DATA PROCESSING ADDENDUM

This DATA PROCESSING ADDENDUM ("DPA") forms part of the agreement (the "Agreement") between: (i) Orbital Technologies Inc. (“Vendor”), acting on its own behalf; and (ii) Customer (“Customer”) acting on its own behalf (Vendor and Customer will together be referred to as the “Parties”).

 

The terms used in this DPA shall have the meanings set forth in this Addendum.  Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.  In the case of conflict or ambiguity between this Addendum and the Agreement, the provision in this Addendum will prevail.  Except as modified below, the terms of the Agreement shall remain in full force and effect.

  1. Definitions

  1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

  1. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Vendor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

  2. “CCPA” means the California Consumer Privacy Act of 2018, California Civil Code Section 1798.100, et seq., and, effective January 1, 2023, as amended by the California Privacy Rights Act of 2020 (“CPRA”), and its implementing regulations.

  3. “Data Breach” means a breach of security leading to the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, access to, or other Processing of Personal Data transmitted, stored, or otherwise Processed;

  4. “Data Protection Laws” means all data protection laws and regulations applicable to a Party’s Processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Laws and the CCPA;

  5. “Data Subject Request” means a request made by a Data Subject in accordance with the rights granted under Data Protection Laws, including but not limited to requests to know, delete and opt-out under the CCPA and requests to access, rectify, erase, restrict Processing, data portability, object to Processing and not to be subject to automated individual decision making under EU Data Protection Laws.

  6. “EU Data Protection Laws” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) in respect of the United Kingdom (“UK”), any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union; and (v) in respect of Switzerland, the Federal Act on Data Protection of 19 June 1992 (“FADP”);

  7. “Europe” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.

  8. “EU Standard Contractual Clauses” means the contractual clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, amended as indicated in Section 14.4 of this DPA;

  9. “Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person or particular household;

  10. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data by Vendor or its Subprocessors, or in connection with and for the purposes of the provision of the Services, whether or not accomplished by automatic means, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction; and as defined by Data Protection Laws;

  11. “Sensitive Data” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of "special categories of data" or "special personal information" under applicable Data Protection Laws;

  12. “Services” means the services and other activities to be supplied to or carried out by or on behalf of Vendor for Customer pursuant to the Agreement;

  13. "Subprocessor" means any person appointed by or on behalf of Vendor to Process Personal Data to fulfill Vendor’s obligations with respect to providing the Services pursuant to the Agreement or this DPA.  Subprocessors may include third parties or Affiliates of Vendor but shall exclude employees, contractors, or consultants of Vendor or Subprocessors.

  14. “U.K. GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

  15. “U.K. Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data from controllers to processors established in third countries which do not ensure an adequate level of protection, as described in Article 46 of the UK GDPR and approved by the European Commission decision 2010/87/EU.

  1. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data Breach”, and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

  2. The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

  2. Processing of Personal Data.

  1. Roles of the Parties.  The parties acknowledge and agree that with respect to the Processing of Personal Data under the Agreement, Customer is the Controller, and Vendor is the Processor or Service Provider.  The subject matter, duration, purpose of the Processing, and types of Personal Data and categories of Data Subjects under this DPA are set forth in Annex A.

  2. Sensitive Data.  Customer shall not provide (or cause to be provided) any Sensitive Data to Vendor under the Agreement, and Vendor will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise.  For the avoidance of doubt, this DPA will not apply to Sensitive Data.

  3. Customer Obligations.  Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its Processing of Personal Data and any processing instructions it issues to Vendor; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Vendor to Process Personal Data for the purposes described in the Agreement.  Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.  Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any content created, sent or managed through the Service.

  4. Vendor’s Obligations.  Vendor will adhere to applicable Data Protection Laws in Processing Personal Data according to the processing instructions issued by Customer.  Vendor will Process Personal Data only in accordance with Customer’s documented written instructions.  The Parties agree that the Agreement sets out Customer’s complete and final instructions to Vendor in relation to the Processing of Personal Data, and processing outside of the scope of these instructions (if any) shall require prior written agreement of both of the Parties.

