Last updated February 23, 2023
This Data Processing Agreement (“DPA”) applies to any Vendor that has entered into one or more Agreements with Instacart. Vendor and Instacart are referred to herein as “Party” or “Parties” as the context requires.
1. Key Definitions
1.1 “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with Instacart. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 “Agreement” means one or more agreements between Vendor and Instacart pursuant to which Vendor is provided access to, collects or otherwise processes Covered PI.
1.3 “Covered PI” means any Personal Information provided by or collected on behalf of Instacart to Vendor, collected by Vendor on behalf of Instacart, or otherwise made available to Vendor pursuant to the Agreements.
1.4 “Personal Information” means (a) any information relating to a consumer or household and (b) any information that falls within the scope of “personal data”, “personal information” or “personally identifiable information” (or any materially similar or analogous concept or definition) under any Privacy Laws.
1.5 “Portable Format” means to the extent technically feasible a structured, commonly used, machine readable, readily usable format that allows the consumer to transmit the Covered PI to another entity or controller without hindrance, as further specified in the Privacy Laws.
1.6 “Privacy Laws” mean any and all privacy and data protections laws and regulations applicable to the processing of the Covered PI under the Agreement, including the California Consumer Privacy Act, the California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, Canada’s Personal Information Protection and Electronic Documents Act, in each case when and if applicable to the processing of Covered PI by Vendor under this DPA.
1.7 The terms “business,” “business purposes,” “consumer,” “controller,” “processing,” “processor,” “sale,” “sensitive data,” “sensitive personal information,” “service provider,” “sharing,” and “verifiable consumer request” shall have the meanings given to those terms in the Privacy Laws. In the event of a conflict in the meanings of terms in the Privacy Laws, the Parties agree the meanings from each law apply.
1.8 “Services” means the services provided by Vendor to Instacart specified in the Agreements.
2. Terms of Data Processing
2.1 Relationship of the Parties. The Parties agree that Instacart is the sole Party that determines the purposes and means of processing Covered PI as the “business” or “controller;” and Vendor processes Covered PI as the “service provider” or “processor” on behalf of Instacart.
2.2 Compliance with Obligations. Vendor represents and warrants that Vendor, its employees, specialists, subcontractors, and sub-processors (a) will comply with Privacy Laws and this DPA while processing the Covered PI, and (b) will provide Instacart with all reasonably-requested assistance to enable Instacart to fulfill its own obligations under the Privacy Laws. Upon the reasonable request of Instacart, Vendor shall make available to Instacart all information in Vendor’s possession reasonably necessary to demonstrate its compliance with this subsection.
2.3 Deletion or Return of Covered PI. Upon written request by Instacart or termination of an Agreement, Vendor will discontinue processing Covered PI without undue delay. Within sixty (60) days of a written request by Instacart or termination of an Agreement, Vendor will destroy Covered PI unless otherwise instructed by Instacart; provided that prior to such destruction Vendor will return or make available to Instacart for a period of sixty (60) days, for a complete and secure download, all of the Covered PI in Vendor’s possession. Vendor may retain Covered PI to the extent and for such period of time required by Applicable Law provided that Vendor shall (a) notify Instacart of such obligations (unless prohibited from doing so) and (b) ensure the ongoing confidentiality of all such Covered PI. Upon written request by Instacart or within 60 days of the termination of an Agreement, Vendor will provide a written certification to Instacart that it has complied with these deletion obligations.
2.4 Assessments. If applicable, Vendor shall, upon the reasonable request of Instacart, provide Instacart with such assistance and information as is reasonably necessary to enable Instacart to carry out privacy impact assessments under Privacy Laws.
3. Limitations on Use of Covered PI
3.1 Limited Scope of Processing. Vendor will process Covered PI solely as instructed in the Agreements, this DPA and any other written instructions provided by Instacart that are consistent with the terms of the Agreement, in each case for the duration of the provision of the Services to Instacart.
