1.1 “Applicable Data Law” means all federal, provincial, state, and local laws, statutes, regulations, codes, ordinances, orders, rules, executive orders, regulatory guidance, and industry self-regulations and codes of practice, as amended, applicable to the PetSmart Data, the Agreement, or the parties to the Agreement.
1.2 “Controller” means an entity that, alone or jointly with others, determines the purposes for and means of Processing. “Controller” has the same meaning as “Business,” as that term is defined under Applicable Data Law.
1.3 “Data Subject” means an identified or identifiable person.
1.4 “De-Identified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, a Data Subject or as that or similar terms are otherwise defined under Applicable Data Law.
1.5 “PetSmart Data” means, collectively, the following types of data provided to Provider by or on behalf of PetSmart or its affiliates, subsidiaries, customers, users, donors, vendors, contractors, or other third parties, or otherwise accessed by Provider under the Agreement:
1.5.1 “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, to a Data Subject, or as that term or a similar term is otherwise defined under Applicable Data Law.
1.5.2 “Payment Data” means “Cardholder Data” and “Sensitive Authentication Data” (each as defined under the Payment Card Industry Data Security Standard (“PCI DSS”) glossary), and any other payment method data, including bank account numbers.
1.6 “Process” or “Processing” means any operation or set of operations performed on PetSmart Data, including without limitation accessing, collecting, using, storing, transferring, retaining, disclosing, selling, sharing, deleting, and destroying PetSmart Data.
1.7 “Processor” means an individual or entity that Processes PetSmart Data on behalf of a Controller. “Processor” has the same meaning as “Service Provider,” as that term is defined under Applicable Data Law.
1.8 “Provider Systems” means the networks, systems, software, equipment, and premises utilized by or on behalf of Provider to provide the services, deliverables, or products or otherwise for Processing.
1.9 “Security Breach” means (i) deliberate or inadvertent Processing in breach of this DPA; (ii) any misuse or unlawful or accidental loss, destruction, alteration, or unauthorized Processing; (iii) an event where the security of the Provider Systems is compromised, including any instance in which there is any unauthorized access, interference or use of the Provider Systems; or (iv) another event in which Provider otherwise compromises the security, confidentiality, or integrity of PetSmart Data.
1.10 “Vendor Risk Assessment” means the questionnaire PetSmart uses, as updated from time to time, to assess Provider’s security controls, policies, procedures, and other factors, which Provider must complete to PetSmart’s satisfaction before Processing PetSmart Data and from time to time upon PetSmart’s request.