Altvia Data Processing Addendum
This Data Processing Addendum (“Addendum”) forms part of Altvia’s Standard Terms and Conditions, available at https://info.altvia.com/Terms-Conditions (“Agreement”) between Altvia Solutions, LLC (“Company”) acting on its own behalf and as agent for each Company Affiliate; and the Customer identified in the Software Order Form or Statement of Work (“Customer”) acting on its own behalf and as agent for each Customer Affiliate.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
Should you require an executed and signed version of this Addendum, please email us at infosec@altvia.com.
The parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. The following obligations shall only apply to the extent required by Data Protection Laws (as defined below) with regard to the relevant Customer Personal Data (as defined below), if applicable.
- Definitions.
1.1. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Customer or Company respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
1.2. “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” “Supervisory Authority,” “Personal Data Breach,” and “Special Categories of Personal Data” shall have the same meaning as in the Data Protection Laws;
1.3. “Customer Personal Data” means any Personal Data Processed by Company or any Company Affiliate on behalf of Customer or any Customer Affiliate pursuant to or in connection with the Agreement or any related SOW;
1.4. “Data Protection Laws” means all applicable laws relating to the privacy or security of Personal Data, including without limitation: (a) the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., and its implementing regulations (as amended from time to time, the “CCPA”); (b) European Data Protection Laws; and (c) UK Data Protection Laws;
1.5. “European Data Protection Laws” means all laws relating to data protection, the Processing of Personal Data, privacy or electronic communications in force from time to time in the European Economic Area or Switzerland, including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), and the Swiss Federal Act on Data Protection (“FADP”).
1.6. “Standard Contractual Clauses” means the European Commission’s decision (C(2021)3972) of 4 June 2021 on Standard Contractual Clauses (Module Two: Controller to Processor or Module Three: Processor to Processor, as applicable) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/678 (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), which are incorporated into this Addendum by reference. The parties agree that the details of Exhibit 1 shall be used to complete the Annexes of the Standard Contractual Clauses.
1.7. “Subprocessor” means any Processor (including any third party and any Company Affiliate) appointed by Company to Process Customer Personal Data on behalf of Customer or any Customer Affiliate.
1.8. “UK Data Protection Laws” means all laws relating to data protection, the Processing of Personal Data, privacy or electronic communications in force from time to time in the United Kingdom, including the United Kingdom General Data Protection Regulation, as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018.
- Data Processing Terms. While providing the Professional Services or Software to Customer and Customer Affiliates pursuant to the Agreement, Company and Company Affiliates may Process Customer Personal Data on behalf of Customer or any Customer Affiliate as per the terms of this Addendum. Company agrees to comply with the following provisions with respect to any Customer Personal Data submitted by or for Customer or any Customer Affiliate to the Professional Services or Software or otherwise collected and Processed by or for Customer or any Customer Affiliate by Company or any Company Affiliate. Company shall not (a) sell (as defined in the CCPA) any Customer Personal Data; (b) retain, use, or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Professional Services or Software and as otherwise permitted by the CCPA, including not retaining, using, or disclosing Customer Personal Data for a commercial purpose (as defined in the CCPA) other than provision of the Professional Services or Software; or (c) retain, use, or disclose the Customer Personal Data outside of the direct business relationship between Client and Customer. Company hereby certifies that it understands its obligations under this Section and will comply with them. Notwithstanding anything in the Agreement, the parties acknowledge and agree that Company’s access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
- Processing of Customer Personal Data. Company shall not Process Customer Personal Data other than on Customer's documented instructions unless Processing is required by Data Protection Laws to which Company is subject, in which case Company shall to the extent permitted by Data Protection Laws inform Customer of that legal requirement before Processing Customer Personal Data. For the avoidance of doubt, the Agreement and any related SOW entered into by Customer shall constitute documented instructions for the purposes of this Addendum. Customer shall be responsible for: (1) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer’s use and disclosure and Company’s Processing of Customer Personal Data; and (2) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to Company and to permit the processing of such Customer Personal Data by Company for the purposes of performing Company’s obligations under the Agreement or as may be required by Data Protection Laws. Customer shall notify Company of any changes in, or revocation of, the permission to use, disclose, or otherwise process Customer Personal Data that would impact Company’s ability to comply with the Agreement, or applicable Data Protection Laws.
