Data Processing Agreement (“DPA”)

1 Roles and Scope

1.1 This DPA only applies to the Processing of Personal Data by Azets on behalf of Customer pursuant to the Engagement Letter.

1.2 Customer and Azets agree that with respect to Personal Data, Customer is the Controller of such Personal Data and Azets is a Processor of such Personal Data, except when Customer acts as a Processor or Sub-Processor of such Personal Data, in which case Azets is a Sub-Processor of such Personal Data. Nothing in the preceding sentence alters the obligations of either Azets or Customer under this DPA, as Azets acts as a Processor with respect to Customer in all events. In any instance where the Customer is a Processor or Sub-Processor, Customer warrants to Azets that Customer’s instructions, including appointment of Azets as a Processor or sub-Processor, have been authorised by the relevant Controller.

1.3 This DPA does not limit or reduce any data protection commitments Azets makes to Customer in the Terms of Business.

1.4 Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data as well as the risks to individuals) the security practices and policies implemented and maintained by Azets provide a level of security appropriate to the risk with respect to its Personal Data.

2 Details of the processing

2.1 Data Subjects. The categories of Data Subjects whose Personal Data may be Processed in connection with the Services are determined and controlled by Customer in its sole discretion and may include but are not limited to: Customer’s representatives and end users, such as employees, contractors, collaborators, clients, prospects, and customers; and employees or contractors of Customer’s clients, prospects, and customers.

2.2 Categories of Personal Data. The categories of Personal Data to be Processed in connection with the Services are determined by Customer in its sole discretion and may include but are not limited to: first and last name, employer, role, professional title, and contact information (e.g., email, phone numbers, and physical address).

2.3 Special Categories of Personal Data. Special categories of Personal Data, if any, to be Processed in connection with the Services are determined by Customer in its sole discretion and may include, but are not limited to, information revealing racial or ethnic origin; political, religious, or philosophical beliefs; trade union membership; or health data.

2.4 Processing Operations. Azets shall Process Personal Data only as described and subject to the limitations herein:

2.4.1 to provide Customer the Services in accordance with the Documented Instructions (as defined below); and

2.4.2 for business operations incidental to providing the Services to Customer, which may include:

2.4.2.1 delivering functional capabilities as licensed, configured, and used by Customer and its Authorised Users, and

2.4.2.2 preventing, detecting, and repairing problems, including Security Incidents (as defined below), and providing technical support, professional planning, advice and guidance.

3 Obligations of AZETS

3.1 Processing by Azets shall be governed by the Engagement Letter and this DPA. In particular, Azets shall:

3.1.1 Process Personal Data only on Documented Instructions (as defined below) from Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable Data Protection Legislation; in such a case, Azets shall notify Customer of said legal requirement before Processing, unless said Data Protection Legislation prohibits such notification on important grounds of public interest;

3.1.2 inform Customer if, in its opinion, an instruction given by Customer with regard to Processing of Personal Data infringes any applicable Data Protection Legislation; in such a case, Azets may suspend the relevant Processing without penalty or liability until Customer gives Azets relevant written instructions that in Azets’ opinion do not infringe Data Protection Legislation;

3.1.3 ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

3.1.4 provide periodic and mandatory data privacy and security training and awareness to Azets Personnel with access to Personal Data in accordance with applicable Data Protection Legislation;

3.1.5 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including, any detailed in the Engagement Letter related to Personal Data and, inter alia, as appropriate:

3.1.5.1 the Pseudonymisation and encryption of Personal Data;

3.1.5.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing

3.2 Systems and services: Azets shall ensure:

3.2.1 the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

3.2.2 a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing;

3.2.3 in assessing the appropriate level of security for purposes of clause 1.4 above, take account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed;

3.2.4 take steps to ensure that any natural person acting under the authority of Azets who has access to Personal Data does not Process such Personal Data except on instructions from Customer, unless he or she is required to do so by applicable Data Protection Legislation; and

3.2.5 adhere to the conditions set forth in clauses 5 and 6 below for engaging or changing a Sub-Processor.

