Data Protection Addendum

    1. Definitions

    For purposes of this Data Protection Addendum, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this Data Protection Addendum have the meanings given to them elsewhere in this Agreement.

    1.1 Applicable Data Protection Laws means all laws to the extent applicable to the relevant Personal Data or processing thereof under this Agreement, including, as applicable, the European Data Protection Laws, the CCPA and the APPI.

    1.2 APPI means the Act on the Protection of Personal Information (Act No. 57 of 2003) of Japan, as amended from time to time.

    1.3 CCPA means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time.

    1.4 EEA means the European Economic Area.

    1.5 EU means the European Union.

    1.6 European Data Protection Laws means the GDPR and other data protection laws of the EU, its Member States, Switzerland, Iceland, Liechtenstein, Norway and the United Kingdom, in each case, to the extent it applies to the relevant Personal Data or processing thereof under this Agreement.

    1.7 GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time.

    1.8 Information Security Incident means a breach of DI’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in DI’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

    1.9 Licensee means the Master Managed Service Provider as defined in the Master Managed Service Provider Agreement.

    1.10 Personal Data means (a) the personal data (as defined in GDPR) that Licensee provides to DI under this Agreement, and (b) any other information that Licensee provides to DI under this Agreement that constitutes “personal information” under and governed by the CCPA as well as APPI. For purposes of this Data Protection Addendum, Personal Data does not include personal data of representatives of Licensee with whom DI has business relationships independent of the provision of the Software and related support, maintenance or other professional services (“Services”).

    1.11 Security Measures has the meaning given in Section 4.1 of this Data Protection Addendum (DI’s Security Measures).

    1.12 Standard Contractual Clauses means the mandatory provisions of the standard contractual clauses for the transfer of personal data to processors established in third countries in the form set out by European Commission Decision 2010/87/EU.

    1.13 Subprocessors means third parties authorized under this Data Protection Addendum to process Personal Data in relation to the provision of the Software or Services.

    1.14 Third Party Subprocessors has the meaning given in Section 6 (Subprocessors) of Annex 1 of this Data Protection Addendum.

    1.15 The terms controller, data subject, processing, processor and supervisory authority as used in this Data Protection Addendum have the meanings given in the GDPR.

    2. Duration and Scope of Addendum

    2.1 This Data Protection Addendum will, notwithstanding the expiration of this Agreement, remain in effect until, and automatically expire upon, DI’s deletion of all Personal Data.

    2.2 Annex 1 (EU Annex) to this Data Protection Addendum applies to Personal Data or the processing thereof subject to European Data Protection Laws. Annex 2 (California Annex) to this Data Protection Addendum, applies to Personal Data or the processing thereof subject to the CCPA. Annex 3 (Japan Annex) to this Data Protection Addendum applies to Personal Data or the processing thereof subject to APPI. Where two or more of those laws apply, multiple Annexes shall apply accordingly.

    3. Licensee Instructions

    DI will process Personal Data only in accordance with Licensee’s instructions. By entering into this Data Protection Addendum, Licensee instructs DI to process Personal Data to provide the Software and Services. Licensee acknowledges and agrees that such instruction authorizes DI to process Personal Data (a) to perform its obligations and exercise its rights under this Agreement; (b) perform its legal obligations and to establish, exercise or defend legal claims in respect of this Agreement; (c) pursuant to any other written instructions given by Licensee and acknowledged in writing by DI as constituting instructions for purposes of this Data Protection Addendum; and (d) as reasonably necessary for the proper management and administration of DI’s business.

    4. Security

    4.1 DI Security Measures. DI will implement and maintain technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data as described in Annex 4 (the “Security Measures”).

    4.2 Information Security Incidents. If DI becomes aware of an Information Security Incident, DI will (a) notify Licensee of the Information Security Incident without undue delay after becoming aware of the Information Security Incident, and (b) take reasonable steps to identify the cause of such Information Security Incident, minimize harm and prevent a recurrence. Notifications made pursuant to this Section will describe, to the extent possible, details of the Information Security Incident, including steps taken to mitigate the potential risks and steps DI recommends Licensee take to address the Information Security Incident. DI’s notification of or response to an Information Security Incident under this Section will not be construed as an acknowledgement by DI of any fault or liability with respect to the Information Security Incident.

    4.3 Licensee’s Security Responsibilities and Assessment

    4.3.1 Licensee’s Security Responsibilities. Licensee agrees that, without limitation of DI’s obligations under Section 4.1 (DI Security Measures) and Section 4.2 (Information Security Incidents) of this Data Protection Addendum, Licensee is solely responsible for its use of the Software and Services, including (a) making appropriate use of the Software and Services to ensure a level of security appropriate to the risk in respect of the Personal Data; (b) securing the account authentication credentials, systems and devices Licensee uses to access the Software and Services; (c) securing Licensee’s systems and devices that DI uses to provide the Software and Services; and (d) backing up Personal Data.