- Confidentiality. Company shall take reasonable steps to ensure that individuals that Process Customer Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall in relation to Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- Subprocessing. Company may engage such Subprocessors as Company considers reasonably appropriate for the processing of Customer Personal Data in accordance with this Addendum, provided that: (1) Company shall require all Subprocessors to enter into an agreement with equivalent effect to the Processing terms contained in this Addendum; and (2) Company shall remain fully liable for all the acts and omissions of each Subprocessor. Company’s current list of Subprocessors is available at https://info.altvia.com/subprocessor-list/ (“Subprocessor List”), which Customer hereby approves and authorizes. Company shall notify Customer of the addition or replacement of Subprocessors through a mechanism, accessible within the Subprocessor List, by which Customer may subscribe to notifications of new Subprocessors (the “Subprocessor Notification Mechanism”). If Customer does not subscribe to receive notifications through the Subprocessor Notification Mechanism, Customer shall be deemed to have waived its right to receive notification of new Subprocessors and Customer shall be responsible for periodically checking the Subprocessor List to remain informed of Company’s current list of Subprocessors. Customer may, on reasonable grounds, object to a Subprocessor by notifying Company in writing within 10 days of Company updating the Subprocessor List, giving reasons for Customer's objection. Customer’s failure to object within such 10-day period shall be deemed Customer’s waiver of its right to object to Company’s use of such new Subprocessor added to the Subprocessor List. 
In the event Customer objects to a new Subprocessor, Company shall: (a) work with Customer in good faith to make available a commercially reasonable change in the provision of the Professional Services or Software which avoids the use of that proposed Subprocessor; and (b) where such change cannot be made within 10 days of Company's receipt of Customer's notice, Customer may by written notice to Company with immediate effect terminate the portion of the Agreement or relevant SOW to the extent that it relates to the Professional Services or Software which require the use of the proposed Subprocessor. This termination right is Customer's sole and exclusive remedy to Customer’s objection of any Subprocessor appointed by Company.
- Data Subject Rights. Company shall promptly notify Customer if it receives a request from a Data Subject under any Data Protection Laws in respect to Customer Personal Data. In the event that any Data Subject exercises any of its rights under the Data Protection Laws in relation to Customer Personal Data, Company shall use reasonable commercial efforts to assist Customer in fulfilling its obligations as Controller following written request from Customer, provided that Company may charge Customer on a time and materials basis in the event that Company considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
- Personal Data Breach. In the event of a Personal Data Breach, Company will notify Customer without undue delay after becoming aware of the Personal Data Breach. Such notification may be delivered to an email address provided by Customer or by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the appropriate notification contact details are current and valid. Company will take reasonable steps to provide Customer with information available to Company that Customer may reasonably require to comply with its obligations as Controller to notify impacted Data Subjects or Supervisory Authorities.
- Data Protection Impact Assessment and Prior Consultation. In the event that Customer considers that the Processing of Customer Personal Data requires a privacy impact assessment to be undertaken or requires assistance with any prior consultations to any Supervisory Authority of Customer, following written request from Customer, Company shall use reasonable commercial efforts to provide relevant information and assistance to Customer to fulfil such request, provided that Company may charge Customer on a time and materials basis in the event that Company considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
- Deletion or Return of Customer Personal Data. Unless otherwise required by applicable Data Protection Laws, following termination or expiration of the Agreement Company shall, at Customer's option, delete or return all Customer Personal Data and all copies to Customer.
