Data Processing Agreement

These Terms reflect the parties’ agreement with respect to the terms governing the processing and security of Customer Data under the Agreement.

Supplier agrees to comply with the following provisions with respect to any Personal Data Processed by Supplier in connection with its provision of the Services. References to the Agreement will be construed as including this Data Processing Agreement (“DPA”) and, except as modified below, the terms of the Agreement shall remain in full force and effect. For the purpose of this DPA, Buyer is the Data Controller and Supplier is the Data Processor. Any capitalized terms not defined herein shall have the meanings given to them in the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA will prevail. In consideration of the mutual obligations set out herein and in the Agreement, the Parties hereby agree as follows.

  1. DEFINITIONS

    “Affiliates” shall mean subsidiaries and related entities to Buyer.

    “Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data.

    “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.

    “Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union (“EU”) and United Kingdom (“UK”), applicable to the Processing of Personal Data under the Agreement.

    “Data Subject” means the individual to whom Personal Data relates.

    “Personal Data” means any information relating to an identified or identifiable person. The types of Personal Data and categories of Data Subjects Processed under this DPA are set forth in Appendix B, Annex I attached hereto.

    “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).

    “Security Breach” has the meaning set forth in Section 7 of this DPA.

    “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as approved by European Commission Implementing Decision 2021/914, and equivalent Standard Contractual Clauses implemented by the UK under the UK GDPR.

  2. PROCESSING OF PERSONAL DATA

    2.1 The Parties agree that with regard to the Processing of Personal Data, Buyer is the Data Controller and Supplier is the Data Processor.

    2.2 Supplier shall process Personal Data in accordance with the requirements of the Data Protection Laws and Buyer will ensure that its instructions for the Processing of Personal Data shall comply with the Data Protection Laws. If Supplier believes or becomes aware that any of Buyer’s instructions conflicts with any Data Protection Laws, Supplier shall inform Buyer immediately at [email protected], or the relevant email address set forth in the Agreement.  

    2.3 Supplier shall implement technical and organizational measures in such a manner that the Processing of Personal Data complies with the Data Protection Laws.

    2.4 During the Term of the Agreement, Supplier shall only Process Personal Data on behalf of and in accordance with Buyer’s written instructions and shall treat Personal Data as confidential information.  Buyer instructs Supplier to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and any applicable orders; and (ii) Processing to comply with other reasonable written instructions provided by Buyer where such instructions are consistent with the terms of the Agreement. Supplier may Process Personal Data other than on the written instructions of Buyer if it is required under applicable law to which Supplier is subject. In this situation, Supplier shall inform Buyer at [email protected] or the relevant email address set forth in the Agreement of such requirement before Supplier Processes the Personal Data unless prohibited by applicable law. The objective of Processing of Personal Data by Supplier is the provision of the Services pursuant to the Agreement.

    2.5 Supplier shall not engage any further Sub-processors without the prior written consent of Buyer. Supplier agrees that any agreement with an approved Sub-processor shall include no less protective data protection obligations as set out in this DPA. Supplier shall remain responsible for any approved Sub-processor’s compliance with the obligations of this DPA.

  3. RIGHTS OF DATA SUBJECTS

    3.1 To the extent Buyer, in its use or receipt of the Services, does not have the ability to correct, amend, restrict, block or delete Personal Data, as required by Data Protection Laws, Supplier shall promptly comply with reasonable requests by Buyer to facilitate such actions to the extent Supplier is legally permitted and able to do so.

    3.2 Supplier shall, to the extent legally permitted, promptly notify Buyer at [email protected] or the relevant email address set forth in the Agreement if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the processing of that person’s Personal Data. Supplier shall not respond to any such Data Subject request without Buyer’s prior written consent except to confirm that the request relates to Buyer. To the extent that Buyer responds to any such Data Subject request, Supplier shall provide Buyer with commercially reasonable cooperation and assistance, including by implementing appropriate technical and organizational measures, in relation to handling of a Data Subject’s request, to the extent legally permitted.

  4. SUPPLIER PERSONNEL

    4.1 Supplier shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality and such obligations shall survive the termination of that individual’s engagement with Supplier.

