Data Processing Addendum

This Addendum comprises a variation, and is supplemental to, the End User License EULA (the “EULA”) for the provision of Software as set out in the EULA (the “Services”). In the event of any conflict between the EULA and this Addendum, the terms and conditions of this Addendum shall control. Except to the extent expressly superseded or modified in this Addendum, the terms and conditions of the EULA will apply to this Addendum and remain in full force and effect.

1. Definitions

1.1 “Applicable EU Law” means any applicable law of the European Union (or the law of one or more of the Member States of the European Union).

1.2 “California Privacy Law” means, as applicable, the California Consumer Privacy Act and related regulations and, when effective, the California Privacy Rights Act and related regulations.

1.3 “CPA” means, when effective, the Colorado Privacy Act and related regulations.

1.4 “Data Processing Particulars” means in relation to any Processing under this Addendum:

1. the subject matter and duration of the Processing;
2. the nature and purpose of the Processing;
3. the type of the Personal Information being Processed; and
4. the categories of Data Subjects.

1.5 “PIPEDA” means the Personal Information Protection and Electronic Documents Act, SC 2000, c.5.

1.6 “Privacy Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, theft, or unauthorized access to or disclosure of Personal Information.

1.7 “Privacy Laws” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation or other binding restriction (as amended, consolidated or re-enacted from time to time) governing the Processing or protection of Personal Information, including for example, and without limitation, EU GDPR and Directive 2002/58/EC, UK GDPR, PIPEDA, California Privacy Law, the VCDPA, and the CPA.

1.8 “Processing”, “Processed” or “Process” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as but not limited to collection, use, modification, retrieval, disclosure, retention, storage, deletion and/or management of Personal Information.

1.9 “Supervisory Authority” means an independent public authority that is established by an EU Member State to monitor the application of the EU GDPR or by the United Kingdom to monitor the application of the UK GDPR.

1.10 “UK GDPR” means the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)) and the UK Data Protection Act 2018 (as amended).

1.11 “VCDPA” means, when effective, the Virginia Consumer Data Protection Act.

1.12 Unless otherwise provided a capitalised term that is not defined in this Addendum shall have the meaning given to it in the EULA and the words and expressions in, and the rules of interpretation of, the EULA shall have the same meaning in this Addendum.

2 Data Processing and Security Responsibilities

2.1 Customer and Service Provider shall each comply with all Privacy Laws that apply to it in relation to any Personal Information Processed in connection with this Addendum, as set out in the Data Processing Particulars at Annex A to this Addendum.

2.2 Customer agrees that it has:

1. made and shall maintain all necessary registrations and notifications as required in order to permit Service Provider to perform its obligations and exercise its rights under this Addendum;
2. obtained and shall continue to obtain all consents necessary, and provided all necessary notices and otherwise has and continues to have all necessary authority to permit Service Provider to perform its obligations and exercise its rights under this Addendum, and shall inform Service Provider immediately if any such consents are withdrawn;
3. ensured and shall continue to ensure that all Personal Information Processed by Service Provider is adequate, relevant, accurate and up-to-date, and limited to what is necessary to permit Service Provider to perform its obligations and exercise its rights under this Addendum;
4. ensured and shall continue to ensure that there are valid legal bases to enable Service Provider to Process Customer's Personal Information;
5. Processed and will continue to Process the Personal Information in accordance with all applicable Privacy Laws.

2.3 In the course of Processing Personal Information on behalf of Customer as detailed in Annex A to this Addendum, Service Provider shall:

1. except as otherwise permitted herein, only use, disclose, transfer, retain, and otherwise Process Personal Information as reasonably necessary for the purposes of rendering the Services and as otherwise instructed by Customer in writing from time to time or as otherwise required or permitted by applicable Privacy Law, and not Process any Personal Information in any other manner without the express prior written authorization of Customer unless required to do so by applicable law;
2. as soon as reasonably practicable, inform the Customer if, in Service Provider’s opinion, any instruction received from the Customer infringes Applicable EU Law;
3. not disclose any Personal Information to any third party without the prior written authorization of Customer (under this Addendum or otherwise) unless required to do so under applicable law (in which case clause e) below shall apply);
4. not “sell” the Personal Information within the meaning of California Privacy Law, the VCDPA, or the CPA, and not “share” the Personal Information within the meaning of the California Consumer Rights Act;
5. where any disclosure, transfer or other Processing of Personal Information is required by applicable law, promptly notify Customer in writing before complying with any such requirement (unless prohibited by applicable law, such as on important grounds of public interest);
6. promptly notify Customer in writing of any (i) enquiry received from individuals relating to the individual’s rights under Privacy Laws, and provide reasonable assistance to Customer with respect to any obligations Customer has to respond to such requests, such as by an obligation to provide access to Personal Information, or to correct, rectify, erase or restrict the processing of Personal Information; (ii) complaint received by Service Provider either from an individual or a Supervisory Authority relating to the Processing of Personal Information, and (iii) order, demand or warrant purporting to compel the production of any Personal Information;
7. implement reasonable and appropriate physical, technical, administrative and organizational security procedures and practices appropriate to the sensitivity of the Personal Information, to protect the Personal Information against loss, theft, destruction, alteration and unauthorized or unlawful access, use or disclosure, as would allow Service Provider to ensure the ongoing confidentiality, integrity and availability of Processing systems and services (the “Security Measures”). The parties acknowledge and agree that the Security Measures are set out in Annex B. Service Provider shall not materially lower the standard of the Security Measures without the prior approval of Customer;
8. limit access to Personal Information only to those employees and authorized agents of Service Provider who need to have access to the Personal Information and solely for the purposes set out in this Addendum;
9. ensure or cause each of the employees and permitted contractors of Service Provider to agree to protect the confidentiality and security of the Personal Information in accordance with the terms of this Addendum;
10. provide reasonable assistance, at Customer’s cost and request, to Customer in connection with Customer’s obligations under Privacy Laws, including:
11. obligations relating to ensuring the security and integrity of Personal Information;
1. obligations relating to notifications and communication of Privacy Breaches as required by Privacy Laws to the Supervisory Authority and /or any affected individuals; and
2. undertaking any Data Protection Impact Assessments that are required by Privacy Laws and, where necessary, consulting with the relevant Supervisory Authority in respect of any such Data Protection Impact Assessments;
12. aggregate and/or anonymize the Personal Information in order to use such aggregated and/or anonymized information for its own purposes, provided that such aggregated or anonymized data, as the case may be, is non-identifiable as to Customer and otherwise no longer constitutes Personal Information under applicable Privacy Laws;
13. otherwise comply with Privacy Laws applicable to the Processing by Service Provider; and
14. notify Customer if Service Provider determines it can no longer meet its obligations under applicable Privacy Laws.

3 Third-Party Certifications

Service Provider shall provide, and Customer agrees to accept, Service Provider’s most current third-party certifications as may be relevant and available in respect of the Services.

4 Sub-processing

Subject to Clause 6, Customer acknowledges and agrees that Service Provider shall use sub-processors (including Service Provider affiliates) to provide the Services, including the Processing activities set out in Annex A. Service Provider shall enter into a written contract with each such sub-processor that imposes obligations on the sub-processor that are sufficient to permit Service Provider to comply with its obligations under this Addendum. Prior to appointing any new sub-processor in addition to or in lieu of those listed in Annex C, Service Provider shall notify Customer of such sub-processors, whereupon Customer shall have ten (10) days to object to such appointment by providing detailed reasons in writing for such objection to Service Provider, at which point Customer will be deemed to have given written consent to appoint and use such sub-processor if Service Provider has not received an objection from Customer. If Customer objects in writing to the proposed appointment, the Parties shall work together in good faith to resolve Customer’s reasonable concerns.

5 Security Breach Notification

Service Provider shall notify Customer without undue delay upon Service Provider becoming aware of a Privacy Breach.

6 Data Transfers

Customer acknowledges and agrees that in the course of providing the Services to Customer, Service Provider may transfer Personal Information that is subject to Applicable EU Law to sub-processors in countries outside of the European Economic Area (“EEA”). Subject to section 4 of this Addendum, Service Provider shall ensure that appropriate transfer mechanisms are in place within the meaning of Applicable EU Law.

7 Termination

7.1 This Addendum shall come into force on the Effective Date and shall remain in force until the termination or expiry of the EULA.

7.2 Upon the termination of the EULA or at such other times as instructed by Customer in writing, Service Provider shall either return or securely dispose of the Personal Information and all existing copies, subject to Service Provider’s requirements to retain certain Personal Information in order to comply with its legal and regulatory obligations and applicable law or as otherwise necessary in the context of any disputes or litigation. In the event applicable law does not permit Service Provider to comply with the delivery or destruction of the Personal Information, Service Provider warrants that it shall ensure the confidentiality of the Personal Information in accordance with applicable law.

8 Governing Law and Jurisdiction of Addendum

8.1 This Addendum and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws specified in the EULA.

8.2 The Customer and Service Provider agree that the courts specified in the EULA shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Addendum or its subject matter or formation (including non-contractual disputes or claims).