  5. Lawfulness of Customer’s Instructions.  Customer shall ensure that Vendor’s processing of Personal Data in accordance with Customer’s instructions will not cause Vendor to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws.  

  6. Details of the Processing.  The subject-matter of the Processing of Personal Data by Vendor is the performance of the Services pursuant to the Agreement.  The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Annex A hereto.

  3. Subprocessing.

  1. General Authorization.  Customer generally authorizes the use of Subprocessors to Process Personal Data in connection with fulfilling Vendor’s obligations under the Agreement and/or this DPA.  A list of current Subprocessors can be viewed at https://useorbital.com/legal/subprocessors (the “Subprocessor List”).  Customer hereby authorizes Vendor to engage the Subprocessors listed in the Subprocessor List.

  2. New Subprocessors.  When Vendor engages a new Subprocessor to Process Personal Data, Vendor will, at least ten (10) days before the new Subprocessor begins Processing Personal Data, notify Customer by updating the Subprocessor List.

  3. Communication With Subprocessors.  Customer shall not directly communicate with Vendor’s Subprocessors about the Services, unless agreed to in writing by Vendor in Vendor’s sole discretion.

  4. Security.

  1. Vendor’s Personnel.  Vendor shall ensure that any person who is authorized by Vendor to process Personal Data (including its staff and agents) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

  2. Security Measures.  Vendor shall implement and maintain commercially reasonable technical and organizational measures that are designed to protect against Data Breaches involving, and unauthorized or accidental destruction, loss, alteration or damage, unauthorized disclosure of or access to, Personal Data and designed to preserve the security and confidentiality of Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in accordance with the security standards described in Annex D (the “Security Measures”).

  3. Updates to Security Measures.  Customer acknowledges that the Security Measures are subject to technical progress and development and that Vendor may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided to Customer.

  4. Customer’s Obligations Regarding Security Measures.  Customer is responsible for independently determining whether the Security Measures adequately meet its obligations under applicable Data Protection Laws.  Customer is also responsible for its secure use of the Services, including protecting the security of Personal Data in transit to and from the Services (including securely backing up or encrypting any such Personal Data).

  5. Security Breach.

  1. Notification.  In the event that Vendor becomes reasonably aware of any Security Breach, Vendor will use good faith efforts to notify Customer of the Security Breach without undue delay, but in no event later than five (5) business days after Vendor becomes reasonably aware of the Security Breach.  The notification obligations in this Section 5 do not apply to incidents that are caused by Customer or Customer’s personnel or users or to unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewall or networked systems.

  2. Manner of Notification.  Notification of a Security Breach, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means that Vendor selects, including via electronic mail.  It is Customer’s sole responsibility to ensure that it maintains accurate contact information with Vendor at all times.

  3. Data Breach Management.  Vendor shall make commercially reasonable efforts to identify the cause of a Data Breach and take those steps that Vendor deems necessary and reasonable to remediate the cause of such Data Breach to the extent that remediation is within Vendor’s reasonable control.

  6. Termination.

  1. Termination.  This DPA shall terminate automatically upon the later of (a) the termination or expiry of the Agreement, or (b) Vendor’s deletion or return of the Personal Data to Customer.  

  2. Return or Deletion of Data.  Upon termination or expiration of this DPA, Vendor shall (at Customer’s election) delete or return to Customer all existing copies of Personal Data, unless Data Protection Laws require continued retention of the Personal Data.  Upon Customer’s request, Vendor shall confirm compliance with these obligations in writing.  This requirement shall not apply to Personal Data that Vendor has archived on backup systems, which Personal Data shall be deleted by Vendor at such time as Vendor next restores to its active systems the backup that contains the Personal Data.