    4.2 Supplier shall ensure that access to Personal Data is limited to those personnel who require such access to fulfill Supplier’s obligations under the Agreement.

  5. INDEMNITY

    Supplier shall indemnify and hold harmless Buyer, its officers, directors, employees, contractors, affiliates and agents from and against all claims, liabilities, administrative fines, suits, judgments, actions, investigations, settlements, penalties, fines, damages and losses, demands, costs, expenses, and fees including reasonable attorneys’ fees and expenses, arising out of or in connection with any claims, demands, investigations, proceedings, or actions brought by Data Subjects, legal persons (e.g., corporations and organizations), or supervisory authorities under the Data Protection Laws that apply to the Supplier or any Sub-processor engaged by Supplier in respect of the Personal Data Processed under this DPA. No limitation of liability will apply to the indemnity provided in this DPA.

  6. SECURITY; AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS

    6.1 Pursuant to Article 28, Section 3(c) of the General Data Protection Regulation (“GDPR”), Supplier shall take all measures required pursuant to Article 32 of the GDPR.

    6.2 Supplier will make available to Buyer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Buyer or another auditor mandated by Buyer.

    6.3 Supplier will reasonably cooperate with Buyer to assist Buyer in ensuring compliance with Articles 32 to 36 of the GDPR.

  7. SECURITY BREACH MANAGEMENT AND NOTIFICATION

    7.1 If Supplier becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on Supplier’s equipment or in Supplier’s facilities (“Security Breach”), Supplier will promptly: (i) notify Buyer of the Security Breach in accordance with Section 7.2 below; (ii) investigate the Security Breach and provide Buyer with all relevant information about the Security Breach; and (iii) take all steps to mitigate the effects and to minimize any damage resulting from the Security Breach.

    7.2 Notification(s) of Security Breaches will be promptly delivered to the following email addresses: [email protected] with subject line to include “ATTN: Security”.

  8. RETURN AND DELETION OF PERSONAL DATA

    Upon Buyer’s request, Supplier shall delete or return Personal Data to Buyer and shall delete existing copies unless applicable European Union or Member State law requires storage of such data.

  9. STANDARD CONTRACTUAL CLAUSES

    Where Buyer and/or its relevant affiliates are located in the EEA and/or UK and transfer Personal Data to Supplier and/or its relevant sub-processors located in non-adequacy approved third countries, Appendix A to this DPA shall apply. Additionally, where Buyer and its relevant affiliates are located in the UK and transfer Personal Data to Supplier and/or its relevant sub-processors located in non-adequacy approved third countries, Appendix B to this DPA shall also apply. Appendix A to this DPA contains certain interpretive and supplementary provisions regarding application of the Standard Contractual Clauses. The information required by Annexes 1 and 2 of the Standard Contractual Clauses is provided in Annexes 1 and 2 of this DPA. Appendix B to this DPA contains certain interpretive and supplementary provisions regarding application of the Standard Contractual Clauses to transfers from the UK.

  10. PARTIES TO THIS DPA

    Nothing in this DPA shall confer any benefits or rights on any person or entity other than the Parties to this DPA.

Appendix A
Applicable Standard Contractual Clauses and Supplemental Terms

Modules. The Standard Contractual Clauses are incorporated by reference into this DPA as follows:  where Buyer and/or its relevant affiliates are located in the EEA and/or UK, and Supplier and/or its relevant sub-processors are located in non-adequacy approved third countries, Module 2: Transfer controller to processor, Clauses 1 to 18 apply.  Annexes I-II to the Standard Contractual Clauses are attached hereto.

Specific Provisions.  Where the Standard Contractual Clauses identify optional provisions or provisions with multiple options, the following shall apply: (a) Clause 9 (Use of sub-processors) Option 1, Specific Prior Authorisation is exercised.  (b) In Clause 11(a) (Redress), the optional provision is omitted.  (c) In Clause 16(b) (Suspension of transfers), Buyer will suspend transfers of Personal Data only where required by Data Protection Law and will notify Supplier promptly, and prior to such suspension if practicable, so that Supplier may remedy the condition requiring suspension of transfers. (d) In Clause 17 (Governing law), Option 1 is exercised. The laws of Belgium shall govern with respect to data transfers involving the EEA, and the laws of the UK shall apply with respect to data transfers involving the UK.  (e) In Clause 18 (Choice of forum and jurisdiction), the courts of Belgium shall have jurisdiction with respect to data transfers involving the EEA, and the courts of the UK shall have jurisdiction with respect to data transfers involving the UK.