3.3 The Parties agree that this DPA and the Engagement Letter (including the provision of instructions made available by Azets for the provision of Cozone) constitute Customer’s documented instructions regarding Azets’ Processing of Personal Data (“Documented Instructions”). Azets shall Process Personal Data only in accordance with Documented Instructions, and for business operations incidental to providing the Services. Customer hereby grants all such rights and permissions in or relating to Personal Data to Azets and its Sub-Processors, as are necessary to perform the Services. Azets shall not retain, use, disclose or otherwise Process Personal Data other than for the purposes set out in this DPA and the Engagement Letter. Azets shall not derive information from Personal Data for any advertising or similar commercial purposes. In no event shall Azets sell Personal Data.

3.4 Additional instructions outside the scope of the Documented Instructions (if any) require a prior written Engagement Letter between Azets and Customer, including Engagement Letter on any additional fees payable by Customer to Azets for carrying out such instructions.

4 Security incident management

4.1 Notice. Azets shall notify Customer of any breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data while Processed by Azets (a “Security Incident”) without undue delay after becoming aware of the Security Incident and, in any event, within 48 hours of becoming aware of such Security Incident. Notification of a Security Incident shall be delivered to one or more of Customer’s administrators by any means Azets selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information. Customer is solely responsible for complying with its obligations under incident notification Laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident. Azets’ obligation to report or respond to a Security Incident is not an acknowledgement by Azets of any fault or liability with respect to the Security Incident. Similarly, Customer’s failure to comply with notification provisions hereunder or otherwise and any liabilities arising therefrom shall not be attributed to Azets.

4.2 In the event of a Security Incident, Azets shall (i) investigate the Security Incident; (ii) provide Customer with information about the Security Incident (including, where possible, the nature of the Security Incident, the contact from whom more information can be obtained, and the likely consequences of the Security Incident), which information may be provided in phases as it becomes available; and (iii) take reasonable steps to mitigate the effects of, and to help minimise any damage resulting from, the Security Incident. In the event that a Security Incident was not due to the fault of Azets, Azets shall cooperate with Customer with reasonable costs and expenses to be covered by Customer.

4.3 Azets shall make reasonable efforts to assist Customer in fulfilling Customer’s obligation under GDPR Article 33 or other applicable Data Protection Legislation to notify the relevant Supervisory Authority and Data Subjects about such Security Incident.

4.4 Customer shall notify Azets promptly about any possible misuse of its accounts or authentication credentials or any potential security incident related to Cozone.

5 Sub-processors

5.1 Azets may engage subcontractors and Sub-Processors to provide services on its behalf.

5.2 In addition to Azets’ Affiliates, Customer consents to Azets engaging the Sub-Processors listed at https://www.azets.co.uk/about-us/policies-legal/privacy-policy/processors/ or https://www.blickrothenberg.com/privacy-policy/privacy-policy-processors/ as applicable for the Processing of Personal Data in accordance with this DPA. The preceding authorisations shall constitute Customer’s prior written consent to the subcontracting by Azets of the Processing of Personal Data if such consent is required.

5.3 Where Azets engages a Sub-Processor for carrying out specific Processing activities on behalf of Customer, the same data protection obligations as set out in this DPA shall be imposed on such Sub-Processor by way of contract or other legal act to the extent required by applicable Data Protection Legislation, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing shall meet the requirements of applicable Data Protection Legislation. Where a Sub-Processor fails to fulfil such data protection obligations, Azets shall remain fully responsible and liable for the performance of such Sub-Processor’s obligations.

