Data Processing Addendum

1. Definitions

• “Addendum Effective Date” means the effective date of the Services Agreement, unless this DPA is separately executed in which case it is effective on the date of the last signature on which the parties agreed to this Addendum.
• “Applicable Data Protection Laws” means, to the extent applicable, (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“EU GDPR”); (ii) the Data Protection Act 2018 and EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Act on Data Protection (“FADP”); (v) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100 to 1798.199.100), together with the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 7000 to 7102) which may be amended from time to time (“CCPA”); Colo. Rev. Stat. §§ 6-1-1301 et seq. (the Colorado Privacy Act); Conn. Gen. Stat. Ann. § 42-515 et seq. (the Connecticut Data Privacy and Online Monitoring Act); Mont. Code Ann. §§ 30-14-2801 et seq. (the Montana Consumer Data Privacy Act); Or. Rev. Stat. Ann. §§ 646A.570 (the Oregon Consumer Privacy Act); Tex. Bus. & Com. Code Ann. §§ (the Texas Consumer Data Protection Act); Utah Code Ann. §§ 13-61-101 et seq. (the Utah Consumer Privacy Act); and VA Code Ann. §§ 59.1-575 et seq. (the Virginia Consumer Data Protection Act), and (vi) any other data protection legislation applicable to the respective party in its role in the processing of Customer Personal Data under the Services Agreement.
• “Customer Personal Data” means any Personal Data which is processed by Supplier on behalf of Customer.
• “Data Subject” means an individual who is the subject of Customer Personal Data.
• “EEA” means the European Economic Area.
• “EU” means the European Union.
• “Information Security Incident” means a breach of Supplier’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Supplier’s possession, custody or control that materially compromises the confidentiality, security, integrity or availability of the Customer Personal Data. “Information Security Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
• “International Data Transfer Agreement” or “IDTA” means the form agreement approved by the UK Information Commissioner’s Office (“ICO”) on March 21, 2022 for transferring Personal Data outside of the UK, usually when there is no need for SCCs because no Personal Data is being transferred outside of the EU.
• “Personal Data” means any data that identifies, relates to, is capable of being associated with, or could reasonably be linked to an identified or identifiable natural person or household.
• “processing, processes, processed or process” means any operation or set of operations which are performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as, collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing, disseminating or otherwise making available, restricting, erasing, destroying Customer Personal Data.
• “Standard Contractual Clauses” or “SCCs” means the updated standard sets of contractual terms and conditions which have been pre-approved by the European Commission on June 4, 2021, as ensuring appropriate contractual data protection safeguards for Personal Data transfers from the EU/EEA to third countries that do not provide adequate protection to Personal Data, and which, in the case of the UK, in combination with the UK Addendum to SCCs meet the requirements of the ICO for Personal Data transfers from the UK to third countries that do not provide adequate protection to Personal Data.
• “Sub-processors” means third parties engaged by Supplier to process Customer Personal Data in relation to the Supplier Services.
• “Supplier Services” means the services and/or products to be provided by Supplier to Customer under the Services Agreement.
• “Technical and Organizational Security Measures” has the meaning given to it in Section 5.1.
• “Term” means the period from the Addendum Effective Date until the end of Supplier’s provision of the Supplier Services.
• “UK Addendum to SCCs” means the form of addendum approved by the ICO for use with customers with UK Personal Data which also requires SCCs due to Personal Data being transferred from the EU.  

2. Duration of Addendum

This Addendum will take effect on the Addendum Effective Date and, notwithstanding the expiration of the Term, will remain in effect until, and automatically expire upon, Supplier’s deletion of all Customer Personal Data as described in this Addendum.