  7. Data Subject Requests.

  1. Data Subject Requests.  In the event that a Data Subject Request is made to Vendor, Vendor shall not respond to the Data Subject Request directly, except to direct the Data Subject to contact Customer directly or as required by Data Protection Laws.  If Vendor is required by Data Protection Laws to respond to the Data Subject Request, it shall notify Customer by any means that Vendor selects, including via electronic mail, unless prohibited from doing so by Data Protection Laws.  For the avoidance of doubt, nothing in the Agreement or the DPA shall restrict or prevent Vendor from responding to any Data Subject Request or request or inquiry from a Data Protection Authority in relation to Personal Data for which Vendor is a Controller.  

  8. Jurisdiction Specific Terms.

  1. To the extent that Vendor Processes Personal Data subject to the GDPR, the terms of Annex B shall apply and are hereby incorporated into the DPA by this reference.  To the extent that Vendor Processes Personal Data subject to the CCPA, the terms of Annex C shall apply and are hereby incorporated into the DPA by this reference.

  9. Limitation of Liability.

  1. Limitation of Liability.  To the extent permitted by applicable Data Protection Laws, each Party’s (and all of that Party’s Affiliates’) liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement.

  2. Claims by Customer.  Any claims made against Vendor or its Affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Customer entity that is a party to the Agreement.

  3. Exclusion.  In no event shall any Party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.

  10. Concluding Provisions.

  1. Amendments.  This DPA may not be amended or supplemented, nor shall any of its provisions be deemed to be waived or otherwise modified, except through a writing duly executed by authorized representatives of Vendor and Customer.

  2. Severability.  Should any provision of this DPA or any of the Annexes be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force.  The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained herein.

  3. Governing Law.  This DPA will be governed by and construed in accordance with the laws of the jurisdiction selected in the Agreement, without regard to conflict of laws provisions, unless required otherwise by Data Protection Laws.

  4. Notice.  Any notices that are required to be provided in this DPA shall be provided in accordance with any notice provision of the Agreement, unless otherwise specified.

  5. Authorization.  Customer represents that it is authorized to agree to and enter into this DPA.


ANNEX A TO DPA

DESCRIPTION OF THE PROCESSING

  1. Subject Matter and Details of the Processing

The Parties acknowledge and agree that

  1. the subject matter of the Processing under the Agreement is Vendor’s provision of the Services, as set out in the Agreement;
  2. the duration of the Processing is from Vendor’s receipt of Personal Data until deletion of all Personal Data by Vendor in accordance with the Agreement;
  3. the nature and purpose of the Processing is to provide Vendor’s Services;
  4. the categories of Data Subjects to whom the Personal Data pertains are the individuals about whom Vendor processes Personal Data in connection with the Services, including: Customer’s employees, contractors, consultants, agents, and other authorized end users.

The Parties acknowledge and agree that (i) the subject matter of the Processing under the Agreement is Vendor’s provision of the Services; (ii) the duration of the Processing is until the termination of the Agreement in accordance with its terms; (iii) the nature and purpose of the Processing is to provide the Services; (iv) the Data Subjects to whom the Personal Data pertains are individuals about whom Vendor processes Personal Data in connection with the Services; and (v) the Personal Data are provided by Customer or its users in connection with the Services.

  1. Types of Personal Data to Be Processed

  1. Categories of Data Subjects

  1. Categories of Sensitive Data to Be Processed

None.

  1. Obligations and Rights of the Controller

The obligations and rights of Customer are as set out in the Agreement and the DPA.


ANNEX B TO DPA

PROVISIONS APPLICABLE TO PROCESSING OF PERSONAL DATA
SUBJECT TO EU DATA PROTECTION LAWS

The provisions of this Annex B will apply to the Processing by Vendor of Personal Data under the Agreement, but only to the extent that the Processing of Personal Data is subject to EU Data Protection Laws.  In the event of any conflict between the provisions of this Annex B and the DPA or the Agreement, the provisions of this Annex B shall control.