6 Changes to sub-processors

6.1 Unless otherwise agreed by the Parties, at least sixty (60) days before authorising any new Sub-Processor to access Personal Data, Azets shall provide notice of such change by posting to https://www.azets.co.uk/about-us/policies-legal/privacy-policy/processors/ or https://www.blickrothenberg.com/privacy-policy/privacy-policy-processors/ as applicable. Within thirty (30) days of such notice being posted, Customer may object to the appointment of an additional Sub-Processor on reasonable grounds, provided in writing to Azets, in which case Azets shall have the right to cure the objection through one of the following options (to be selected at Azets’ sole discretion):

6.2 Azets shall cancel its planned use of Sub-Processor or shall offer an alternative plan to provide the Services without using such Sub-Processor;

6.3 Azets shall take the corrective steps, if any, identified by Customer in its objection as sufficient to remove Customer’s objection, and proceed to use the Sub-Processor; or

6.4 Azets may cease to provide, or Customer may agree not to use (temporarily or permanently), the particular aspect of the Services that would involve the use of such Sub-Processor, subject to a mutual agreement of the Parties to adjust the remuneration for the Services considering the reduced scope of the Services.

6.5 If none of the above options are reasonably available or the objection otherwise has not been resolved to the mutual satisfaction of the Parties within thirty (30) days after Azets’ receipt of Customer’s objection pursuant to this DPA, either Party may terminate the Engagement Letter.

6.6 Emergency Replacement of a Sub-Processor. Azets may replace a Sub-Processor at any time if the need for the change is urgent and necessary, and the reason for the change is beyond Azets’ reasonable control. In such instance, Azets shall notify Customer of the replacement Sub-Processor as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Sub-Processor pursuant to clause 6.1 above. Customer shall not be entitled to any remuneration or accrue any rights of termination due to the emergency replacement.

7 Cooperation with requests from Data Subjects

7.1 Azets shall assist the Customer, in a manner consistent with the functionality or performance of the Services and Azets’ role as a Processor, in respect of any Data Subject requests to exercise one or more of their rights under applicable Data Protection Legislation. To the extent legally permitted, Customer shall be responsible for any costs arising from Azets’ provision of such assistance beyond the existing functionality or performance of the Services.

7.2 If Azets receives a request from one of Customer’s Data Subjects to exercise one or more of its rights under applicable Data Protection Legislation, Azets shall instruct the Data Subject to make its request directly to Customer. Customer shall be responsible for responding to any such request.

7.3 Supervisory Authorities. Azets shall notify Customer without undue delay if a Supervisory Authority makes any inquiry or request for disclosure regarding Personal Data provided by Customer to Azets.

8 Other cooperation

8.1 Taking into account the nature of Processing and the information available to Azets, Azets shall provide reasonable assistance to Customer in ensuring compliance with obligations:

8.1.1 to ensure an appropriate level of security;

8.1.2 in cases of a Security Incident, to provide appropriate notifications to Supervisory Authorities and Data Subjects, in accordance with applicable Data Protection Legislation;

8.1.3 where required under applicable Data Protection Legislation, to carry out assessments of the impact of envisaged Processing operations on the protection of Personal Data;

8.1.4 where required under applicable Data Protection Legislation, to consult with Supervisory Authorities with regard to matters related to such Processing; and

8.1.5 to demonstrate compliance with the obligations concerning Processing of Personal Data carried out on behalf of a Controller and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer pursuant to clause 10.1 below.

9 Retention and deletion of personal data

9.1 Personal Data. Subject to clause 9.2 below, Azets shall delete or return Personal Data in accordance with the mutual agreement of the Parties save to the extent that Azets is required by any applicable Law to retain some or all of the Personal Data. In such event, Azets shall extend the protections of the Engagement Letter and this DPA to such retained Personal Data and limit any further Processing of such Personal Data only to those limited purposes for which, and only for so long as, such retention is required by applicable Law.