3. Processing of Data

• Scope and Roles. This DPA applies when Supplier processes Customer Personal Data in the course of providing the Supplier Services. In this context, Supplier is a “processor” to Customer, who may act as either a “controller” or “processor” with respect to Customer Personal Data. This DPA does not apply when Supplier is the “controller” with respect to any Personal Data. 
• Details of Processing. This Section sets out certain information regarding Supplier’s processing of Customer Personal Data under the Services Agreement:
  • Subject Matter. The subject matter of the processing is Customer Personal Data.
  • Duration of Processing. The duration of the processing of the Customer Personal Data is set forth in the Services Agreement.
  • Nature and Purpose. Supplier will process Customer Personal Data as necessary to perform the Supplier Services pursuant to the Services Agreement.
  • Type of Customer Personal Data. The Customer Personal Data shall consist of Customer’s clients’ account numbers, and any additional Customer Personal Data expressly listed in an order under the Services Agreement.
  • Categories of Data Subjects. The Data Subjects consist of Customer’s clients. 
• Customer Obligations. Customer acknowledges that it controls the nature and contents of the Customer Personal Data. Customer will ensure that it has obtained all necessary and appropriate consents from and provided notices to Data Subjects where required by Data Protection Law to enable the lawful transfer of any Customer Personal Data to Supplier for the duration and purposes of this DPA and the Services Agreement, and shall not provide for processing any Customer Personal Data not expressly set forth or referenced in Section 3.2.4 above without the prior written consent of Supplier.
• Supplier’s Processing. Supplier will process Customer Personal Data only for the purposes of: (i) provisioning the Supplier Services, (ii) processing initiated by Customer in its use of the Supplier Services, and (iii) processing in accordance with the Services Agreement, this DPA, and Customer’s other reasonable documented instructions that are consistent with the terms of the Services Agreement. Any other processing will require prior written agreement between the parties.
• Compliance with Laws. Each party will comply with all Applicable Data Protection Laws.

4. Data Deletion on Termination

Upon the expiration or earlier termination of the Services Agreement, Supplier shall securely destroy all Customer Personal Data in Supplier’s possession, custody, or control; provided, however, that Supplier will delete or overwrite information from any back-up media in the ordinary course of business, as technically feasible.  In the event applicable law does not permit Supplier to comply with the delivery or destruction of the Customer Personal Data, and with respect to information Supplier maintains on back-up media, Supplier shall maintain the confidentiality of the Customer Personal Data and shall not use or disclose any Customer Personal Data after termination of the Services Agreement, except as required by law.

5. Data Security

• Supplier’s Security Measures, Controls and Assistance.
  • Supplier’s Security Measures. Supplier will implement and maintain reasonable technical and organizational measures (“Security Measures”) designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data as described in Schedule 3 (“Security Measures Documentation”). Supplier may update or modify the Security Measures Documentation from time to time provided that such updates and modifications do not materially decrease the overall security of the Supplier Services.
  • Security Compliance by Supplier Staff. Supplier will grant access to Customer Personal Data only to employees, contractors and Sub-processors who need such access for the scope of their performance and are subject to appropriate confidentiality arrangements.
  • Supplier’s Security Assistance. Supplier will (taking into account the nature of the processing of Customer Personal Data and the information available to Supplier) provide Customer with reasonable assistance necessary for Customer to comply with its obligations in respect of Customer Personal Data under Applicable Data Protection Laws.
• Information Security Incidents.
  • Information Security Incident Notification. If Supplier becomes aware of an Information Security Incident, Supplier will: (a) notify Customer of the Information Security Incident without undue delay after becoming aware of the Information Security Incident; and (b) take reasonable steps to identify the cause of such Information Security Incident, minimize harm and prevent a recurrence.
  • Details of Information Security Incident. Notifications made pursuant to this Section 5.2 will describe, to the extent available, details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Supplier recommends Customer take to address the Information Security Incident.
  • Notification. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Information Security Incident(s).
  • No Acknowledgement of Fault by Supplier. Supplier’s notification of or response to an Information Security Incident under this Section 5.2 will not be construed as an acknowledgement by Supplier of any fault or liability with respect to the Information Security Incident.
• Customer’s Security Responsibilities and Assessment.
  • Customer’s Security Responsibilities. Customer agrees that, without prejudice to Supplier’s obligations under Sections 5.1 and 5.2 above:
    • Customer is solely responsible for its use of the Supplier Services, including:
      • making appropriate use of the Supplier Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data;
      • securing the account authentication credentials, systems and devices Customer uses to access the Supplier Services;
      • securing Customer’s systems and devices Supplier uses to provide the Supplier Services; and
      • backing up its Customer Personal Data.
    • Supplier has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Supplier’s and its Sub-processors’ systems (for example, offline or on-premises storage).
  • Customer’s Security Assessment.
    • Customer is solely responsible for evaluating for itself whether the Supplier Services, the Security Measures and Supplier’s commitments under this Addendum meet Customer’s needs, including with respect to any security obligations of Customer under the Applicable Data Protection Laws.
    • Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Supplier as set out in the Security Measures Documentation and this Addendum provide a level of security appropriate to the risk in respect of the Customer Personal Data.
  • Reviews and Audits of Compliance.
    • Customer may audit Supplier’s compliance with its obligations under this Addendum up to once per year and in addition upon the occurrence of an Information Security Incident. In addition, to the extent required by Applicable Data Protection Laws, including where mandated by Customer’s supervisory authority, Customer or Customer’s supervisory authority may perform more frequent audits (including inspections). Supplier will contribute to such audits by providing Customer or Customer’s supervisory authority (the UK’s Information Commissioner in the case of the UK, for example) with the information and assistance reasonably necessary to conduct the audit, including any relevant records of processing activities applicable to the Supplier Services.
    • To request an audit, Customer must submit a detailed proposed audit plan to Supplier at least four weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit and shall be confined to the purpose of assessing Supplier’s protection of Customer Personal Data and compliance with this Addendum. Supplier will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Supplier security, privacy, employment or other relevant policies). Nothing in this Section 5.4 shall require Supplier to breach any duties of confidentiality.  
    • The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and Supplier’s health and safety or other relevant policies and may not unreasonably interfere with Supplier business activities.
    • Customer will promptly notify Supplier of any non-compliance discovered during the course of an audit and provide Supplier any audit reports generated in connection with any audit under this Section 5.4, unless prohibited by Applicable Data Protection Laws or otherwise instructed by the applicable supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this Addendum. The audit reports are Confidential Information of the parties under the terms of the Services Agreement.
    • Any audits are at Customer’s expense. Customer shall reimburse Supplier for mutually agreed reasonable expenses for any time expended by Supplier or its Sub-processors in connection with any audits or inspections under this Section 5.4 and to the extent legally permitted, any data protection impact assessments under Section 7.1 below. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