    4.3.2 Licensee’s Security Assessment. Licensee is solely responsible for evaluating for itself whether the Software and Services, the Security Measures and DI’s commitments under this Data Protection Addendum will meet Licensee’s needs, including with respect to any security obligations of Licensee under Applicable Data Protection Laws or other laws. Licensee acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by DI provide a level of security appropriate to the risk in respect of the Personal Data.

    5. Data Subject Rights

    5.1 Licensee’s Responsibility for Requests. If DI receives any request from a data subject in relation to the data subject’s Personal Data, DI will advise the data subject to submit the request to Licensee and Licensee will be responsible for responding to any such request.

    5.2 DI’s Data Subject Request Assistance. DI will (taking into account the nature of the processing of Personal Data) provide Licensee with self-service functionality through the Software or other reasonable assistance as necessary for Licensee to perform its obligation under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws, including if applicable, Licensee’s obligation to respond to requests for exercising the data subject’s rights set out in Chapter III of the GDPR or Articles 27 through 30 of the APPI. Licensee shall reimburse DI for any such assistance, beyond providing self-service features included as part of the Software, at DI’s then-current professional services rates, which shall be made available to Licensee upon request.

    6. Licensee Responsibilities

    Licensee represents and warrants to DI that (a) Licensee has established or ensured that another party has established a legal basis for DI’s processing of Personal Data contemplated by this Data Protection Addendum; (b) all notices have been given to, and consents and rights have been obtained from, the relevant data subjects and any other party as may be required by Applicable Data Protection Laws and any other laws for such processing; and (c) Personal Data does not and will not contain any protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), any biometric information, or any payment card information subject to the Payment Card Industry Data Security Standard.

    7. Analytics

    Licensee acknowledges and agrees that DI may create and derive from processing under this Agreement anonymized and/or aggregated data that does not identify Licensee or any natural person, and use, publicize or share with third parties such data to improve DI’s products and services and for its other lawful business purposes, including those set forth in this Agreement.

    8. Notices

    Notwithstanding anything to the contrary in this Agreement, any notices required or permitted to be given by DI to Licensee may be given (a) in accordance with any notice clause of this Agreement; (b) to DI’s primary points of contact with Licensee; or (c) to any email provided by Licensee for the purpose of providing it with Software or Service related communications or alerts. Licensee is solely responsible for ensuring that such email addresses are valid.

    9. Effect of These Terms

    Except as expressly modified by this Data Protection Addendum, the terms of End User Software License Agreement remain in full force and effect. To the extent of any conflict or inconsistency between this Data Protection Addendum and any terms of the End User Software License Agreement, this Data Protection Addendum will govern. Any liabilities arising in respect of this Data Protection Addendum are subject to the limitations of liability under this Agreement.


    Annex 1

    EU Annex

    1. Processing of Data

    1.1 Subject Matter and Details of Processing. The parties acknowledge and agree that (a) the subject matter of the processing under this Agreement is DI’s provision of the Software and Services; (b) the duration of the processing is from DI’s receipt of Personal Data until deletion of all Personal Data by DI in accordance with this Agreement; (c) the nature and purpose of the processing is to provide the Software and Services; (d) the data subjects to whom the processing pertains are Licensee’s employees and other personnel; and (e) the categories of Personal Data are contact details, workplace communications and other information processed by workplace information systems about such data subjects.

    1.2 Roles and Regulatory Compliance; Authorization. The parties acknowledge and agree that (a) DI is a processor of that Personal Data under European Data Protection Laws; (b) Licensee is a controller of that Personal Data under European Data Protection Laws; and (c) each party will comply with the obligations applicable to it in such role under the European Data Protection Laws with respect to the processing of that Personal Data.

    1.3 DI’s Compliance with Instructions. DI will only process Personal Data in accordance with Licensee’s instructions described in Section 3 (Licensee Instructions) of this Data Protection Addendum unless European Data Protection Laws requires otherwise, in which case DI will notify Licensee (unless that law prohibits DI from doing so on important grounds of public interest).

    1.4 Data Deletion. Upon termination of Licensee’s access to the Software or Services, Licensee instructs DI to delete all Personal Data from DI’s systems as soon as reasonably practicable, unless European Data Protection Laws requires otherwise.

    2. Data Security

    2.1 DI Security Measures, Controls and Assistance

    2.1.1 DI Security Assistance. DI will (taking into account the nature of the processing of Personal Data and the information available to DI) provide Licensee with reasonable assistance necessary for Licensee to comply with its obligations in respect of Personal Data under European Data Protection Laws, including Articles 32 to 34 (inclusive) of the GDPR, by (a) implementing and maintaining the Security Measures; (b) complying with the terms of Section 4.2 (Information Security Incidents) of this Data Protection Addendum; and (c) complying with this Annex 1.