3.2 Data Restrictions. Vendor will not: (a) sell or share Covered PI, (b) collect, retain, use, or disclose Covered PI for any purpose other than the business purposes specified in the Agreements, such as providing the Services to Instacart, (c) retain, use, or disclose Covered PI outside the direct business relationship with Instacart, (d) combine the Covered PI with other Personal Information, including for data augmentation or profiling, unless expressly permitted under Privacy Laws for Vendor functions (such as for fraud prevention purposes, or where required by law), and/or (e) export Covered PI outside the country from which it was provided or collected without Instacart’s prior written consent. Vendor shall have the right to use Aggregate Data (as defined below) for internal business purposes upon the written consent of Instacart (email sufficient) provided that Vendor shall not use or disclose the Aggregate Data for commercial purposes. “Aggregate Data” means Covered PI that is de-identified and aggregated in accordance with Applicable Law such that the information is not linked or reasonably linkable to any of Instacart, its customers, shoppers or retailers.
3.3 Audit Rights. Instacart, or, upon Instacart’s election, a third party reasonably designated by Instacart to act on Instacart’s behalf and acceptable to Vendor, shall have the right to monitor Vendor’s compliance with this DPA through measures that may include manual reviews, automated scans, penetration tests, regular assessments, audits, or technical or operational testing. Vendor shall cooperate fully with any audit initiated by Instacart, provided that such audit will not unreasonably interfere with the normal conduct of Vendor’s business. Vendor shall provide audited results with sufficient detail to understand findings, related risks, and remediation requirements. Unless otherwise required by law, Instacart shall provide Vendor no less than 10 days prior notice of any such audit and shall not audit Vendor more than twice per twelve month period, except that Instacart may audit at any time in the event of a Security Incident, as required by a regulator or in connection with the defense of Instacart’s legal rights. Should the results demonstrate a material failing in Vendor’s compliance with this DPA, Vendor shall work in good faith with Instacart to remediate such issues to Instacart’s satisfaction.
3.4 Compliance Remediation; Termination Rights. Vendor agrees to notify Instacart without undue delay if Vendor determines that it can no longer meet its obligations under Privacy Laws. Upon receiving notice from Vendor pursuant to this subsection, Instacart may direct Vendor to take steps as reasonable and appropriate to remediate unauthorized use of Covered PI or terminate the Agreements.
3.5 Subcontractors; Sub-processors.
- Appointment of Sub-Processors. Vendor shall have the right to engage sub-processors in connection with the performance of its Services hereunder (“Sub-processors”). Prior to the start of any processing of Covered PI by Vendor hereunder, Vendor must provide to Instacart the current list of Sub-processors engaged in processing Covered PI for each applicable Service, including a description of their processing activities and countries of location. Vendor shall notify Instacart in writing (email sufficient) of any changes concerning the addition or replacement of Sub-processors engaged to process Covered PI. Further, Vendor shall ensure that Vendor’s Sub-processors who process Covered PI on Vendor’s behalf agree in writing to the same restrictions and requirements that apply to Vendor in this DPA and the Agreements with respect to Covered PI. Vendor shall remain fully liable to Instacart for the acts and omissions of its Sub-processors.
- Right to Object. Instacart may object in writing to Vendor’s appointment of a new subcontractor or sub-processor on reasonable grounds relating to data protection by notifying Vendor in writing within 30 calendar days of receipt of notice in accordance with Section 3.5. In the event Instacart objects, the Parties shall discuss Instacart’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Vendor will, in its sole discretion, either not appoint the subcontractor or sub-processor or permit Instacart to terminate the Agreements, in such case refunding Instacart for any prepaid unused fees.
3.6 Re-identification. Vendor will not, and will not allow its subcontractors or sub- processors to, re-identify any de-identified, anonymized, or pseudonymized data derived from Covered PI that is processed by Vendor on behalf of Instacart, unless instructed by Instacart in writing (email is sufficient).
