Service Express Data Processing Addendum
CUSTOMER DATA PROCESSING ADDENDUM
This Data Processing Addendum (the “Addendum”) forms a part of the written services agreement (“Agreement”) between Service Express, LLC, on behalf of itself and its Affiliates (“Service Express”), and the customer executing the Agreement (“Customer”). By signing or otherwise executing the Agreement, the parties enter into this Addendum to the extent applicable. Capitalized terms not defined herein have the meaning set forth in the Agreement.
HOW THIS ADDENDUM APPLIES:
This Addendum is an addendum to and forms part of the Agreement and applies to Personal Data that is provided or otherwise made available by Customer to Service Express pursuant to the Agreement. This Addendum will be effective and replace any previously applicable Personal Data Processing terms as of the date the parties execute the Agreement. This Addendum does not replace any comparable or additional rights relating to Processing of Personal Data contained in the Agreement.
PERSONAL DATA PROCESSING TERMS:
- DEFINITIONS.
- “CCPA” means California Consumer Privacy Act, as amended by the California Privacy Rights Act, including its implementing regulations.
- “Controller” means the entity that determines the purposes and means of the Processing of Data, including as a “business,” as such term is defined under the CCPA.
- “Data Laws” means all applicable state, federal and foreign laws and regulations related to the privacy or security of Personal Data, including but not limited to the CCPA, GDPR, Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CDPA), Virginia Consumer Data Protection Act (VCDPA), and Utah Consumer Privacy Act (UCPA).
- “GDPR” means (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, together with the applicable national implementations of GDPR; (b) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; and (c) the United Kingdom’s adoption of the EU GDPR and the Data Protection Act of 2018, in each case, as may be amended, superseded or replaced.
- “Instructions” means Customer’s documented instructions for the Processing of Personal Data as set out in the Agreement and this Addendum or as otherwise agreed by the parties in writing.
- “Personal Data” means information provided or otherwise made available by or on behalf of Customer to Service Express in the course of Service Express’s performance under the Agreement that: (i) identifies or can be used to identify an individual; (ii) can be used to authenticate an individual; or (iii) as otherwise similarly defined by Data Laws.
- “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Service Express, or a similar incident with respect to Personal Data as defined under applicable Data Laws.
- “Processing” or “Process” means any operation or set of operations that is performed upon Data, whether or not by automatic means, such as access, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means the entity that Processes Data on behalf of the Controller, including as a “service provider” or “contractor,” as such terms are defined under the CCPA.
- “Public Authority” means a governmental agency or law enforcement authority, including judicial authorities.
- “Standard Contractual Clauses” means, as applicable, the clauses pursuant to: (a) the European Commission’s decision (EU) 2021/915 of 4 June 2021 on Standard Contractual Clauses for the transfer of Personal Data to Processors established in Third Countries which do not ensure an adequate level of data protection; (b) the International Data Addendum to the European Commission’s standard contractual clauses for international data transfers; or (c) any applicable set of clauses approved by the European Commission or United Kingdom’s Information Commissioner’s Office which supersedes or replaces such Standard Contractual Clauses.
- SCOPE. This Addendum governs the Processing by Service Express of Personal Data for the purposes set forth herein and in the Agreement. Except as otherwise set forth in the Agreement: (a) the type of Personal Data Service Express may Process in connection with the Agreement is limited to contact information (name, title, company, address, email, phone number); (b) the categories of individuals whose Personal Data is Processed are personnel of Customer and its clients; and (c) the purpose of Processing is to enable Service Express to provide Customer and its clients with data center solutions, hardware maintenance and support, or other services as further detailed in the Agreement (the “Purpose”). Additional details about the subject matter and duration of Processing and the nature and purpose of Processing are set forth in the Agreement.
- DATA PROCESSING.
- Roles of the Parties. The parties agree that, for any Personal Data received by Service Express from or on behalf of Customer in connection with or as part of the performance of the Agreement, Customer is the Controller or Processor, and Service Express is the Processor or a sub-Processor, as the case may be.
