Data Processing Addendum (DPA)

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of the Agreement between the party identified in the Agreement (“Subscriber”) and ProcessMate, and applies to the extent that (i) ProcessMate processes Personal Data on behalf of Subscriber in the course of providing Services and (ii) the Agreement expressly incorporates this DPA by reference. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.

1. DEFINITIONS.

1.1 “Agreement” means the written or electronic agreement between Subscriber and ProcessMate for the provision of the Services to Subscriber.

1.2 “Controller” means an entity that determines the purposes and means of the processing of Personal Data.

1.3 “Data Protection Law” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.

1.4 “EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data (“Directive”); and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”).

1.5 “EU Model Clauses” means the standard contractual clauses for Processors as approved by the European Commission pursuant to Decision C (2010)593, which may be amended or replaced later.

1.6 “Personal Data” means any information relating to an identified or identifiable natural person as contained within Subscriber data as defined in the Agreement.

1.7 “Personal Data Breach” means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

1.8 “Processor” means an entity that processes Personal Data on behalf of a Controller.

1.9 “Services” means any cloud service offering or Subscriber support services provided by ProcessMate to Subscriber pursuant to the Agreement.

1.10 “Sub-processor” means any Processor engaged by ProcessMate processes Personal Data pursuant to the Agreement. Sub-processors may include third parties.

2. PROCESSING.

2.1 Role of the Parties. ProcessMate will process Personal Data under the Agreement only as a Processor acting on behalf of the Subscriber. Subscriber may act either as a Controller or as a Processor with respect to Personal Data.

2.2 Subscriber Processing of Personal Data. Subscriber will, in its use of the Services, comply with its obligations under Data Protection Law in respect of its processing of Personal Data and any processing instructions it issues to ProcessMate. Subscriber represents that it has all rights and authorizations necessary for ProcessMate to process Personal Data pursuant to the Agreement.

2.3 ProcessMate Processing of Personal Data. ProcessMate will comply with its processor obligations under Data Protection Law and will process Personal Data in accordance with Subscriber’s instructions. Subscriber agrees that the Agreement is its complete and final instructions to ProcessMate in relation to the processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between ProcessMate and Subscriber by way of written amendment to the Agreement. Upon notice in writing, Subscriber may terminate the Agreement if ProcessMate declines to follow Subscriber’s reasonable instructions that are outside the scope of, or changed from, those given or agreed to in the Agreement, to the extent such instructions are necessary to enable Subscriber to comply with Data Protection Laws.

2.4 Processing of Personal Data Details.

2.4.1 Subject matter. The subject matter of the processing under the Agreement is the Personal Data.

2.4.2 Duration. The processing of data starts on the effective day of the Agreement and continues until the termination of the Agreement.

2.4.3 Purpose. The purpose of the processing under the Agreement is the provision of the Services by ProcessMate to Subscriber as specified in the Agreement.

2.4.4 Nature of the processing. ProcessMate and/or its Sub-processors are providing Services to Subscriber as described in the Agreement. These Services may include the processing of Personal Data by ProcessMate and/or its Sub-processors on systems which may contain Personal Data.

2.4.5 Categories of data subjects. The data subjects of Subscriber may include Subscriber’s end users, employees, contractors, suppliers, and other third parties.

2.4.6 Categories of data. Personal Data that is submitted to the Services by the Subscriber.

3. SUBPROCESSING.

3.1 Use of Sub-Processors. ProcessMate engages Sub-processors to provide certain services on its behalf. The current list of Sub-processors and their respective DPA’s is available in Exhibit A of this Addendum. Subscriber consents to ProcessMate engaging Sub-processors to process Personal Data under the Agreement. ProcessMate will be responsible for any acts, errors, or omissions of its Sub-processors that cause ProcessMate to breach any of ProcessMate obligations under this DPA.

3.2 Obligations. ProcessMate will enter into an agreement with each Sub-processor that obligates the Sub-processor to protect the Personal Data in a manner substantially similar to the standards set forth in the Agreement (to the extent applicable to the services provided by the Sub-processor).

4. SECURITY MEASURES.

4.1 Security Measures by ProcessMate. ProcessMate will implement and maintain appropriate technical and organizational security measures to protect against Personal Data Breaches and to preserve the security and confidentiality of Personal Data processed by ProcessMate on behalf of Subscriber in the provision of the Services (“Security Measures”). The Security Measures are subject to technical progress and development. ProcessMate may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Subscriber.

4.2 Security Measures by Subscriber. Subscriber is responsible for using and configuring the Services in a manner which enables Subscriber to comply with Data Protection Laws, including implementing appropriate technical and organizational measures.