    2.1.2 Security Compliance by DI Staff. DI will grant access to Personal Data only to personnel who need such access for the scope of their job duties, and are subject to appropriate confidentiality arrangements.

    2.2 Reviews and Audits of Compliance

    2.2.1 Licensee may audit DI’s compliance with its obligations under this Data Protection Addendum up to once per year and on such other occasions as may be required by European Data Protection Laws, including where mandated by Licensee’s supervisory authority. DI will contribute to such audits by providing Licensee or Licensee’s supervisory authority with the information and assistance reasonably necessary to conduct the audit.

    2.2.2 If a third party is to conduct the audit, DI may object to the auditor if the auditor is, in DI’s reasonable opinion, not independent, a competitor of DI, or otherwise manifestly unsuitable. Such objection by DI will require Licensee to appoint another auditor or conduct the audit itself.

    2.2.3 To request an audit, Licensee must submit a detailed proposed audit plan to DI at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. DI will review the proposed audit plan and provide Licensee with any concerns or questions (for example, any request for information that could compromise DI security, privacy, employment or other relevant policies). DI will work cooperatively with Licensee to agree on a final audit plan. Nothing in this Section shall require DI to breach any duties of confidentiality.

    2.2.4 If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO or similar audit report performed by a qualified third party auditor within twelve (12) months of Licensee’s audit request and DI has confirmed there are no known material changes in the controls audited, Licensee agrees to accept such report lieu of requesting an audit of such controls or measures.

    2.2.5 The audit must be conducted during regular business hours, subject to the agreed final audit plan and DI’s safety, security or other relevant policies, and may not unreasonably interfere with DI business activities.

    2.2.6 Licensee will promptly notify DI of any non-compliance discovered during the course of an audit and provide DI any audit reports generated in connection with any audit under this Section, unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Licensee may use the audit reports only for the purposes of meeting Licensee’s regulatory audit requirements and/or confirming compliance with the requirements of this Data Protection Addendum.

    2.2.7 Any audits are at Licensee’s expense. Licensee shall reimburse DI for any time expended by DI or its Third Party Subprocessors in connection with any audits or inspections under this Section at DI’s then-current professional services rates, which shall be made available to Licensee upon request. Licensee will be responsible for any fees charged by any auditor appointed by Licensee to execute any such audit. Nothing in this Data Protection Addendum shall be construed to require DI to furnish more information about its Third Party Subprocessors in a connection with such audits than such Third Party Subprocessors make generally available to their customers.

    3. Impact Assessments and Consultations

    DI will (taking into account the nature of the processing and the information available to DI) reasonably assist Licensee in complying with its obligations under Articles 35 and 36 of the GDPR, by (a) making available documentation describing relevant aspects of DI’s information security program and the security measures applied in connection therewith; and (b) providing the other information contained in this Agreement including this Data Protection Addendum.

    4. Data Transfers

    4.1 Data Processing Facilities. DI may, subject to Section 4.2 (Transfers out of the EEA) of this Annex 1, store and process Personal Data in the United States, Israel, or anywhere DI or its Subprocessors maintain facilities.

    4.2 Transfers out of the EEA. If Licensee transfers Personal Data out of the EEA to DI in a country not deemed by the European Commission to have adequate data protection, such transfer will be governed by the Standard Contractual Clauses, the terms of which are hereby incorporated into this Data Protection Addendum. In furtherance of the foregoing, the parties agree that:

    4.2.1 for purposes of the Standard Contractual Clauses, (a) Licensee will act as the data exporter and (b) DI will act as the data importer;

    4.2.2 for purposes of Appendix 1 to the Standard Contractual Clauses, the categories of data subjects, data, special categories of data (if appropriate), and the processing operations shall be as set out in Section 1.1 to this Annex 1 (Subject Matter and Details of Processing);

    4.2.3 for purposes of Appendix 2 to the Standard Contractual Clauses, the technical and organizational measures shall be the Security Measures;

    4.2.4 upon data exporter’s request under the Standard Contractual Clauses, data importer will provide the copies of the subprocessor agreements that must be sent by the data importer to the data exporter pursuant to Clause 5(j) of the Standard Contractual Clauses, and that data importer may remove or redact all commercial information or clauses unrelated the Standard Contractual Clauses or their equivalent beforehand;

    4.2.5 the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be performed in accordance with Section 2.2 of this Annex 1 (Reviews and Audits of Compliance);

    4.2.6 Licensee’s authorizations in Section 5 of this Annex 1 (Subprocessors) will constitute Licensee’s prior written consent to the subcontracting by DI of the processing of Personal Data if such consent is required under Clause 5(h) of the Standard Contractual Clauses;

    4.2.7 certification of deletion of Personal Data as described in Clause 12(1) of the Standard Contractual Clauses shall be provided only upon Licensee’s request; and

    4.3 notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply to the extent an alternative recognized compliance standard for the lawful transfer of Personal Data outside the EEA (e.g., US-E.U. Privacy Shield, binding corporate rules) applies to the transfer.