9.2 Cozone. At all times during the applicable Term, Customer shall have the ability to access, extract, and delete Personal Data held in Cozone. Azets shall retain Personal Data stored in Cozone for ninety (90) days after expiration or termination of Customer’s Engagement Letter so that Customer may extract Personal Data. After said 90-day period ends, Azets shall disable Customer’s account and delete all Personal Data (within thirty (30) days) and, where required by Law, shall certify to Customer that it has done so, save to the extent that Azets is required by any applicable Law to retain some or all of such Personal Data. In such event, Azets shall extend the protections of the Engagement Letter and this DPA to such retained Personal Data and limit any further Processing of such Personal Data only to those limited purposes for which, and only for so long as, such retention is required by applicable Law. Nothing contained herein shall require Azets to alter, modify, delete, or destroy backups or other media created in the ordinary course of business for purposes of disaster recovery and business continuity, so long as such backups or other media are kept solely for such purposes and are overwritten, recycled, or otherwise remediated in the ordinary course of business and, in any event, not longer than ninety (90) days after creation. Azets has no liability for the deletion of any data, including Personal Data as described in this clause 9.2.

10 Security reports, Audits and Records

10.1 To the extent Customer’s audit requirements under the Standard Contractual Clauses or Data Protection Legislation cannot reasonably be satisfied through (i) audit reports provided by Azets, (ii) documentation, or (iii) other compliance information that Azets makes generally available to its customers, Azets shall, not more than one time per calendar year, promptly respond to Customer’s audit requests. Before the commencement of an audit, Customer and Azets shall mutually agree upon the scope, timing, duration, control and evidence requirements, and fees for the audit, provided that this requirement to agree shall not permit Azets to unreasonably delay performance of the audit. To the extent needed to perform the audit, Azets shall make the processing systems, facilities and supporting documentation relevant to the Processing of Personal Data by Azets, its Affiliates, and its Sub-Processors (where possible) available. Such an audit shall be conducted by an independent, accredited third-party audit firm, during regular business hours, with reasonable advance notice to Azets (not less than twenty days), and subject to reasonable confidentiality and security procedures. Neither Customer nor the auditor shall have access to any data from Azets’ other customers or to Azets systems or facilities not involved in the Services. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Azets expends for any such audit, in addition to the rates for services performed by Azets. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall share such audit report with Azets and Azets shall promptly cure any material non-compliance.

10.2 If the Standard Contractual Clauses apply, then this clause is in addition to Clause 5 paragraph f and Clause 12 paragraph 2 of the Standard Contractual Clauses. Nothing in this clause varies or modifies the Standard Contractual Clauses or affects any Supervisory Authority’s or Data Subject’s rights under the Standard Contractual Clauses or Data Protection Legislation.

10.3 Records of Processing Activities. Azets shall maintain, to the extent and in the manner required by applicable Data Protection Legislation, a record of all categories of Processing activities carried out on behalf of Customer and, to the extent applicable to the Processing of Personal Data on behalf of Customer, make such record available to Customer upon request.

11 Obligations of Customer

11.1 Customer acknowledges that:

11.1.1 Customer shall comply with all applicable Data Protection Legislation (including its obligations thereunder);

11.1.2 Customer is responsible for determining whether Cozone is appropriate for storage and Processing of Personal Data;

11.1.3 Customer has the right to transfer, or provide access to, Personal Data to Azets and its Sub-Processors for Processing in accordance with the terms of the Engagement Letter and this DPA;

11.1.4 Customer is solely responsible for fulfilling any third-party notification obligations related to a Security Incident; and

11.1.5 Customer specifically acknowledges that its use of the Services shall not violate the rights of any Data Subject, including, without limitation, those that have opted-out from sales or other disclosures of Personal Data, to the extent applicable under Data Protection Legislation.

11.2 Personal Data Sharing.

11.2.1 The use of Cozone may enable Authorised Users to share Personal Data or invite third party users to use and access Cozone. Such third-party users may access, view, download, and share Personal Data. Customer understands and agrees that:

11.2.1.1 it is solely Customer’s and its Authorised Users’ choice to share Personal Data;

11.2.1.2 Azets cannot control third parties with whom Customer or Authorised Users have shared Personal Data; and

11.2.1.3 Customer and/or its Authorised Users are solely responsible for their sharing of any Personal Data through Cozone.