  1. Processing of Personal Data.

  1. Roles of the Parties.  When Processing Personal Data that is subject to EU Data Protection Law in accordance with Customer’s instructions, the Parties acknowledge that Customer is the Controller of the Personal Data and Vendor is the Processor.

  2. Legality of Processing Instructions.  Vendor shall inform Customer in writing, including by electronic mail, if it believes that an instruction of Customer relating to the Processing of Personal Data infringes on EU Data Protection Laws.

  2. Subprocessors.

  1. Objection to New Subprocessors.  If Customer has a reasonable objection to the addition of a new Subprocessor to the Subprocessor List in accordance with Section 3.2 of the DPA, Customer must notify Vendor of the objection in writing within ten (10) calendar days of the addition of the new Subprocessor to the Subprocessor List.  If Customer does not notify Vendor in writing of an objection within ten (10) calendar days, Customer waives any objection that it may have had to the new Subprocessor.  If Customer submits an objection in accordance with this Section 2, the Parties agree to discuss Customer’s concerns in good faith with a view toward achieving a commercially reasonable resolution.  If no such resolution can be reached within thirty (30) calendar days, Vendor may, at its option, either (a) withdraw the objectionable Subprocessor and either perform the Services itself, or appoint a new Subprocessor in accordance with the terms of Section 3.2 of the DPA, or (b) permit Customer to suspend or terminate the Services and the Agreement in accordance with the termination provisions of the Agreement without liability to either party (but Customer must pay any fees incurred for Services actually performed by Vendor prior to suspension or termination in accordance with the terms of the Agreement).  The parties agree that by complying with this Section 2, Vendor fulfills its obligations under Section 9 of the Standard Contractual Clauses.

  1. Subprocessor Contractual Terms.  Vendor will contractually impose data protection obligations on its Subprocessors that are equivalent to those data protection obligations imposed on Vendor under the DPA and this Annex B.

  2. Liability for Acts/Omissions of Subprocessors.  Vendor shall remain liable for the acts and omissions of its Subprocessors to the same extent that Vendor would be liable if it performed the services of each Subprocessor directly under the terms of this DPA.

  3. Data Subject Requests.  Taking into account the nature of the Processing, Vendor shall assist Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request.

  4. Data Protection Impact Assessment.  To the extent required under applicable Data Protection Laws, Vendor shall (taking into account the nature of the processing and the information available to Vendor) provide all reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with Supervisory Authorities as required by Data Protection Laws.  Vendor shall comply with the foregoing by: (i) complying with Section 5 (Audits) of this Annex B; (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing subsections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance (at Customer’s expense).

  5. Audits.

  1. Audits Generally.  Vendor will make information reasonably necessary to demonstrate compliance with this DPA available to Customer.  Customer may audit Vendor’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by applicable Data Protection Laws, including where mandated by Customer’s Supervisory Authority.  Any audit must be conducted during regular business hours, subject to the agreed final audit plan as set forth in Section 5.3 of this Annex B and subject to Vendor’s safety, security or other relevant policies, and may not unreasonably interfere with Vendor’s business activities.

  2. Third Party Auditors.  If a third party is to conduct an audit under Section 5.1 of this Annex B, Vendor may object to the auditor if the auditor is, in Vendor’s reasonable opinion, a competitor of Vendor.  Such objection by Vendor will require Customer to appoint another auditor or conduct the audit itself.  Customer will be responsible for all fees charged by any auditor appointed by Customer to execute any audit under this Section 5.

  3. Audit Plan.  Aside from an audit of a Supervisory Authority, to request an audit, Customer must submit a detailed proposed audit plan to Vendor at least thirty (30) calendar days in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the Parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof.  The proposed audit plan must describe the scope, duration and start date of the audit.  Vendor will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Vendor’s security, privacy, employment or other relevant policies).  Vendor will work cooperatively with Customer to agree on a final audit plan.  Nothing in this Section 5.3 shall require Vendor to disclose any information where such disclosure would result in a breach of any duty of confidentiality.

