it to access Dealer’s Systems or otherwise in connection with the Agreement. SiriusXM shall prevent unauthorized access to Dealer’s Systems through its Systems.
7. Security Incident.
   1. Notification. SiriusXM shall maintain a Security Incident management procedure and shall notify Dealer without undue delay (and in time to fulfill any Security Incident reporting obligations) after becoming aware of a Security Incident and provide timely information relating to the Security Incident as it becomes known or is reasonably requested by Dealer. At Dealer’s written request, SiriusXM will promptly provide Dealer with such reasonable assistance as necessary to enable Dealer to notify relevant Security Incidents to competent authorities and/or affected Data Subjects, if required to do so under Data Protection Laws.
   2. Remediation. SiriusXM shall detect, respond to and contain all vulnerabilities, activities or other circumstances that caused or gave rise to the Security Incident as soon as reasonably possible after discovery of the Security Incident. SiriusXM shall promptly and without unreasonable delay take all necessary and advisable corrective actions, and will reasonably cooperate with the other party in all reasonable and lawful efforts to prevent, eradicate, mitigate and rectify such Security Incident.
   3. Investigation. SiriusXM shall investigate the causes of each Security Incident at its own expense. Upon request, SiriusXM shall provide Dealer with an in-depth supplementary reports regarding its investigation of the Security Incident and results of findings, including without limitation a root cause assessment and future incident mitigation plan.
   4. Protection Measures. Dealer shall have the right to implement and enforce protection measures as deemed reasonable to mitigate any Security Incident or any cybersecurity threat to or associated with its Systems, or its Personal Information.

VI. Recordkeeping; Verification and Compliance.

1. Recordkeeping. SiriusXM shall maintain records and information in accordance with applicable Data Protection Laws to demonstrate its compliance with this DPA. SiriusXM shall create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity and ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
2. Verification Requirements. Upon Dealer’s written request, no more than once annually, SiriusXM shall demonstrate compliance with this DPA and Data Protection Laws, and shall cooperate with verification, including, by example, providing documentation of compliance by certified third party auditors (“Security Audit”), completing a written questionnaire (“Security Questionnaire”) regarding its storage, processing and use of Personal Information provided or made available by Dealer pursuant to the Agreement, or self-certifying compliance with this DPA and Data Protection Laws.
3. Ongoing Inspections. SiriusXM shall, consistent with industry practices, continuously monitor and inspect all Systems that it uses to protect, secure, defend or Process Dealer’s Personal Information to identify security vulnerabilities (“Ongoing Inspections”).
4. Remediation. If during any Ongoing Inspection or Security Audit, or as a result of any Security Questionnaire, any material security vulnerability is discovered or identified, SiriusXM shall promptly remediate those vulnerabilities. Notwithstanding anything to the contrary in this DPA or the Agreement, if and to the extent SiriusXM fails to timely cooperate with verification requirements, or the results of any such Security Audit or Security Questionnaire reveal non-compliance with this DPA and/or the associated Agreement or that SiriusXM is Processing the Personal Information in a manner inconsistent with applicable Data Protection Law, then Dealer may at its sole option by written notice to SiriusXM (email sufficient) immediately suspend the provision of Personal Information to SiriusXM until such time as SiriusXM is able to remedy the non-compliance with this DPA, the associated Agreement and/or applicable Data Protection Laws.
5. Data Protection Law Compliance. . In the event that SiriusXM is unable to comply with any Data Protection Laws with regard to the Processing of Personal Information made available to SiriusXM by Dealer, it shall: (i) notify Dealer within five (5) business days of such inability, in writing (email sufficient), providing a reasonable level of details as to the reasons it cannot comply and the reason why, unless the applicable Data Protection Law prevents it from providing such information; and (ii) where necessary, cease Processing of the affected Personal Information (other than merely storing and maintaining the security of the affected Personal Information) until such time the parties are able to amend the method of Processing or the Business Purpose to comply with applicable Data Protection Law.
6. Response. SiriusXM will, upon receipt of written request from Dealer, provide reasonable assistance to enable Dealer to respond to any correspondence, inquiry or complaint received from any Attorney General or other enforcement body in connection with the Collection and Processing of the Personal Information.

VII. Miscellaneous.

1. This DPA supersedes any conflicting or inconsistent provisions in the Agreement related to data protection and, in the event of ambiguity, this DPA will prevail. The Agreement, as amended and modified by this DPA, otherwise remains in full force and effect.
2. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
3. No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
4. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
5. This DPA shall terminate simultaneously and automatically with the termination or expiration of the Agreement, except that terms governing the security and restrictions on use of Personal Information shall continue to apply for so long as a party continues to Process Personal Information of the other party.
6. This DPA shall be interpreted in favor of the parties’ intent to comply with Data Protection Laws, and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with the applicable Data Protection Law.
7. This DPA shall be binding upon SiriusXM upon SiriusXM’s posting of this DPA to SiriusXMDealerPrograms.com or upon Dealer’s receipt, whichever is earlier. Dealer’s continued participation in the Program shall constitute Dealer’s acceptance of this DPA.

Annex 1

Processing Instructions.

1. SiriusXM shall Process Personal Information provided or made available by Dealer for the following Business Purposes:
   1. to activate SiriusXM Trial Subscriptions for customers on vehicles with factory-installed satellite radios or other eligible equipment (“Equipped Vehicles”);
   2. to create SiriusXM Trial Subscription accounts for customers (including, at Sirius XM’s discretion, Trial Subscriptions to SiriusXM Streaming or other qualified services for customers with non-Equipped Vehicles or non-qualifying Equipped Vehicles);
   3. to deliver SiriusXM services to customers;
   4. to communicate with customers regarding their Trial Subscriptions and options to extend their SiriusXM services following the end date of such Trial Subscriptions; and
   5. other purposes as may be agreed in writing between SiriusXM and Dealer.
2. Duration. The Processing shall occur for the duration of the Agreement.
3. Categories of Personal Information. SiriusXM shall Process the following types of Personal Information in connection with the Program:
   1. Customer contact information, such as name, email address, phone number, postal address and zip code.
   2. Vehicle details, such as vehicle identification number (VIN), make, model, year, and new/used.
   3. Transaction/event details, such as sold date, repair order date and dealer ID. No financial details are Processed.