6. Sub-processors
   • Authorized Sub-processors Engagement. Customer generally authorizes the engagement of any other third parties as Sub-processors to the extent Supplier engages such Sub-processors in accordance with Section 6.2.  A current list of Sub-processors is attached hereto as Schedule 2.
   • Requirements for Sub-processor Engagement. When engaging any Sub-processor, Supplier will enter into a written contract with such Sub-processor containing data protection obligations not less protective than those in the Services Agreement (including this Addendum) with respect to the protection of Customer Personal Data to the extent applicable to the nature of the Supplier Services provided by such Sub-processor. Supplier shall be liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor to the extent required by Applicable Data Protection Law.
   • Opportunity to Object to Sub-processor Changes.

When any new Sub-processor is engaged during the Term, Supplier will, at least 30 days before the new Sub-processor processes any Customer Personal Data, notify Customer of the engagement (including a general description of the Sub-processor, the country where the relevant Sub-processor is located and the activities the Sub-processor will perform).Customer may object to any new Sub-processor by providing written notice to Supplier within ten (10) business days of being informed of the engagement of the Sub-processor as described above. In the event Customer objects to a new Sub-processor, Customer and Supplier will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Services Agreement by providing written notice to Supplier.

7. Impact Assessments and Consultations; Requests for Customer Personal Data
   • Cooperation. Supplier will (taking into account the nature of the processing and the information available to Supplier) reasonably assist Customer at Customer’s expense in complying with its obligations under Applicable Data Protection Laws in respect of data protection impact assessments and prior consultation with data protection authorities.
   • Governmental Requests. If Supplier receives a valid and binding legal order (“Request”) from any governmental body (“Requesting Party”) for disclosure of Customer Personal Data, Supplier will use commercially reasonable efforts to redirect the Requesting Party to seek that Customer Personal Data directly from Customer. If, despite Supplier’s efforts, Supplier is compelled to disclose Customer Personal Data to a Requesting Party, Supplier will:
     • if legally permitted, promptly notify Customer of the Request to allow Customer to seek a protective order or other appropriate remedy. If Supplier is prohibited from notifying Customer, Supplier will use commercially reasonable efforts to obtain a waiver of that prohibition;
     • challenge any over-broad or inappropriate Request (including Requests that conflict with the law of the European Union); and
     • disclose only the minimum amount of Customer Personal Data necessary to satisfy the Request.

