Data Processing Addendum

Document Version: v1.0 (2025-11-24)

Last Updated: November 24, 2025

This Data Processing Addendum ("Addendum") is entered into between [Controller Name], a company incorporated under the laws of [Jurisdiction] with registered address at [Address] ("Controller"), and AiTato, a company incorporated under the laws of [Jurisdiction] with registered address at [Address] ("Processor").

This Addendum shall form an integral part of the main Services Agreement between the parties dated [Effective Date] (the "Main Agreement"). In the event of any conflict between this Addendum and the Main Agreement, this Addendum shall prevail.

1. DEFINITIONS

1.1 "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with, a party. For the purposes of this definition, "control" means ownership of more than fifty percent (50%) of the voting securities or other ownership interests.

1.2 "Data Protection Law" means all applicable data protection and privacy laws, including but not limited to: (a) the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); (b) the UK GDPR; (c) any national implementing laws; and (d) any other applicable privacy legislation.

1.3 "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.4 "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.5 "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.6 "Processor" means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

1.7 "Data Subject Request" means any request made by a data subject to exercise their rights under Data Protection Law, including but not limited to requests for access, correction, erasure, restriction, data portability, or to object to Processing.

1.8 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

1.9 "Standard Contractual Clauses" means the standard contractual clauses adopted by the European Commission for the transfer of Personal Data to third countries, as amended or replaced from time to time.

1.10 "Services" means the services provided by Processor to Controller under the Main Agreement, as more particularly described in Schedule 1.

2. APPOINTMENT AND SCOPE

2.1 Controller appoints Processor to Process Personal Data on its behalf in connection with the provision of the Services, and Processor accepts such appointment.

2.2 Processor shall only Process Personal Data in accordance with Controller's lawful instructions, as set out in this Addendum and the Main Agreement.

2.3 The nature, scope, categories of Personal Data, categories of data subjects, and purposes of Processing are set out in Schedule 1 to this Addendum.

2.4 Processor shall not engage any sub-processor without Controller's prior written consent. Any such consent may be given or withheld by Controller in its reasonable discretion.

2.5 If Processor engages a sub-processor, Processor shall: (a) ensure that the sub-processor is bound by obligations equivalent to those set out in this Addendum; (b) remain fully liable to Controller for the sub-processor's performance of its obligations; and (c) notify Controller without undue delay if the sub-processor fails to meet its obligations.

3. DATA PROTECTION COMPLIANCE

3.1 Processor shall comply with all applicable Data Protection Law in the performance of its obligations under this Addendum.

3.2 Processor shall process Personal Data only as necessary for the provision of the Services and in accordance with Controller's documented instructions.

3.3 If Processor believes that any instruction from Controller infringes Data Protection Law, Processor shall notify Controller immediately and shall not implement the instruction until Controller has confirmed or amended it in writing.

3.4 Processor shall maintain records of all Processing activities carried out on behalf of Controller, as required by Data Protection Law, and shall make such records available to Controller and the relevant supervisory authority upon request.

3.5 Processor shall ensure that all personnel authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. SECURITY MEASURES

4.1 Processor shall implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction or damage, appropriate to the risk represented by the Processing and the nature of the Personal Data to be protected.

4.2 Without prejudice to the generality of clause 4.1, Processor shall maintain at least the following security measures:

  • 4.2.1 A comprehensive information security management system, including policies and procedures covering all aspects of data security
  • 4.2.2 Access control measures to ensure that only authorised personnel have access to Personal Data
  • 4.2.3 Encryption of Personal Data both in transit and at rest
  • 4.2.4 Regular security testing, including vulnerability assessments and penetration testing at least annually
  • 4.2.5 A privacy and security incident management program, including procedures for detecting, reporting and investigating security incidents
  • 4.2.6 A privacy and security awareness training program for all relevant personnel, with regular refresher training
  • 4.2.7 Business continuity and disaster recovery plans, including regular testing and backups of Personal Data
  • 4.2.8 Procedures to conduct periodic independent security risk evaluations
  • 4.2.9 Measures to ensure the security of any equipment or systems used to Process Personal Data
  • 4.2.10 Regular reviews and updates of security measures to address new threats and vulnerabilities

5. DATA SUBJECT RIGHTS

5.1 Processor shall promptly notify Controller (within 24 hours) of any Data Subject Request or any communication from a supervisory authority relating to the Processing of Personal Data.

