Data Processing Addendum

1. Definitions

1. "Affiliate" refers to an entity that is directly or indirectly controlled by a party, or that controls or is under common control with a party. Control means ownership of more than 50% of the voting shares or other equity interests.
2. "Authorised Sub-Processor" refers to a third party that is either (1) listed in Exhibit B or (2) subsequently authorised under Section 4.2 of this DPA and who needs to know or have access to Customer's Personal Data in order for Company to fulfil its responsibilities under this DPA or the Agreement.
3. "Company Account Data" refers to personal information about the customer-company relationship, such as the names or contact details of persons the customer has given permission to access the customer's account and the billing details of people the customer has linked to the account. The term "Company Account Data" also refers to any information that the company may need to gather in order to manage its relationship with customers, verify their identities, or as required by other laws and regulations.
4. "Company Usage Data" refers to information about how the services are used that is gathered and processed by the company in the course of providing the services. This information may include activity logs, information used to determine the origin and destination of communications, information used to maintain and improve service performance, and information utilised to look into and stop system abuse.
5. "Data Exporter" means Customer.
6. "Data Importer" means Company.
7. "Data Protection Laws" refers to all applicable laws and regulations in any relevant jurisdiction that have to do with using or processing Personal Data, such as the following: (i) the California Consumer Privacy Act ("CCPA"), (ii) the General Data Protection Regulation (Regulation (EU) 2016/679 ("EU GDPR") and the EU GDPR as it is incorporated into English and Welsh law through section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR") (collectively, the "GDPR"), (iii) the Swiss Federal Act on Data Protection, (iv) the UK Data Protection Act 2018; and (v) the Privacy and Electronic Communications (EC Directive) Regulations 2003; each as updated, amended, or replaced from time to time. The definitions provided in the GDPR shall apply to the terms "Data Subject," "Personal Data," "Personal Data Breach," "processing," "processor," "controller," and "supervisory authority."
8. "EU SCCs" refers to the standard contractual clauses that the European Commission approved in Commission Decision 2021/914, dated 4 June 2021, for transfers of personal data to nations that the European Commission has not otherwise recognised as providing an adequate level of protection for personal data (modified by Section 6.2 of this DPA and periodically updated).
9. "Ex-EEA Transfer" refers to the transfer of processed personal data from the Data Exporter to the Data Importer (or its locations) outside of the European Economic Area (the "EEA") that is not subject to an adequacy decision made by the European Commission in compliance with the applicable GDPR provisions.
10. "Ex-UK Transfer" refers to the movement of Personal Data covered by Chapter V of the UK GDPR from the Data Exporter to the Data Importer (or its premises) outside of the United Kingdom (the "UK"), processed in compliance with the Data Protection Act 2018 and the UK GDPR. This transfer is not subject to an adequacy decision made by the Secretary of State in compliance with the applicable provisions of the Data Protection Act 2018 and the UK GDPR.
11. "Services" shall have the meaning set forth in the Agreement.
12. "Standard Contractual Clauses" means the EU SCCs and the UK SCCs.
13. "UK SCCs" means the EU SCCs, as amended by the UK Addendum.

