DATA PROCESSING ADDENDUM
Last Updated: May 13, 2025
THIS DATA PROCESSING ADDENDUM (“DPA”) shall be applicable between the Parties, shall be considered incorporated into the Agreement (“Agreement”) entered into by the Parties, and serves as a separate Schedule / Exhibit thereto. It is intended to govern data processing activities conducted under the General Data Protection Regulation (“GDPR”) of the European Union (“EU”) and similar “omnibus” AI-related legislation adopted by other jurisdictions throughout the world, including without limitation the UK GDPR and the Swiss Data Protection Act.
- SCOPE. This DPA applies where any Processing of Personal Data relates to Data Subjects located in the EU, the EEA, Switzerland, the United Kingdom, or such other location that makes said Processing otherwise subject to the GDPR [collectively referred to as the “GDPR Countries”]. In the case of a conflict or ambiguity between this DPA and either the Agreement or any supplemental agreement related to data Processing, this DPA shall control.
- DEFINITIONS. Except where otherwise specified, all capitalized terms shall use the definitions and meanings assigned to them under the EU GDPR. However, notwithstanding the foregoing, the following specific definitions shall apply to this DPA:
- “Applicable Laws” means all laws, regulations, orders, rules, judgments, directives, industry agreements or determinations in force from time to time applicable to a party and relevant to the Agreement or this DPA, including, without limitation, Data Protection Law;
- “Breach Event” means and refers to any: (i) unauthorized access to or acquisition of data or systems that materially compromises the security, confidentiality or integrity of Personal Data held by or on behalf of a Party; or (ii) any unauthorized disclosure or access to such Personal Data.
- “Data Protection Law” means all laws and regulations, including laws and regulations of the European Union, the EEA and their member states, Switzerland and the United Kingdom, the GDPR, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), any national laws or regulations implementing the foregoing Directives, the GDPR (when applicable), and any amendments to or replacements for such laws and regulations, applicable to processing of Personal Data under the Agreement or this DPA.
- “EEA” means the European Economic Area.
- “Personal Data” means any information provided or made available by either Party to the other which relates to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. For the avoidance of doubt, Personal Data includes personally identifiable information.
- “Processing” takes the meaning particularly defined in the applicable Data Protection Law. Any other tense or form of “Processing” shall be interpreted accordingly.
- “PIA” means Privacy Impact Assessment.
- “SCCs” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
- SCCs. The SCCs are hereby incorporated into this DPA by reference. The Parties agree to observe the terms of the SCCs without modification and use them whenever and wherever it is legally required. If mandated by the applicable Data Protection Law, the Parties will execute (or re-execute) the SCCs in one or more separate document(s) structuring any proposed transfers of Personal Data in accordance with said Data Protection Law. Notwithstanding the foregoing, the SCCs shall not be required for the transfer of Personal Data to a country, territory or jurisdiction outside the GDPR Countries for which the European Commission has decided by means of an "adequacy decision" that such country, territory or jurisdiction ensures an adequate level of protection as described in GDPR Art. 45.
- Updates to or Replacement of the SCCs. The Parties agree to work together in good faith to enter into an updated version of the SCCs, or another appropriate successor transfer mechanism [e.g., standard clauses in accordance with Art. 46 of the GDPR] to enable a valid transfer in compliance with the applicable Data Protection Law if the SCCs are: (i) amended, replaced or repealed by the European Commission; (ii) declared entirely or partially invalid by a court of competent jurisdiction [e.g., the EU Court of Justice]; or (iii) otherwise terminated, annulled, replaced or repealed under one or more applicable Data Protection Law.
- Situation-Specific Processing Details. Unless otherwise specified, the subject-matter of Processing of Personal Data by a Party hereunder encompasses the Eligible Products & Services pursuant to one or more of the Parties' Agreement(s). The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data being Processed, the categories of Data Subjects, and the roles of each Party (e.g., data processor vs. data controller, etc.) shall be further specified in a separate form (e.g., details of the processing). The information contained in a completed form shall be incorporated into the SCCs as needs require.
