COPLEY SOFTWARE, INC. DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Agreement between Copley Software, Inc. (“Copley”) and (“Customer”) (together, the “Parties”). This DPA sets forth Customer’s instructions for the processing of Personal Data in connection with the services provided under the Agreement (the “Services”) and the rights and obligations of both Parties. Except as expressly set forth in this DPA, the Agreement shall remain unmodified and in full force and effect. In the event of any conflicts between this DPA and the Agreement, this DPA will govern to the extent of the conflict.

  1. Definitions. For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms used but not defined in this DPA shall have the meanings given in the Agreement. All other terms in this DPA not otherwise defined in the Agreement shall have the corresponding meanings given to them in Privacy Laws.
    1. “Controller to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor) (“EU SCCs”); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner (“UK Addendum”), in each case as amended, updated or replaced from time to time.
    2. “EU/UK Privacy Laws” means, as applicable: (a) the General Data Protection Regulation 2016/679 (the “GDPR”); (b) the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data Protection Act 2018, the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the UK Data Protection Act 2018, the “UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; and (d) any relevant law, directive, order, rule, regulation or other binding instrument which implements any of the above, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
    3. “Personal Data” means any information Copley processes on behalf of Customer to provide the Services that is defined as “personal data” or “personal information” under any Privacy Law.
    4. “Privacy Laws” means, as applicable, EU/UK Privacy Laws, US Privacy Laws and any similar law of any other jurisdiction which relates to data protection, privacy or the use of Personal Data, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
    5. “Processor to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of personal data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time.
    6. “Third Country” means any country or territory outside of the scope of the data protection laws of the European Economic Area or the UK, as relevant, excluding countries or territories approved as providing adequate protection for Personal Data by the relevant competent authority from time to time.
    7. “US Privacy Laws” means, as applicable, the California Consumer Privacy Act and any similar law of any other state that regulates the processing of Personal Data.
  2. Amendments. The Parties agree to negotiate in good faith modifications to this DPA if changes are required for Copley to continue to process the Personal Data as contemplated by the Agreement or this DPA in compliance with Privacy Laws, or to address the legal interpretation of the Privacy Laws.
  3. Roles of the Parties. The Parties acknowledge that for purposes of Privacy Laws, Customer is the “controller,” “business,” or any similar term provided under Privacy Laws, and Copley is the “service provider,” “processor,” “contractor,” or any similar term provided under Privacy Laws. 
  4. Details of Processing. The Parties agree that the details of processing are as described in Annex 1.
  5. Customer Obligations. Customer shall comply with all Privacy Laws in providing Personal Data to Copley in connection with the Services. Customer represents and warrants that: (a) the Privacy Laws applicable to Customer do not prevent Copley from fulfilling the instructions received from Customer and performing Copley’s obligations under this DPA; (b) all Personal Data was collected and at all times processed and maintained by or on behalf of Customer in compliance with all Privacy Laws, including with respect to any obligations to provide notice to and/or obtain consent from individuals; and (c) Customer has a lawful basis for disclosing the Personal Data to Copley and enabling Copley to process the Personal Data as set out in this DPA. Customer shall notify Copley without undue delay if Customer makes a determination that the processing of Personal Data under the Agreement does not or will not comply with Privacy Laws, in which case, Copley shall not be required to continue processing such Personal Data. 
  6. Processing of Personal Data. In processing Personal Data under the Agreement, Copley shall:
    1. only process Personal Data on documented instructions from Customer, for the limited and specific purpose described in Annex 1, and at all times in compliance with Privacy Laws, unless required to process such Personal Data by applicable law to which Copley is subject; in such a case, Copley shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; 
    2. notify Customer (i) without undue delay if it makes a determination that it can no longer meet its obligations under applicable US Privacy Laws, and (ii) immediately if Copley, in its opinion, on the instruction of Customer, infringes applicable EU/UK Privacy Laws;
    3. to the extent required by US Privacy Laws, and upon reasonable written notice that Customer reasonably believes Copley is using Personal Data in violation of Privacy Laws or this DPA, grant Customer the right to take reasonable and appropriate steps to help ensure that Copley uses the Personal Data in a manner consistent with Customer’s obligations under Privacy Laws, and stop and remediate any unauthorized use of the Personal Data; and
    4. require that each employee or other person processing Personal Data is subject to an appropriate duty of confidentiality with respect to such Personal Data.
  7. Anonymized Data. Copley may aggregate and/or anonymize Personal Data such that it no longer constitutes Personal Data under Privacy Laws and process such data for its own purposes. To the extent Copley receives de-identified data (as such term is defined under applicable US Privacy Laws) from Customer, Copley shall: (i) take commercially reasonable measures to ensure that the data cannot be associated with an identified or identifiable individual; (ii) publicly commit to maintain and use the data only in a de-identified fashion; and (iii) not attempt to re-identify the data.
  8. Prohibitions. To the extent required by applicable US Privacy Laws, and except to the extent permitted by such US Privacy Laws, Copley is prohibited from: 
    1. selling the Personal Data or sharing the Personal Data for cross-context behavioral advertising purposes; 
    2. retaining, using, or disclosing the Personal Data outside of the direct business relationship between Copley and Customer and for any purpose other than for the specific purpose of performing the Services; and 