4. Consumer Requests
4.1 Fulfillment of Consumer Requests. Vendor will implement and maintain sufficient processes and procedures to satisfy Instacart’s requests to access, correct, and/or delete Covered PI held by Vendor. Within ten (10) calendar days of a written request from Instacart (email is sufficient), Vendor shall, as applicable: (a) securely erase or destroy, or cause to be erased or destroyed, specific pieces of Covered PI, including any copies of such Covered PI maintained by Vendor’s subcontractor(s) or sub-processor(s); (b) Provide information requested by Instacart about Vendor’s processing of the Covered PI; (c) Provide the specific pieces of Covered PI that Vendor and/or one of its subcontractors or sub-processors has collected or otherwise obtained about the consumer on behalf of Instacart in a Portable Format; (e) modify, and direct its subcontractors or sub-processors to modify, specific pieces of Covered PI; (f) limit processing of Covered PI defined in Privacy Laws as “sensitive personal information” or “sensitive data,” in accordance with the instructions of Instacart.
4.2 Referral of Direct Requests. Vendor must refer to Instacart applicable consumer requests submitted directly to Vendor for Covered PI and not to respond to any such requests other than to notify requester that the request is referred to Instacart.
5. Security Controls
5.1 Duty of Confidentiality. Vendor, its employees, specialists, subcontractors, and sub- processors are subject to a duty of confidentiality with respect to the Covered PI.
5.2 Security Measures. Vendor shall implement and maintain reasonable technical and organizational security measures, procedures, and practices appropriate to the nature of the Covered PI to protect such Covered PI from unauthorized access, destruction, use, modification, or disclosure (“Security Measures”). Such Security Measures shall meet or exceed applicable industry standards (e.g., NIST Cybersecurity Framework) and any obligations set forth in the Agreements or applicable law. Vendor shall comply with the requirements of the Security Exhibit attached hereto.
5.3 Security Incident.
(a) Notification. Vendor will inform Instacart within twenty-four (24) hours of Vendor’s suspected unauthorized access, destruction, use, modification, or disclosure (each, a “Security Incident”) of any Covered PI. Vendor will notify Instacart via email with read-receipt to firstname.lastname@example.org and a copy to email@example.com and Vendor's primary business contact at Instacart. Vendor shall: (i) provide Instacart with the name and contact information for an employee of Vendor who shall serve as Instacart’s primary security contact and shall be available to assist Instacart twenty-four (24) hours per day, seven (7) days per week as a contact in resolving obligations associated with a Security Incident. Written notification provided pursuant to this paragraph will include a brief summary of the available facts, the status of Vendor’s investigation, and if known and applicable, the potential number of persons affected by release of data relating to such person.
(b) Management & Remediation. Vendor will provide Instacart with any information and cooperation reasonably requested by Instacart regarding such Security Incident, including providing Instacart or its designated forensic investigator reasonably acceptable to Vendor with physical access to the facilities and operations affected, facilitating interviews and making available relevant records, logs and other materials reasonably required by Instacart. Vendor shall immediately remedy any Security Incident at its own expense in accordance with applicable laws. Vendor shall reimburse Instacart for actual costs incurred by Instacart in responding to, and mitigating damages caused by, any Security Incident, including all costs of notice and remediation. Unless required by law, Vendor shall not inform any third party of any Security Incident without written approval of Instacart. Further, Vendor agrees that Instacart shall have the sole right to determine whether notice of the Security Incident is to be provided, the contents of such notice, and the nature and extent of any remediation.
5.4 Oversight. Upon request and on an annual basis, Vendor will provide Instacart with the results of any audit(s) performed (e.g., SOC1, SOC2, ISO27001, etc) by or on behalf of Vendor that assesses the effectiveness of Vendor’s information security program as relevant to the security and confidentiality of Covered PI (“Controls Report”). Vendor shall ensure that each subcontractor or sub-processor makes available to Instacart a Controls Report on an annual basis or following a Security Incident.
6.1 Notification of Regulatory Inquiry. Vendor shall notify Instacart of any regulatory inquiry or correspondence regarding Covered PI (an “Inquiry”) within three (3) calendar days of receiving such Inquiry. Vendor shall provide Instacart with all copies of documents and correspondence relating to the Inquiry without unduly delay.
