Alexa U.S. State Law Data Processing Addendum

This Data Processing Addendum (“DPA”) is between Amazon.com Services LLC (“Amazon”) and Developer and supplements and is made a part of the Amazon Developer Services Agreement, available at https://developer.amazon.com/support/legal/da, as updated from time to time (the “Agreement”). All capitalized terms used, but not defined, in this DPA have the meaning given to them in the Agreement.

  1. Definitions. As used in this DPA, the following terms have the meanings below:
    1. “Applicable U.S. State Law” means any data privacy or data protection law enacted by a U.S. state that is in effect and applicable to the processing of personal data of any end user, including (i) the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, together with all implementing regulations (the “CCPA”); (ii) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq; (iii) the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq.; (iv) Connecticut’s Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015; (v) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.
    2. “Developer-Controlled Customer Data” means personal data subject to an Applicable U.S. State Law that Developer transmits, or causes to be transmitted, to Amazon (in accordance with the applicable Program Materials) for processing by the Processing Services.
    3. “Processing Services” means services provided by Amazon to Developer under the Agreement that are specifically designated in the Agreement as being subject to this DPA.
  2. Data Processing.

This DPA applies only when Amazon processes Developer-Controlled Customer Data that has been submitted to a Processing Service. In this context, Amazon will act as “processor” to Developer who will act as “controller” with respect to Developer-Controlled Customer Data (as “controller” and “processor” or similar concepts are defined in the Applicable U.S. State Law). This DPA does not apply to any other processing of data by Amazon or its Affiliates in connection with the Agreement, including any circumstance in which Amazon acts as controller with respect to personal data.

 Except as otherwise permitted by the Applicable U.S. State Law, (i) we will process Developer-Controlled Customer Data only in accordance with your Documented Instructions and (ii) we will not (a) retain, use, or disclose Developer-Controlled Customer Data for any purpose, including any commercial purpose, unless permitted by the Documented Instructions; (b) retain, use, or disclose Developer-Controlled Customer Data outside the direct business relationship with you, including by not combining any Developer-Controlled Customer Data with other personal information collected or received from another source; or (c) sell or share Developer-Controlled Customer Data. This Agreement (including all Schedules), the Program Materials, and the configurations and commands you submit to us via the applicable Program Materials (e.g., API calls to delete certain data) constitute your Documented Instructions. Additional instructions outside the scope of these Documented Instructions (if any) require prior written agreement. We will comply with the Applicable U.S. State Law or inform you if we determine that we can no longer meet our obligations under any Applicable U.S. State Law. At your written request, and provided that the we have an applicable nondisclosure agreement in place, we will make available to you commercially reasonable information necessary to demonstrate our compliance with Applicable U.S. State Laws. We will impose appropriate contractual obligations upon our personnel, including relevant obligations regarding confidentiality. Without limiting your obligations under this Agreement, we will maintain reasonable and appropriate technical and organizational measures designed to secure Developer-Controlled Customer Data against accidental or unlawful loss, access or disclosure. You are responsible for using the Processing Services in a way that ensures appropriate security standards apply to Developer-Controlled Customer Data, including by securing any account authentication credentials and devices or other systems you use to access the Processing Services.

You provide general authorization to our use of sub-processors to process Developer-Controlled Customer Data on your behalf. Where we engage a sub-processor, we will (i) restrict the sub-processor’s access to Developer-Controlled Customer Data only to what is necessary to provide or maintain the Program in accordance with the Documented Instructions; (ii) enter into a written agreement with the sub-processor imposing on the sub-processor the same contractual obligations that we have under Applicable U.S. State Law; and (iii) remain responsible for (a) our compliance with the obligations of Applicable U.S. State Law and this Agreement; and (b) any acts or omissions of the sub-processor that cause us to breach any of our obligations under Applicable U.S. State Law or this Agreement.

In our sole discretion, for the purpose of creating reports to be provided to Developers in support of our obligations under the Applicable U.S. State Law, we may arrange for a qualified and independent assessor to perform audits or inspections of our policies and technical and organizational measures. At your written request, and provided that we have an applicable nondisclosure agreement in place with you, we will provide you a report of such assessment in accordance with the Applicable U.S. State Law. If we are engaged in unauthorized use of Developer-Controlled Customer Data, you may, upon reasonable notice to us, take reasonable and appropriate steps to stop and remediate the unauthorized use of Developer-Controlled Customer Data. Upon closure of your Program account, we will return or delete Developer-Controlled Customer Data, at your discretion, as required under the Applicable U.S. State Law.