5.2 Processor shall provide Controller with all necessary assistance and information to enable Controller to respond to Data Subject Requests in accordance with Data Protection Law, including within any time limits specified by Data Protection Law.

5.3 Processor shall not respond to any Data Subject Request or communication from a supervisory authority without Controller's prior written authorisation, except as required by Data Protection Law.

5.4 Controller shall reimburse Processor for any reasonable costs incurred by Processor in providing assistance under this clause 5, unless such costs are already included in the fees payable under the Main Agreement.

6. PERSONAL DATA BREACH NOTIFICATION

6.1 Processor shall notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of Controller. The parties acknowledge that Controller may itself be required under Data Protection Law to notify the supervisory authority within 72 hours of becoming aware of a Personal Data Breach; Processor shall therefore give initial notice as soon as a breach is confirmed and shall, where the information listed in clause 6.2 is not all available at once, provide it in phases without further undue delay.

6.2 The notification under clause 6.1 shall include at least the following information:

  • (a) A description of the nature of the Personal Data Breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
  • (b) The name and contact details of the data protection officer or other contact point where more information can be obtained;
  • (c) A description of the likely consequences of the Personal Data Breach;
  • (d) A description of the measures taken or proposed to be taken by Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
  • (e) Any other information that may assist Controller in responding to the Personal Data Breach.

6.3 Processor shall cooperate fully with Controller and provide all necessary assistance to enable Controller to comply with its obligations under Data Protection Law relating to the Personal Data Breach, including notifying the supervisory authority and/or data subjects where required.

6.4 Processor shall maintain a record of all Personal Data Breaches affecting Personal Data Processed on behalf of Controller and shall make such records available to Controller upon request.

7. INTERNATIONAL DATA TRANSFERS

7.1 Processor shall not transfer Personal Data to a third country or an international organisation unless: (a) Controller has given prior written consent; and (b) appropriate safeguards are in place to protect the Personal Data, as required by Data Protection Law.

7.2 Where Personal Data is transferred from the European Economic Area ("EEA") or the United Kingdom ("UK") to a third country that has not been deemed to provide an adequate level of protection by the European Commission or UK Government respectively, the parties agree that the transfer shall be governed by the Standard Contractual Clauses.

7.3 The parties acknowledge and agree that:

  • (a) For transfers from the EEA, the 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) shall apply;
  • (b) For transfers from the UK, the UK International Data Transfer Agreement ("IDTA") and/or Addendum to the EU SCCs shall apply, as appropriate;
  • (c) For transfers from Controller to Processor, Controller shall be the "data exporter" and Processor shall be the "data importer" for the purposes of the Standard Contractual Clauses;
  • (d) Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply to transfers from Controller to Processor, and Module Three (Processor to Processor) shall apply to any onward transfer from Processor to a sub-processor permitted under clause 7.4.

7.4 Processor shall not transfer Personal Data to any sub-processor located in a third country unless the requirements of this clause 7 are satisfied in respect of such transfer.

7.5 Processor shall provide Controller with any information reasonably requested by Controller to demonstrate compliance with this clause 7, including copies of any agreements with sub-processors relating to international data transfers.

8. AUDIT RIGHTS

8.1 Controller shall have the right to audit Processor's compliance with the obligations set out in this Addendum, including by conducting or commissioning an independent audit of Processor's Processing activities and security measures.

