Data Processing Addendum

This Data Processing Addendum (“DPA”) provides a set of supplemental obligations that Cotano, Inc. (“Provider”) hereby assumes as part of the SaaS Agreement (the “SaaS Agreement” or the “Agreement”) with the “Customer” who has purchased and maintains an active subscription to use Cotano’s software as a service (SaaS) solutions.All capitalized terms not defined in this DPA shall have the meanings set forth in the SaaS Agreement. 
1. DefinitionsSaaS Agreement” means the agreement between Customer and Provider for the provision of the provided SaaS Services.Customer Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwiseCustomer Data” has the meaning set forth in the Agreement.Customer Personal Data” means any Customer Data that is Personal Data.Data Breach” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored or otherwise processed by Provider or a Sub-processor.Data Controller” means an entity that determines the purposes and means of the processing of Personal Data.Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, the GDPR.Data Subject” means the identified or identifiable person to whom Personal Data relates. EEA” means the European Economic Area.GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.Security Incident” means any unauthorized or unlawful breach of security in the SaaS Services that lead to the unauthorized disclosure of or access to Customer Personal Data.SaaS Services” means the services to be supplied or carried out by the Provider pursuant to the SaaS Agreement.Standard Contractual Clauses” means the contractual clauses set out in Annex 1.Sub-processor” means any Data Processor engaged by Provider to assist in fulfilling its obligations with respect to providing the SaaS Services pursuant to the SaaS Agreement or this DPA. Sub-processors may include third parties or affiliated companies.
2. Scope and Applicability of this DPA2.1 This DPA applies where and only to the extent that Provider processes Customer Personal Data on behalf of Customer as Data Processor in the course of providing the SaaS Services pursuant to the SaaS Agreement.
2.2 Notwithstanding expiry or termination of the SaaS Agreement, this DPA will remain in effect until, and will automatically expire upon, deletion of all Customer Personal Data by Provider as described in this DPA or termination of the SaaS Agreement.
3. Processing of Personal Data3.1 Role of the Parties. As between Provider and Customer, Customer is the Data Controller of Customer Data, and Provider is the Processor of Customer Data. Provider shall Process Customer Data only as a Data Processor acting on behalf of the Customer and at its direction.
3.2 Customer Processing of Personal Data. Customer agrees that (i) it will comply with its obligations under Data Protection Laws in respect of its processing of Personal Data, including any obligations specific to its role as a Data Controller and/or Data Processor (as applicable), and any processing instructions it issues to Provider; and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Data Protection Laws for Provider to process Personal Data and provide the SaaS Services pursuant to the SaaS Agreement and this DPA. If Customer is itself a Data Processor, Customer warrants to Provider that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment of Provider as another Data Processor, have been authorized by the relevant Data Controller to the extent required under applicable law.
3.3 Customer Instructions. Provider will process Customer Personal Data only for the purposes described in this DPA and only in accordance with Customer’s lawful instructions documented in this DPA, the SaaS Agreement, and via Customer’s use of the SaaS Services, and in order for Provider to fulfill its obligations to provide SaaS Services under the SaaS Agreement (“Customer Instructions”). The parties agree that this DPA and the SaaS Agreement set out the Customer’s complete and final instructions to Provider in relation to the processing of Customer Personal Data. Additional processing outside the scope of these Customer Instructions (if any) will require a prior written agreement between Customer and Provider.
3.4 Details of Data Processing.(a) Subject matter: The subject matter of the data processing under this DPA is Customer Personal Data.(b) Purpose: The purpose of the data processing under this DPA is the provision of the SaaS Services to the Customer and the performance of Provider’s obligations under the SaaS Agreement (including this DPA) or as otherwise agreed by the parties in mutually executed written form.(c) Duration: As between Provider and Customer, the duration of the data processing under this DPA is until the termination of the SaaS Agreement in accordance with its terms.(d) Nature of the processing: Provider provides the SaaS Services, which may process Customer Personal Data upon the instruction of the Customer in accordance with the terms of this DPA, the SaaS Agreement, and Customer Instructions.
3.5 Access or Use. Provider will not access or use Customer Personal Data, except as necessary to maintain or provide the SaaS Services and its obligations under the SaaS Agreement, this DPA, or as necessary to comply with the law or binding order of a governmental body.
4. Subprocessing4.1 Authorized Sub-processors. Customer agrees that Provider may engage Sub-processors to host Customer Data and to provide the SaaS Services, disaster recovery, and backup related services on its behalf. Provider will provide a list of the Sub-processors currently engaged by it on Customer’s written request.
4.2 Sub-processor Obligations. Provider will: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Personal Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Provider to breach any of its obligations under this DPA
5. Security5.1 Security Measures. Provider shall implement and maintain appropriate technical and organizational security measures to preserve the security, confidentiality, and availability of the Customer Personal Data processed by the Provider when providing the SaaS Services to Customer. 
5.2 Security Incident Response. Upon confirming a Security Incident, Provider shall: (i) notify Customer without undue delay, and in any event such notification shall, where feasible, occur no later than 72 hours from Provider confirming the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) Provider shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. Provider’s notification of or response to a Security Incident under this Section 5.2 (“Security Incident Response”) will not be construed as an acknowledgment by Provider of any fault or liability with respect to the Security Incident. 