8. Data Subject Rights
   • Supplier’s Data Subject Request Assistance. Supplier will (taking into account the nature of the processing of Customer Personal Data) provide Customer with reasonable assistance as necessary for Customer to fulfil its obligation under Applicable Data Protection Laws to respond to requests by Data Subjects (“Data Subject Request”).
   • Customer’s Responsibility for Requests If a Data Subject contacts Supplier with a Data Subject Request that identifies Customer, to the extent legally permitted, Supplier will promptly notify Customer. Solely to the extent that Customer is unable to access Customer Personal Data itself, and Supplier is legally permitted to do so, Supplier will provide commercially reasonable assistance to Customer in responding to the Data Subject Request. To the extent legally permitted, Customer will be responsible for any costs arising from Supplier’s provision of such assistance, including any fees associated with the provision of additional functionality.
9. Data Transfers
   • Data Storage and Processing Facilities. Supplier may, subject to Section 9.2, store and process Customer Personal Data anywhere Supplier or its Sub-processors maintain facilities.
   • Restricted Transfers of Data. Supplier shall at all times comply with Applicable Data Protection Laws and the terms of this Addendum with respect to cross border transfer of Customer Personal Data. To the extent that any storage and/or processing of Customer Personal Data by either Supplier or any Sub-processor  involves a transfer of Customer Personal Data from the EEA, Switzerland or the United Kingdom to a territory which has not been recognized by the relevant data protection authorities as providing an adequate level of protection for personal data according to Applicable Data Protection Laws, Supplier agrees to process that Customer Personal Data in compliance with the provisions set out in Schedule 1, which forms an integral part of this DPA.
10. CCPA Obligations.
    • Service Provider. For purposes of this Section 10, Customer Personal Data shall include “personal information” (as that term is defined under CCPA) that Customer uploads into the Supplier Services that is processed by Supplier as a “service provider” as defined in CCPA and this Section 10 shall apply to the extent that such “personal information” being processed is not “nonpublic information” under the Graham-Leach-Bliley Act, as amended (“GLBA”) with Customer as a “financial institution” subject to GLBA.  This Section 10 shall only apply if Supplier expressly permits Customer to provide for processing such “personal information” to Supplier in accordance with Section 3.2.4 above.
    • Supplier Obligations. Supplier will not:
      • retain, use, or disclose Customer Personal Data for any purpose other than providing the Supplier Services;
      • retain, use, or disclose Customer Personal Data outside of the direct business relationship between Supplier and Customer;
      • sell or share Customer Personal Data (as the terms “sell” and “share” are defined in CCPA); or
      • combine Customer Personal Data with personal information that Supplier has received from another Supplier customer, except as permitted under CCPA.
    • Unauthorized Use. Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information that is protected under CCPA.
11. Analytics

Customer acknowledges and agrees that Supplier may create and derive from processing related to the Supplier Services anonymized and/or aggregated data that does not identify Customer or any natural person, and use, publicize or share with third parties such data to improve Supplier’s products and services and for its other legitimate business purposes.

12. Notices

Notwithstanding anything to the contrary in the Services Agreement, any notices required or permitted to be given by Supplier to Customer may be given (a) in accordance with the notice clause of the Services Agreement; (b) to Supplier’s primary points of contact with Customer; and/or (c) to any email provided by Customer for the purpose of providing it with Supplier Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.

13. Limitation of Liability

To the extent permitted under law, each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum whether in contract, tort or under any other theory of liability, is subject to the “Limitations on Liability” section of the Services Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Services Agreement and this Addendum.

14. Effect of These Terms; Governing Law

Notwithstanding anything to the contrary in the Services Agreement, to the extent of any conflict or inconsistency between this Addendum and the remaining terms of the Services Agreement, this Addendum will govern.  The parties agree that (1) the governing law of this Addendum, and (2) the forum for all disputes in respect of this Addendum, shall be the same as set out in the Services Agreement, unless otherwise required by Applicable Data Protection Laws.