8.2 Controller shall provide Processor with reasonable prior written notice (at least 30 days) of any audit, unless a shorter notice period is justified due to a suspected breach of this Addendum or Data Protection Law.

8.3 Processor shall provide Controller with full and free access to all relevant records, systems, and personnel necessary for the conduct of the audit, during normal business hours and subject to reasonable confidentiality arrangements.

8.4 Processor shall provide Controller with a written response to any audit findings within 14 days of receipt, setting out the measures to be taken to address any non-compliance, together with a timeline for implementation.

8.5 Controller shall bear the costs of any audit conducted under this clause 8, unless the audit reveals a material breach of this Addendum by Processor, in which case Processor shall bear the costs of the audit.

8.6 Processor shall, upon Controller's request, provide Controller with copies of any independent audit reports or certifications relating to its data protection and security practices, including ISO 27001 certification or similar.

9. CONFIDENTIALITY

9.1 Processor shall treat all Personal Data and any other confidential information relating to Controller or the Services as strictly confidential.

9.2 Processor shall not disclose any such confidential information to any third party without Controller's prior written consent, except as required by law or as necessary to perform its obligations under this Addendum.

9.3 Processor shall ensure that all personnel who have access to such confidential information are informed of the confidential nature of the information and are bound by confidentiality obligations.

9.4 The confidentiality obligations set out in this clause 9 shall survive the termination of this Addendum for a period of 5 years.

10. TERMINATION

10.1 This Addendum shall commence on the Effective Date and shall continue for the term of the Main Agreement, unless terminated earlier in accordance with this clause 10.

10.2 Either party may terminate this Addendum with immediate effect by giving written notice to the other party if: (a) the other party materially breaches any of its obligations under this Addendum and fails to remedy such breach within 30 days of receipt of written notice; or (b) the other party becomes insolvent or enters into any insolvency proceedings.

10.3 Upon termination of this Addendum, Processor shall, at Controller's option and expense:

  • (a) Return all Personal Data to Controller in a commonly used and machine-readable format;
  • (b) Erase all Personal Data and provide Controller with a written confirmation of such erasure;
  • (c) Transfer the Personal Data to another processor designated by Controller, provided that such transfer is in accordance with Data Protection Law.

10.4 Processor shall complete the actions described in clause 10.3 within 14 days of termination, unless a longer period is agreed in writing by the parties.

10.5 The provisions of clauses 5, 6, 9, 10.3, 10.4, 11, 12, 13, and 14 shall survive the termination of this Addendum.

11. LIABILITY AND INDEMNIFICATION

11.1 Processor shall indemnify and hold harmless Controller, its Affiliates, and their respective directors, officers, employees, and agents from and against any and all losses, damages, liabilities, costs, and expenses (including reasonable legal fees) arising out of or in connection with:

  • (a) Processor's breach of any of its obligations under this Addendum;
  • (b) Processor's failure to comply with Data Protection Law;
  • (c) Any Personal Data Breach caused by Processor's negligence or wilful misconduct;
  • (d) Any third-party claims arising out of the Processing of Personal Data by Processor.

11.2 Controller shall indemnify and hold harmless Processor, its Affiliates, and their respective directors, officers, employees, and agents from and against any and all losses, damages, liabilities, costs, and expenses (including reasonable legal fees) arising out of or in connection with:

  • (a) Controller's breach of any of its obligations under this Addendum;
  • (b) Controller's failure to comply with Data Protection Law;
  • (c) Any instructions given by Controller to Processor that infringe Data Protection Law;
  • (d) Any third-party claims arising out of the nature or content of the Personal Data provided by Controller to Processor.

11.3 Nothing in this Addendum shall exclude or limit the liability of either party for:

  • (a) Death or personal injury caused by negligence;
  • (b) Fraud or fraudulent misrepresentation;
  • (c) Any other liability that cannot be excluded or limited by applicable law.

