BRISTOL GLOBAL MOBILITY DATA PROCESSING ADDENDUM

This Bristol Global Mobility Data Processing Addendum (this “Addendum”) is entered into by and between Bristol Global Mobility, LLC, including on behalf of its subsidiaries Bristol Global Mobility Ltd (UK), Bristol Global Mobility (Asia) Pte (Singapore), and Bristol Global Mobility LTD (Canada) (collectively, “Bristol Global Mobility”) and the party with whom Bristol Global Mobility has executed the Relocation and Assignment Services Agreement (the “Services Agreement”) (“You” or the “Customer”) (each a “Party”, and collectively the “Parties”) on the effective date of the Services Agreement or the applicable Bristol Global Mobility Data Processing Addendum Accession Agreement (the “Effective Date”).


RECITALS

WHEREAS, the Parties have entered into the Services Agreement involving the Processing (as defined below) of Shared Personal Data (as defined below) of Data Subjects (as defined below) that the Parties now desire to amend as provided herein;
WHEREAS, in the course of performance of the Services Agreement, Bristol Global Mobility transfers, transmits, and otherwise Processes certain Personal Data of Data Subjects;
WHEREAS, in connection with receiving services under the Services Agreement and operations thereunder, the Customer transfers, transmits, and otherwise Processes certain Personal Data of Data Subjects;
WHEREAS, each of the Parties requires that the other Party take all necessary measures to handle any information that may be regulated by the Applicable Data Protection Laws and regulations in compliance with such laws; and
WHEREAS, the Parties enter into this Addendum with the intent to comply with the principles and standards for data protection as required by the GDPR and other Applicable Data Protection Laws and regulations, with respect to the Processing of Shared Personal Data under the Services Agreement.

NOW, THEREFORE, in consideration of the mutual agreements set forth in this Addendum, the Parties hereby agree as follows:

1. Definitions. For the purposes of this Addendum, the following capitalized terms shall have the meanings ascribed to them as set forth below wherever they appear within the provisions of this Addendum:
  (a) “Applicable Data Protection Laws” means all laws applicable to the Processing of Shared Personal Data, including the General Data Protection Regulation (“EU GDPR”), the UK General Data Protection Regulation (“UK GDPR”), other data protection laws of the European Union or any Member State thereof, the laws included in the definition of Applicable Data Protection Laws as provided under the terms of Exhibit B to this Addendum, and the laws of any other country, state, or region to which the Processing of Shared Personal Data is subject;
  (b) “Data Protection Regulator” means any governmental data protection regulator(s) with valid jurisdiction over the transfer, transmission, or Processing of Personal Data pursuant to this Addendum, including, but not limited to, the California Attorney General, the California Privacy Protection Agency, or a “supervisory authority,” as defined in Article 4(21) of the GDPR;
  (c) “Data Subject Rights” means the rights granted to Data Subjects by Applicable Data Protection Laws;
  (d) “Restricted Transfer” means any transfer of Personal Data that would be prohibited by Applicable Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Applicable Data Protection Laws) in the absence of a valid data transfer mechanism, as set out in Section 12 below;

  (e) “Shared Personal Data” means any Personal Data Processed by Bristol Global Mobility, Customer, or a Data Processor, exchanged pursuant to or in connection with the Services Agreement; and
  (f) The terms “Data Controller” or “Controller”, “Data Subject”, “Data Processor” or “Joint Controller”, “Processor”, “Recipient”, “Personal Data”, “Personal Data Breach”, “Processing” and “Sub-Processor” shall have the same meaning as in the EU GDPR, and their cognate terms shall be construed accordingly. For the purposes of this Addendum, Data Controller or Data Controllers, Data Processor or Data Processors, Data Importer, and Data Exporter also refers specifically to a Party or the Parties to this Addendum.

TERMS
2. Effective Date. The terms of this Addendum shall take effect on the Effective Date and continue on concurrently for the term of the Services Agreement.
3. Scope. This Addendum serves as a framework for Shared Personal Data Processing under the Services Agreement, as well as for the transfer of Shared Personal Data between the Parties as Data Controllers and defines the principles and procedures that the Parties shall adhere to and the respective responsibilities of the Parties.
4. Applicability. This Addendum will apply to all the Processing of Shared Personal Data carried out by the Parties pursuant to the Services Agreement.
5. Controllership Representations and Warranties. Each Party represents, warrants, and covenants that:
(a) with respect to the Processing of Shared Personal Data under the Services Agreement, it is a separate independent Data Controller within the meaning of this Addendum and the GDPR. For the avoidance of doubt, the Parties are not Joint Controllers;
(b) all Shared Personal Data has been and will be collected, transferred, and otherwise Processed in compliance with the Applicable Data Protection Laws;
(c) it will independently determine its obligations under the Applicable Data Protection Laws;
(d) it will only conduct transfers of Shared Personal Data, where such transfers would be subject to any transfer or export restriction under the Applicable Data Protection Laws (and no lawful exemption or derogation applies), in compliance with all applicable conditions laid down in the Applicable Data Protection Laws; and
(e) it will, in instances where it acts as a “data exporter” (as defined in Section 11(b)), upon request, inform the other Party, in that other Party’s capacity as a “data importer” (as defined in Section 11(b)), of all Applicable Data Protection Laws governing the receipt of Shared Personal Data from the data exporter, including citations to and the text of such laws.
6. Records of Processing Activities. Each Party agrees to maintain a record of Processing activities of Shared Personal Data for which it is responsible, in accordance with Article 30 of the GDPR and Applicable Data Protection Laws.
7. Processing of Personal Data. Processing of Shared Personal Data by each of the Data Controllers within the scope of this Addendum is subject to the following:
(a) Processing is limited to Processing necessary for the provision of the Services (as defined under Exhibit A).
(b) Each Party shall ensure that the Processing of the Shared Personal Data for the purposes set out in the Services Agreement is performed only on lawful grounds pursuant to Article 6 of the GDPR, and as further limited by Article 9 of the GDPR, or the equivalent provisions of any Applicable Data Protection Laws, as the case may be.
(c) Each Party must ensure that persons it authorizes to Process the Shared Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8. Security Measures. Both Parties will implement appropriate technical and organizational security measures to ensure and to be able to demonstrate that Processing is performed in accordance with the GDPR and, in particular, in accordance with Article 32 of the GDPR. Such measures shall be reviewed and updated where necessary.
9. Requests to Exercise Data Subject Rights. Each Party will be responsible for responding to requests it receives for the exercise of Data Subject Rights, with regard to the Shared Personal Data Processed by that Party. Each Party will designate an appropriate point of contact for Data Subject requests within its organization. Each Party will maintain a record of Data Subjects’ requests to exercise their Data Subject Rights, the decisions made, and any information that was exchanged with the Data Subject. The Parties agree to provide prompt and reasonable assistance to each other, upon the request of the other Party, to enable them to comply with Data Subject requests, as contemplated by this section.
10. Security of Processing and Personal Data Breach Notifications. Both Parties agree to implement and maintain technical and organizational security measures to ensure that the level of security of Shared Personal Data Processed by them is appropriate to the risk, pursuant to Articles 32 to 36 of the GDPR, or the relevant provisions of any Applicable Data Protection Laws, as the case may be, taking into account the nature of Processing and the information available to each Party. Each Party shall provide notification of a Shared Personal Data Breach to the applicable Data Protection Regulator and the affected Data Subject(s), as required by Articles 33 and 34 of the GDPR and any other Applicable Data Protection Laws, as well as all legally required assistance to the other Party.
11. Restricted Transfers.
(a) With regard to any Restricted Transfer from one Party to the other Party within the scope of this Addendum, the following data transfer mechanisms shall apply, in the following order of precedence:
i. A valid adequacy decision adopted by the relevant authority under the Applicable Data Protection Laws that provides that the third country, a territory, or one or more specified sectors within that third country, or the international organization in question to which Personal Data is to be transferred ensures an adequate level of data protection.
ii. A valid certification held by the receiving Party under the Privacy Shield Framework, or any replacement framework as may be applicable, only to the extent that such certification constitutes an “appropriate safeguard” under Applicable Data Protection Laws, as the case may be; or
iii. The SCCs, as defined under the applicable sections of Exhibit B (“SCCs”) (as may be updated or modified from time to time), as well as any exhibits or additional terms that may be necessary to provide additional safeguards to the Personal Data.
(b) Where the SCCs are used as the data transfer mechanism, this Addendum hereby incorporates the text of the applicable SCCs by reference. The Parties are deemed to have accepted, executed, and signed the SCCs where necessary in their entirety (including the annexes thereto), namely Bristol Global Mobility (as the “data exporter” and the “data importer”, as applicable) and the Customer (as the “data exporter” and the “data importer”, as applicable). For the purposes of clarity, as used in this Addendum and the SCCs, a Party is a “data importer” where that Party is the receiving party and a “data exporter” where it is the sending party, as applicable. Furthermore, with regard to any one particular transfer operation, a Party may only be either a “data exporter” or a “data importer”. In consideration of the fact that both Parties may send or receive Shared Personal Data to and from the other, each Party is deemed to have entered into the SCCs twice, as outlined above – once as a “data exporter” with the other Party being a “data importer”, and once with such roles reversed.
(c) Additional required information for the completion of the SCCs is contained in Exhibits A and B to this Addendum.
12. Liability. Without prejudice to any form of direct liability of a Party to Data Subjects, each Party shall be liable to the other non-defaulting Party for damages the defaulting Party has caused to the non-defaulting Party by any breach of its obligations pursuant to this Addendum.

13. Contact Points for Notices and Data Protection Inquiries.

(a) Bristol Global Mobility:

Data Protection Officer:
VeraSafe, LLC
100 M Street S.E., Suite 600
Washington, D.C. 20003 USA
+1 (617) 398-7067
experts@verasafe.com
https://www.verasafe.com/about-verasafe/contact-us/

Representative in the EU:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P Ireland
https://www.verasafe.com/about-verasafe/contact-us/
+1-617-398-7067

Representative in the UK:
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL United Kingdom
https://www.verasafe.com/about-verasafe/contact-us/
+44 (20) 4532 2003

Data protection registration information:
ICO Data Protection Register
Registration number: Z9891695
Date registered: 16 July 2007
Payment tier: Tier 1
Data controller: Bristol Global Mobility Limited
Address: 17 & 18 Riverside House, Lower Southend Road, Wickford, Essex SS11 8BB
https://ico.org.uk/ESDWebPages/Entry/Z9891695

(b) Customer: The Customer shall provide without undue delay, by way of sending an email to authorizations@bristolglobal.com, the following contact information for data protection inquiries:
• E-mail address;
• Name;
• Title;
• Identity and contact details of the data protection representative in the EU (if applicable) and in the UK (if applicable);
• Identity and contact details of the data protection officer; and
• Data protection registration information (if applicable).

(c) The Parties shall use the contact point indicated in this Section 14 for all matters related to this Addendum and the SCCs. Each Party shall promptly update, when necessary, all such information, and keep all such information complete and up to date.

14. Accountability. If either Party, acting as a data importer, determines that it can no longer meet its obligations to provide the level of protection as required by this Addendum or as required by the EU-U.S. Privacy Shield Framework or Swiss-U.S. Privacy Shield Framework, it shall: (i) promptly notify the other Party of that determination; and (ii) either cease the Processing or take other reasonable and appropriate steps to remediate the situation.

15. Representations and Warranties of the Customer Regarding Local Laws. The Customer represents and warrants that it has no reason to believe, at the time of entering into this Addendum, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under this Addendum or Applicable Data Protection Laws, and it will inform Bristol Global Mobility if it becomes aware of any such laws.

16. Resolution of Disputes with Data Subjects or Data Protection Regulators

(a) In the event of a dispute or claim brought by a Data Subject or a Data Protection Regulator concerning the Processing of the Shared Personal Data against either or both of the Parties, the Parties will promptly inform each other about any such disputes or claims and will cooperate with a view to settling them amicably and in a timely fashion.

(b) The Parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the applicable Data Protection Regulator. If they do participate in the proceedings, the Parties may elect to do so remotely (such as by telephone or other electronic means). The Parties also agree to consider participating in any other arbitration, mediation, or other dispute resolution proceedings developed for data protection disputes.

(c) Each Party shall abide by a decision of a competent court of the applicable data exporter’s country of establishment or of the applicable Data Protection Regulator which is final and against which no further appeal is possible.

17. DPA and the Exhibits.
  (a) This Addendum includes the following exhibits:
(i) Exhibit A (Details of Processing of Shared Personal Data);
(ii) Exhibit B (Jurisdiction Specific Terms); and
(iii) Exhibit C (Supplementary Terms to the SCCs).

   (b) Bristol Global Mobility reserves the right to update the exhibits mentioned in Section 17(a) from time to time by posting updated terms to the page where the exhibits and this DPA are posted. In particular, Bristol Global Mobility may update:

i. Exhibit A to reflect changes to the details of Processing of Shared Personal Data resulting from changes to the Services or to provide additional information required to conclude the SCCs;
ii. Exhibit B to reflect changes in or additions to Applicable Data Protection Laws to which the Processing of Shared Personal Data may be subject, including the requirements to carry out transfers of Shared Personal Data; and
iii. Exhibit C to reflect changes to the supplementary measures required to conduct transfers of Shared Personal Data under the SCCs.

(c) Conflicts between the Addendum and the exhibits. In case of any conflict or ambiguity between the terms in Exhibit C and any other terms of this DPA, the applicable terms in Exhibit C will prevail.

18. No Further Amendment. Except as expressly provided in this Addendum, the Parties intend no amendment or modification of the Services Agreement or in any other document signed or otherwise entered into by the Parties.
19. Primary Agreement. The terms of the Services Agreement, together with any other addendum or supplemental agreement executed prior to this Addendum, are preserved and remain in full force and effect. To the extent that any terms of this Addendum conflict with any terms contained within the Services Agreement, the terms of this Addendum shall control with respect to the subject matter described herein.
20. Confidentiality. This Addendum is confidential information. Each Party agrees:
(a) not to disclose this Addendum to any third party except (1) to legal counsel or privacy consultants who have executed a nondisclosure agreement or who are under a statutory obligation of confidentiality; (2) as permitted or reasonably anticipated by this Addendum; or (3) as required by the GDPR or other Applicable Data Protection Laws or the EU-U.S. or Swiss-U.S. Privacy Shield Frameworks (each, a “Permitted Disclosure”); and
(b) to exercise at least the same degree of care that each Party generally uses to protect its own information of similar nature, to protect this Addendum from any possession, use, or disclosure that is not a Permitted Disclosure, but in no case less than a reasonable degree of care.

EXHIBIT A
Details of Processing of Shared Personal Data

1. Further details of the Processing, in addition to the ones laid down in the Services Agreement and the Addendum, include:
1.1. The role of the Parties is:
(a) Bristol Global Mobility: Controller
(b) Customer: Controller

1.2. The activities of each Party relevant to the processing of Shared Personal Data are:

(a) Bristol Global Mobility: Relocation management activities (the “Services”).

(b) Customer: Human resources activities.

1.3. The subject matter of the Processing of Shared Personal Data is:
(a) The subject matter of the Processing of Shared Personal Data pertains to the provision of the Services to Data Subjects.
1.4. The duration of the Processing of Shared Personal Data is:
(a) The duration of the Processing of Shared Personal Data is generally determined by the Party providing the Shared Personal Data and is further subject to the terms of this Addendum and the Services Agreement, respectively, in the context of the contractual relationship between the Parties. Duration of the Processing is limited to the time period necessary for provision of Services.
1.5. The nature and purpose of the Processing of Shared Personal Data is:
(a) The nature and purpose of Processing of Personal Data pertains to the provision of the Services under the Services Agreement, namely facilitating the use of the Bristol Global Mobility Services.
1.6. Depending on the Services chosen by Customer, the types of Shared Personal Data to be Processed by Bristol Global Mobility may include:
(a) Biographical information;
(b) Contact information;
(c) Professional information;
(d) Compensation data;
(e) National ID / social insurance number;
(f) Financial data (bank account);
(g) Geographic location;
(h) Information contained on the photo page of a passport;
(i) Citizenship;
(j) Marital status;
(k) Travel information; and
(l) Education data.
1.7. Depending on the Services chosen by Customer, the categories of Data Subjects to whom the Shared Personal Data that will be processed by Bristol Global Mobility relates may include:
(a) Relocating employees; and
(b) Spouse/dependents of relocating employees.
1.8. The recipients that the Shared Personal Data may be transferred to by Bristol Global Mobility:
(a) The Processors engaged by Bristol Global Mobility; and
(b) The suppliers engaged by Bristol Global Mobility to provide the Services.
1.9. Description of the technical and organizational security measures implemented by Bristol Global Mobility:
(i) Written policies and procedures requiring Bristol Global Mobility employees to maintain the privacy, security, and confidentiality of Shared Personal Data.
(ii) Contractual requirements for Bristol Global Mobility vendors that may receive Shared Personal Data to uphold baseline security and confidentiality measures.
(iii) Network and database activity are logged and actively monitored for potential security events including intrusion.
(iv) Bristol Global Mobility-authored applications and IT systems are regularly scanned/monitored for vulnerabilities.
(v) Regular vulnerability and penetration testing is performed on the applicable IT systems and applications.
(vi) Bristol Global Mobility restricts physical and logical access to IT systems, accounts, voicemail, and other applicable documents or systems that process Shared Personal Data to those officially authorized persons with an identified need for such access.
(vii) External points of connectivity in the Bristol Global Mobility network architecture are protected by firewall(s).
(viii) All information within the systems and applications is encrypted in transit and at rest using at least Advanced Encryption Standard (AES) 256-level encryption.
(ix) Encryption of email messages containing sensitive information through the Barracuda encryption service.
(x) Known exploitable vulnerabilities in Bristol Global Mobility-authored applications and IT systems are patched expeditiously.
(xi) All devices that may process Shared Personal Data are outfitted with protective software, must use a VPN, and implement security measures such as automatic lock time and disk encryption.
1.10. Further Processing:
(a) The Party receiving Shared Personal Data shall not carry out further Processing on Personal Data.
1.11. The frequency of the transfer (e.g., whether the Shared Personal Data is transferred on a one-off or continuous basis):
(a) The frequency of the transfer of Shared Personal Data is determined by the Parties. Personal Data may be transferred each time it is required for the provision of the Services.
1.12. Maximum data retention periods, if applicable:
(a) The retention period of Personal Data is generally determined by the Parties and is subject to the term of this Addendum and the Services Agreement, respectively, in the context of the contractual relationship between the Parties.
1.13. The basic Processing activities to which the Personal Data will be subject include, without limitation: (a) Collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction for the purpose of providing the Services to Syndigo in accordance with the terms of the Agreement.
1.14. The identity and contact information of the Data Protection Officer of Bristol Global Mobility is:
(a) As set forth in Section 14 of the Addendum.
1.15. The identity and contact information of the EU and UK representatives of Bristol Global Mobility are:
(a) As set forth in Section 14 of the Addendum.
1.16. The identity and contact information of the Data Protection Officer of Customer is:
(a) As set forth in Section 14 of the Addendum.
1.17. The identity and contact information of the EU and UK representatives of Customer are:
(a) As set forth in Section 14 of the Addendum.
1.18. The data protection registration information of Bristol Global Mobility and Customer is:
(a) As set forth in Section 14 of the Addendum.

EXHIBIT B
Jurisdiction Specific Terms

1. Transfers of EEA Personal Data
  (a) Definitions.
(i) “EU 2021 SCCs” (as used in the Addendum and this Section) means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
(ii) “Restricted Transfer of EEA Personal Data” (as used in this Section) means any transfer of Personal Data (including data storage in foreign servers) subject to the GDPR to a Third Country or an international organization.
(iii) “SCCs” (as used in the Addendum and this Section) includes the EU 2021 SCCs.
(iv) “Third Country” (as used in this Section) means a country outside the European Economic Area.

  (b) Restricted Transfers of EEA Personal Data.
When the SCCs apply to Restricted Transfers of EEA Personal Data in accordance with the terms of Section 11 of the Addendum, the EU 2021 SCCs shall be the applicable model clauses for the transfer, as follows:
(i) The information in Exhibit A to this Addendum includes the information required for completion of Annexes 1 and 2 to EU 2021 SCCs. For the purposes of the EU 2021 SCCs:
(ii) The Parties agree to apply module 1 of the EU 2021 SCCs (Controller to Controller).
(iii) The Parties elect to include Clause 7 of the EU 2021 SCCs.
(iv) With respect to Clause 11, the Parties agree not to provide the right to lodge a complaint with an independent dispute resolution body.
(v) For the purpose of Clause 13 and Annex I.C, the competent supervisory authority shall be the competent supervisory authority in the jurisdiction where the data exporter is established. If the data exporter is not located in the EEA, the competent supervisory authority shall be the competent supervisory authority in the jurisdiction where the data exporter's data protection representative in the EEA under Article 27 GDPR is established. If the data exporter is not established in an EEA country and its activities related to the Processing of Shared Personal Data are subject to the GDPR by virtue of application of Article 3(2) GDPR, and the data exporter does not have a data protection representative under Article 27 GDPR, the data exporter chooses the Data Protection Commission (Ireland) as its competent supervisory authority for the purposes of Clause 13 and Annex I.C. With respect to Clause 18 of the EU 2021 SCCs, the Parties agree that any dispute arising from the EU 2021 SCCs shall be resolved by the courts of the Republic of Ireland.
(vi) The additional safeguards identified in Exhibit C supplement the EU 2021 SCCs.
(vii) In cases where the EU 2021 SCCs apply and there is a conflict between the terms of the Addendum, including its exhibits, and the terms of the EU 2021 SCCs, the terms of the EU 2021 SCCs shall prevail.
2. California
(a) Definitions.
(i) “Applicable Data Protection Laws” includes the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act of 2020 (“CPRA”), and Sections 1798.29 and 1798.82 of the California Civil Code.
(ii) “Business Purpose” (as used in this Section) shall have the same meaning as in the CCPA.
(iii) “Commercial Purpose” (as used in this Section) shall have the same meaning as in the CCPA.
(iv) “Controller” (as used in the Addendum) includes “business” as defined under the CCPA.
(v) “CPRA” means the California Privacy Rights Act of 2020.
(vi) “Personal Data” (as used in the Addendum) includes “personal information” as defined under the CCPA.
(vii) “Personal Data Breach” (as used in the Addendum) includes “breach of the security of the system” as defined under Section 1798.82 of the California Civil Code.
(viii) “Processor” (as used in the Addendum) includes “service provider” as defined under the CCPA.

(b) Customer discloses Personal Data to Bristol Global Mobility solely for: (i) valid Business Purposes as allowed by the Applicable Data Protection Laws, such as enabling the performance of the Services and tasks outlined in the Services Agreement and any subsequent orders, statements of work, or work orders executed between the Parties, and the Business Purposes permitted under the CCPA; and (ii) to enable Supplier to perform the Services.

(c) Bristol Global Mobility shall not:
(i) sell or share (as those terms are defined under the CPRA) Shared Personal Data;
(ii) retain, use, or disclose Shared Personal Data for a commercial purpose other than providing the services specified in the Agreement or as otherwise permitted by the CCPA; nor
(iii) retain, use, or disclose Shared Personal Data except where permitted under the Agreement between Bristol Global Mobility and Customer.
(iv) Bristol Global Mobility certifies that it understands the restrictions set forth under Section 2(c) and will comply with them.
(d) Each Party shall assist the other Party in verifying that the Processing of Shared Personal Data protected by the CCPA and the CPRA is Processed in a manner consistent with the requirements under the CCPA and the CPRA. In particular:
(i) Each Party may request, and the other Party will provide (subject to obligations of confidentiality), a current SOC 2 audit report, ISO 27001 certificate, or other substantially similar audit report that the other Party might have been issued and related documentation that Syndigo may request to confirm Service Provider’s compliance with the CCPA and the CPRA.
(ii) If, after having reviewed such audit report(s) and related documentation, the Party still considers that it requires additional information (for example, the other Party’s policies and procedures regarding data protection, information from the other Party’s Processors, or any other relevant information), the other Party shall further assist and make available to the Party all other information and/or documentation (including but not limited to relevant information security policies and copies of contracts with Processors, with commercial terms redacted) necessary to demonstrate compliance with the CCPA and the CPRA. The other Party shall complete any questionnaire sent by the Party within forty-five (45) business days following the receipt of the questionnaire, and the other Party shall proactively provide supporting documentation requested by the Party.
(iii) In addition, the other Party shall allow for and contribute to audits, including remote inspections of the services, by the Party (on behalf of itself or its clients) or an auditor mandated by the Party (on behalf of itself or its clients) with regard to the Processing of the Shared Personal Data by the other Party.

3. United Kingdom
(a) Definitions.
(i) “Applicable Data Protection Laws” (as used in the Addendum) includes the Data Protection Act 2018 and the United Kingdom General Data Protection Regulation (“UK GDPR”).
(ii) “EU 2004 SCCs” (as used in this Section) means the contractual clauses adopted by the Commission of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries.
(iii) “EU 2021 SCCs” (as used in the Addendum and this Section) means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
(iv) “Restricted Transfer of UK Personal Data” (as used in this Section) means any transfer of Shared Personal Data (including data storage in foreign servers) subject to the Data Protection Act 2018 and the UK GDPR to a Third Country or an international organization.
(v) “SCCs” (as used in the Addendum) include the EU 2004 SCCs.
(vi) “Third Country” (as used in this Section) means a country outside the United Kingdom.

(b) Restricted Transfers of UK Personal Data.
(i) When the SCCs apply to Restricted Transfers of UK Personal Data in accordance with the terms of Section 11 of the Addendum, the following order of preference shall apply:
1. The EU 2021 SCCs (insofar as their use constitutes an “appropriate safeguard” under the UK GDPR and the Data Protection Act 2018).
2. The EU 2004 SCCs (insofar as their use constitutes an “appropriate safeguard” under the UK GDPR and the Data Protection Act 2018).
(ii) If the relevant UK authorities recognize the EU 2021 SCCs as a valid data transfer mechanism for Restricted Transfers of UK Personal Data, the Parties shall be deemed to have accepted the EU 2021 SCCs and any necessary addenda to make them applicable to Restricted Transfers of UK Personal Data and agree to replace the EU 2004 SCCs with EU 2021 SCCs as of the day the relevant UK authorities recognize the EU 2021 SCCs as a valid data transfer mechanism for Restricted Transfers of UK Personal Data.
(c) For the purposes of the EU 2004 SCCs:
(i) When the EU 2004 SCCs apply and there is a conflict between the terms of the Addendum and the terms of the EU 2004 SCCs, the terms of the EU 2004 SCCs shall prevail.
(ii) Each Party, as a data importer, elects Clause II(h)(iii) as its choice pursuant to Clause II(h) of the EU 2004 SCCs.
(iii) When a Party exercises its rights under Clause II(g) of the EU 2004 SCCs (the “Clause II(g) Obligee”), the other Party (the “Clause II(g) Obligor”), subject to obligations of confidentiality, shall provide the findings or report of any relevant third-party audit(s) to which it may have been subject. If the Clause II(g) Obligee, after having reviewed such audit report(s), reasonably deems that it requires additional information, the Clause II(g) Obligor shall submit its data processing facilities, data files, and documentation needed for Processing for review, audit, and/or certification by the Clause II(g) Obligee (or any independent or impartial inspection agents or auditors selected by the Clause II(g) Obligee and not reasonably objected to by the Clause II(g) Obligor) to ascertain compliance with the warranties and undertakings in the EU 2004 SCCs, with reasonable notice and during regular business hours. Any such request will be subject to any necessary consent or approval from the applicable Data Protection Regulator within the country of the Clause II(g) Obligor, which consent or approval the Clause II(g) Obligor will attempt to obtain in a timely fashion. The Clause II(g) Obligee agrees to pay the Clause II(g) Obligor, upon receipt of invoice, a reasonable fee based on the time spent and materials expended in relation to the Clause II(g) Obligee exercising its rights under Clause II(g) of the EU 2004 SCCs.
(iv) When a Party exercises its rights under Clause II(f) of the EU 2004 SCCs (the “Clause II(f) Obligee”), the other Party (the “Clause II(f) Obligor”) may elect to provide the Clause II(f) Obligee with its choice of: (a) copies of recent audited financial reports that are publicly available; (b) subject to obligations of confidentiality, recent non-publicly available audited financial reports; (c) a certification by the Clause II(f) Obligor’s treasurer of its financial condition; or (d) other relevant documentation or evidence. If the Clause II(f) Obligee, after having reviewed the aforementioned evidence, reasonably deems that it requires additional information, the Clause II(f) Obligor shall provide the Clause II(f) Obligee with additional evidence of financial resources sufficient to fulfill its responsibilities under Clause III of the EU 2004 SCCs (which may include insurance coverage). The Clause II(f) Obligee agrees to pay the Clause II(f) Obligor, upon receipt of invoice, a reasonable fee based on the time spent and materials expended in relation to the Clause II(f) Obligee exercising its rights under Clause II(f) of the EU 2004 SCCs.
(d) The additional safeguards identified in Exhibit C supplement the EU 2004 SCCs.

4. Switzerland
(a) Definitions.
(i) “Applicable Data Protection Laws” (as used in the Addendum) includes Swiss Data Protection Laws.
(ii) “Restricted Transfer of Swiss Personal Data” (as used in this Section) means any transfer of Shared Personal Data (including data storage in foreign servers) subject to Swiss Data Protection Laws to a Third Country or an international organization.
(iii) “SCCs” (as used in the Addendum) includes the EU 2021 SCCs (Module One, Controller to Controller).
(iv) “Swiss Data Protection Laws” (as used in this Section) includes the Federal Act on Data Protection of 19 June 1992 (“FADP”) and the Ordinance to the Federal Act on Data Protection (“OFADP”), as may be amended from time to time.
(b) Restricted Transfers of Swiss Personal Data. When the SCCs apply to Restricted Transfers of Swiss Personal Data in accordance with the terms of Section 11 of the Addendum, the EU 2021 SCCs shall be the applicable model clauses for the transfer, as follows:
(i) The information in Exhibit A to this Addendum includes the information required for completion of Annexes I and II to the EU 2021 SCCs.
(ii) The Parties agree to apply module 1 of the EU 2021 SCCs (Controller to Controller).
(iii) The Parties elect to include Clause 7 of the EU 2021 SCCs.
(iv) With respect to Clause 11, the Parties agree not to provide the right to lodge a complaint with an independent dispute resolution body.
(v) With respect to Clause 13 and Annex I.C, the competent authority shall be the Swiss Federal Data Protection and Information Commissioner, insofar as the data transfer constitutes a Restricted Transfer of Swiss Personal Data.
(vi) With respect to Clause 17, the Parties select, under Option 1, the law of the Swiss Confederation.
(vii) With respect to Clause 18, the Parties agree that any dispute arising from the EU 2021 SCCs shall be resolved by the courts of the Republic of Ireland. The Parties choose the Swiss courts as an alternative place of jurisdiction for Data Subjects habitually resident in Switzerland.
(viii) The term ’member state’ included in the EU 2021 SCCs must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 (c) of the EU 2021 SCCs.
(ix) The Parties acknowledge that the EU 2021 SCCs also protect the data of legal entities until the entry into force of the revised FADP.
(x) In cases where the EU 2021 SCCs apply, and there is a conflict between the terms of the Addendum and the terms of the EU 2021 SCCs, the terms of EU 2021 SCCs shall prevail.
(xi) The additional safeguards identified in Exhibit C supplement the EU 2021 SCCs.

5. Brazil
(a) Definitions.
(i) “Applicable Data Protection Laws” includes the LGPD (as defined below).
(ii) “LGPD” means Lei Geral de Proteção de Dados, Law No. 13.709 of 14 August 2018, Brazil’s General Data Protection Law.
(iii) “Controller” (as used in the Addendum) includes “Controlador” as defined under the LGPD.
(iv) “Personal Data Breach” (as used in the Addendum) includes “Incidente de segurança” as used under the LGPD.
(v) “Processor” (as used in the Addendum) includes “Operador” as defined under the LGPD.

6. Canada
(a) Definitions.
(i) “Applicable Data Protection Laws” (as used in the Addendum) includes “Canadian Data Protection Laws” (as defined below).
(ii) “Canadian Data Protection Laws” includes the Canadian Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).
(iii) “Processor” (as used in the Addendum) includes “third party organization” as defined under PIPEDA.
(iv) “Personal Data” (as used in the Addendum) includes “Personal Information” as defined under PIPEDA.
(v) “Personal Data Breach” (as used in the Addendum) includes “Breach of Security Safeguards” as defined under PIPEDA.

EXHIBIT C

Supplementary Terms to the SCCs

By this Exhibit C (this “Exhibit”), the Parties provide additional safeguards and redress to the Data Subjects whose Shared Personal Data is transferred pursuant to SCCs in case of a Restricted Transfer of EEA Personal Data. This Exhibit supplements and is made part of, but is not in variation or modification of, the SCCs that may be applicable to a Restricted Transfer of EEA Personal Data.

1. Applicability of this Exhibit
1.1. This Exhibit only applies with respect to Restricted Transfers of EEA Personal Data when the Parties have concluded the SCCs pursuant to the Addendum and its exhibits.

2. Definitions
2.1. For the purpose of interpreting this Exhibit, the following terms shall have the meanings set out below:
(a) “Data Exporter” and “Data Importer” shall have the same meaning as provided under the SCCs.
(b) “EO 12333” means U.S. Executive Order 12333.
(c) “Disclosure Request” means any request from a law enforcement authority or other governmental authority with competent authority and jurisdiction over the Data Importer for disclosure of Shared Personal Data Processed under the Addendum.
(d) “FISA” means the U.S. Foreign Intelligence Surveillance Act.
(e) “Schrems II Judgment” means the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems.

3. Applicability of Surveillance Laws to Data Importer
3.1. U.S. surveillance laws:
(a) Data Importer represents and warrants that, as of the Effective Date, it has not received any national security orders of the type described in paragraphs 150-202 of the Schrems II Judgment.
(b) Data Importer represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:
(i) No court has found Data Importer to be an entity eligible to receive process issued under FISA Section 702, namely: (A) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4); or (B) a member of any of the categories of entities described within that definition.
(ii) If Data Importer were to be found eligible for process under FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II Judgment.
(c) EO 12333 does not provide the U.S. government the ability to order or demand that Data Importer provide assistance for the bulk collection of information, and Data Importer shall take no action pursuant to EO 12333.
3.2. General provisions about surveillance laws applicable to Data Importer:

(a) Data Importer commits to provide, upon request, information about the laws and regulations in the destination countries of the transferred data applicable to Data Importer and the Contracted Processors directly contracted by Data Importer that would permit access by public authorities to the Shared Personal Data, in particular in the areas of intelligence, law enforcement, or administrative and regulatory supervision applicable to the Shared Personal Data. In the absence of laws governing public authorities’ access to Shared Personal Data, Data Importer shall provide Data Exporter with information and statistics based on the experience of Data Importer or on reports from various sources (such as partners, open sources, national case law, and decisions from oversight bodies) on access by public authorities to Personal Data in situations of the kind of the data transfer at hand. Data Importer may choose the means to provide the information.
(b) Data Importer shall monitor any legal or policy developments that might lead to its inability to comply with its obligations under the SCCs and this Exhibit, and promptly inform Data Exporter of any such changes and developments. When possible, Data Importer shall inform Data Exporter of any such changes and developments ahead of their implementation.

4. Obligations on Data Importer in the Event of Receiving a Disclosure Request

4.1. In the event Data Importer receives a Disclosure Request for Shared Personal Data that has been transferred under the SCCs, Data Importer shall comply with the following, unless prohibited under the law applicable to Data Importer:   

(a)  Promptly (and, when possible, before disclosing the Shared Personal Data) notify Data Exporter, unless prohibited by law, or, if prohibited from notifying Data Exporter, Data Importer shall use all lawful efforts to obtain the right to waive the prohibition to communicate information relating to the order to Data Exporter as soon as possible. This includes, but is not limited to, informing the requesting public authority of the incompatibility of the order with the safeguards contained in the SCCs and the resulting conflict of obligations for Data Importer and documenting this communication.

(b) Ask the public authority that issued the Disclosure Request to redirect its request to Data Exporter, so that Data Exporter controls the conduct of the disclosure;

(c) Use all lawful efforts to challenge the Disclosure Request on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the European Union or applicable EEA Member State law or any other Applicable Data Protection Law, and demand that the public authority aim to obtain such information via co-operation with government bodies in each jurisdiction (such as using an alternative established treaty or mechanism to allow government-to-government sharing of information). For the purpose of this Exhibit, lawful efforts do not include actions that would result in a civil or criminal penalty, such as contempt of court, under the laws of the relevant jurisdiction.

(d) Seek interim measures with a view to suspending the effects of the Disclosure Request until the competent court has decided on the merits.

(e) Not disclose the requested Shared Personal Data until required to do so under the applicable procedural rules.

(f) Provide the minimum amount of information permissible when responding to the request, based on a reasonable interpretation of the request.

(g) Document all the steps taken by Data Importer related to the Disclosure Request.

5. Information on Disclosure Requests Received by Data Importer

5.1. Where allowed by law and upon the Data Exporter’s request, Data Importer commits to provide Data Exporter with sufficiently detailed information on all requests of access to Personal Data by public authorities which Data Importer has received over the last ten (10) years in particular in the areas of intelligence, law enforcement, administrative, and regulatory supervision applicable to the transferred data and comprising information about the requests received, the data requested, the requesting body, and the legal basis for disclosure and to what extent Data Importer has disclosed the requested data. Data Importer may choose the means to provide this information.

6. Backdoors

6.1. Data Importer certifies that:

(a) It has not purposefully created backdoors or similar programming that could be used to access Data Importer’s systems or Shared Personal Data subject to the SCCs;

(b) It has not purposefully created or changed its business processes in a manner that facilitates access to Shared Personal Data or systems; and

(c) National law or government policy does not require Data Importer to create or maintain back doors or to facilitate access to Shared Personal Data or systems.

6.2. Data Exporter will be entitled to terminate the contract on short notice in cases in which Data Importer does not reveal the existence of a back door or similar programming or manipulated business processes or any requirement to implement any of these or fails to promptly inform Data Exporter once their existence comes to its knowledge.

7. Information about Legal Prohibitions
7.1. Data Importer will provide Data Exporter information about the legal prohibitions on Data Importer to provide information under this Exhibit. Data Importer may choose the means to provide this information.

8. Other Measures to Prevent Authorities from Accessing Shared Personal Data

8.1. Notwithstanding the application of the security measures set forth in the Addendum, Data Importer will implement, where feasible, the following technical, organizational, administrative, and physical measures designed to protect the Shared Personal Data from unauthorized disclosure or access:
(a) Encryption of the transferred Shared Personal Data in transit using the Transport Layer Security (TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption;
(b) Encryption at rest within Data Importer’s software applications using a minimum of AES-256;
(c) Active monitoring and logging of network and database activity for potential security events, including intrusion;
(d) Regular scanning and monitoring of Data Importer’s software applications and IT systems for vulnerabilities and for unauthorized software;
(e) Restriction of physical and logical access to IT systems that Process transferred Shared Personal Data to those officially authorized persons with an identified need for such access;
(f) Firewall protection of external points of connectivity in Data Importer’s network architecture;
(g) Expedited patching of known exploitable vulnerabilities in the software applications and IT systems used by Data Importer; and
(h) Internal policies establishing that:

i. Where Data Importer is prohibited by law from notifying Data Exporter of an order from a public authority for transferred Shared Personal Data, Data Importer shall take into account the laws of other jurisdictions and use best efforts to request that any confidentiality requirements be waived to enable it to notify the competent supervisory authorities;
ii. Data Importer must require an official, signed document issued pursuant to the applicable laws of the requesting public authority before it will consider a request for access to transferred Shared Personal Data;
iii. Data Importer shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Data Importer considers to be invalid; and
iv. If Data Importer is legally required to comply with an order, it will respond as narrowly as possible to the specific request.
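Measure 8.1(a) above sets a concrete, checkable floor for transport encryption: TLS 1.2 or higher and at least 128-bit symmetric encryption. The following Python snippet is an added illustration of how an engineer might enforce and verify that floor in a client; it is not Bristol Global Mobility’s configuration and is not part of the Addendum. The function names (`hardened_client_context`, `meets_transit_policy`) and the constants are assumptions chosen for the example; the inputs to `meets_transit_policy` mirror what Python’s `ssl.SSLSocket.version()` and `ssl.SSLSocket.cipher()` return after a handshake.

```python
import ssl

# Floor taken from Exhibit C, section 8.1(a): TLS >= 1.2, >= 128-bit encryption.
# (Constants and function names are example assumptions, not contract terms.)
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2
MIN_CIPHER_BITS = 128

# Protocol names as reported by ssl.SSLSocket.version(), ranked for comparison.
# TLS 1.0 is reported as "TLSv1" by OpenSSL.
_PROTOCOL_RANK = {
    "SSLv3": 0,
    "TLSv1": 1,
    "TLSv1.0": 1,
    "TLSv1.1": 2,
    "TLSv1.2": 3,
    "TLSv1.3": 4,
}


def hardened_client_context() -> ssl.SSLContext:
    """Build a client SSLContext that cannot negotiate below the 8.1(a) floor.

    create_default_context() already enables certificate and hostname
    verification; this function additionally pins the minimum protocol version
    and removes any TLS 1.2 suite whose symmetric key is shorter than 128 bits.
    TLS 1.3 suites are configured separately by OpenSSL and are all >= 128 bits,
    so only TLS 1.2 suite names are passed to set_ciphers().
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS_VERSION

    # get_ciphers() returns dicts with "name", "protocol" and "strength_bits".
    strong_tls12 = [
        c["name"]
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3" and c["strength_bits"] >= MIN_CIPHER_BITS
    ]
    if strong_tls12:
        ctx.set_ciphers(":".join(strong_tls12))
    return ctx


def weakest_enabled_cipher_bits(ctx: ssl.SSLContext) -> int:
    """Return the smallest symmetric key size among the suites a context allows."""
    return min(c["strength_bits"] for c in ctx.get_ciphers())


def meets_transit_policy(protocol: str, cipher_bits: int) -> bool:
    """Evaluate a negotiated connection against the 8.1(a) floor.

    `protocol` is what ssl.SSLSocket.version() returns; `cipher_bits` is the
    third element of ssl.SSLSocket.cipher(). Unknown protocol strings fail
    closed rather than being assumed compliant.
    """
    rank = _PROTOCOL_RANK.get(protocol)
    if rank is None:
        return False
    return rank >= _PROTOCOL_RANK["TLSv1.2"] and cipher_bits >= MIN_CIPHER_BITS


if __name__ == "__main__":
    # Stand-alone demonstration with constructed handshake results (no network).
    ctx = hardened_client_context()
    print("minimum_version:", ctx.minimum_version)
    print("weakest enabled suite bits:", weakest_enabled_cipher_bits(ctx))
    for proto, bits in [("TLSv1.3", 256), ("TLSv1.2", 128), ("TLSv1.1", 256), ("TLSv1.2", 112)]:
        print(proto, bits, "->", "compliant" if meets_transit_policy(proto, bits) else "non-compliant")
```

In practice the context would be handed to `ssl.SSLContext.wrap_socket()` (or to an HTTP client that accepts a custom context), and `meets_transit_policy` would be run on the live `version()` and `cipher()` values as a post-handshake assertion, so a misconfigured peer that somehow negotiated TLS 1.1 or a 112-bit 3DES suite is rejected rather than silently accepted.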

9. Inability to Comply with this Exhibit
9.1. Data Importer shall promptly inform Data Exporter of its inability to comply with the SCCs and this Exhibit.

9.2. If Data Importer determines that it is no longer able to comply with its contractual commitments under this Exhibit, Data Exporter can swiftly suspend the transfer of data and/or terminate the Agreement.

9.3. If Data Importer determines that it is no longer able to comply with the SCCs or this Exhibit, Data Importer shall return or delete the Shared Personal Data received in reliance on the SCCs. If returning or deleting the Shared Personal Data received is not possible, Data Importer must securely encrypt the data without necessarily waiting for Data Exporter’s instructions.

9.4. Data Importer shall provide the Data Exporter with sufficient indications to exercise its duty to suspend or end the transfer and/or terminate the contract.

10. Conflicts with the SCCs

10.1. In cases where there is a conflict between the terms of this Exhibit and the terms of the SCCs, the terms of the SCCs shall prevail.

11. Termination

11.1. This Exhibit shall automatically terminate with respect to the Shared Personal Data transferred in reliance of the SCCs if the European Commission or a competent supervisory authority approves a different lawful transfer mechanism that would be applicable to the data transfers covered by the SCCs (and, if such mechanism applies only to some of the data transfers, this Exhibit will terminate only with respect to those Restricted Transfers of EEA Personal Data) and that does not require the additional safeguards set forth in this Exhibit.

Note: If you would like to execute the Client Data Processing Addendum, please contact your Bristol Client Engagement Representative for more information.
