Verisian Data Processing Agreement

2.1. Scope and Roles. This DPA applies when Verisian processes Customer Personal Data in the course of providing the Verisian Services. In this context, Verisian is a “processor” to Customer, who may act as either a “controller” or “processor” with respect to Customer Personal Data.

2.2. Details of the Processing.

‍2.2.1. Subject Matter. The subject matter of the data processing under this DPA is Customer Personal Data.

2.2.2. Duration. The duration of the data processing under this DPA is until the expiration or termination of the Verisian Agreement in accordance with its terms.

2.2.3. Nature and Purpose. The purpose of the data processing under this DPA is the provision of the Verisian Services to Customer in accordance with the Verisian Agreement.

2.2.4. Types of Customer Personal Data. The types of Customer Personal Data processed under this DPA include any Customer Personal Data uploaded to the Verisian Services by Customer.

2.2.5. Categories of Data Subjects. The data subjects may include Customer’s customers, employees, suppliers, and end users, or any other individual whose personal data Customer uploads to the Verisian Services.

2.3. Compliance with Laws. Each party will comply with all applicable Data Protection Law, including the EU GDPR, in relation to the processing of Customer Personal Data.

2.4. Verisian's Processing. Verisian will process Customer Personal Data only for the purposes of: (i) provisioning the Verisian Services, (ii) processing initiated by Customer in its use of the Verisian Services, and (iii) processing in accordance with your Verisian Agreement, this DPA, and your other reasonable documented instructions that are consistent with the terms of your Verisian Agreement. Any other processing will require prior written agreement between the parties.

2.5. Customer Obligations. Customer acknowledges that it controls the nature and contents of the Customer Personal Data. Customer will ensure that it has obtained all necessary and appropriate consents from and provided notices to data subjects where required by Data Protection Law to enable the lawful transfer of any Customer Personal Data to Verisian for the duration and purposes of this DPA and the Verisian Agreement.

3.1. Confidentiality of Personnel. Verisian will ensure that any of our personnel and any subcontractors who have access to Customer Personal Data are under an appropriate obligation of confidentiality.

3.2. Security Measures. We will implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risks that are presented by the processing of Customer Personal Data.

3.3. Optional Security Controls. Verisian makes available a number of security controls, features, and functionalities that Customer may elect to use, as described in the Technical and Organizational Security Measures and our Documentation. Customer is responsible for implementing those measures to ensure a level of security appropriate to the Customer Personal Data.

3.4. Breach Notification. We will notify you without undue delay if we become aware of a personal data breach affecting Customer Personal Data.

Authorized Subprocessors. You acknowledge and agree that we may retain our affiliates and other third parties to further process Customer Personal Data on your behalf as Subprocessors in connection with the provision of the Verisian Services. You may contact us to receive a current list of our Subprocessors

4.2. Objections to Subprocessors. In the event you have a reasonable objection to any new Subprocessor, either (A) we will instruct such Subprocessor not to process Customer Personal Data on your behalf and, if possible, continue to provide the Verisian Services in accordance with the terms of the Verisian Agreement and any applicable Order Form, or (B) if we cannot provide the Verisian Services without the use of such Subprocessor, you may, as your sole and exclusive remedy, terminate this Agreement and any applicable Order Form and receive a refund of any prepaid fees for unused Subscriptions.

4.3 Subprocessor Obligations. Verisian will impose on each Subprocessor the same data protection obligations as are imposed on us under this DPA. We will be liable to you for the performance of the Subprocessors' obligations to the extent required by Data Protection Law.4.1.

5.1. To assist with your obligations to respond to requests from data subjects, the Verisian Services provide Customer with the ability to retrieve, correct, or delete Customer Personal Data. Customer may use these controls to assist it in connection with its obligations under Data Protection Law, including its obligations related to any request from a data subject to exercise their rights under Data Protection Law (each, a “Data Subject Request”).

5.2. If a data subject contacts Verisian with a Data Subject Request that identifies Customer, to the extent legally permitted, we will promptly notify Customer. Solely to the extent that Customer is unable to access Customer Personal Data itself, and Verisian is legally permitted to do so, we will provide commercially reasonable assistance to Customer in responding to the Data Subject Request. To the extent legally permitted, Customer will be responsible for any costs arising from Verisian’s provision of such assistance, including any fees associated with the provision of additional functionality.

6.1. If we receive a valid and binding legal order (“Request”) from any governmental body (“Requesting Party”) for disclosure of Customer Personal Data, we will use commercially reasonable efforts to redirect the Requesting Party to seek that Customer Personal Data directly from Customer.

