Data processing addendum

This DPA applies to Processor's Processing of Personal Data on behalf of Controller. This DPA shall govern the Processing of Personal Data through the parties' performance of the Agreement in compliance with Data Protection Laws.

Processor shall act as a processor of Personal Data in compliance with Data Protection Laws and this DPA. Processor shall comply with Data Protection Laws during the course, scope, and performance of the Agreement.

Processor shall Process Personal Data in accordance with Controller's documented instructions, for the limited purpose of providing the services, solely to the extent necessary to provide the services, and in a manner in accordance with applicable Data Protection Laws. Processor shall promptly notify Controller if, in Processor's commercially reasonable opinion, Processor is unable to comply with such instruction, or Processor is required by applicable law or order to Process the Personal Data, provided that Processor is not prohibited by law from notifying Controller.

Processor shall limit disclosure or access to Personal Data to any employee, agent, or contractor who need to know or have access to the Personal Data for Processor's provision of the Service and performance of the Agreement and direct its sub-processors to undertake the same.

Processor shall, to the extent permitted by applicable law, promptly notify Controller if Processor receives a request from a Data Subject to exercise the Data Subject's rights of access, rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, or objection to the Processing. Processor shall cooperate with Controller in responding to such Data Subject requests, subject to Section 2.5.

Processor shall promptly notify Controller of any request, complaint, or inquiry received directly by Processor. Processor shall cooperate with Controller in the response to such request, complaint, or inquiry. If Controller seeks a protective order against such request, complaint, or inquiry, Processor shall cooperate with Controller, to the extent permitted by applicable law.

Processor shall maintain a written record of Processing including the name and contact details of Controller and sub-processors, Processor's data protection officer or representative, categories of Processing, transfers of Personal Data, and, as practicable, a general description of appropriate safeguards. Processor shall make such written records available to a Supervisory Authority or the Controller upon request.

Processor shall not combine Personal Data with other personal data received from, or on behalf of, other persons or collected form its own interaction with a consumer, except as permitted by applicable Data Protection Laws.

Controller has the right to monitor Processor's compliance with this DPA and, upon notice, to take reasonable and appropriate steps to stop and remediate Processor's unauthorized use of Personal Data.

Controller shall export, transfer, and otherwise manage the provision of Personal Data to Processor in compliance with Data Protection Laws, the instructions of the Controller, and this DPA. Controller shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

As between Controller and Processor, Controller shall have sole responsibility for obtaining any and all relevant agreements, authorizations, consents, instructions or Comilies for the Procesing of Personal ata for Pucessor to Pruess Personal Dation

Controller shall limit the transfer to Personal Data that is necessary for Controller to provide the services for which Controller has contracted.

Processor shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Processor agrees to implement, maintain, and document an information security program that includes appropriate administrative, technical and physical safeguards designed to protect Personal Data from unauthorized access, use, modification, disclosure, or destruction.

Processor agrees to hold, maintain, and manage Personal Data in strictest confidence and use due care to prevent any unauthorized or inappropriate use or disclosure. Processor shall limit access to Personal Data on a strict "need to know" basis; ensure that all of Processor's personnel comply with the provisions of this DPA regarding the Processing of Personal Data; ensure that all Processor personnel involved in processing Personal Data are subject to a duty of confidentiality with respect to Personal Data; exercise the necessary and appropriate supervision over personnel to ensure the privacy, confidentiality, and security of Personal Data; and ensure that Processor's personnel receive appropriate training regarding the privacy, confidentiality, and security requirements set forth in this DPA.

Prior to Processor appointing any Processor Affiliates or third parties to Process Personal Data as sub-processors, Processor shall provide Controller with thirty (30) days' notice of such appointment. Controller must grant Processor written authorization for Processor to be able to appoint such additional sub-processors. If Controller fails to grant such written authorization, Processor may not use the additional sub-processors.

Sub-processors shall Process Personal Data for Processor under a written contract executed by Processor and sub-processor that includes: (i) materially similar data protection obligations as set out in in this DPA; and (ii) the implementation of appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Laws.

Processor shall be liable for the Processing of Personal Data by its sub-processors to the same extent Processor would be liable under this DPA for Processing Personal Data itself.

Processor will take action promptly, to investigate a confirmed or reasonably suspected Personal Data Breach, to identify, prevent and mitigate the effects of any such Personal Data Breach.

Processor shall notify Controller of a Personal Data Breach affecting Personal Data processed on behalf of Controller, without undue delay and, where feasible, not later than forty-eight (48) hours after becoming aware of the Personal Data Breach. Said notification by Processor to Controller shall, to the extent the available to Processor, include the following: (i) the number of Data Subjects and categories of Personal Data affected by the Personal Data Breach; (ii) a point of contact for Controller to receive further information from Processor about the Personal Data Breach; (iii) the likely consequences of the personal data breach; and (iv) the measures taken or proposed to be taken by Processor to investigate and remediate the Personal Data Breach. After providing the initial notice to Controller, Processor shall continue to provide updated information relating to the Personal Data Breach as it becomes aware of such information.

Processor will maintain a documented incident response plan designed for managing Personal Data Breaches. This plan must at minimum include notifications, points of tact, backup procedures, and all relevant actions that are required to recover from an incident. Processor will regularly test its incident response plan.

Processor shall provide assistance to Controller to carry out, upon Controller's written request and with reasonable prior notice, a Data Protection Impact Assessment.