  4. Third Party Audit Reports.  If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Vendor has confirmed there are no known material changes in the controls audited, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures.

  5. Subprocessor Information.  Nothing in this Section 5 shall be construed to require Vendor to furnish more information about its Subprocessors in connection with such audits than such Subprocessors make available to Vendor without restriction on further disclosure.

  6. Audit Reports.  Customer will promptly notify Vendor of any non-compliance discovered during the course of an audit and provide Vendor any audit reports generated in connection with any audit under this Section 5 unless prohibited by applicable Data Protection Laws or otherwise instructed by a Supervisory Authority.  Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA.  If any audit reveals that Vendor is not in compliance with the provisions of this DPA and/or applicable Data Protection Laws, Vendor shall take commercially reasonable corrective actions including temporary work-arounds reasonably necessary to comply with the provisions of this DPA and/or applicable Data Protection Laws.

  6. Cross-Border Data Transfers.

  1. Processing in the United States.  Customer acknowledges that, as of the date of this DPA, Vendor’s primary Processing facilities are located in the United States.

  2. EU Standard Contractual Clauses:  For data transfers from the European Economic Area to a country that has not been deemed by the European Commission to provide an adequate level of protection of Personal Data pursuant to Article 45 of the GDPR, Module Two of the EU Standard Contractual Clauses (EEA controller to a non-EEA processor) will apply in the following manner:

  1. In Clause 7, the optional docking clause will not apply;

  2. In Clause 9(a), Option 2 will apply, and the time period for notice of Subprocessor changes will be as set forth in Section 3.2 (Subprocessing) of the DPA;

  3. In Clause 11, the optional language will not apply;

  4. In Clause 17, Option 1 will apply, and the EU Standard Contractual Clauses will be governed by Irish law;

  5. In Clause 18(b), disputes will be resolved before the courts of Ireland;

  6. In Annex I, Part A:

  1. Data Exporter:  Customer and authorized affiliates of Customer;

  2. Contact Details:  Customer's account owner email address, or to the email address(es) for which Customer elects to receive privacy communications.

  3. Data Exporter Role:  The Data Exporter’s role is defined in Section 2 of this DPA.

  4. Signature & Date:  By entering into this DPA, Data Exporter is deemed to have signed the EU Standard Contractual Clauses (Module 2) incorporated herein, including their Annexes, as of the date of this DPA.

  5. Data Importer:  Vendor.

  6. Contact Details:  Orbital Privacy – privacy@useorbital.com

  7. Data Importer Role:  The Data Importer’s role is outlined in Section 2 of this DPA.

  8. Signature & Date:  By entering into this DPA, Data Importer is deemed to have signed the EU Standard Contractual Clauses (Module 2) incorporated herein, including their Annexes, as of the date of this DPA.

  1. In Annex I, Part B:

  1. The categories of Data Subjects are described in Annex A, Section 1 to this DPA.

  2. The Sensitive Data transferred is described in Annex A, Section 3 to this DPA.

  3. The frequency of the transfer is a continuous basis for the duration of the Agreement.

  4. The nature of the processing is described in Annex A, Section 1 to this DPA.

  5. The purpose of the processing is described in Annex A, Section 1 to this DPA.

  6. The period of the processing is described in Annex A, Section 1 to this DPA.

  7. For transfers to Subprocessors, the subject matter and nature of the processing is outlined at https://useorbital.com/legal/subprocessors.

