Skip to content
Demo

SOBRIETY HUB DATA PROTECTION ADDENDUM (DPA)

Last Updated: 3.16.2026

This Data Protection Addendum ("DPA") forms part of the Master Services Agreement between Sobriety Hub LLC ("Sobriety Hub") and Customer. It applies when Sobriety Hub processes Personal Information on behalf of Customer and outlines both parties' obligations under applicable privacy laws including the CCPA, CPRA, and others.

1. DEFINITIONS

  • Personal Information: Any data that identifies or can be linked to an individual.
  • Processing: Any operation performed on Personal Information (e.g., storing, analyzing, sharing).
  • Data Protection Laws: CCPA, CPRA, and other U.S. state laws that govern the use and protection of Personal Information.

2. ROLES AND PURPOSE

  • Sobriety Hub is a Service Provider and processes Personal Information solely to provide services under the Agreement. For the avoidance of doubt, this restriction applies only to Personal Information and does not limit Sobriety Hub’s rights with respect to De-Identified or Aggregate Data as described in Section 13.
  • Customer determines the means and purposes of that Processing.

3. SOBRIETY HUB'S COMMITMENTS

  • Process data only as necessary to perform services for Customer.
  • Not Sell or use Personal Information for any purpose beyond service delivery.
  • Implement appropriate security measures to protect Personal Information.
  • Respond to Customer's data subject requests (access, deletion, correction).
  • Delete Personal Information upon Customer request unless prohibited by law.
  • Ensure subcontractors are bound by equivalent data protection obligations.
  • Maintain logs, auditability, and data security documentation.

5. SECURITY MEASURES

  • Access controls, encryption, network safeguards, and employee training.
  • Industry-standard data deletion practices per NIST SP 800-88.
  • Ongoing privacy compliance reviews and monitoring.

Citation: NIST SP 800-88 Guidelines

6. BREACH NOTIFICATION

  • Sobriety Hub will notify Customer of a Data Breach without unreasonable delay and within the timeframes required by applicable law.
  • Sobriety Hub will cooperate with mitigation and remediation efforts.
  • Breach liability will follow the Agreement's limitations unless otherwise required by law.

7. RETENTION AND DELETION

  • Personal Information is retained only as long as necessary to fulfill the Agreement or comply with legal obligations.
  • Upon contract termination, Sobriety Hub will delete or return all Personal Information unless retention is required.

8. INTERNATIONAL DATA TRANSFERS

If Sobriety Hub transfers Personal Information outside the United States, it will implement appropriate safeguards consistent with applicable law to protect such data.

9. CUSTOMER RESPONSIBILITIES

  • Ensure it has legal rights to disclose Personal Information to Sobriety Hub.
  • Inform data subjects of Sobriety Hub's role and usage where required by law.

11. COMPLIANCE STATEMENTS

  • Sobriety Hub certifies compliance with applicable Data Protection Laws.
  • Customer affirms its privacy policy complies with state law requirements.

12. CONFLICTS AND PRECEDENCE

  • If there is a conflict between this DPA and the Master Services Agreement, the terms of this DPA shall govern with respect to data protection and privacy.
  • Notwithstanding Section 9.4 of the MSA, Sobriety Hub’s aggregate liability for claims arising under this DPA shall not exceed the total fees paid by Customer during the twelve (12) months preceding the event giving rise to the claim.

13. DE-IDENTIFIED AND AGGREGATE DATA

  • Sobriety Hub may create, use, disclose, and otherwise process data derived from Customer Data and Resident Data that has been de-identified and/or aggregated such that it does not identify any individual and cannot reasonably be used to re-identify any individual ("Aggregate Data").
  • Customer acknowledges and agrees that Sobriety Hub owns all rights, title, and interest in and to such Aggregate Data and may use such Aggregate Data for any lawful purpose, including but not limited to product development, analytics, benchmarking, research, sale, licensing, commercialization, and publication of industry insights, without obligation to Customer or any third party.
  • Sobriety Hub will implement reasonable safeguards to ensure that Aggregate Data cannot be used to re-identify any individual.

Citation: CCPA § 1798.140(ae): Definition of De-Identified Data

14. CONTACT INFORMATION

To raise privacy concerns or submit requests related to this DPA, email us at customers@sobrietyhub.com.