- Instructions. Service Express shall Process Personal Data solely on behalf of and in accordance with Customer’s Instructions in compliance with applicable Data Laws. If Service Express determines that Customer’s Instructions infringe applicable Data Laws, Service Express shall notify Customer as soon as reasonably practicable, and Service Express shall not be required to comply with such infringing Instruction unless and until the matter has been resolved by agreement of the parties or a Public Authority determines that Instruction to be lawful.
- Confidentiality. Service Express shall ensure that any individuals it engages involved in the Processing of Personal Data have committed themselves to protect the confidentiality of the Personal Data.
- Restrictions on Use of Personal Data. Service Express will not: (i) sell or share any Personal Data (including as such terms are defined under the CCPA) or otherwise retain, use, or disclose Personal Data for any purpose other than the Purpose, including a commercial purpose other than providing the services under the Agreement, or as otherwise permitted by Data Laws and the Agreement; (ii) retain, use, or disclose Personal Data outside of the direct business relationship between Service Express and Customer specified in the Agreement for the Purpose, unless expressly permitted by Data Laws and the Agreement; or (iii) combine or update Personal Data with personal information Service Express receives from, or on behalf of, another person or entity, or that Service Express collects from its own interaction with a data subject; provided that, to the extent not prohibited by the Agreement, Service Express may combine Personal Data with other personal information to perform any permissible business purpose under applicable Data Laws consistent with a data subject’s expectations, except for cross-context behavioral advertising or where such combination is with Personal Data of opted-out data subject for advertising and marketing services.
- Sub-Processors. Service Express shall only engage another Processor (each, a “Sub-Processor”) with the prior written consent of Customer. Notwithstanding the foregoing, subject to the restrictions, if any, set forth in the Agreement, Customer generally authorizes Service Express to engage Sub-Processors to Process Personal Data as long as Service Express has in place a written contract with such Sub-Processor(s), which contract contains substantively equivalent provisions as set forth in the Agreement and this Addendum, including with respect to Processing and Personal Data retention requirements and, where applicable, Standard Contractual Clauses. Upon written request (email sufficient) by Customer, Service Express shall provide Customer an up-to-date list of all Sub-Processors involved in the Processing of Personal Data. Customer has the right to object to any such Sub-Processors by notifying Service Express within 14 days after receipt of such list from Service Express. Service Express shall remain fully responsible for the acts of all Sub-Processors to the same extent it is responsible for the acts of its own employees, and Service Express shall be liable to Customer for a Sub-Processor’s failure to fulfill its data protection obligations hereunder.
- OBLIGATIONS OF CUSTOMER.
- Instructions. Customer shall ensure that its Instructions to Service Express at all times comply with Data Laws, and Customer acknowledges that Service Express is not responsible for determining if the Instructions are compliant.
- Consents. Customer represents and warrants that it has obtained all necessary authorizations and affirmative consents required for compliance with applicable Data Law prior to disclosing, transferring, or otherwise making available any Personal Data to Service Express, and that such authorizations and consents clearly and completely stated, without limitation: (i) what Personal Data was being collected, (ii) why it was being collected, and (iii) that it would be made available to Service Express as a Processor.
- Compliance. Customer shall comply with all applicable Data Laws, including, without limitation, maintaining all relevant regulatory registrations and notifications as required under Data Law and the terms of this Addendum. Customer agrees that Service Express shall not be liable for any claim brought by Customer or any third party (including, without limitation, a data subject, or Public Authority) arising from any action or omission by Service Express to the extent that such action or omission resulted from compliance with Customer’s Instructions, Customer’s failure to obtain necessary consents, or Customer’s failure to comply with Data Laws. In any such event, Customer shall indemnify, defend and hold harmless Service Express from and against all expenses, losses, costs and damages arising from such claim.
