Data Processing Addendum (DPA)

Personal information is processed for the period necessary to fulfill the purposes for which it is collected, to comply with legal and regulatory obligations and for the duration of any period necessary to establish, exercise or defend any legal rights. In order to determine the most appropriate retention periods for your personal information, we consider the amount, nature and sensitivity of your information, the reasons for which we collect and process your personal information, and applicable legal requirements.

In some instances, we may choose to anonymize personal information instead of deleting it, for statistical use, for instance. When we choose to anonymize, we make sure that there is no way that the personal information can be linked back to any specific individual.

While we retain this information, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use or modification. That said, please note that no method of electronic transmission or storage is 100% secure and we cannot guarantee absolute data security.

Where Privacera Processes Personal Data that is subject to the GDPR, the terms and conditions set forth in the standard contractual clauses issued by the European Commission attached hereto at Exhibit A (the “Standard Contractual Clauses”) shall apply to such Processing. The Parties agree that the terms in the Standard Contractual Clauses are incorporated by reference into this DPA. Customer is defined as data exporter and Privacera is defined as data importer within the terms of the Standard Contractual Clauses. If there is a conflict between the provisions of this DPA or the data privacy provisions of the Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

Processing of Data. Privacera shall only Process such Personal Data in accordance with Customer’s written instructions from time-to-time (including as set out in the Agreement, or as provided as submissions through the Services) or as required for Privacera to provide, manage and facilitate the provision of the Services. In addition to, and without limiting, the foregoing obligations, to the extent Privacera Processes any Personal Data subject to the CCPA, Privacera (a) shall not further collect, use, retain, access, share, transfer, or otherwise Process Personal Data for any purpose not related to providing the Services and shall not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Privacera; and (b) is prohibited from “selling” Personal Data (as defined under Section 1798.140(t) of the CCPA). Pursuant to Section 1798.40 the CCPA, Privacera hereby certifies that it understands and agrees to and shall comply with the restrictions set forth under clauses (a) and (b) of this Section 5.1. Privacera promptly inform Customer if, in its opinion, the Customer’s instructions infringe or violate any Data Protection Laws, or if Privacera is unable to comply with the Customers’ instructions

Security; Confidentiality. Privacera will implement appropriate industry standard technical and organizational measures reasonable designed to ensure a level of security appropriate to the risk as set forth on Schedule B hereto. In assessing the appropriate level of security, Privacera must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects and the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. Privacera will take reasonable steps to ensure that any person acting under its authority who has access to Personal Data is bound by enforceable contractual or statutory confidentiality obligation to protect Personal Data that are at least as protective as those obligations herein.

Data Breach. Privacera shall inform Customer without undue delay, as soon as it has become aware of a security breach that results in the accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access to unencrypted Personal Data in Privacera’s possession or control (a “Data Breach”). Privacera shall provide all reasonable information in Privacera’s possession concerning such Data Breach insofar as it affects Customer, including the following, to the extent then known: (a) the possible cause and consequences for the Data Subjects of the Data Breach; (b) the categories of Personal Data involved; (c) a summary of the possible consequences for the relevant Data Subjects; (d) a summary of the unauthorized recipients of the Personal Data; and (e) the measures taken by Privacera to mitigate any damage. Privacera shall use reasonable efforts to provide Customer updates of further developments concerning a Data Breach.

Assistance to Customer. Will assist Customer, at Customer’s cost and expense, in complying with data security, data breach notifications, data protection impact assessments, and prior consultations with supervisory authorities requirements under Data Protection Laws, taking into account the nature of the Processing and the information available to Privacera. To the extent authorized under applicable law, Customer shall be responsible for any costs arising from Privacera’s provision of such assistance. If Privacera receives a request from a Data Subject to exercise a Data Subject right provided for under the Data Protection Laws in relation to that Data Subject’s Personal Data, Privacera will promptly notify Customer of the request and provide a copy of the request to Customer. Privacera will use commercially reasonable efforts to assist Customer with responding to any such request upon Customer’s written request for assistance.

