Skip to content
Sobriety Hub

Data Protection Addendum

Sobriety Hub Data Protection Addendum (DPA)

Last Updated: 4.23.2025

This Data Protection Addendum (“DPA”) forms part of the Master Services Agreement between Sobriety Hub, LLC (“Sobriety Hub”) and Customer. It applies when Sobriety Hub processes Personal Information on behalf of Customer and outlines both parties’ obligations under applicable privacy laws including the CCPA, CPRA, and others.

  1. Definitions
  • Personal Information: Any data that identifies or can be linked to an individual.
  • Processing: Any operation performed on Personal Information (e.g., storing, analyzing, sharing).
  • Data Protection Laws: CCPA, CPRA, and other U.S. state laws that govern the use and protection of Personal Information.
  1. Roles and Purpose
  • Sobriety Hub is a Service Provider and processes Personal Information solely to provide services under the Agreement.
  • Customer determines the means and purposes of that Processing.
  1. Sobriety Hub’s Commitments
  • Process data only as necessary to perform services for Customer.
  • Not Sell or use data for any purpose beyond service delivery.
  • Implement appropriate security measures to protect Personal Information.
  • Respond to Customer's data subject requests (access, deletion, correction).
  • Delete Personal Information upon Customer request unless prohibited by law.
  • Ensure subcontractors are bound by equivalent data protection obligations.
  • Maintain logs, auditability, and data security documentation.
  1. Subcontractors
  • Sobriety Hub will maintain a list of subprocessors and notify Customer of any changes.
  • If Customer objects, Sobriety Hub will work in good faith to resolve or allow termination of the Agreement without penalty.
  1. Security Measures
  • Access controls, encryption, network safeguards, and employee training.
  • Industry-standard data deletion practices per NIST SP 800-88.
  • Ongoing privacy compliance reviews and monitoring.

Citation: NIST SP 800-88 Guidelines

  1. Breach Notification
  • Sobriety Hub will notify Customer of a Data Breach within 36 hours of discovery.
  • Sobriety Hub will cooperate with mitigation and remediation efforts.
  • Breach liability will follow the Agreement’s limitations unless otherwise required by law.
  1. Retention and Deletion
  • Personal Information is retained only as long as necessary to fulfill the Agreement or comply with legal obligations.
  • Upon contract termination, Sobriety Hub will delete or return all Personal Information unless retention is required.
  1. International Data Transfers
  • Sobriety Hub does not transfer Personal Information outside the United States without prior written consent from Customer.
  1. Customer Responsibilities
  • Ensure it has legal rights to disclose Personal Information to Sobriety Hub.
  • Inform data subjects of Sobriety Hub’s role and usage where required by law.
  1. Audits
  • Customer may audit Sobriety Hub’s compliance with this DPA once annually with 10 business days’ notice.
  • Both parties must mutually agree on timing and scope of any such audit.
  1. Compliance Statements
  • Sobriety Hub certifies compliance with applicable Data Protection Laws.
  • Customer affirms its privacy policy complies with state law requirements.
  1. Conflicts and Precedence
  • If there is a conflict between this DPA and the Master Services Agreement, the terms of this DPA shall govern with respect to data protection and privacy.
  • Limitation of liability provisions in the MSA do not apply to violations of this DPA.
  1. De-Identified and Aggregate Data
  • Sobriety Hub may create, use, disclose, and otherwise process data derived from Customer Data and Resident Data that has been de-identified and/or aggregated such that it does not identify any individual and cannot reasonably be used to re-identify any individual ("Aggregate Data").
  • Customer acknowledges and agrees that Sobriety Hub owns all rights, title, and interest in and to such Aggregate Data and may use such Aggregate Data for any lawful purpose, including but not limited to product development, analytics, benchmarking, research, and publication of industry insights, without obligation to Customer or any third party.
  • Sobriety Hub will implement reasonable safeguards to ensure that Aggregate Data cannot be used to re-identify any individual.

Citation: CCPA § 1798.140(ae): Definition of De-Identified Data

  1. Contact Information
  • To raise privacy concerns or submit requests related to this DPA, email us at customers@sobrietyhub.com.