12 Modification, Supplementation ,and Term

12.1 Azets may modify or supplement this DPA, with notice to Customer:

12.1.1 if required to do so by a Supervisory Authority or other government or regulatory entity;

12.1.2 if necessary to comply with applicable Data Protection Legislation;

12.1.3 to implement Standard Contractual Clauses, or

12.1.4 to adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Articles 40, 42 and 43 of the GDPR or analogous provisions of other applicable Data Protection Legislation. In the event that such required modification or supplement results in Customer becoming non-compliant with Law that is applicable to Customer, Customer may terminate the Engagement Letter, and Customer shall be entitled to a pro-rata refund for prepaid Fees for Services not performed as of the date of termination.

12.2 This DPA is effective upon Customer’s use of the Services for which Azets is a Processor or Sub-Processor.

12.3 This DPA shall remain in force as long as Azets Processes Personal Data on behalf of Customer.

13 Transfer of personal data and location

13.1 Customer acknowledges that Azets and its Sub-Processors may Process Personal Data in countries that are outside of the European Economic Area (“EEA”) and the United Kingdom, including, but not limited to, the United States, India and/or Sri Lanka. This shall apply even where Customer has agreed with Azets to host Personal Data in the EEA or the United Kingdom, if such Processing is necessary to provide services requested by Customer.

13.2 Azets shall abide by the requirements of the Data Protection Legislation regarding the collection, use, transfer, retention, and other Processing of Personal Data from the EEA and the United Kingdom. All transfers of Personal Data to a third country or an international organisation (including any relevant Sub-Processor) that does not ensure an adequate level of protection shall be subject to appropriate safeguards as described in Article 46 of the GDPR and UK GDPR, and such transfers and safeguards shall be documented according to Article 30(2) of the GDPR or UK GDPR (as applicable).

13.3 All transfers of Personal Data out of the EEA and the United Kingdom shall be governed by the Standard Contractual Clauses, except for transfers (a) to and from any country which has a valid adequacy decision from the European Commission or the UK Government (as applicable), or (b) to and from any organisation which ensures an adequate level of protection in accordance with the applicable Data Protection Legislation. Subject to the foregoing and where indicated as applicable in Schedule 1 of this DPA, or this DPA, by Customer includes execution of the Standard Contractual Clauses. In the event any Standard Contractual Clauses include a transition period for implementation, Azets shall ensure the updated Standard Contractual Clauses shall be implemented prior to the expiration of such transition period (including in respect of transfers to any Sub-Processors which rely on the Standard Contractual Clauses).

13.4 Location of Personal Data

13.4.1 All Personal Data processed by Azets shall be stored in the UK or EEA, Customer acknowledges that Azets may employ Sub-Processors based in other regions, including but not limited to, the United States, India and/or Sri Lanka and, thus, Personnel of Sub-Processors in such locations may have access to Personal Data. Notwithstanding the foregoing, Azets does not control or limit the region or regions from, in, or to which Customer or Authorised Users may access, move, store or otherwise Process Personal Data.

13.5 Miscellaneous.

13.5.1 Azets and its Affiliates have appointed a data protection officer, EU representative, and UK representative. These are documented in the Privacy Policy at https://www.azets.co.uk/about-us/policies-legal/privacy-policy/ or https://www.blickrothenberg.com/privacy-policy/ as applicable.

13.5.2 If there is a conflict or inconsistency between the Engagement Letter and this DPA, the terms of this DPA shall prevail. If there is a conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

13.5.3 To the fullest extent permitted by Law, any claims brought under this DPA and/or the Standard Contractual Clauses shall be subject to the Terms of Business, including but not limited to, any applicable exclusions and limitations set forth therein. For the sake of clarity, Azets’ aggregate liability arising out of this DPA and/or the Standard Contractual Clauses shall in no event exceed the limitations set forth in the Terms of Business.

SCHEDULE 1 TO DATA PROCESSING AGREEMENT

ANNEX 1 TO THE STANDARD CONTRACTUAL CLAUSES

ANNEX 2 TO THE STANDARD CONTRACTURAL CLAUSES

Effective 23 January 2023