6.2 Response to Inquiry. Vendor shall not disclose any confidential information of Instacart or any affiliated party to the applicable authority without Instacart’s prior written consent. Vendor shall take all other measures necessary to respond to or otherwise address the Inquiry adequately and in a timely manner.
7.1 Severability. If any provision of this DPA shall be found to be void by a court of law, such provision shall be deemed to be severable from the other provisions of this DPA, and the remainder of this DPA shall be given effect, as if the Parties had not included the severed provision.
7.2 Seizure or Confiscation. If any Covered PI may be endangered by seizure or confiscation, insolvency proceedings (including a sale) or composition proceedings, or any other events or measures taken by a third party, Vendor shall inform Instacart with reasonable advance notification. In addition, Vendor shall inform any such third party that sovereignty and ownership of the Covered PI belong to Instacart.
7.3 Survival. All representations, warranties, and indemnities shall survive the termination and/or expiration of this DPA and shall remain in full force and effect. All of a Party’s rights and privileges —to the extent they are fairly attributable to events or conditions occurring or existing on or prior to the termination and/or expiration of this DPA — shall survive termination and shall be enforceable by that Party.
7.4 General. Except as expressly set forth herein, the terms of the Agreements shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Agreements and the terms of this DPA, the terms of this DPA shall control unless the Agreement(s) includes a specific cross-reference to the section of DPA intended to be modified. Headers are for convenience and do not affect the interpretation of the terms of this DPA.
1. Policies and Procedures. Vendor shall maintain and ensure compliance with Vendor’s written security management policies and procedures (“Vendor Policies”) to prevent, detect, contain, and correct violations of measures taken to protect the confidentiality, integrity, or availability of Vendor information systems that store, process, transfer or access Instacart’s Confidential Information (“Vendor Systems”). Vendor Policies shall at minimum: (i) to the extent Vendor has access to Covered PI, treat Covered PI at all times as highly sensitive information; (ii) include a formal risk management program, which includes periodic risk assessments; and (iii) provide an adequate framework of controls that safeguard Vendor’s Systems, including without limitation any hardware or software supporting Instacart and Instacart’s Confidential Information.
2. Security Evaluations. Vendor shall annually conduct and document technical security assessment of its Vendor Policies and Vendor Systems to ensure continued compliance with the obligations set forth in this Schedule and as otherwise imposed by law. Such evaluations shall ensure that Instacart’s Confidential Information is stored confidentially and in a secure manner within Vendor Systems and evaluate the maintenance and structure of Vendor’s Systems.
3. Certifications. Upon Instacart’s written request, Vendor shall provide Instacart with the results of any audit performed by or on behalf of Vendor that assesses the effectiveness of Vendor’s information security program as relevant to the security and confidentiality of Covered PI shared during the course of the Agreement (“Controls Report”). Vendor shall ensure that each Sub-processor prepares and makes available to Instacart a Controls Report on an annual basis or following a Security Incident.
4. Physical Security. Vendor shall maintain appropriate physical security controls (including facility and environmental controls) to prevent unauthorized physical access to Vendor Systems.
5. Access Limitation. Vendor shall implement appropriate access controls restricting access to Covered PI to only such employees, specialists, subcontractors, and sub-processors as need to know the information in order to perform their obligations in furtherance of the Agreements.
6. Visitor Access Logs. Vendor shall maintain sign in access logs for visitors and guests (“Vendor Guest Log”) and ensure that such visitors and guests are escorted while in any facility that allows either physical or virtual access to Vendor’s Systems and maintain Vendor Guest Log in a secure location for a minimum of three (3) months.
7. Perimeter Controls. Vendor shall maintain reasonable network perimeter controls such as firewalls at all perimeter connections to Vendor’s Systems.