Schedule 1

CROSS BORDER DATA TRANSFERS

1. Definitions

Upon the effective date of adoption for any revised Standard Contractual Clauses by the European Commission, all references in this DPA to the “Standard Contractual Clauses” shall refer to that latest version thereof.“Alternative Transfer Mechanism” means a mechanism, if any, other than the Standard Contractual Clauses, that enables the lawful cross-border transfer of Customer Personal Data to a territory which has not been recognized by the relevant data protection authorities as providing an adequate level of protection for Customer Personal Data in accordance with Data Protection Law, for example, any replacement international instruments for the invalidated EU-U.S. and Switzerland-U.S. Privacy Shield Frameworks or Binding Corporate Rules under Article 47 of EU GDPR.

2. Order of Precedence for Transfer Mechanisms

If Supplier adopts an Alternative Transfer Mechanism for any transfers that are subject to Section 9.2 of the DPA, then Supplier will inform Customer of the relevant Alternative Transfer Mechanism and ensure that such transfers are made in accordance with it; and/or if Supplier has not adopted, or informs Customer that Supplier is no longer adopting, an Alternative Transfer Mechanism for such transfers, then the Standard Contractual Clauses shall apply in accordance with Section 3 below.

3. Incorporation of the Standard Contractual Clauses.

3.1. When the Standard Contractual Clauses are the applicable transfer mechanism in accordance with Section 2 above, the parties agree that:3.1.1 Clause 7 will not apply.3.1.2 In Clause 9(a), Option 2 will apply, and the time period for prior notice of Subprocessor changes will be as set forth in Section 4.1 of the DPA.3.1.3 In Clause 11(a), the optional language will not apply.3.1.4 In Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by the law of the Republic of Ireland.3.1.5 In Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland.3.2. For purposes of Annex I, Part A of the Standard Contractual Clauses (List of Parties):3.2.1 Data Exporter: Customer.Contact Details: Customer’s account owner email address, or to the email address(es) for which Customer elects to receive legal communications.Data Exporter Role: Data Exporter’s role is outlined in Section 2 of the DPA.Signature & Date: By entering into the Services Agreement, Data Exporter is deemed to have signed the Standard Contractual Clauses, including their Annexes and configured according to Section 3 of this Schedule I to the DPA, as of the effective date of the Services Agreement.3.2.2 Data Importer: Eventus Systems, Inc., on its own behalf and on behalf of its non-EEA Affiliates.Contact Details: Supplier’s DPO at privacy@eventus.com.Data Importer Role: Data Importer’s role is outlined in Section 3 of the DPA.Signature & Date: By entering into the Services Agreement, Data Importer is deemed to have signed the Standard Contractual Clauses, including their Annexes and configured according to Section 3 of this Schedule 1 to the DPA, as of the effective date of the Services Agreement.3.3. For purposes of Annex I, Part B of the Standard Contractual Clauses (Description of Transfer):3.3.1 The categories of data subjects are described in Section 3.2.5 of the DPA.3.3.2 The forms of Customer Personal Data transferred are described in Section 3.2.4 of the DPA.3.3.3 The frequency of the transfer is on a continuous basis for the duration of the Services Agreement.3.3.4 The nature and purpose of the processing is described in Section 3.2.3 of the DPA.3.3.5 The period of retention of Customer Personal Data in relation to the processing will end upon termination of the Services Agreement.3.3.6 For transfers to Subprocessors, the subject matter and nature of the processing is described on this Schedule 1. The duration of processing by Subprocessors is the same as by Data Importer.3.4. For purposes of Annex I, Part C of the Standard Contractual Clauses (Competent Supervisory Authority), the competent supervisory authority/ies shall be determined in accordance with EU GDPR and Clause 13 of the Standard Contractual Clauses.3.5. Section 5 to the DPA and Schedule 3 to the DPA contain the information required under Annex II of the Standard Contractual Clauses (Technical and Organizational Measures).3.6. In addition to the above stipulations, each of the following forms part of the Standard Contractual Clauses and sets out the parties’ understanding of their respective obligations under the Standard Contractual Clauses:3.6.1 Clause 8.9 of the Standard Contractual Clauses: Audit. Data Exporter acknowledges and agrees that it exercises its audit right(s) under Clause 8.9 by instructing Data Importer to comply with the audit measures described in Section 5.4 (Reviews and Audits of Compliance) of the DPA.3.6.2 Clause 9(c) of the Contractual Clauses: Disclosure of Subprocessor agreements. The parties acknowledge that, pursuant to subprocessor confidentiality restrictions, Data Importer may be restricted from disclosing onward subprocessor agreements to Data Exporter. Even where Data Importer cannot disclose a subprocessor agreement to Data Exporter, the parties agree that, upon the request of Data Exporter, Data Importer shall (on a confidential basis) provide all information it reasonably can in connection with such subprocessing agreement to Data Exporter.3.6.3 Clause 12 of the Standard Contractual Clauses: Liability. To the greatest extent permitted under Data Protection Law, any claims brought under the Standard Contractual Clauses will be subject to any aggregate limitations on liability set out in the Services Agreement.