  1. In Annex I, Part C, the competent Supervisory Authority is The Irish Data Protection Commission.

  2. Annex D to this DPA serves as Annex II to the EU Standard Contractual Clauses.

  1. U.K. Standard Contractual Clauses:  For data transfers from the United Kingdom to a country that has not been deemed by the United Kingdom Information Commissioner’s Office to provide an adequate level of protection of Personal Data pursuant to Article 45 of the U.K. GDPR, the U.K. Standard Contractual Clauses will apply in the following manner:

  1. The illustrative indemnification clause will not apply;

  2. Annex A serves as Appendix 1 to the U.K. Standard Contractual Clauses; and

  3. Annex D serves as Appendix 2 to the U.K. Standard Contractual Clauses.

  1. Additional Safeguards.  In the event of transfer of Personal Data from the European Economic Area, Switzerland or the United Kingdom to a jurisdiction that has not been deemed to provide an adequate level of protection for Personal Data by the European Commission or the United Kingdom Information Commissioner’s Office (as applicable), the Parties agree to supplement the provisions of the EU Standard Contractual Clauses and/or the U.K. Standard Contractual Clauses with the following safeguards and representations, where appropriate: 

  1. Vendor shall implement and maintain in accordance with good industry practice measures, including the use of industry standard encryption, to protect the Personal Data from interception (including in transit from the Customer to Vendor and between different systems and services).  This includes having in place and maintaining network protection and industry standard encryption intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.

  2. Vendor will make commercially reasonable efforts to resist, subject to applicable Data Protection Laws and other applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the U.K. GDPR, including under Section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”);

  3. If Vendor becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:

  1. Vendor shall inform the relevant governmental authority that Vendor is a Processor of the Personal Data and that Customer has not authorized Vendor to disclose the Personal Data to the governmental authority, and inform the relevant governmental authority that any and all requests or demands for access to Personal Data should therefore be notified to or served upon Customer in writing.

  2. Vendor will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Information which is under Vendor’s control.  Notwithstanding the above, (a) Customer acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended governmental authority access; and (b) if, taking into account the nature, scope, context and purposes of the intended governmental authority access to Personal Data, Vendor has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this Section 6.4.3.2 shall not apply.  In such event, Vendor shall notify Customer, as soon as practicable, following the access by the governmental authority, and provide Customer with relevant details of the same, unless and to the extent Vendor is legally prohibited from doing so.

  1. Except to the extent prohibited by law, once every 12-month period, Vendor will inform Customer, at Customer’s written request, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under Section 702 of FISA.

  2. If Vendor is prohibited by law from disclosing to Customer the existence of a request for information by a law enforcement entity under Section 702 of FISA or other similar legal process, Vendor shall take all reasonable steps to attempt to have the prohibition on disclosure removed, and shall promptly notify Customer of the request as soon as legally permitted.

  1. Conflicts.  To the extent there is any conflict between the EU Standard Contractual Clauses or the U.K. Standard Contractual Clauses and any other terms in this DPA, including Section 8.1 (Jurisdiction Specific Terms), the provisions of the EU Standard Contractual Clauses will prevail, but only to the extent that the EU Standard Contractual Clauses and/or the U.K. Standard Contractual Clauses apply.

  2. Amendments to EU Standard Contractual Clauses or U.K. Standard Contractual Clauses.  If the European Commission, the United Kingdom Information Commissioner’s Office or a Supervisory Authority amends the EU Standard Contractual Clauses or the U.K. Standard Contractual Clauses, the parties shall promptly discuss the proposed amendments and negotiate in good faith with a view toward agreeing and implementing those amendments as soon as is reasonably practicable.


ANNEX C TO DPA

PROVISIONS APPLICABLE TO PROCESSING OF
PERSONAL DATA SUBJECT TO THE CCPA

The provisions of this Annex C will apply to the Processing by Vendor of Personal Data under the Agreement only to the extent that the Processing of Personal Data is subject to the CCPA; in which case, in the event of any conflict between the provisions of this Annex C and the DPA or the Agreement, the provisions of this Annex C shall control.

  1. Definitions.  As used in this Annex C, the terms “Business Purpose”, “Person”, “Personal Information”, “Sale” and “Service Provider” shall have the same meaning as in the CCPA (California Civil Code Section 1798.140), and their cognate terms shall be construed accordingly.