6.2. If, despite our efforts, we are compelled to disclose Customer Personal Data to a Requesting Party, we will:

(a) if legally permitted, promptly notify Customer of the Request to allow Customer to seek a protective order or other appropriate remedy. If we are prohibited from notifying Customer, we will use commercially reasonable efforts to obtain a waiver of that prohibition;

(b) challenge any over-broad or inappropriate Request (including Requests that conflict with the law of the European Union); and

(c ) disclose only the minimum amount of Customer Personal Data necessary to satisfy the Request.

Taking into account the nature of the processing and the information available to us, at your request and cost, Verisian will provide reasonable assistance to ensure compliance with the obligations under applicable Data Protection Law with respect to implementing appropriate security measures, personal data breach notifications, impact assessments and consultations with supervisory authorities or regulators, in each case solely related to processing of Customer Personal Data by Verisian.

8.1. Upon Customer’s request, and subject to the confidentiality obligations set forth in your Verisian Agreement, Verisian will make available to Customer (or Customer’s independent, third-party auditor) information regarding Verisian’s compliance with the security obligations set forth in this DPA in the form of third-party certifications and audits.

8.2. If that information is not sufficient to demonstrate our compliance with the security obligations in the DPA, you may contact Verisian in accordance with the notice provision of your Verisian Agreement to request an on-site audit of Verisian's procedures relevant to the protection of Customer Personal Data, but only to the extent required under applicable Data Protection Law. Customer will reimburse Verisian for its reasonable costs associated with any such on-site audit. Before the commencement of any such on-site audit, Customer and Verisian will mutually agree upon the scope, timing, and duration of the audit.

8.3. Customer will promptly notify Verisian with information regarding any non-compliance discovered during the course of an audit, and Verisian will use commercially reasonable efforts to address any confirmed non-compliance.

9.1. Data Deployment Locations. Customer Personal Data will only be hosted in the region(s) that Customer chooses to deploy its database clusters in its configuration of the Verisian Services (the “Deployment Region”). Customer is solely responsible for any transfer of Customer Personal Data caused by Customer’s subsequent designation of other Deployment Regions. When required by Data Protection Law, such transfers by Customer will be governed by the transfer mechanisms described in Section 9.3 below.

9.2. Other Processing Locations. You may choose to use certain optional features of the Verisian Services that require transfers of Customer Personal Data outside of the EEA, Switzerland or the United Kingdom. When required by Data Protection Law, such transfers will be governed by the provisions of Section 9.3 below.

9.3. Transfer Mechanism. Verisian participates in and certifies compliance with the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework (together, the “DPF”). As required by the DPF, Verisian will (i) provide at least the same level of privacy protection to Customer Personal Data as is required by the DPF Principles, (ii) notify Customer if Verisian makes a determination it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles, and (iii) upon notice, take reasonable and appropriate steps to remediate unauthorized processing of Customer Personal Data. Where the transfer of Customer Personal Data is from the EEA, Switzerland or the United Kingdom to a territory which has not been recognized by the relevant authorities as providing an adequate level of protection for personal data according to Data Protection Law, Verisian agrees to process that Customer Personal Data in compliance with the provisions set out in Schedule 1 below, which forms an integral part of this DPA.

Customer may retrieve or delete all Customer Personal Data upon expiration or termination of the Verisian Agreement. Upon termination of your Verisian Agreement or upon your request, Verisian will delete any Customer Personal Data not deleted by Customer, unless we are legally required to store the Customer Personal Data.

1. For purposes of this Schedule 1, “Standard Contractual Clauses” means, as the circumstances may require, the applicable module(s) of the Standard Contractual Clauses approved by the European Commission in decision 2021/914, or any subsequent versions of the Standard Contractual Clauses which may be adopted by the European Commission from time to time. Upon the effective date of adoption for any revised Standard Contractual Clauses by the European Commission, all references in this DPA to the “Standard Contractual Clauses” shall refer to that latest version thereof.

‍2. Pursuant to Section 9.3 of the DPA, where the transfer of Customer Personal Data is from the EEA, Switzerland or the United Kingdom to a territory which has not been recognized by the relevant authorities as providing an adequate level of protection for personal data according to Data Protection Law, then the Standard Contractual Clauses shall apply in accordance with this Schedule 1.

3.1. When the Standard Contractual Clauses are the applicable transfer mechanism in accordance with Section 2 above, the parties agree that:

3.1.1 Clause 7 will not apply.

3.1.2 in Clause 9(a), Option 2 will apply, and the time period for prior notice of Subprocessor changes will be as set forth in Section 4.1 of the DPA.