4. Transfers of Customer Personal Data Protected by FADP.

4.1. With respect to transfers of Customer Personal Data protected by FADP, the Standard Contractual Clauses will apply in accordance with Sections 2 and 3 above, with the following modifications:4.1.1 any references in the Standard Contractual Clauses to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to FADP;4.1.2 references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and4.1.3 references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland.

5. Transfers of Customer Personal Data Protected by UK GDPR.

5.1. With respect to transfers of Customer Personal Data protected by UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued under S119A(1) Data Protection Act 2018 (“UK Addendum”), shall apply and be incorporated by reference into this DPA, with Part 1: Tables completed in accordance with the applicable stipulations in Section 3 of this Schedule 1. Either data exporter or data importer may terminate the UK Addendum pursuant to Section 19 of the UK Addendum if, after a good faith effort by the parties to amend the DPA to account for the approved changes and any reasonable clarifications to the UK Addendum, the parties are unable to come to agreement. To the extent of any conflict between Section 3 of this Schedule 1 and any mandatory clauses of the UK Addendum, the UK Addendum shall govern to the extent UK GDPR applies to the transfer.

Schedule 2LIST OF SUB-PROCESSORSThe Customer has authorised the use of the following Sub-processors:

Schedule 3

SECURITY MEASURES

Eventus will take, at a minimum, the security measures described in this Appendix 2 (or, as these measures are updated by Eventus from time to time, measures that are of substantially similar stringency) in order to ensure compliance with such security provisions with regard to the Processing of Personal Data on behalf of Customer. Information SecurityEventus maintains documented information security policies and procedures to help guide personnel in information security activities including information access control, data handling and classification, and information security. The policies are reviewed by executive management on an annual basis and updated as necessary.Employees are required to complete security awareness training annually to re-emphasize existing security policies and review any updates to the security policies. The security awareness training is provided using a third-party platform and includes topics such as handling of data, a review of technology use, email usage, internet usage, and secure networking. Management reviews the training completion report at least annually to help ensure each employee completes security awareness training and acknowledges the aforementioned policies.

Access Administration

Access to system information is protected by authentication and authorization mechanisms. Network and application access requires the use of unique user IDs and passwords. Network account policies are configured to enforce minimum length and complexity requirements, while application account policies are configured to enforce minimum length, complexity, password history, and lockout requirements. A best in class third party application is used as an additional level of security to provide authentication to the AWS environments as well as other applications based on assigned groups and permissions.A VPN service is used to remotely connect to the network and application and inherits its authentication requirements from the third party authentication application. The VPN is configured to enforce multi-factor authentication (MFA) upon login. Once authenticated, authorization to system components and environments are controlled via defined groups within the VPN. Eventus uses the VPN to provide a whitelisted IP address which is used to access hosts within the AWS environments.The IT team is responsible for assigning and maintaining access rights to applications and systems. The IT team requires HR to submit an access request ticket prior to granting or modifying employees’ access to the environment. Logical access requests for new hires are required to be submitted to the IT Team via an access request ticket by HR management. The IT team grants an initial group of access rights for the new hires that contains a standard set of access permissions for applications needed to perform company-wide functions. The initial group of access rights are approved prior to access through the creation of the request ticket. If access outside of the standard permission set is required for new hires, then additional access requests are submitted by management to IT. Modifications to assigned logical access privileges are submitted to the IT team by management. Upon notification of an employee termination, the IT team revokes user accounts assigned to terminated employees as a component of the termination procedures. The ability to add, modify, or revoke access to the production network and systems is restricted to IT operations personnel. Quarterly, the review of user access permissions is conducted by management. The results of these reviews are documented within the HR platform.