    5. Subprocessors

    5.1 Consent to Subprocessor Engagement. Licensee specifically authorizes the engagement of DI’s Affiliates as Subprocessors. In addition, Licensee generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”).

    5.2 Information about Subprocessors. The Information about Subprocessors, including their functions and locations, is available at https://www.deepinstinct.com/sub-contractors/ (as may be updated by DI from time to time in accordance with this Annex 1).

    5.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, DI will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this Data Protection Addendum with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. DI shall be liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.

    5.4 Opportunity to Object to Subprocessor Changes. When any new Third Party Subprocessor is engaged during the term of this Agreement, DI will notify Licensee of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the website listed in Section 5.2 (Information about Subprocessors). If Licensee objects to such engagement in a written notice to DI within 15 days of being informed thereof on reasonable grounds relating to the protection of Personal Data, Licensee and DI will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Licensee may, as its sole and exclusive remedy, terminate this Agreement and cancel the Service by providing written notice to DI.


    Annex 2

    California Annex

    1. DI shall not retain, use, or disclose any Personal Data that constitutes “personal information” under the CCPA (“CA Personal Information”) for any purpose other than for the specific purpose of providing the Software and Services, or as otherwise permitted by CCPA, including retaining, using, or disclosing the CA Personal Information for a commercial purpose (as defined in CCPA) other than providing the Services.

    2. DI shall not (a) sell any CA Personal Information; (b) retain, use or disclose any CA Personal Information for any purpose other than for the specific purpose of providing the Software and Services, including retaining, using, or disclosing the CA Personal Information for a commercial purpose (as defined in the CCPA) other than provision of the Software and Services; or (c) retain, use or disclose the CA Personal Information outside of the direct business relationship between DI and Licensee. DI hereby certifies that it understands its obligations under this Section and will comply with them.

    3. Provision of the Services encompasses the processing authorized by Licensee’s instructions described in Section 3 of this Data Protection Addendum (Licensee Instructions).

    4. Notwithstanding anything in this Agreement or any order form entered in connection therewith, the parties acknowledge and agree that DI’s access to CA Personal Information or any other Personal Data does not constitute part of the consideration exchanged by the parties in respect of this Agreement.


    Annex 3

    Japan Annex

    1. DI shall not retain, use, or process any Personal Data for any purpose other than for the specific purpose of providing the Software and Services

    2. DI shall retain, use and process the Personal Data in accordance with the Licensee’s instructions described in Section 3 of this Data Protection Addendum unless APPI requires otherwise, in which case DI will notify Licensee (unless that law prohibits DI from doing so on important grounds of public interest).

    3. When the Licensee instruct the DI to correct and/or update any Personal Data, DI shall correct and/or update the Personal Data in accordance with such instruction in a timely manner.

    4. DI shall perform or provide necessary and appropriate supervision and education to its employees, directors, officers, agents (collectively the "Information Handlers") who handle the Personal Data and shall cause the Information Handlers to assume data protection obligations not less protective than those in this Data Processing Addendum with respect to Personal Data.

    5. Licensee authorizes DI to outsource all or part of data processing to any Subprocessor that DI deems appropriate, provided that DI shall enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this Data Protection Addendum with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. DI shall monitor the handling of Personal Data by the Subprocessors and shall be liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessors.

    6. Except where authorized hereunder in Section 5 of this Annex 3 or otherwise permitted under the APPI, DI shall not provide the Personal Data to any third party.


    Annex 4

    Security Measures

    As from the effective date of this Agreement, DI will implement and maintain the Security Measures set out in this Annex 3.

    1. Organizational management and dedicated staff responsible for the development, implementation and maintenance of DI’s information security program.

    2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to DI’s organization, monitoring and maintaining compliance with DI’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

    3. Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e. the Internet) or when transmitted wirelessly.

    4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access when employment terminates or changes in job functions occur).

    5. Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that DI passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on DI’s computer systems; (iii) must be changed every ninety (90) days; must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.

    6. Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of DI facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.

    7. Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to DI’s technology and information assets.

    8. Incident / problem management procedures design to allow DI to investigate, respond to, mitigate and notify of events related to DI’s technology and information assets.

    9. Network security controls that provide for the use of enterprise firewalls, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

    10. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

    11. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

    DI may update or modify such Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.