4.3 Personnel. ProcessMate restricts its personnel from processing Personal Data without authorization (unless required to do so by applicable law) and will ensure that any person authorized by ProcessMate to process Personal Data is subject to an obligation of confidentiality.

4.4 Prohibited Data. Subscriber acknowledges and agrees that the Agreement may prohibit the submission of certain types of Personal Data (such as an individual’s financial or health information) to the Services, which would breach any applicable data protection laws.

5. PERSONAL DATA BREACH RESPONSE.

Upon becoming aware of a Personal Data Breach, ProcessMate will notify Subscriber without undue delay and will provide information relating to the Personal Data Breach as reasonably requested by Subscriber. ProcessMate will use reasonable endeavors to assist Subscriber in mitigating, where possible, the adverse effects of any Personal Data Breach.

6. AUDIT REPORTS.

ProcessMate audits its compliance against data protection and information security standards on a regular basis. Such audits are conducted by ProcessMate internal audit team or by third party auditors engaged by ProcessMate. The specific audits, and the data protection and information security certifications ProcessMate has achieved, will necessarily vary depending upon the nature of the Services in question. Upon Subscriber’s written request, and subject to obligations of confidentiality, ProcessMate will make available to Subscriber a summary of its most recent relevant audit report and/or other documentation reasonably required by Subscriber which ProcessMate makes generally available to its customers, so that Subscriber can verify ProcessMate’s compliance with this DPA.

7. DATA TRANSFERS AND EXPORTS.

7.1 Data Transfers. ProcessMate may transfer and process Personal Data to and in other locations around the world where ProcessMate or its Sub-processors maintain data processing operations as necessary to provide the Services as set forth in the Agreement.

7.2 Data Transfers from the EEA and Switzerland. Where Personal Data is transferred from the European Economic Area and/or Switzerland to a company located in a country not recognized by the European Commission or the Swiss Federal Data Protection Authority as providing an adequate level of protection for Personal Data, Subscriber appoints ProcessMate to enter into the EU Model Clauses on Subscriber’s behalf with such company based outside of the EEA and Switzerland and involved in the processing of Personal Data. ProcessMate will provide a copy of those EU Model Clauses to Subscriber upon Subscriber’s written request.

8. DELETION OF DATA.

Following expiration or termination of the Agreement, ProcessMate will delete or return to Subscriber all Personal Data in ProcessMate’s possession as provided in the Agreement except to the extent ProcessMate is required by applicable law to retain some or all of the Personal Data (in which case ProcessMate will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to such Personal Data.

9. COOPERATION.

9.1 Data Protection Requests. If ProcessMate receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under EU Data Protection Law, ProcessMate will promptly redirect the request to the Subscriber. ProcessMate will not respond to such communication directly without Subscriber’s prior authorization, unless legally compelled to do so. If ProcessMate is required to respond to such a request, ProcessMate will promptly notify Subscriber and provide Subscriber with a copy of the request, unless legally prohibited from doing so.

9.2 Subscriber Requests. ProcessMate will reasonably cooperate with Subscriber, at Subscriber’s expense, to permit Subscriber to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement in case when Subscriber is unable to access the relevant Personal Data in their use of the Services.

9.3 DPIAs and Prior Consultations. To the extent required by EU Data Protection Law, ProcessMate will, upon reasonable notice and at Subscriber’s expense, provide reasonably requested information regarding the Services to enable Subscriber to carry out data protection impact assessments (“DPIAs”) and/or prior consultations with data protection authorities.

9.4 Legal Disclosure Requests. If ProcessMate receives a legally binding request for the disclosure of Personal Data which is subject to this DPA, such request will be dealt with in accordance with the DPA.

10. GENERAL.

10.1 Relationship with Agreement. Any claims brought under this DPA will be subject to the terms and conditions of the Agreement, including the exclusions and limitations set forth in the Agreement, provided however that in no event will any party be deemed to have limited its liability under the Agreement with respect to any individual’s data protection rights under this DPA or pursuant to applicable law.

10.2 Conflicts. In the event of any conflict between this DPA and any privacy-related provisions in the Agreement, the terms of this DPA will prevail.

10.3 Modification and Supplementation. ProcessMate may modify the terms of this DPA in circumstances such as (i) if required to do so by a supervisory authority or other government or regulatory entity, (ii) if necessary to comply with Data Protection Law, or (iii) to implement or adhere to standard contractual clauses, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms, which may be permitted under Data Protection Law. Supplemental terms may be added as an Annex or Appendix to this DPA where such terms only apply to the processing of Personal Data under the Data Protection Law of specific countries or jurisdictions. ProcessMate will provide notice of such changes to Subscriber, and the modified DPA will become effective, in accordance with the terms of the Agreement or as otherwise provided on ProcessMate’s website if not specified in the Agreement.

Exhibit A