- OBLIGATIONS. Each Party to this DPA agrees that it shall:
  - (i) comply, at its own cost, with all applicable Data Protection Law and use commercially reasonable measures to assist the other Party with compliance with same;
  - (ii) Process Personal Data only in accordance with documented instructions from a Data Subject or as required by the Agreement and/or applicable Data Protection Law;
  - (iii) treat all Personal Data received pursuant to one or more of the Parties' Agreement(s) as Confidential Information & Materials, and not disclose Personal Data provided or supplied by the other Party to any other Person without written authorization from said other Party except where specifically required by Applicable Laws, and then only to the minimum extent necessary to comply with said requirement and only after notifying the other Party of the basis for doing so;
  - (iv) not benefit commercially from the Personal Data except as explicitly agreed to in writing by the Parties and in full compliance with the applicable Data Protection Law;
  - (v) not transfer any Personal Data across international or jurisdictional boundaries in contravention of applicable Data Protection Law, except where such transfer is legally required, such as in the case of a Party being subject to a valid court order mandating same, and then only to the minimum extent necessary to comply with the requirement and only after notifying the other Party of the basis for doing so;
  - (vi) implement and maintain appropriate measures to ensure the security and protection of Personal Data, taking into account the nature and sensitivity of the information to be protected, the risk presented by Processing, the state of the art, and the costs associated with said implementation and maintenance, while remaining in full compliance with the applicable Data Protection Law, with such measures to include appropriate physical, electronic and procedural safeguards to ensure the security and confidentiality of Personal Data and to prevent unauthorized access to or use of same;
  - (vii) adopt, at its own cost, any commercially reasonable recommendations which the other Party may make concerning measures, programs and procedures to help ensure ongoing compliance with applicable Data Protection Law;
  - (viii) not subcontract any duties or obligations except as explicitly agreed to in writing by the Parties, and assume full responsibility for any such subcontractor or subprocessor’s compliance with the obligations that have been imposed upon said subcontractor/processor in accordance with the Parties' Agreement(s) or the applicable Data Protection Law;
  - (ix) designate at least one data protection liaison for purposes of overseeing the Parties' respective Processing efforts, and provide his/her contact information to the other Party;
  - (x) put in place measures to ensure that any staff members and subcontractors who have access to Personal Data of one or more Data Subject(s): (a) have received appropriate training on their responsibilities under applicable Data Protection Law; and (b) are reliable, trustworthy, and have committed themselves to complying at all times with the applicable Data Protection Law;
  - (xi) notify the other Party no later than seven calendar days after receiving: (a) a request from a Data Subject to have access to their Personal Data, (b) a request to exercise any other applicable rights the Data Subject may have under the applicable Data Protection Law, or (c) a complaint, subpoena or official records request from a government representative or agency relating to either Party's obligations under the applicable Data Protection Law;
  - (xii) provide reasonable assistance and cooperation in responding to any such request, complaint, subpoena or official records request as described above, including, without limitation, by: (a) allowing Data Subjects to have access to their Personal Data, know whether it has been sold or disclosed in any way (and if so to whom), and to have that Personal Data corrected, deleted, or blocked, within the relevant time frames set out by the applicable Data Protection Law, and without any discrimination, cost or penalty for exercising these rights; (b) providing a Party with any information reasonably requested relating to the Processing of Personal Data under one or more of the Parties' Agreement(s); and (c) providing, whenever required, any Personal Data held in relation to a Data Subject without additional cost in a commonly-used, structured, electronic, and machine-readable format;
  - (xiii) provide additional reasonable cooperation in order for a Party to independently demonstrate compliance with applicable Data Protection Law, including without limitation making available to the other Party information to facilitate audits or inspections called for under one or more of the Parties' Agreement(s) or required by applicable Data Protection Law, and whether conducted by a Party, its authorized agent, or government entity, provided said audits or inspections occur no more than once per calendar year absent a legal requirement or a showing of substantial good cause, and are subject to reasonable, independently-verifiable security controls;
  - (xiv) whenever a PIA or similar risk mitigation exercise is requested by a Party concerning the Eligible Products & Services, provide timely and commercially reasonable support and assistance for said exercise, provided such PIA occurs no more than once per calendar year, absent a specific legal requirement or a showing of substantial good cause by a requesting Party;
  - (xv) immediately notify the other Party in writing upon learning of any Breach Event and take commercially reasonable steps to: (a) investigate, correct, mitigate, remediate and otherwise resolve said Breach Event; and (b) where required by applicable Data Protection Law, provide timely notices disclosing the Breach Event to relevant regulators and affected individuals, but only to the minimum extent necessary to comply with said requirement and only after notifying the other Party in writing of the basis for doing so; and
  - (xvi) within a reasonable period of time after termination or expiration of any Agreement between the Parties relating to the Processing of Personal Data: (a) delete, destroy, deface or return all Personal Data to the other Party held or stored on its behalf upon receipt of a written request for same; and (b) delete, destroy or deface any existing copies of said Data, and provide a suitable certification of the deletion / destruction / defacement, except where applicable law specifically requires the retention of copies of such Personal Data, but only to the minimum extent and for the minimum period required by Applicable Law.