- ASSISTANCE. Service Express shall provide reasonable assistance to Customer in complying with Customer’s obligations under applicable Data Laws, including with respect to the security of Processing Personal Data, Personal Data Breach notification, and responding to data subject and Public Authority requests. Without limiting the generality of the foregoing, Service Express agrees to provide assistance as follows:
- Data Subject Requests. If Customer requests, Service Express shall reasonably assist Customer, by appropriate technical and organizational measures, in responding to data subject requests to exercise their rights under applicable Data Laws. If Service Express receives a request directly from a data subject with respect to such Personal Data, Service Express shall, as soon as reasonably practicable, forward the same to Customer (except where prohibited from doing so by applicable law). Service Express shall not respond to any such data subject request unless instructed to do so in writing by Customer or otherwise required by applicable law, except that Customer authorizes Service Express to redirect the data subject request as necessary to allow Customer to respond directly.
- Data Impact Assessments. To the extent applicable in relation to Service Express’s Processing of Personal Data and within the scope of the services provided by Service Express to Customer, Service Express shall cooperate and assist Customer, at Customer’s request, with any data protection impact assessment that Customer is required to carry out under applicable Data Law.
- Public Authorities. Service Express will assist Customer at Customer’s request as reasonably necessary for Customer to meet its obligations to relevant Public Authorities in connection with the Processing of Personal Data hereunder, including any necessary prior consultations with such Public Authorities and responding to any Public Authority requests.
- SECURITY. Service Express has implemented and shall maintain security measures in accordance with industry standards and applicable Data Laws appropriate given the nature of the Personal Data to ensure the privacy and security of the Personal Data during Processing, which measures are designed to protect Personal Data against unauthorized or unlawful Processing or accidental loss, destruction, or damage. In particular, Service Express has in place technical and organizational safeguards intended to: (i) maintain the security and confidentiality of Personal Data; (ii) protect against anticipated threats to the security and integrity of Personal Data; and (iii) protect against unauthorized access to or use of Personal Data. Customer acknowledges and agrees that it is satisfied that Service Express’s security measures are sufficient and appropriate to ensure the security of Personal Data during Processing in accordance with applicable Data Law. Service Express may change the security controls through the adoption of new or enhanced security technologies, and Customer authorizes Service Express to make such changes provided that they do not diminish the level of protection of Personal Data in Service Express’s possession, custody, or control.
- OVERSIGHT AND REMEDIATION.
- Information. Upon Customer’s request, Service Express shall make available to Customer all relevant information and documentation reasonably necessary to demonstrate compliance with the requirements of this Addendum and applicable Data Laws.
- Audits. To the extent required by applicable Data Laws, Service Express grants to Customer the right to take reasonable and appropriate steps to ensure that Service Express’s use of Personal Data is consistent with this Addendum and Service Express’s obligations under Data Laws at least once every 12 months. Service Express shall allow for and contribute relevant information to such audits, including reasonable inspections, conducted by Customer or another auditor selected by Customer relating to Service Express’s Processing activities pursuant to this Addendum, provided Customer or its auditor has agreed to a confidentiality agreement acceptable to Service Express intended to protect Service Express’s proprietary information and the confidentiality of information that Service Express Processes on behalf of others. Service Express may reasonably limit the scope of the audit to protect the confidentiality of information that Service Express Processes on behalf of others. Service Express shall immediately inform Customer if, in Service Express’s opinion, an Instruction under this subsection infringes applicable Data Laws.
- Remediation. Service Express hereby permits Customer to take reasonable and appropriate steps required under applicable Data Laws to stop and remediate Service Express’s unauthorized use of Personal Data upon notice to Service Express.
- PERSONAL DATA BREACH RESPONSE. Service Express shall notify Customer without undue delay after becoming aware of any Personal Data Breach. Service Express’s notice will: (a) describe the nature of the Personal Data Breach, to the extent known; and (b) provide a contact point where more information can be obtained. Service Express shall take reasonable efforts to identify the cause of the Personal Data Breach and take such steps as Service Express deems necessary and reasonable to remediate the cause of the Personal Data Breach within Service Express’s reasonable control. Service Express agrees to maintain and preserve all documents, records, and other data related to any Data Breach in accordance with applicable Data Laws and its record retention policies and procedures.