8. Vulnerability Management and Testing. Vendor shall employ reasonable vulnerability management processes to mitigate data security risks, including, without limitation, mitigation steps to resolve issues identified by Vendor, Instacart, or as required by law. Vendor shall permit security vulnerability testing by Instacart and its approved third parties for the purpose of identifying public facing security vulnerabilities in Vendor’s web functionality used by Instacart, and Instacart’s customers, clients and independent contractors, provided such testing shall be subject to Instacart providing reasonable prior notice and Vendor obtaining any necessary consents from its hosting platform provider.
9. System Hardening. Vendor’s configuration parameters for Vendor Systems shall include procedures to disable all unnecessary services on devices and servers and shall be applied to all Vendor Systems that access, transmit or store Instacart’s Confidential Information.
10. Patch Management. Vendor shall establish and adhere to Vendor Policies for patching Vendor Systems which ensure all Vendor Systems are maintained at current stable patch level.
11. Virus Detection. Vendor shall install commercially reasonable malicious code detection software, to include virus detection and malware detectors, on all systems vulnerable to malware that are used to access, process or store Instacart’s Confidential Information, and Vendor shall keep antimalware virus signatures up to date.
12. System Logs. Vendor shall maintain system logs that uniquely identify individual users and their access to associated systems and identify the attempted or executed activities of such users. All systems creating system logs shall be synchronized to a central time source. Vendor shall identify, investigate and respond to any suspicious or malicious activity identified in such Vendor System log. Vendor shall preserve a security log audit trail for Vendor System. Vendor shall maintain these logs for the longer of the term of the Agreement or for one (1) year, or as otherwise required by law.
13. Background Checks. Vendor shall require all personnel accessing Instacart’s Confidential Information via Vendor Systems to complete a background check. Vendor shall further ensure that its personnel engaged in the Processing of Instacart Confidential Information are informed of the confidential nature of the Covered PI, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Vendor shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
14. Change Control Process. Vendor shall maintain reasonable change control processes to approve and track changes within Vendor’s computing environment.
15. Protection of Storage Media. Vendor shall ensure that storage media containing Instacart’s Confidential Information is properly sanitized of all Instacart’s Confidential Information or is destroyed prior to disposal or re-use for non-Vendor processing. All media on which Instacart’s Confidential Information is stored shall be protected against unauthorized access or modification. Vendor shall maintain reasonable and appropriate processes and mechanisms to maintain accountability and tracking of the receipt, removal and transfer of storage media used for Vendor information systems or on which Instacart’s Confidential Information is stored.
16. System Accounts. Vendor shall maintain appropriate Vendor Policies for requesting, approving, auditing, and administering accounts and access privileges for Vendor information systems and Instacart’s Confidential Information. Vendor personnel who access systems that store, transmit or process Instacart’s Confidential Information shall be assigned individual system accounts to ensure accountability for access granted.
17. Passwords. Vendor shall implement appropriate password parameters for systems that access, transmit or store Instacart’s Confidential Information (“Related Systems”). Vendor shall implement strong two factor authentication and complex passwords (“Passwords”) for all network and systems access to Related Systems. Vendor shall adhere to industry standard password practices. Default manufacturer passwords used in Vendor’s products shall be changed upon installation.
18. Business Continuity. Vendor shall ensure that it has adequate processes and procedures that will enable a business to sustain the service in the event of a disaster (“Business Continuity Plans”) in place to ensure its compliance with the terms of this DPA and shall review and test plans no less than annually.
19. Data Destruction. All Instacart’s Confidential Information shall be securely destroyed once it is no longer needed via commercially reasonable processes. Vendor’s strategy for data destruction must be documented and include logs for all Instacart’s Confidential Information destroyed, which shall be available for Instacart’s review.
20. Payment Card Industry Data Security Standards (PCI DSS) Compliance. With respect to the Services, to the extent applicable, Vendor shall maintain the required level of PCI DSS compliance and certification, and shall provide related documentation upon Instacart’s request. Vendor is responsible for the security of cardholder data that it encounters, uses and/or maintains pursuant to this DPA or in order to provide the Services. Vendor is required to implement and maintain reasonable security measures. These security measures should be appropriate in light of the sensitivity of the information and should protect the information from unauthorized access, use or disclosure.