    3. combining the Personal Data received from, or on behalf of, Customer with any Personal Data that may be collected from Copley’s separate interactions with the individual(s) to whom the Personal Data relates or from any other sources, except to perform a business purpose or as otherwise permitted by Privacy Laws. 
  9. Use of Subcontractors. To the extent Copley engages any subcontractors to process Personal Data on its behalf:
    1. Customer hereby grants Copley general written authorization to engage the subcontractors set out on Copley’s website, currently at: https://copley.com/subprocessor-list/ (as such website address may be amended or replaced from time to time), subject to the requirements of this Section 9 (the “Subcontractor List”).
    2. If Copley appoints a new subcontractor or intends to make any changes concerning the addition or replacement of any subcontractor, Copley will post such change to the Subcontractor List, which shall have a mechanism allowing Customer to subscribe to notifications of new subcontractors (“Notification Mechanism”), and send email notification to Customers who have subscribed to the Notification Mechanism. If Customer does not subscribe to such notifications, Customer shall be deemed to have received notice of a new subcontractor when such changes are posted to the Subcontractor List. Within 14 days of Customer’s receipt of the Notification Mechanism or from Copley’s listing of a change on the Subcontractor List, Customer can object to the appointment or replacement on reasonable and documented grounds related to the confidentiality or security of Personal Data or the subcontractor’s compliance with Privacy Laws. If Customer does so object, Copley will engage in good faith means to resolve the matter.
    3. Copley shall engage subcontractors only pursuant to a written agreement that contains obligations on the subcontractor which are consistent in material respects with the obligations on Copley under this DPA.
    4. In the event Copley engages a subcontractor to carry out specific processing activities on behalf of Customer pursuant to EU/UK Privacy Laws, where that subcontractor fails to fulfil its obligations, Copley shall remain fully liable under applicable EU/UK Privacy Laws to Customer for the performance of that subcontractor’s obligations.
  10. Assistance. To the extent required by Privacy Laws, and taking into account the nature of the processing, Copley shall, in relation to the processing of Personal Data and to enable Customer to comply with its obligations which arise as a result thereof, provide reasonable assistance to Customer, through appropriate technical and organizational measures, in: 
    1. responding to requests from individuals pursuant to their rights under Privacy Laws, including by providing, deleting or correcting the relevant Personal Data, or by enabling Customer to do the same, insofar as this is possible; 
    2. implementing reasonable security procedures and practices appropriate to the nature of the Personal Data to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure; 
    3. notifying relevant competent authorities and/or affected individuals of Personal Data breaches;
    4. conducting data protection impact assessments and, if required, prior consultation with relevant competent authorities; and 
    5. entering into this DPA.
  11. Security Measures. Copley shall, taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purpose of the processing, implement appropriate technical and organizational measures designed to provide a level of security appropriate to the risk, as set out in Annex 2, or otherwise agreed and documented between Customer and Copley from time to time. To the extent required by Privacy Laws, Copley shall without undue delay notify Customer in writing of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, with further information about the breach provided in phases as more details become available.
  12. Access and Audits. Upon reasonable request of Customer, Copley shall make available to Customer such information in its possession as is reasonably necessary to demonstrate Copley’s compliance with its obligations under this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer and reasonably accepted by Copley. Customer shall be permitted to conduct such an assessment no more than once every 12 months, upon 30 days’ advance written notice to Copley, and only after the Parties come to agreement on the scope of the audit and the auditor is bound by a duty of confidentiality. As an alternative to an audit performed by or at the direction of Customer, to the extent permitted by Privacy Laws, Copley may arrange for a qualified and independent auditor to conduct, at Copley’s expense, an assessment of Copley’s policies and technical and organizational measures in support of its obligations under Privacy Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessment, and will provide a report of such assessment to Customer upon reasonable request. Notwithstanding the foregoing, in no event shall Copley be required to give Customer access to information, facilities or systems to the extent doing so would cause Copley to be in violation of confidentiality obligations owed to other customers or its legal obligations.
  13. Deletion of Personal Data.  At Customer’s written direction, Copley shall delete or return all Personal Data to Customer as requested at the end of the provision of the Services, unless retention of the Personal Data is required by law. 
  14. Data Transfers
    1. To the extent Copley processes Personal Data subject to EU/UK Privacy Laws in a Third Country, and it is acting as data importer, Copley shall comply with the data importer’s obligations and Customer shall comply with the data exporter’s obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this DPA, and:
      1. for the purposes of Annex I or Part 1 (as relevant), Customer is a controller and Copley is a processor, and the parties, contact person’s details and processing details set out in the Agreement, this DPA and Annex 1 shall apply and the Start Date is the effective date of the Agreement;
      2. if applicable, for the purposes of Part 1 of the UK Addendum, the relevant Addendum EU SCCs (as such term is defined in the UK Addendum) are the EU SCCs as incorporated into this DPA by virtue of this Section 14;
      3. for the purposes of Annex II or Part 1 (as relevant), the technical and organizational security measures, and the technical and organizational measures taken by Copley to assist Customer, as each are set out in Annex 2, shall apply; and
      4. if applicable, for the purposes of: (i) Clause 9, Option 2 (“General written authorization”) is deemed to be selected and the notice period specified in Section 9 shall apply; (ii) Clause 11(a), the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clauses 17 and 18, Option 1 is deemed to be selected and the governing law and the competent courts shall be the Courts of the Republic of Ireland; (iv) Part 1, Copley as importer may terminate the UK Addendum pursuant to Section 19 of such UK Addendum.