- Relevant Records and Audit Rights. Company shall make available to Customer on request all information reasonably necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections by Customer or an auditor mandated by Customer, not being competitors of Company (“Mandated Auditor”) of any premises where the Processing of Customer Personal Data takes place in order to assess compliance with this Addendum. Company shall provide reasonable cooperation to Customer in respect of any such audit and shall at the request of Customer, provide Customer with relevant records of compliance with its obligations under this Addendum. Company shall promptly inform Customer if, in its opinion, a request infringes the Data Protection Laws or any other confidentiality obligations with Company’s other clients. Customer agrees that: (1) audits may only occur during normal business hours, and where possible only after reasonable notice to Company (not less than 20 days' advance written notice); (2) audits will be conducted in a manner that does not have any adverse impact on Company's normal business operations; (3) Mandated Auditor will comply with Company's standard safety, confidentiality, and security procedures in conducting any such audits; and (4) any records, data, or information accessed by Mandated Auditor in the performance of any such audit will be deemed to be the Confidential Information of Company. To the extent any such audit incurs in excess of 20 hours of Company personnel time, Company may charge Customer on a time and materials basis for any such excess hours.
- International Data Transfer. With respect to any transfers of Customer Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland to Altvia in any country or territory not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable Data Protection Laws), and such transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws, the parties agree to comply with the relevant terms of the Standard Contractual Clauses. In accordance with Clause 2 of the Standard Contractual Clauses, the parties wish to supplement the Standard Contractual Clauses with additional commercial clauses, which shall neither be interpreted nor applied in such a way as to contradict the Standard Contractual Clauses (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of data subjects. Company (as “data importer”) and Customer (as “data exporter”) therefore agree that the applicable terms of the Agreement and this Addendum shall apply if, and to the extent that, they are permitted under the Standard Contractual Clauses, including without limitation the following:
12.1. Instructions. The instructions described in Clause 8.1(a) of the Standard Contractual Clauses are as set forth in Section 3 of this Addendum.
12.2. Copies of Clauses. In the event a data subject requests a copy of the Standard Contractual Clauses or this Addendum in accordance with Clause 8.3 of the Standard Contractual Clauses, data exporter shall make all redactions reasonably necessary to protect business secrets or other confidential information of data importer.
12.3. Certification of Deletion. Certification of deletion of personal data under Clause 8.5 and Clause 16(d) of the Standard Contractual Clauses shall be provided upon the written request of data exporter.
12.4. Onward Transfer Implementation. Data importer shall be deemed in compliance with Clause 8.8 of the Standard Contractual Clauses to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
12.5. Audits and Certifications. Any information requests or audits provided for in Clause 8.9 of the Standard Contractual Clauses shall be fulfilled in accordance with Section 11 of this Addendum.
12.6. Engagement of New Subprocessors. Pursuant to Clause 9(a) Option 2 of the Standard Contractual Clauses, data exporter agrees that data importer may engage new subprocessors as described in Section 6 of this Addendum. With respect to Clause 9 of the Standard Contractual Clauses, the parties select the time period set forth in Section 6 of this Addendum.
12.7. Liability. The relevant sections of the Agreement, which govern indemnification and limitation of liability, shall apply to data importer’s liability under Clause 12(a), 12(d), and 12(f) of the Standard Contractual Clauses.
12.8. Supervisory Authority. For purposes of Clause 13 of the Standard Contractual Clauses, the parties agree that the supervisory authority shall be the Netherlands, unless otherwise agreed by the parties as mandated by the established rules of selection of the relevant supervisory authority.
12.9. Governing Law. With respect to Clause 17 of the Standard Contractual Clauses, the parties select the law of the Netherlands.
12.10. Choice of Forum and Jurisdiction. With respect to Clause 18 of the Standard Contractual Clauses, the parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Netherlands.
12.11. Transfers from the United Kingdom. With respect to transfers of personal data originating from the United Kingdom the parties acknowledge and agree that the Standard Contractual Clauses as modified by this Section shall be read and interpreted in light of the provisions of UK Data Protection Laws, and so that this Section provides the appropriate safeguards as required by Article 46 of the UK GDPR: (a) Clause 6 is replaced with: “The details of the transfers and in particular the categories of personal data that are transferred and the purposes for which they are transferred are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer”; (b) references to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Data Protection Laws” and references to specific Articles of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of the UK Data Protection Laws; (c) references to Regulation (EU) 2018/1725 are removed; (d) references to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”; (e) Clause 13(a) and Annex I.C are not used; (f) the “competent supervisory authority” is the Information Commissioner’s Office (ICO) of the United Kingdom; (g) Clause 17 is replaced to state “These Clauses are governed by the laws of England and Wales”; (h) Clause 18 is replaced to state “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The parties agree to submit themselves to the jurisdiction of such courts.”; and (i) the footnotes to the Clauses shall not apply to the Standard Contractual Clauses as modified by this Section.