- CROSS-BORDER TRANSFERS. Service Express shall not transfer Personal Data outside the country to which Customer originally delivered it to Service Express for Processing – or, if it was originally delivered to a location inside the European Union, the European Economic Area, Switzerland or the United Kingdom (collectively, “Europe”), then outside of Europe – without Customer’s documented consent. With Customer’s documented consent, Service Express may transfer Personal Data to another country. If Personal Data that is subject to GDPR is transferred out of Europe to countries that do not ensure an adequate level of data protection within the meaning of GDPR, Service Express shall ensure that a mechanism to achieve adequacy in respect of that Processing is in place such as: (a) the requirement for Service Express and any Sub-Processor to execute with Customer or Service Express, as the case may be, Standard Contractual Clauses; or (b) the existence of any other specifically approved safeguard for data transfers (as recognized under GDPR) and/or the applicable Public Authority finding of adequacy. If Customer wishes to separately execute Standard Contractual Clauses, Customer must contact Service Express.
- RETURN AND DELETION OF PERSONAL DATA. Upon expiration or termination of the Agreement and at Customer’s request, Service Express shall delete or return all Personal Data to Customer and will delete any existing copies of Personal Data in its possession or control to the extent allowed by applicable law. This does not apply to Personal Data archived on back-up systems, which Service Express will protect from any further Processing and delete in accordance with its data retention policies and procedures. Until Personal Data is deleted or returned, Service Express shall continue to comply with the requirements of this Addendum with respect to such Personal Data.
- COMPLIANCE. Service Express certifies that it understands and will comply with each of the above provisions, and agrees that it will comply with all applicable provisions of Data Laws with regard to any Personal Data that it Processes. Service Express shall promptly notify Customer if Service Express makes a determination that it can no longer meet its obligations under applicable Data Laws or this Addendum.
- LIABILITY. Any claims arising from or in any way related to this Addendum or Service Express’s Processing of Personal Data hereunder, including the Standard Contractual Clauses, shall be subject to any limitation of liability, dispute resolution requirements, and other limitations set forth in the Agreement.
- ORDER OF PRECEDENCE. In the event of a conflict between the terms of this Addendum and the Agreement, the Addendum shall prevail with respect to the subject matter set forth herein.
- LEGAL EFFECT. This Addendum shall only become legally binding between Service Express and Customer when the formalities set out in the Section “How this Addendum Applies” above have been fully completed.
Version Date: July 26, 2023.
SUBCONTRACTOR DATA PROCESSING ADDENDUM
This Data Processing Addendum (the “Addendum”) forms a part of the Master Services Agreement or other written services agreement (“Agreement”) between Service Express, LLC, on behalf of itself and its Affiliates (“Service Express”), and the entity executing the Agreement (“Company”). By signing or otherwise executing the Agreement, the parties enter into this Addendum to the extent applicable. Capitalized terms not defined herein have the meaning set forth in the Agreement.
HOW THIS ADDENDUM APPLIES:
This Addendum is an addendum to and forms part of the Agreement and applies to Personal Data that is provided or otherwise made available by one party (“Requesting Party”) to the other party (“Service Provider”) pursuant to the Agreement. This Addendum will be effective and replace any previously applicable Personal Data Processing terms as of the date the parties execute the Agreement. This Addendum does not replace any comparable or additional rights relating to Processing of Personal Data contained in the Agreement (including any existing data processing addendum to the Agreement).
PERSONAL DATA PROCESSING TERMS:
- DEFINITIONS.
- “CCPA” means California Consumer Privacy Act, as amended by the California Privacy Rights Act, including its implementing regulations.
- “Controller” means the entity that determines the purposes and means of the Processing of Data, including as a “business,” as such term is defined under the CCPA.
- “Data Laws” means all applicable state, federal and foreign laws and regulations related to the privacy or security of Personal Data, including but not limited to the CCPA, GDPR, Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CDPA), Virginia Consumer Data Protection Act (VCDPA), and Utah Consumer Privacy Act (UCPA).