2. Relationship of the Parties; Processing of Data

1. Except as otherwise stated in this DPA or the Agreement, the parties recognise and agree that Customer may act as a controller or processor with relation to the processing of Personal Data, and that Company is a processor. Customer agrees to treat Personal Data in accordance with Data Protection Laws at all times and to give instructions for such processing while using the Services. Customer is responsible for making sure that Company does not violate any data protection laws by processing Personal Data as per Customer's instructions. The accuracy, calibre, and legality of (i) any Personal Data that Customer provides to Company, either directly or through third parties, (ii) the methods by which Customer obtained any such Personal Data, and (iii) the instructions Customer gives Company for the processing of such Personal Data are all the responsibility of Customer. In accordance with the terms of the Agreement, Customer shall not supply or make available to Company any Personal Data that is unsuitable for the nature of the Services, and Customer shall indemnify Company against any and all claims and damages arising therefrom.
2. Unless required by a supervisory authority to which the company is subject, the company shall not process personal data for any of the following reasons: (i) purposes other than those specified in the Agreement and/or Exhibit A; (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Customer; or (iii) in violation of data protection laws. If the company processes personal data for any of the aforementioned reasons, it shall notify the customer of the legal requirement prior to processing, unless the law prohibits such information on important grounds of public interest. By using the Services, Customer grants Company permission to treat Personal Data in the ways mentioned above and as part of any processing that Customer initiates.
3. Exhibit A to this DPA contains a description of the types of Personal Data gathered and the categories of Data Subjects, along with the subject matter, nature, purpose, and duration of this processing.
4. After the Services are finished, at the customer's request, the Company will return or erase the customer's personal data, unless the customer requests or is permitted by law to store the personal data longer. The Company shall take steps to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule, or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control if return or destruction is impracticable or prohibited by law, rule, or regulation. The parties agree that, in the event that the parties have entered into Standard Contractual Clauses as outlined in Section 6 (Transfers of Personal Data), the Company will only provide Customer with the certification of deletion of Personal Data that is outlined in Clause 8.1(d) and Clause 8.5 of the EU SCCs (if applicable) upon Customer's request.
5. CCPA. For the purposes of the CCPA (to the extent it applies), the parties acknowledge and agree that the Company is a service provider. The Company is receiving personal information from Customer in order to provide the Services in accordance with the Agreement, which constitutes a business purpose. This agreement does not apply to Company Account Data or Company Usage Data. The business won't sell any of these personal data. Except as required to carry out the Services for Customer in accordance with the Agreement, or as otherwise specified in the Agreement or as permitted by the CCPA, Company shall not retain, use, or disclose any personal information submitted by Customer under the terms of the Agreement. The definitions of "personal information," "service provider," "sale," and "sell" are found in CCPA Section 1798.140. The company attests to its understanding of the limitations outlined in this Section 2.5.

3. Confidentiality

1. The Company shall guarantee that each individual it permits to handle Personal Data has consented to safeguard Personal Data in compliance with the Agreement's confidentiality obligations. Customer acknowledges and agrees that Company may, in the course of fulfilling its obligations under this DPA, the Agreement, or the supply of Services to Customer, disclose Personal Data to its advisers, auditors, or other third parties as reasonably required.

4. Authorised Sub-Processors

1. Customer understands and agrees that (1) Company may use the Authorised Sub-Processors on the List (defined below) and its Affiliates to access and process Personal Data in connection with the Services; and (2) Company may occasionally use other third parties to provide the Services, including processing Personal Data. Through this DPA, Customer gives Company formal permission to use subprocessors as needed to carry out the Services.
2. Customer may see the Company's current list of authorised sub-processors (the "List") at [URL]. The Company may update this List from time to time. The customer may choose to subscribe to notices of new Authorised Sub-Processors via the mechanism provided by the company. These notifications may comprise email notifications, among other forms of communication. Customer forfeits any right to receive advance notice of modifications to Authorised Sub-Processors in the event that it chooses not to subscribe to such alerts. The Company will add any third party to the List and notify subscribers, including Customer, via the aforementioned notifications at least ten (10) days prior to permitting any third party other than current Authorised Sub-Processors to access or participate in the processing of Personal Data. Within ten (10) days of receiving the aforementioned notice, Customer may object to such an engagement by notifying Company in writing; however, Customer's objection must be made in writing and must be supported by valid data protection grounds. Customer understands that some sub-processors are necessary for the Company to provide the Services, and that if Customer objects to the usage of a sub-processor, the Company may not be able to provide the Services to Customer.
3. Customer may stop using the impacted service by giving writing notice to Company if they reasonably object to an engagement in line with Section 4.2 and the Company is unable to offer a commercially acceptable alternative within a reasonable amount of time. Customer will still be liable for all fees under the Agreement payable to Company even after discontinuation.
4. For the purposes of this DPA, a third party will be considered an Authorised Sub-Processor if Customer does not object to the third party's involvement in line with Section 4.2 within ten (10) days of notice from the Company.
5. The Authorised Sub-Processor and the Company will sign a written agreement in which the Authorised Sub-Processor will be subject to data protection requirements for the protection of personal data that are equivalent to those imposed on the Company under this DPA. If an Authorised Sub-Processor breaches the written agreement with Company on data protection, Company will still be accountable to Customer for Authorised Sub-Processor's performance of such requirements.
6. If the parties have agreed to Standard Contractual Clauses as outlined in Section 6 (Transfers of Personal Data), then: (i) the aforementioned authorizations will be considered the customer's prior written consent to the subcontracting by the company of the processing of Personal Data, if such consent is required under the Standard Contractual Clauses; and (ii) the parties agree that commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, may be removed by the company beforehand from copies of the agreements with Authorised Sub-Processors that must be provided to the customer in accordance with Clause 9(c) of the EU SCCs. The parties further agree that the company will only provide these copies upon the customer's request.