Customer acknowledges and agrees that Copley may appoint an affiliate or third-party subcontractor to process the Personal Data in a Third Country, in which case, Copley shall execute the Processor to Processor Clauses with any relevant subcontractor (including affiliates) it appoints on behalf of Customer.

ANNEX 1

Details of Processing

Nature of the processing

Access, use, disclosure, storage and deletion of Personal Data by Copley in connection with its provision of the Services to Customer as set out in the Agreement.

Purpose(s) of the processing

Provision of the Services by Vendor to Customer as set out in the Agreement.

Categories of individuals whose Personal Data is processed

Customers, clients, and users of Customer, including any individuals that may see advertising or marketing material of Customer on platforms owned by subcontractors.

Categories of Personal Data processed

Full name, address, email address, phone number, and other contact details; date of birth, marketing segments, and other demographic information; browsing history, purchase history, clickstream data, and other marketing or advertising history information; device information, browser information, internet protocol (IP) address, and other usage data.

Types of Personal Data subject to the processing that are considered “sensitive” or “special category” under Privacy Laws

None

Frequency (e.g. one-off or continuous) and duration of the processing

Relevant Personal Data is processed on a continuous basis for the duration of the term of the Agreement and any post-termination retention period as set out in the Agreement.

The subject matter, nature and duration of processing carried out by any sub-processors authorized pursuant to Section 9 is as set out in this Annex 1

ANNEX 2

Security Measures 

  1. Organizational management and dedicated staff responsible for the development, implementation and maintenance of Copley’s information security program.
  2. Periodic review and assessment of risks to Copley’s organization, monitoring and maintaining compliance with Copley’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management as appropriate.
  3. Data security controls which include logical segregation of data, restricted (e.g., role-based) access and monitoring, and use of commercially available and industry standard encryption technologies for Customer Personal Data as appropriate.
  4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
  5. Password controls designed to manage and control password strength and password management requirements for assigned Copley credentials as appropriate.
  6. Change management procedures and tracking mechanisms designed to test, approve and monitor changes to Copley’s technology and information assets.
  7. Incident response procedures designed to allow Copley to investigate, respond to, mitigate and notify events related to Copley’s technology and information assets.
  8. Network security controls that provide for the use of enterprise firewalls and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack, as appropriate.
  9. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.