- “GDPR” means (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, together with the applicable national implementations of GDPR; (b) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; and (c) the United Kingdom’s adoption of the EU GDPR and the Data Protection Act of 2018, in each case, as may be amended, superseded or replaced.
- “Instructions” means Requesting Party’s documented instructions for the Processing of Personal Data as set out in the Agreement and this Addendum or as otherwise agreed by the parties in writing.
- “Personal Data” means information provided or otherwise made available by or on behalf of Requesting Party to Service Provider in the course of Service Provider’s performance under the Agreement that: (i) identifies or can be used to identify an individual; (ii) can be used to authenticate an individual; or (iii) as otherwise similarly defined by Data Laws.
- “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Service Provider, or a similar incident with respect to Personal Data as defined under applicable Data Laws.
- “Processing” or “Process” means any operation or set of operations that is performed upon Data, whether or not by automatic means, such as access, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means the entity that Processes Data on behalf of the Controller, including as a “service provider” or “contractor,” as such terms are defined under the CCPA.
- “Public Authority” means a governmental agency or law enforcement authority, including judicial authorities.
- “Standard Contractual Clauses” means, as applicable, the clauses pursuant to: (a) the European Commission’s decision (EU) 2021/915 of 4 June 2021 on Standard Contractual Clauses for the transfer of Personal Data to Processors established in Third Countries which do not ensure an adequate level of data protection; (b) the International Data Addendum to the European Commission’s standard contractual clauses for international data transfers; or (c) any applicable set of clauses approved by the European Commission or United Kingdom’s Information Commissioner’s Office which supersedes or replaces such Standard Contractual Clauses.
- SCOPE. This Addendum governs the Processing by Service Provider of Personal Data for the purposes set forth herein and in the Agreement. The type of Personal Data Service Provider may Process in connection with the Agreement is limited to contact information (name, title, company, address, email, phone number); the categories of individuals whose Personal Data is Processed are personnel of Requesting Party and its clients; and the purpose of Processing is to enable Service Provider to provide Requesting Party and its customers with certain support, maintenance, and/or managed services as further detailed in the Agreement (the “Purpose”). Additional details about the subject matter and duration of Processing and the nature and purpose of Processing are set forth in the Agreement.
- DATA PROCESSING.
- Roles of the Parties. The parties agree that, for any Personal Data received by Service Provider from or on behalf of Requesting Party in connection with or as part of the performance of the Agreement, Requesting Party is the Controller or Processor, and Service Provider is the Processor or a sub-Processor, as the case may be.
- Instructions. Service Provider shall Process Personal Data solely on behalf of and in accordance with Requesting Party’s Instructions in compliance with applicable Data Laws. If Service Provider determines that Requesting Party’s Instructions infringe applicable Data Laws, Service Provider shall notify Requesting Party as soon as reasonably practicable, and Service Provider shall not be required to comply with such infringing Instruction unless and until the matter has been resolved by agreement of the parties or a Public Authority determines that Instruction to be lawful.
- Confidentiality. Service Provider shall ensure that any individuals it engages involved in the Processing of Personal Data have committed themselves to protect the confidentiality of the Personal Data.
- Restrictions on Use of Personal Data. Service Provider will not: (i) sell or share any Personal Data (including as such terms are defined under the CCPA) or otherwise retain, use, or disclose Personal Data for any purpose other than the Purpose, including a commercial purpose other than providing the services under the Agreement, or as otherwise permitted by Data Laws and the Agreement; (ii) retain, use, or disclose Personal Data outside of the direct business relationship between Service Provider and Requesting Party specified in the Agreement for the Purpose, unless expressly permitted by Data Laws and the Agreement; or (iii) combine or update Personal Data with personal information Service Provider receives from, or on behalf of, another person or entity, or that Service Provider collects from its own interaction with a data subject; provided that, to the extent not prohibited by the Agreement, Service Provider may combine Personal Data with other personal information to perform any permissible business purpose under applicable Data Laws consistent with a data subject’s expectations, except for cross-context behavioral advertising or where such combination is with Personal Data of opted-out data subject for advertising and marketing services.