5. Security of Personal Data

1. Company shall maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing Personal Data, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Additional details regarding the organisational and technical security procedures of the company are provided in Exhibit C.

6. Transfers of Personal Data

1. In order to deliver the Services, the parties agree that the Company may transmit Personal Data processed under this DPA outside of the European Economic Area (EEA), the United Kingdom, or Switzerland. The client understands that the company's main processing operations are located in the US and that the transfer of the client's personal data to the US is required in order for the client to get the services. When transferring Personal Data covered by this DPA to a country where the European Commission has not yet made an adequacy decision, the Company will make sure that the necessary precautions have been put in place to guarantee that the Personal Data is transferred in compliance with Data Protection Authorities.
2. Ex-EEA Transactions. The parties agree that the EU SCCs, which are regarded entered into (and by this reference incorporated into this DPA) and completed as follows, govern ex-EEA transfers:
   • Module One (Controller to Controller) of the EU SCCs apply when Company is processing Personal Data as a controller pursuant to Section 9 of this DPA.
   • Module Two (Controller to Processor) of the EU SCCs apply when Customer is a controller and Company is processing Personal Data for Customer as a processor pursuant to Section 2 of this DPA.
   • Module Three (Processor to Sub-Processor) of the EU SCCs apply when Customer is a processor and Company is processing Personal Data on behalf of Customer as a sub-processor.
   • For each module, where applicable the following applies:
     • The optional docking clause in Clause 7 does not apply.
     • In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Section 4.2 of this DPA;
     • In Clause 11, the optional language does not apply;
     • All square brackets in Clause 13 are hereby removed;
     • In Clause 17 (Option 1), the EU SCCs will be governed by Ireland law.
     • In Clause 18 (b), disputes will be resolved before the courts of Ireland;
     • Exhibit B to this DPA contains the information required in Annex I and Annex III of the EU SCCs;
     • Exhibit C to this DPA contains the information required in Annex II of the EU SCCs; and
     • By entering into this DPA, the parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.
3. Former UK Transfers. The parties agree that ex-UK transfers are made in line with the UK SCCs, which are incorporated into this DPA by reference and are presumed to have been entered into. The parties also agree that the UK Addendum, which is incorporated herein as Exhibit D of this DPA, governs how the ex-UK transfers are updated and completed.
4. Transfers from Switzerland. The parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
   • The terms "General Data Protection Regulation" or "Regulation (EU) 2016/679" as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the "FADP," and as revised as of 25 September 2020, the "Revised FADP") with respect to data transfers subject to the FADP.
   • The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.
   • The Federal Data Protection and Information Commissioner ("FDPIC") of Switzerland will have jurisdiction over data transfers governed by the FADP, and the relevant EU supervisory authority will have jurisdiction over data transfers governed by the GDPR, according to a modification made to clause 13 of the EU SCCs. All additional criteria of Section 13 must be followed, subject to the aforementioned.
   • The term "EU Member State" as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18 (c) of the EU SCCs.
5. Supplementary Measures. In respect of any ex-EEA Transfer or EU Transfer, the following supplementary measures shall apply:
   • As of the date of this DPA, the Data Importer has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported, for access to (or for copies of) Customer's Personal Data ("Government Agency Requests");
   • If, after the date of this DPA, the Data Importer receives any Government Agency Requests, Company shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, Company may provide Customer's basic contact information to the government agency. If compelled to disclose Customer's Personal Data to a law enforcement or government agency, Company shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy unless Company is legally prohibited from doing so. Company shall not voluntarily disclose Personal Data to any law enforcement or government agency. Data Exporter and Data Importer shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this DPA should be suspended in the light of the such Government Agency Requests;
   • The Data Exporter and Data Importer will meet as needed to consider whether:
     • the protection afforded by the laws of the country of the Data Importer to data subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be;
     • additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Laws; and
     • it is still appropriate for Personal Data to be transferred to the relevant Data Importer, taking into account all relevant information available to the parties, together with guidance provided by the supervisory authorities.
6. The Data Importer shall, upon request from the Data Exporter, promptly execute such Standard Contractual Clauses, incorporating such amendments as may reasonably be required by the Data Exporter to reflect the applicable appendices and annexes, the details of the transfer, and the requirements of the relevant Data Protection Laws, if Data Protection Laws require the Data Exporter to execute the Standard Contractual Clauses applicable to a specific transfer of Personal Data to a Data Importer as a separate agreement.
7. Data Importer may, by notice to Data Exporter, amend or put in place alternative arrangements in respect of such transfers, as required by Data Protection Laws, with effect from the date set out in such notice, if any of the following two scenarios occur: (i) any of the means of legitimising transfers of Personal Data outside of the EEA or UK set forth in this DPA cease to be valid; or (ii) any supervisory authority requires that transfers of Personal Data pursuant to those means be suspended.