6. Customer Responsibilities.6.1. Customer agrees that Provider has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Provider’s systems (for example, offline or on-premise storage on Customer’s computers) if any.
6.2. Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the SaaS Services, including securing its account authentication credentials, protecting the security of Customer Personal Data when in transit to and from the SaaS Services and taking any appropriate steps to securely encrypt or backup any Customer Personal Data uploaded to Provider’s SaaS in connection with the SaaS Services.
7. International Transfers.7.1. Provider hosts Customer Personal Data in the region selected by Provider (as specified in the SaaS Agreement, or the applicable Order Form), provided, however, that Customer’s Authorized Users may access and use the SaaS Services via the Internet from any international location where they connect to the Internet, and in connection with such usage the SaaS Services may transfer Customer Personal Data to the applicable Authorized Users at their respective locations.
7.2. In cases when Provider processes any Customer Personal Data protected by the GDPR under the SaaS Agreement in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the parties acknowledge that Provider shall be deemed to provide adequate protection (within the meaning of GDPR) by applying the terms of this DPA and the Standard Contractual Clauses. In all such cases, for the purposes of implementing the Standard Contractual Clauses: (i) Customer is the data exporter and Provider is the data importer; (ii) Customer directs Provider to process Personal Data in accordance with the SaaS Agreement, Provider’s policies and this DPA; (iii) Appendix 1 of this DPA shall serve as Appendix 1 of the Standard Contractual Clauses.
8. Deletion or Return of Customer Personal Data.8.1. Deletion by Customer. Provider will cooperate with the Customer to enable the deletion of Customer Personal Data in accordance with the procedures set forth in 9.1 below.
8.2. Deletion on Termination. Upon termination or expiration of the SaaS Agreement, Provider shall delete all Customer Personal Data remaining in its possession or control, save that this requirement shall not apply: (i) to the extent Provider is required by applicable law to retain some or all of the Customer Personal Data; (ii) if Provider is reasonably required to retain some or all of the Customer Personal Data for limited operational and compliance purposes; or (iii) to Customer Personal Data that has been archived on back-up systems. In all such cases, the Provider shall maintain the Customer Personal Data securely and protect from any further processing. Customer may request Provider to provide written certification in the form of the Cotano’s Data Destruction Form signed by the Provider, that it has fully complied with this section. The terms of this DPA shall survive for so long as Provider continues to retain any Customer Personal Data. 
8.3. Subject to section 8.2 of this DPA, Customer may in its absolute discretion by prior written notice to Provider require Provider to (a) return a complete copy of Customer Personal Data to Customer by secure file transfer in such format as mutually agreed by the parties; and (b) delete and procure the deletion of all other copies of Customer Personal Data processed by Provider.
9. Cooperation9.1. Provider shall (at Customer’s expense) provide commercially reasonable cooperation to assist Customer in its response to any requests from data protection authorities with authority relating to the processing of Personal Data under the SaaS Agreement and this DPA. In the event that any such request is made directly to Provider, Provider shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Provider is required to respond to such a request, the Provider shall promptly notify the Customer and provide it with a copy of the request unless legally prohibited from doing so.
9.2. Individual Rights and Requests. To the extent Customer does not have the ability to independently correct, amend, or delete Customer Personal Data, or block or restrict processing of Customer Personal Data, then at Customer’s written direction and to the extent required by Data Protection Laws, Provider shall comply with any commercially reasonable request by Customer to facilitate such actions. To the extent legally permitted, the Customer shall be responsible for any costs arising from Provider’s or its Sub-processors’ provision of such assistance. Provider shall, to the extent legally permitted, promptly notify Customer if it receives a request from an individual data subject for access to, correction, amendment or deletion of that person’s Personal Data, or a request to restrict processing. Provider shall provide Customer with commercially reasonable cooperation and assistance in relation to the handling of a data subject’s request, to the extent legally permitted and to the extent Customer does not have the ability to address the request independently. 
9.3. Assessments and Data Protection Impact Assessments. Provider shall provide written responses (on a confidential basis) to all commercially reasonable requests for information made by Customer regarding the processing of Customer Personal Data, including responses to information security reviews, that are reasonably necessary to confirm Provider’s compliance with this DPA. Customer shall not exercise this right more than once per year, including with respect to any support required to perform a data protection impact assessment.
10. GDPR. 10.1. Provider will process Customer Personal Data in accordance with the GDPR requirements directly applicable to Provider’s provision of its SaaS Services. 
11. Severance.11.1. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
12. Liability. 12.1. The liability of each party and each party’s Affiliates under this DPA shall be subject to the exclusions and limitations of liability set out in the SaaS Agreement.
13. Applicable Law. 13.1. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the SaaS Agreement unless required otherwise by applicable Data Protection Laws.
14. Termination. 14.1. This DPA will continue for so long as Provider is hosting, storing and/or processing Customer Personal Data in connection with the SaaS Agreement.IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the SaaS Agreement on the effective date of the SaaS Agreement.