- Sub-Processors. Service Provider shall only engage another Processor (each, a “Sub-Processor”) with the prior written consent of Requesting Party. Notwithstanding the foregoing, subject to the restrictions, if any, set forth in the Agreement, Requesting Party generally authorizes Service Provider to engage Sub-Processors to Process Personal Data as long as Service Provider has in place a written contract with such Sub-Processor(s), which contract contains substantively equivalent provisions as set forth in the Agreement and this Addendum, including with respect to Processing and Personal Data retention requirements and, where applicable, Standard Contractual Clauses. Upon written request (email sufficient) by Requesting Party, Service Provider shall provide Requesting Party an up-to-date list of all Sub-Processors involved in the Processing of Personal Data. Requesting Party has the right to object to any such Sub-Processors by notifying Service Provider within 14 days after receipt of such list from Service Provider. Service Provider shall remain fully responsible for the acts of all Sub-Processors to the same extent it is responsible for the acts of its own employees, and Service Provider shall be liable to Requesting Party for a Sub-Processor’s failure to fulfill its data protection obligations hereunder.
- ASSISTANCE. Service Provider shall provide reasonable assistance to Requesting Party in complying with Requesting Party’s obligations under applicable Data Laws, including with respect to the security of Processing Personal Data, Personal Data Breach notification, and responding to data subject and Public Authority requests. Without limiting the generality of the foregoing, Service Provider agrees to provide assistance as follows:
- Data Subject Requests. If Requesting Party requests, Service Provider shall reasonably assist Requesting Party, by appropriate technical and organizational measures, in responding to data subject requests to exercise their rights under applicable Data Laws. If Service Provider receives a request directly from a data subject with respect to such Personal Data, Service Provider shall, as soon as reasonably practicable, forward the same to Requesting Party (except where prohibited from doing so by applicable law). Service Provider shall not respond to any such data subject request unless instructed to do so in writing by Requesting Party or otherwise required by applicable law, except that Requesting Party authorizes Service Provider to redirect the data subject request as necessary to allow Requesting Party to respond directly.
- Data Impact Assessments. To the extent applicable in relation to Service Provider’s Processing of Personal Data and within the scope of the services provided by Service Provider to Requesting Party, Service Provider shall cooperate and assist Requesting Party, at Requesting Party’s request, with any data protection impact assessment that Requesting Party is required to carry out under applicable Data Law.
- Public Authorities. Service Provider will assist Requesting Party at Requesting Party’s request as reasonably necessary for Requesting Party to meet its obligations to relevant Public Authorities in connection with the Processing of Personal Data hereunder, including any necessary prior consultations with such Public Authorities and responding to any Public Authority requests.
- SECURITY. Service Provider has implemented and shall maintain security measures in accordance with industry standards and applicable Data Laws appropriate given the nature of the Personal Data to ensure the privacy and security of the Personal Data during Processing, which measures are designed to protect Personal Data against unauthorized or unlawful Processing or accidental loss, destruction, or damage. In particular, Service Provider has in place technical and organizational safeguards intended to: (i) maintain the security and confidentiality of Personal Data; (ii) protect against anticipated threats to the security and integrity of Personal Data; and (iii) protect against unauthorized access to or use of Personal Data. Service Provider may change the security controls through the adoption of new or enhanced security technologies, and Requesting Party authorizes Service Provider to make such changes provided that they do not diminish the level of protection of Personal Data in Service Provider’s possession, custody, or control.
- OVERSIGHT AND REMEDIATION.
- Information. Upon Requesting Party’s request, Service Provider shall make available to Requesting Party all relevant information and documentation reasonably necessary to demonstrate compliance with the requirements of this Addendum and applicable Data Laws.