7. Rights of Data Subjects

1. When a Data Subject requests to exercise any of the following rights, Company will, to the extent allowed by law, notify Customer. These rights include access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to processing that results in automated decision-making (collectively, these requests are referred to as "Data Subject Request(s)"). In the event that Company gets a Data Subject Request pertaining to Customer's data, Company will encourage the Data Subject to submit their request to Customer, who will then be in charge of answering the request including, if required, by using the Services' functionality. The onus is entirely on the customer to make sure that the company receives any requests from data subjects for the erasure, restriction, or cessation of processing, or for the withdrawal of consent to processing, and, if relevant, to make sure that a record of consent to processing is kept for each data subject.
2. Insofar as (i) Customer is unable to respond to the Data Subject Request on its own and (ii) Company is able to do so in compliance with all applicable laws, rules, and regulations, Company shall, upon Customer's request, and after considering the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organisational measures to assist Customer in complying with Customer's obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible. To the extent allowed by law, Customer is liable for any fees and expenditures resulting from any assistance provided by Company.

8. Actions and Access Requests; Audits

1. In order for Customer to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, Company shall, considering the nature of the processing and the information available to Company, provide Customer with reasonable cooperation and assistance, provided that Customer does not otherwise have access to the relevant information. To the extent allowed by law, Customer is liable for any fees and expenditures resulting from any assistance provided by Company.
2. When it comes to Customer's cooperation and/or prior consultation with any Supervisory Authority, as required by the GDPR, Company shall, considering the nature of the processing and the information available to Company, provide Customer with reasonable cooperation and assistance. Any charges and expenditures resulting from any such help provided by Company shall be borne by Customer to the extent authorised by law.
3. In order to prove that it has complied with its duties under this DPA, the Company must keep adequate records, which it must keep for three (3) years following the Agreement's termination. Customer shall have the right to see, audit, and copy such records at Company's offices during regular business hours upon providing reasonable notice to Company.
4. Upon Customer's written request at reasonable intervals, and subject to reasonable confidentiality controls, Company shall, either (i) make available for Customer's review copies of certifications or reports demonstrating Company's compliance with prevailing data security standards applicable to the processing of Customer's Personal Data, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under Data Protection Laws, allow Customer's independent third party representative to conduct an audit or inspection of Company's data security infrastructure and procedures that is sufficient to demonstrate Company's compliance with its obligations under Data Protection Laws, provided that (a) Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Company's business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Company for any time expended for on-site audits. If Customer and Company have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the parties agree that the audits described in Clause 8.9 of the EU SCCs shall be carried out in accordance with this Section 8.4.
5. Company shall immediately notify Customer if an instruction, in the Company's opinion, infringes the Data Protection Laws or Supervisory Authority.
6. If there is a Personal Data Breach, Company will notify Customer of the Breach as soon as possible and take reasonable remedial action (to the extent that remediation is within Company's reasonable control) as determined by Company in its sole discretion.
7. In the event of a Personal Data Breach, Company shall, in light of the processing's nature and the information at its disposal, offer Customer the reasonable cooperation and support required to enable Customer to fulfil its obligations under the GDPR with regard to promptly notifying (i) the applicable Supervisory Authority and (ii) the affected Data Subjects.
8. If a Customer's actions or omissions result in a Personal Data Breach, the duties outlined in Sections 8.6 and 8.7 will not be applicable. The Company's duty under Sections 8.6 and 8.7 to notify or address a Personal Data Breach shall not be interpreted as an admission of fault or liability on the part of the Company with regard to the Personal Data Breach.

9. Company's Role as a Controller

The parties acknowledge and agree that with respect to Company Account Data and Company Usage Data, Company is an independent controller, not a joint controller with Customer. Company will process Company Account Data and Company Usage Data as a controller (i) to manage the relationship with Customer; (ii) to carry out Company's core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to Customer; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Company is subject; and (vi) as otherwise permitted under Data Protection Laws and in accordance with this DPA and the Agreement. Company may also process Company Usage Data as a controller to provide, optimize, and maintain the Services, to the extent permitted by Data Protection Laws. Any processing by the Company as a controller shall be in accordance with the Company's privacy policy set forth at [URL].

10. Conflict

In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this DPA; (3) the Agreement; and (4) the Company's privacy policy. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.