Additional Specific Provisions for UK data transfers.  With respect to data transfers involving the UK, Appendix B shall apply.

Notification and Transparency.  Where Buyer is required by the Standard Contractual Clauses to notify the competent supervisory authority, Buyer shall first provide Supplier with the details of the notification and permit Supplier to provide prior written input into the relevant notification, provided that such input does not unduly delay the notification.

Signatories.  Buyer and Supplier each agrees that their execution of the DPA is deemed to constitute its execution of the Standard Contractual Clauses, and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly.

ANNEX I TO APPENDIX B

A. LIST OF PARTIES & THEIR CAPACITIES.  The full name, address and contact details for the Data Exporter and Data Importer (as defined below) are set out in the Agreement. Module 2 applies where the data exporter and Data Controller is Buyer and its relevant affiliates, which are established in the EEA / exporting data from the EEA, and the data importer and Data Processor is Supplier and its relevant sub-processors located in non-adequacy approved third countries.

B. DESCRIPTION OF TRANSFER.

Categories of Data Subjects.  The data subjects about whom Personal Data is or may be transferred are Buyer’s customers, potential customers, and consultants.

Categories of Personal Data Transferred. The Personal Data that may be transferred concern the following categories of data: identification and contact details (including name and email address) and other Personal Data relevant to the purposes for which data is transferred.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. None.

Frequency of the Transfer. The frequency of the transfer may be either one-off or continuous, as described in the Agreement.

Nature of the Processing. Personal Data may be Processed in any of the following ways: receiving, storing, analyzing, and otherwise Processing data made available by or on behalf of Buyer as provided in the Agreement.

Purpose(s) of the Data Transfer and further Processing.  Personal Data shall be transferred and/or Processed only in connection with specific commercial objectives. Personal Data will be Processed to provide Services to Buyer as described in the Agreement.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine the period.  Personal Data will generally be retained only for such period as it has continuing relevance to commercial objectives or as may be necessary to provide, or receive the full benefits of, the Services, unless otherwise required to be deleted by applicable law, legal requirement, or data retention policy.

For transfers to sub-processors, the Supplier shall specify subject matter, nature and duration of Processing to Buyer in the sub-processor notice required of the Processor by the terms of this DPA.

C. COMPETENT SUPERVISORY AUTHORITY.  Please see Appendix B above.

ANNEX II TO APPENDIX B

Description of the technical and organizational security measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:  See the Agreement.

APPENDIX B
UK International Data Transfer Addendum

Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables
Table 1: Parties

Start date: The start date is the effective date of the Agreement

| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
|---|---|---|
| Parties’ details | Full legal name: See Annex I(A) to Appendix A; Trading name (if different): See Annex I(A) to Appendix A; Main address (if a company registered address): See Annex I(A) to Appendix A; Official registration number (if any) (company number or similar identifier): See Annex I(A) to Appendix A | Full legal name: See Annex I(A) to Appendix A; Trading name (if different): See Annex I(A) to Appendix A; Main address (if a company registered address): See Annex I(A) to Appendix A; Official registration number (if any) (company number or similar identifier): See Annex I(A) to Appendix A |
| Key Contact | As noted in the Agreement. | As noted in the Agreement. |
| Signature (if required for the purposes of Section 2) | N/A | N/A |

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs: X the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
|---|---|---|---|---|---|---|
| 1 | | | | | | |
| 2 | X | X | | Specific Authorisation | As described in the Agreement | |
| 3 | | | | | | |
| 4 | | | | | | |


Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: See Annex I(A) to Appendix B
Annex 1B: Description of Transfer: See Annex I(B) to Appendix B
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Annex II to Appendix B
Annex III: List of Sub processors (Modules 2 and 3 only): Provided in Agreement

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19:

Importer, to the extent the importer is Controller

Exporter, to the extent the exporter is Controller

neither Party

Part 2: Mandatory Clauses

Mandatory Clauses

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.