Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and any applicable national data protection laws implementing the GDPR, by and between the controller identified on the signature page ("Controller") and the processor identified on the signature page ("Processor"), collectively the "Parties." This DPA forms part of, and is incorporated by reference into, the underlying services agreement between the Parties (the "Services Agreement"). In the event of any conflict between this DPA and the Services Agreement, the terms of this DPA shall prevail with respect to data protection matters.

The following definitions apply throughout this DPA: "Personal Data" has the meaning given in Article 4(1) GDPR; "Data Subject" means the identified or identifiable natural person to whom Personal Data relates; "Processing" has the meaning given in Article 4(2) GDPR; "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data; "Supervisory Authority" means the competent data protection authority in the Controller's Member State of establishment; and "Standard Contractual Clauses" means the clauses approved by the European Commission for the transfer of Personal Data to third countries, as may be updated from time to time.

The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing, as set forth in Annex II to this DPA, including as appropriate: (a) pseudonymization and encryption of Personal Data; (b) the ability to ensure ongoing confidentiality, integrity, availability, and resilience of Processing systems and services; (c) the ability to restore availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational security measures.

The Processor shall ensure that any natural person acting under the Processor's authority who has access to Personal Data Processes it only on instructions from the Controller, and shall ensure that persons authorized to Process Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality. The Processor shall not engage any sub-processor without the prior specific or general written authorization of the Controller. A list of approved sub-processors is set forth in Annex III. The Processor shall notify the Controller of any intended changes to sub-processors with sufficient advance notice to allow the Controller to object prior to the change taking effect.

The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including the rights of access, rectification, erasure, restriction, data portability, and objection. Upon receipt of a Data Subject request addressed to the Processor, the Processor shall promptly forward such request to the Controller and shall not respond to the Data Subject directly except on documented instructions from the Controller.

In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay and, where feasible, no later than forty-eight (48) hours after becoming aware of the breach. Such notification shall include: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the name and contact details of the data protection officer or other contact point; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach. The Processor shall document all Personal Data Breaches, including those not reported to the Supervisory Authority.

The Processor shall not transfer Personal Data to a country or international organization outside the European Economic Area (EEA) unless: (a) the European Commission has issued an adequacy decision for the recipient country pursuant to Article 45 GDPR; (b) appropriate safeguards are in place pursuant to Article 46 GDPR, including Standard Contractual Clauses; (c) the transfer falls within a derogation under Article 49 GDPR; or (d) the Controller has provided specific prior written authorization for the transfer. Where Standard Contractual Clauses are used for international transfers, they are incorporated by reference and form part of this DPA.

The Processor shall inform the Controller of the countries in which it and any approved sub-processors intend to Process Personal Data. The Processor shall cooperate with the Controller in conducting transfer impact assessments where required under applicable law, including assessments of the laws and practices of the recipient country that may affect the level of protection afforded to Personal Data. Where a transfer impact assessment reveals that a transfer cannot be made with equivalent protection to that afforded in the EEA, the Processor shall implement any supplementary measures identified as necessary to bring the transfer into compliance with applicable law.