Return/Destruction of Personal Data. Upon termination of the Agreement or this DPA for any reason, or on Customer’s instructions, promptly cease to Process the Personal Data and subject to sections below, and shall return and/or destroy a complete copy of all the Personal Data in Privacera’s possession or control, unless any Data Protection Law prevents it from returning or destroying all or part of the Personal Data or requires storage of the Personal Data (in which case Privacera must keep them confidential.

General. Customer represents and warrants that (a) it has the necessary rights to transfer or make available such Personal Data to Privacera (including that Customer has, or has procured, the necessary legal authority, permissions and/or consents for Privacera to process the Personal Data to provide the Services); (b) Customer’s instructions comply with (and will not cause Privacera to be in breach of) any Data Protection Laws; (c) that Customer has taken all necessary steps to ensure that any Data Subjects are aware of the nature of the Processing of the Personal Data to be undertaken; and (d) Customer is in compliance with all Data Protection Laws. Customer is responsible for handling and responding to all Data Subject rights requests under Data Protection Laws, including, but not limited to, communicating with the Data Subject making the request. Customer further agrees to cooperate with Privacera to fulfil their respective data protection compliance obligations in accordance with the Data Protection Laws.

Affiliates. Where an Affiliate of Customer is the Data Controller over any Personal Data processed by Privacera under this DPA, Customer will procure that any relevant Affiliate complies with its obligations under the Data Protection Laws and Section 6.1 in respect of such Personal Data. Customer shall remain responsible for its Affiliates performance under this DPA.

SUB-PROCESSORS. Customer gives a general authorization to Privacera to disclose Personal Data to Sub-Processors; provided that, each Sub-Processor shall be bound by a written agreement which imposes on the Sub-Processor the same data protection obligations as are imposed on Privacera under this DPA to the extent applicable to the nature of the service provided by the Sub-Processors. Where the Sub-Processor fails to fulfil its data protection obligations under such agreement, Privacera shall remain fully liable towards Customer for the performance of the Sub-Processor’s obligations under such agreement. Privacera’s current Sub-Processors are listed on Schedule A hereto. Privacera shall give Customer reasonable prior written notice of Privacera’s appointment of any new Subprocessor, including reasonable details of the Processing to be undertaken by the Subprocessor. If, within seven (7) business days of receipt of that notice, Customer notifies Privacera in writing of any objections (on reasonable grounds) to the proposed appointment, then Privacera shall not appoint (nor disclose any Personal Data to) the proposed Subprocessor. If Customer does not provide notice of its objections to the new subprocessor within such seven (7) day period above, then the Subprocessor shall be deemed accepted.

AUDIT AND RECORDS. Subject to any audit provisions and procedures in the Agreement, Privacera shall make available to Customer, on request, all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Customer, a Supervisory Authority, or an independent auditor mandated by Customer or Customer Affiliate of Privacera’s data processing facilities, procedures and documentation which relate to the Processing of Personal Data in order to ascertain compliance with the terms of this DPA. Privacera shall fully cooperate with Customer in respect of any such audit and, at the request of Customer, provide Customer with evidence of compliance with its obligations under this DPA. Notwithstanding the foregoing, the audit rights and obligations in this Section shall not apply if the audit rights included in the Agreement meet the requirements of the Data Protection Laws.

CHANGES IN DATA PROTECTION LAWS. Notwithstanding any provisions to the contrary in this DPA, if any change in Data Protection Laws may require or result in any variation to this DPA, Privacera will modify this DPA as necessary to incorporate such change(s) and provide a copy of the modified DPA to Customer. Customer shall notify Privacera of any objection to such modifications of the DPA within thirty (30) days’ of Privacera’s dispatch of such modified DPA. If Privacera does not receive any objection from Customer within this thirty (30) day period, Customer will be deemed to have accepted such modifications and such modifications will become binding and enforceable as part of this DPA. Should Customer submit objections to Privacera within the above-referenced thirty (30) days, Customer and Privacera agree to discuss and negotiate in good faith any such necessary modifications to this DPA to address the changes with a view to agreeing and implementing modifications as mutually agreeable to both Customer and Privacera as soon as is reasonably practicable but no later than thirty (30) days following Privacera’s receipt of Customer’s objections. If Customer and Privacera are unable to reach agreement on modifications to this DPA within such thirty (30) day time period, Privacera may terminate the Agreement without notice to Customer.