3.1.3 in Clause 11(a), the optional language will not apply.

3.1.4 in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by the law of the Republic of Ireland.

3.1.5 in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland.

3.2. For purposes of Annex I, Part A of the Standard Contractual Clauses (List of Parties):

3.2.1 Data Exporter: Customer.

Contact Details: Customer’s account owner email address, or to the email address(es) for which Customer elects to receive legal communications.

Data Exporter Role: Data Exporter’s role is outlined in Section 2 of the DPA.

Signature & Date: By entering into the Verisian Agreement, Data Exporter is deemed to have signed the Standard Contractual Clauses, including their Annexes and configured according to Section 3 of this Schedule I to the DPA, as of the effective date of the Verisian Agreement.

3.2.2 Data Importer: Verisian Ltd
‍
Contact Details: Verisian's DPO at [email protected]
‍
Data Importer Role: Data Importer’s role is outlined in Section 2 of the DPA.

Signature & Date: By entering into the Verisian Agreement, Data Importer is deemed to have signed the Standard Contractual Clauses, including their Annexes and configured according to Section 3 of this Schedule 1 to the DPA, as of the effective date of the Verisian Agreement.

3.3. For purposes of Annex I, Part B of the Standard Contractual Clauses (Description of Transfer):
‍
3.3.1 The categories of data subjects are described in Section 2.2.5 of the DPA.

3.3.2 The forms of Customer Personal Data transferred are described in Section 2.2.4 of the DPA.

3.3.3 The frequency of the transfer is on a continuous basis for the duration of the Verisian Agreement.

3.3.4 The nature and purpose of the processing is described in Section 2.2.3 of the DPA.

3.3.5 The period of retention of Customer Personal Data in relation to the processing will end upon termination of the Verisian Agreement.

3.4. For purposes of Annex I, Part C of the Standard Contractual Clauses (Competent Supervisory Authority), the competent supervisory authority/ies shall be determined in accordance with EU GDPR and Clause 13 of the Standard Contractual Clauses.

3.5. Sections 3 and 4.3 of the DPA contain the information required under Annex II of the Standard Contractual Clauses (Technical and Organizational Measures).3.6. In addition to the above stipulations, each of the following forms part of the Standard Contractual Clauses and sets out the parties’ understanding of their respective obligations under the Standard Contractual Clauses:

3.6.1 Clause 8.9 of the Standard Contractual Clauses: Audit. Data Exporter acknowledges and agrees that it exercises its audit right(s) under Clause 8.9 by instructing Data Importer to comply with the audit measures described in Section 8 (Customer Audit Rights) of the DPA.

3.6.2 Clause 9(c ) of the Standard Contractual Clauses: Disclosure of Subprocessor agreements. The parties acknowledge that, pursuant to subprocessor confidentiality restrictions, Data Importer may be restricted from disclosing onward subprocessor agreements to Data Exporter. Even where Data Importer cannot disclose a subprocessor agreement to Data Exporter, the parties agree that, upon the request of Data Exporter, Data Importer shall (on a confidential basis) provide all information it reasonably can in connection with such subprocessing agreement to Data Exporter.

3.6.3 Clause 12 of the Standard Contractual Clauses: Liability. To the greatest extent permitted under Data Protection Law, any claims brought under the Standard Contractual Clauses will be subject to any aggregate limitations on liability set out in the Verisian Agreement.

4.1. With respect to transfers of Customer Personal Data protected by FADP, the Standard Contractual Clauses will apply in accordance with Sections 2 and 3 above, with the following modifications:
‍
4.1.1 any references in the Standard Contractual Clauses to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to FADP;4.1.2 references to "EU", "Union", "Member State" and "Member State law" shall be interpreted as references to Switzerland and Swiss law, as the case may be; and4.1.3 references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland.

5.1. With respect to transfers of Customer Personal Data protected by UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued under S119A(1) Data Protection Act 2018 (“UK Addendum”), shall apply and be incorporated by reference into this DPA, with Part 1: Tables completed in accordance with the applicable stipulations in Section 3 of this Schedule 1. Either data exporter or data importer may terminate the UK Addendum pursuant to Section 19 of the UK Addendum if, after a good faith effort by the parties to amend the DPA to account for the approved changes and any reasonable clarifications to the UK Addendum, the parties are unable to come to agreement. To the extent of any conflict between Section 3 of this Schedule 1 and any mandatory clauses of the UK Addendum, the UK Addendum shall govern to the extent UK GDPR applies to the transfer.