Incident Response

Eventus maintains documented incident response and data breach response plans, in efforts to ensure that identified security events or data breach incidents are identified, contained, remediated timely, and to ensure regulatory requirements are met. Notifications regarding confirmed data breaches are provided to affected data subjects, regulators, and other parties (as applicable) within an acceptable timeframe to meet the organization’s confidentiality commitments.Eventus utilizes CrowdStrike’s Falcon protection services for security incident detection and prevention. The Falcon Complete team is responsible for monitoring, and investigating, and the triaging of detections made by the Falcon Agent. If it is determined that further investigation is needed by the Falcon Complete Team, then escalation to the Eventus Infrastructure Team is required. Once escalated to the infrastructure team, Eventus’ incident response procedures are initiated.Personnel that have a job requirement to aid in incident response events are required to participate in a table-top exercise on an annual basis to ensure the accuracy of the plan and account for updates that should be made due to changes in the operating environment.

Change Management

Management maintains documented change management policies and procedures to guide personnel in performing required activities for standard and emergency changes. Change requests are recorded within Zendesk, the IT helpdesk ticketing system, by the requestor. Zendesk is integrated into Jira, where change requests are ticketed and tracked throughout the lifecycle of the change request. Change request tickets document information about the requested change which includes a unique change request number, description of the change, reason for the change, systems affected, and required approvals.The Product Team and Infrastructure Team meet on a bi-weekly basis to discuss and review scheduled production change requests and patches. Operational issues and scheduled changes are reviewed based on the priority initially set by the Product Team and action plans are recorded.Eventus’ management has documented a roll-back strategy for each change request in the event that changes are required to be rolled back after implementation. Change requests are required to go through peer review Quality Assurance (QA) testing prior to approval, and project supervisors are responsible for approving the change request tickets prior to implementation. Approval is documented within the change request ticket and assigned to the Senior Manager of Infrastructure and Information Systems or the Cloud Engineer. The ability to implement changes into production is restricted to user accounts accessible by authorized personnel. After implementation, appropriate personnel are alerted via Slack, the results of the implementation are recorded, and the change request ticket is closed. Release notes and change information are communicated and made available to external users via the application portal.

Systems Availability

Eventus leverages tools that are configured to monitor availability related metrics and report on if thresholds are exceeded. These metrics include individual system capacity (CPU usage, disk space, memory usage, etc.) as well as network performance.

Backups

Documented procedures are in place to guide personnel in performing system backups. Eventus utilizes an automated backup system to schedule backups of production systems. The automated backup system is configured to alert key personnel if a backup job were to fail. Incremental system backups are performed daily, and the backups are encrypted and maintained across multiple availability zones for redundancy. Restorations of production backup data are performed at least quarterly as a component of normal business operations. The results of backup restorations are reviewed by IT personnel to verify that data can successfully be recovered from backup media.

Disaster Recovery and Business Continuity

Eventus maintains a documented disaster recovery and business continuity plan that defines the roles and responsibilities of personnel. The plans also include the standard processes to follow should there be an event that were to occur that could affect system operations. Using a combination of the availability tools that Eventus utilizes, and the coordination of efforts between personnel allows the organization to recover from an adverse event with minimal downtime and loss of data. Testing of the disaster recovery and business continuity plans are performed on an annual basis and lessons learned applied to the updated plan.

Data

Eventus has a formal data classification policy in place to guide personnel in identifying confidential information and the requirements for handling such information. Management classifies data into the following categories: Public, Sensitive, or Confidential. The classifications are defined to assist personnel in categorizing and handling and security requirements based on the data classification.Data CommunicationsIndustry standard encryption protocols are used and include the following:

• Secure File Transfer Protocol (SFTP): encrypts sensitive data between Eventus and clients when uploading data.
• HTTPS: encrypts using TLSv1.2 or higher on the platform to protect data transmissions between user sessions.
• VPN: provides secure remote access to the network and secure point-to-point network connections when necessary.
• Mobile Device Disk Encryption: full disk encryption solutions are deployed on the mobile computing environment to protect data if a laptop computer is lost or stolen.

Eventus has a data retention and disposal policy in place that defines retention schedules based on the data classification category to ensure data is maintained according to its source and use. Data destruction and disposal procedures are defined within the policy to guide personnel in securely disposing of data once it has exceeded the defined retention period. Customer master service agreements (MSAs) define the data retention and destruction requirements which is required to be signed by both parties prior to execution of services