11.4 The total liability of Processor under this Addendum shall not exceed the total fees paid by Controller to Processor under the Main Agreement during the 12-month period immediately preceding the event giving rise to the liability, except in cases of fraud, gross negligence, or breach of confidentiality obligations.

12. AMENDMENTS

12.1 Any amendment to this Addendum must be in writing and signed by both parties.

12.2 If changes to Data Protection Law require amendments to this Addendum to ensure compliance, either party may request such amendments by giving written notice to the other party.

12.3 The parties shall negotiate in good faith to agree any necessary amendments within 30 days of such request.

12.4 If the parties cannot agree on the necessary amendments within the period specified in clause 12.3, either party may terminate this Addendum by giving 30 days' written notice, provided that such termination shall not affect any rights or obligations accrued prior to termination.

13. GOVERNING LAW AND JURISDICTION

13.1 This Addendum shall be governed by and construed in accordance with the laws of [Governing Law Jurisdiction], excluding its conflict of laws rules.

13.2 Any dispute arising out of or in connection with this Addendum, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by arbitration in accordance with the [Arbitration Rules] of [Arbitration Institution].

13.3 The seat of arbitration shall be [Arbitration Seat].

13.4 The number of arbitrators shall be [Number of Arbitrators] (one or three).

13.5 The language of the arbitration shall be [Arbitration Language].

13.6 Notwithstanding the foregoing, either party may apply to any court of competent jurisdiction for interim or injunctive relief to protect its rights under this Addendum.

14. GENERAL PROVISIONS

14.1 This Addendum constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, and arrangements, whether written or oral, relating to such subject matter.

14.2 Neither party shall assign or transfer this Addendum or any of its rights or obligations hereunder without the prior written consent of the other party. Any purported assignment or transfer without such consent shall be void.

14.3 The failure of either party to enforce any provision of this Addendum shall not constitute a waiver of such provision or the right to enforce such provision in the future.

14.4 If any provision of this Addendum is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect.

14.5 All notices and communications under this Addendum shall be in writing and delivered to the parties at their respective addresses set out in the Main Agreement, or such other address as a party may notify to the other party in writing.

14.6 This Addendum shall be binding on and inure to the benefit of the parties and their respective successors and permitted assigns.

14.7 The parties are independent contractors, and nothing in this Addendum shall create a partnership, joint venture, agency, or employment relationship between them.

SCHEDULE 1: DETAILS OF PROCESSING ACTIVITIES

Nature of Processing
  Processing of Personal Data in connection with the provision of [describe specific services, e.g., Tattoo Simulation Services, User Account Management, etc.], including but not limited to collection, storage, organisation, retrieval, use, and disclosure as necessary for the Services.
Categories of Personal Data
  • User Account Data: Names, email addresses, phone numbers, usernames, passwords (hashed), date of birth
  • Usage Data: IP addresses, device information, browsing history, service usage patterns
  • Content Data: Uploaded images, user-generated content, preferences
  • Payment Data: Payment card details (processed through third-party payment processors)
  • Any other categories of Personal Data as specified in the Main Agreement
Categories of Data Subjects
  • End users of the Services
  • Customers of Controller
  • Employees of Controller (if applicable)
  • Any other categories of data subjects as specified in the Main Agreement
Purposes of Processing
  • Provision and improvement of the Services
  • User authentication and account management
  • Customer support and service delivery
  • Billing and payment processing
  • Compliance with legal and regulatory obligations
  • Fraud prevention and security
  • Marketing and promotional activities (with consent where required)
Duration of Processing
  Personal Data shall be Processed for the duration of the Main Agreement, and for such longer periods as may be required by law or as necessary to: (a) comply with legal obligations; (b) resolve disputes; (c) enforce legal rights; or (d) maintain business records in accordance with record-keeping requirements.

Effective Date

This Data Processing Addendum is effective as of November 24, 2025 (the "Effective Date").