12.12. Transfers from Switzerland. With respect to transfers of personal data originating from Switzerland: (a) the term “member state” as used in the Standard Contractual Clauses shall not be interpreted in such a way as to exclude data subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the Standard Contractual Clauses; (b) the Standard Contractual Clauses shall also protect the data of legal entities until the entry into force of the revised Swiss FADP on or about 1 January 2023; (c) references to the GDPR or other governing law contained in the Standard Contractual Clauses shall also be interpreted to include the FADP; and (d) the parties agree that the competent supervisory authority as indicated in Annex I.C shall be the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland.
- General Terms. Any obligation imposed on Company under this Addendum in relation to the Processing of Personal Data shall survive any termination or expiration of this Addendum. To the extent that Data Protection Laws do not apply to the Processing of Customer Personal Data, this Addendum shall be governed by the governing law of the Agreement. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either: (1) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible, (2) construed in a manner as if the invalid or unenforceable part had never been contained therein. With regard to the subject matter of this Addendum, the provisions of this Addendum shall prevail over the Agreement with regard to data protection obligations for Personal Data of a Data Subject under Data Protection Laws.
EXHIBIT 1: STANDARD CONTRACTUAL CLAUSES ANNEXES
ANNEX I
A. LIST OF PARTIES
Data exporter(s):

| Field | Details |
|---|---|
| Name: | Customer |
| Address: | As specified in the Agreement, Software Order Form, or Statement of Work. |
| Contact person’s name, position and contact details: | Contact details for the data exporter are specified in the Agreement, Software Order Form, or Statement of Work. |
| Activities relevant to the data transferred under these Clauses: | Receipt of data importer’s Professional Services or Software under the Agreement, Software Order Form, or Statement of Work. |
| Signature and Date: | The parties agree that execution of the Agreement, Software Order Form, or Statement of Work by the data exporter shall constitute execution of the Standard Contractual Clauses by Customer as of the Effective Date. |
| Role (controller/processor): | Controller |

Data importer(s):

| Field | Details |
|---|---|
| Name: | Altvia Solutions, LLC |
| Address: | 590 Burbank Street, Unit 220, Broomfield, CO 80020 |
| Contact person’s name, position and contact details: | Ben Hendershot, Chief Financial Officer/Chief Operating Officer |
| Activities relevant to the data transferred under these Clauses: | Performance of the Professional Services or Software for data exporter under the Agreement, Software Order Form, or Statement of Work. |
| Signature and Date: | The parties agree that execution of the Agreement, Software Order Form, or Statement of Work by the data importer shall constitute execution of the Standard Contractual Clauses by Company as of the Effective Date. |
| Role (controller/processor): | Processor |

B. DESCRIPTION OF TRANSFER

| Item | Details |
|---|---|
| Categories of data subjects whose personal data is transferred | Data subjects include the individuals about whom personal data is provided to the data importer via the Professional Services or Software by (or at the direction of) the data exporter. This may include, for example: |
| Categories of personal data transferred | Personal data including information relating to individuals provided to the data importer via the Professional Services or Software by (or at the direction of) the data exporter. This may include, for example: |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | N/A |
| The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | Continuous basis for the term of the Agreement. |
| Nature of the processing | Data importer’s provision of the Professional Services or Software described in the Agreement, Software Order Form, or Statement of Work. |
| Purpose(s) of the data transfer and further processing | Data importer’s provision of the Professional Services or Software to data exporter |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | As set forth in the Agreement, Software Order Form, or Statement of Work. |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | For the same purposes as set forth above. |

C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Netherlands
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501
Website: https://autoriteitpersoonsgegevens.nl/
The above supervisory authority shall apply unless otherwise agreed by the parties as mandated by the established rules of selection of the relevant supervisory authority, or Sections 12.11 or 12.12 of the Addendum apply.
ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The technical and organizational measures to be taken by the data importer and subprocessors are described in https://info.altvia.com/altvia-product-suite-security-overview.