Processor, its Affiliates and sub-processors shall retain Personal Data for the period of time required by Data Protection Laws, other applicable laws or regulations, and as needed to comply with its legal and contractual obligations.

Upon (i) thirty (30) days following the effective date of termination of the Agreement and cessation of the associated Processing of Personal Data, as applicable; or (ii) the expiration of the retention periods required by Data Protection Laws, other regulations, or legal processes, Processor shall destroy or anonymize all copies of such Personal Data, and direct its sub-processors to undertake the same. Processor shall provide to Controller a written confirmation of the destruction or anonymization of Personal Data upon request. Personal Data contained in backups shall be deleted in accordance with Processor's standard retention policy.

Processor shall make available to Controller information necessary for Processor to demonstrate compliance with its obligations under this DPA. Processor shall provide to Controller information about Processor's technical and organizational measures, including third-party certifications and security documentation, upon the written request of Controller.

Controller may reasonably audit Processor's Processing if: (i) Processor fails to provide the information required under Section 8.1; (ii) an audit is requested by the Controller or a Supervisory Authority; (iii) once every twelve (12) months; or (iv) as otherwise required in accordance with Data Protection Law. Processor will cooperate with Controller, its internal auditors and DPA auditors for the purpose of auditing, inspecting, examining, and assessing Processor's and any of its sub-processors' compliance with the obligations defined in this DPA or the Agreement, as it relates to the services thereunder.

Controller shall give Processor at least thirty (30) days' prior written notice of any audit initiated pursuant to Section 8.2. The date, time, place, and scope of such audits shall be mutually agreed by the parties.

To the extent CCA applies to any Personal Data, such Personal Data will be disclosed by Controller to Processor for a "Business Purpose" and Processor will act as Controller's "Service Provider" as defined by CCPA. Processor will not retain, use, sell, share, rent, or tisclose Personal Data for any purpose other than for the specific purpose of providing Services as described in the Agreement or as permitted or required by CCPA.

Processor shall not combine Personal Data with other personal data received from, or on behalf off, other persons or collected form its own interaction with a consumer, except as permitted by the CCPA.

Controller has the right to monitor Processor's compliance with this DPA and, upon notice, to take reasonable and appropriate steps to stop and remediate Processor's unauthorized use of Personal Information.

Processor may disclose Personal Data to Processor's service providers as needed to provide the Service contracted by Controller.

Processor may engage service providers to fulfill Processor's Processing obligations. In such cases, Processor's service providers may be granted permission to Process Personal Data to the extent needed for Processor to provide Services.

Processor shall bind its service providers to comply with materially similar obligations to those included in this DPA.

"Affiliate" means each legal entity (other than non-operating holding companies) that is controlled by, or is or under common control with Processor on or after the Effective Date and for so long as such entity remains controlled by, or is under common control with Processor or Controller (where "controls", in its various forms herein, means the ownership of, or the power to vote, directly or indirectly, a majority of any class of voting securities of a corporation or limited liability company, or the ownership of any general partnership interest in any general or limited partnership.

"CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1978.00 et seq., and its implementing regulations and the California Privacy Rights and Enforcement Act of 2020.

"Data Protection Laws" means any and all legislation protecting the Personal Data of natural persons that is applicable to the processor of Personal Data including, but not limited to, GDPR, UK GDPR, CCPA, the Virginia Consumer Data Protection Act; the Colorado Privacy Act; the Utah Consumer Privacy Act; the Connecticut Data Privacy Act; the Oregon Consumer Privacy Act; the Texas Data Privacy and Security Act; the Florida Digital Bill of Rights; the Montana Consumer Data Privacy Act; the Nebraska Data Privacy Act; the New Hampshire Privacy Act; the Delaware Personal Data Privacy Act; the Iowa Consumer Data Protection Act; the New Jersey Data Privacy Act; the Tennessee Information Protection Act; the Minnesota Consumer Data Privacy Act; the Maryland Online Data Privacy Act; and other states that have enacted data privacy laws, and any legislation that supplements or amends the aforementioned.

"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ED (General Data Protection Regulation).

"Personal Data" means any information about an individual that (i) can be used to identify, contact, or locate a specific individual, (ii) can be combined with other information that can be used to identify, contact, or locate a specific individual, or (iii) is defined as "Personal Data" or "Personal Information" by Data Protection Laws or regulations relating to the collection, use, storage, or disclosure of the information about an identifiable individual.

"Restricted International Data Transfer" means a transfer of Personal Data from Controller to Processor where such transfer would be prohibited by Data Protection Laws in the absence of executed Standard Contractual Clauses.

"Standard Contractual Clauses" means the EEA Module 3 Controller to Controller Standard Contractual Clauses established by the Commission Implementing Decision (EU) 2021/915 of 4 June 2021.

"Sub-processor" means Processor Affiliates and third parties engaged by Processor or its Affiliates in connection with the Service and which Process Personal Data in accordance with this DPA.

"UK Data Protection Laws" means United Kingdom General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and any law implementing or supplementing such legislation.

The terms "Business Purpose," "Controller," "Data Exporter," "Data Importer," "Data Protection Impact Assessment," "Data Subject," "Personal Data Breach," "Processing," "Controller," "Service Provider," "Special Categories of Data," and "Supervisory Authority" shall have the meaning described in the Data Protection Laws, and in each case their cognate terms shall be construed accordingly.