- Audits. To the extent required by applicable Data Laws, Service Provider grants to Requesting Party the right to take reasonable and appropriate steps to ensure that Service Provider’s use of Personal Data is consistent with this Addendum and Service Provider’s obligations under Data Laws at least once every 12 months. Service Provider shall allow for and contribute relevant information to such audits, including reasonable inspections, conducted by Requesting Party or another auditor selected by Requesting Party relating to Service Provider’s Processing activities pursuant to this Addendum, provided Requesting Party or its auditor has agreed to a confidentiality agreement acceptable to Service Provider intended to protect Service Provider’s proprietary information and the confidentiality of information that Service Provider Processes on behalf of others. Service Provider may reasonably limit the scope of the audit to protect the confidentiality of information that Service Provider Processes on behalf of others. Service Provider shall immediately inform Requesting Party if, in Service Provider’s opinion, an Instruction under this subsection infringes applicable Data Laws.
- Remediation. Service Provider hereby permits Requesting Party to take reasonable and appropriate steps required under applicable Data Laws to stop and remediate Service Provider’s unauthorized use of Personal Data upon notice to Service Provider.
- PERSONAL DATA BREACH RESPONSE. Service Provider shall notify Requesting Party without undue delay after becoming aware of any Personal Data Breach. Service Provider’s notice will: (a) describe the nature of the Personal Data Breach, to the extent known; and (b) provide a contact point where more information can be obtained. Service Provider shall take reasonable efforts to identify the cause of the Personal Data Breach and take such steps as Service Provider deems necessary and reasonable to remediate the cause of the Personal Data Breach within Service Provider’s reasonable control. Service Provider agrees to maintain and preserve all documents, records, and other data related to any Data Breach in accordance with applicable Data Laws and its record retention policies and procedures.
- CROSS-BORDER TRANSFERS. Service Provider shall not transfer Personal Data outside the country to which Requesting Party originally delivered it to Service Provider for Processing – or, if it was originally delivered to a location inside the European Union, the European Economic Area, Switzerland or the United Kingdom (collectively, “Europe”), then outside of Europe – without Requesting Party’s documented consent. With Requesting Party’s documented consent, Service Provider may transfer Personal Data to another country. If Personal Data that is subject to GDPR is transferred out of Europe to countries that do not ensure an adequate level of data protection within the meaning of GDPR, Service Provider shall ensure that a mechanism to achieve adequacy in respect of that Processing is in place such as: (a) the requirement for Service Provider and any Sub-Processor to execute with Requesting Party or Service Provider, as the case may be, Standard Contractual Clauses; or (b) the existence of any other specifically approved safeguard for data transfers (as recognized under GDPR) and/or the applicable Public Authority finding of adequacy. If Requesting Party wishes to separately execute Standard Contractual Clauses, Requesting Party must contact Service Provider.
- RETURN AND DELETION OF PERSONAL DATA. Upon expiration or termination of the Agreement and at Requesting Party’s request, Service Provider shall delete or return all Personal Data to Requesting Party and will delete any existing copies of Personal Data in its possession or control to the extent allowed by applicable law. This does not apply to Personal Data archived on back-up systems, which Service Provider will protect from any further Processing and delete in accordance with its data retention policies and procedures. Until Personal Data is deleted or returned, Service Provider shall continue to comply with the requirements of this Addendum with respect to such Personal Data.
- COMPLIANCE. Service Provider certifies that it understands and will comply with each of the above provisions, and agrees that it will comply with all applicable provisions of Data Laws with regard to any Personal Data that it Processes. Service Provider shall promptly notify Requesting Party if Service Provider makes a determination that it can no longer meet its obligations under applicable Data Laws or this Addendum.
- LIABILITY. Any claims arising from or in any way related to this Addendum or Service Provider’s Processing of Personal Data hereunder, including the Standard Contractual Clauses, shall be subject to any limitation of liability, dispute resolution requirements, and other limitations set forth in the Agreement.
- ORDER OF PRECEDENCE. In the event of a conflict between the terms of this Addendum and the Agreement, the Addendum shall prevail with respect to the subject matter set forth herein.
- LEGAL EFFECT. This Addendum shall only become legally binding between Service Provider and Requesting Party when the formalities set out in the Section “How this Addendum Applies” above have been fully completed.
Version Date: July 26, 2023.