  2. Roles of the Parties.  The Parties acknowledge and agree that, with regard to the Processing of Personal Data that constitutes Personal Information performed solely on behalf of Customer, Vendor is a Service Provider and receives Personal Data pursuant to the Business Purpose of providing the Services to Customer under the Agreement.

  3. No Sale of Personal Data to Vendor.  Customer and Vendor hereby acknowledge and agree that in no event shall the transfer of Personal Data that constitutes Personal Information from Customer to Vendor pursuant to the Agreement constitute a Sale of Personal Information to Vendor, and that nothing in the Agreement shall be construed as providing for the Sale of Personal Information.  The Parties acknowledge and agree that Vendor’s access to Personal Data that constitutes Personal Information does not constitute part of the consideration exchanged by the Parties in respect of the Agreement.

  4. Limitations on Use and Disclosure.  Vendor will not sell the Personal Data that constitutes Personal Information Processed under this DPA and will not retain, use or disclose the Personal Data that constitutes Personal Information for any purposes other than the specific purpose of performing the Services as provided in the Agreement, the Business Purposes specified in the Agreement, and as required under the CCPA.  Vendor shall not retain, use or disclose Personal Data that constitutes Personal Information outside of the direct business relationship between Vendor and Customer.  Vendor hereby certifies that it understands the foregoing restriction and will comply with it in accordance with the requirements of the CCPA.

  5. Compliance With CCPA.  Vendor shall comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Data that constitutes Personal Information as required by the CCPA.  If Vendor determines that it can no longer meet its obligations under the CCPA, it shall notify Customer in writing (including by email).

  6. Monitoring Compliance with CCPA.  Customer shall have the right to take reasonable and appropriate steps to help to ensure that Vendor uses the Personal Data that constitutes Personal Information in a manner that is consistent with Customer’s obligations under the CCPA.  The Parties agree that those reasonable and appropriate steps are listed in Section 5 of Annex B to this DPA.

  7. Combining Personal Information.  Vendor shall not combine Personal Data that constitutes Personal Information that Vendor receives from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another Person or Persons, or collects from its own interaction with the Data Subject (except to perform a Business Purpose as defined in regulations adopted pursuant to the CCPA).


ANNEX D TO DPA

SECURITY MEASURES

The technical and organizational measures implemented by Vendor pursuant to Section 4.2 of the DPA shall be as follows:

  1. Security Staffing and Background Checks.

  1. Audit and Risk Assessment. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Vendor’s organization, monitoring and maintaining compliance with Vendor’s policies and procedures, and reporting the condition of Vendor’s information security and compliance to internal management. 

  1. Security Controls.  Data security controls which include, at a minimum:

  1. Access Controls.

  1. Password Security.  Password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and requiring that Vendor’s passwords that are assigned to its employees:

  1. System Event Logging.  System audit or event logging and related monitoring procedures to proactively record user access and system activity.

  1. Physical Security.  Physical and environmental security of areas containing Personal Data managed by Vendor that are designed to:

  1. Operational Procedures. Operational procedures and controls designed to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media designed to render data contained therein as undecipherable or unrecoverable prior to final disposal or release from Vendor’s possession.

  1. Change Management.  Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to Vendor’s technology and information assets.

  1. Incident Response.  Incident response management procedures designed to allow Vendor to investigate, respond to, mitigate and notify of events related to Vendor’s technology and information assets.

  1. Network Security.  Network security controls that utilize firewalls and segregated access, and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

  1. Vulnerability Management Processes.

  1. Business Continuity/Disaster Recovery.  Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.  Vendor Business Continuity and Disaster Recovery procedures (including restoration from backups) are reviewed and tested annually.

  1. Policy Review.  Vendor’s security and privacy policies are reviewed and approved annually for Vendor’s business operations.