
DATA PROCESSING ADDENDUM

(with Standard Contractual Clauses)

This Data Processing Addendum (DPA) is entered into between CrunchTime Information Systems, Inc., a Delaware corporation (Supplier), and Customer, and is incorporated into and governed by the terms of the Subscription Services Agreement (Agreement) between the parties.

DEFINITIONS. Any capitalized term not defined in this DPA will have the meaning given to it in the Agreement (defined below).

  • Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control of a party. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of a party.
  • Agreement means the agreement between Customer and Supplier for the purchase of Supplier’s Services.
  • CCPA means the California Consumer Privacy Act of 2018, along with its regulations, and as amended (including by the California Privacy Rights Act).
  • Controller means Customer, the entity which determines the purposes and means of the processing of Personal Data.
  • Customer Data means data, which may include Personal Data, that is Processed via the Services by Supplier.
  • Data Protection Laws means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, but not limited to, the EU GDPR, the UK GDPR, the UK Data Protection Act 2018, the FDPA, the CCPA, the Privacy and the Electronic Communications Regulations 2003 (SI 2003/2426) as amended, and all other applicable data protection and privacy legislation in force from time to time (as may be applicable depending on the location of Customer, data subjects and Processing of the relevant Personal Data).
  • Data Subject means the identified or identifiable person to whom Personal Data relates, including, without limitation, a “Consumer” as the term is defined in the CCPA.
  • DPA means this data processing addendum and its schedules.
  • EEA means the European Economic Area (namely the EU, Norway, Iceland and Liechtenstein together).
  • EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation).
  • FDPA means the Swiss Federal Act on Data Protection of 19 June 1992 (SR 235.1; FDPA) as amended from time to time.
  • Standard Contractual Clauses means (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries and published at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN (EU SCCs); (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (UK SCCs); and (iii) where Personal Data is transferred from Switzerland to outside of Switzerland or the EEA, the EU SCCs as amended in accordance with guidance from the Swiss Data Protection Authority (Swiss SCCs).
  • Personal Data means any information relating to: (i) an identified or identifiable natural person and (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws), which is provided as Customer Data.
  • Process or Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data by the Processor or any Sub-Processor on behalf of the Processor, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Processor means the entity which Processes Personal Data on behalf of Controller, including, without limitation, a “Service Provider” as that term is defined by the CCPA.
  • Restricted Transfer means: (i) where the EU GDPR applies, a transfer of Personal Data via the Services from the EEA either directly or via onward transfer, to any country or recipient outside of the EEA not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data via the Services from the United Kingdom either directly or via onward transfer, to any country or recipient outside of the UK not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) a transfer of Personal Data via the Services from Switzerland either directly or via onward transfer, to any country or recipient outside of the EEA and/or Switzerland not subject to an adequacy determination by the European Commission.
  • Sub-Processor means any third party (including Supplier Affiliates) engaged by Supplier to Process Personal Data under this DPA in the provision of the Services to Customer.
  • Supervisory Authority means a governmental or government-chartered regulatory body having binding legal authority over a party.
  • Services means the web subscription services provided by Supplier to the Customer pursuant to the Agreement.
  • UK GDPR means the EU GDPR as it forms part of the laws of the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018.

1. PURPOSE.

  1. Supplier has agreed to provide the Services to Customer in accordance with the terms of the Agreement. In providing the Services, Supplier will Process Customer Data on behalf of Customer. Customer Data may include Personal Data. Supplier will Process and protect such Personal Data in accordance with the terms of this DPA and the Data Protection Laws.

  2. With respect to Customer Data under this DPA, the parties agree that Customer is the Controller and Supplier is the Processor. Customer will comply with its obligations as a Controller and Supplier will comply with its obligations as a Processor under this DPA.
  3. Where a Customer Affiliate or a Customer client is the Controller with respect to certain Customer Data, Customer represents and warrants to Supplier that it is authorized to instruct Supplier and otherwise act on behalf of such Customer Affiliate or Customer client in relation to Customer Data in accordance with the Agreement and this DPA.

2. SCOPE.
  1. In providing the Services to Customer pursuant to the terms of the Agreement, Supplier will treat Personal Data as confidential and only Process Personal Data on behalf of Customer, and only to the extent necessary to provide Services and in accordance with the Customer’s instructions as documented in the Agreement and this DPA.
  2. Supplier must take reasonable steps designed to ensure that any natural person acting under the authority of Supplier who has access to Personal Data does not Process the Personal Data except as specified in this DPA unless required to do so by Data Protection Laws.

3. SUPPLIER OBLIGATIONS.

  1. Supplier may collect, Process, or use Personal Data only in accordance with the scope of the Agreement, this DPA, and Customer's instructions. The Agreement and this DPA are Customer's complete and final documented instructions to Supplier in relation to Personal Data. Additional instructions outside the scope of this DPA (if any) require prior written agreement between Supplier and Customer, including agreement on any additional fees payable by Customer to Supplier for carrying out such instructions.
  2. Supplier will implement and maintain processes designed to ensure that all employees involved in the handling of Personal Data: (i) are aware of the confidential nature of Personal Data and are contractually bound to keep Personal Data confidential; and (ii) have received appropriate training on their responsibilities as the Processor.
  3. Supplier must maintain appropriate managerial, operational, and technical safeguards designed to preserve the integrity and security of Personal Data while in its possession and control hereunder, while taking into account the state of the art, costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
  4. Supplier must maintain appropriate measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymization and encryption of Personal Data; (ii) the on-going confidentiality, integrity, availability and resilience of Processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing. In assessing the appropriate level of security, Supplier takes into account the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed, as further set forth in Schedule 2.
  5. Customer agrees that, in the course of providing the Services to Customer, it may be necessary for Supplier to access Personal Data to respond to any technical problems, Customer queries, security monitoring, and to ensure the proper working of the Services. All such access by Supplier will be limited to those purposes and performed by authorized personnel.
  6. Supplier must promptly inform Customer if, in Supplier’s opinion, any of the instructions regarding the Processing of Personal Data provided by Customer breach Data Protection Laws.
  7. Upon Customer’s request, Supplier will reasonably assist Customer in meeting the Customer’s obligation to carry out Data Protection Impact Assessments related to Customer’s use of the Services, to the extent that Customer does not otherwise have access to the relevant information, and taking into account the nature of Processing and the information available to Supplier.
  8. Customer and Supplier and, where applicable, their representatives, will cooperate, upon request, with a Supervisory Authority in the performance of their respective obligations under this DPA and Data Protection Laws.
  9. Supplier will notify Customer promptly of any request or complaint regarding the Processing of Personal Data which adversely impacts Customer, unless such notification is not permitted under applicable law or a relevant court order.
  10. Supplier may not (i) sell Personal Data; (ii) retain, use, or disclose Personal Data for commercial purposes other than providing the Services under the terms of the Agreement; (iii) retain, use, or disclose Personal Data outside of the Agreement; or (iv) except as otherwise permitted by Data Protection Laws, combine Personal Data provided under this DPA with Personal Data that Supplier receives from or on behalf of another person or persons, or collects from its own interactions with a Data Subject. Supplier understands these restrictions.
  11. Customer will have the right to take reasonable and appropriate steps to ensure that Supplier uses Personal Data in a manner consistent with Customer’s obligations under Data Protection Laws.
  12. Supplier will notify Customer promptly if Supplier determines that it can no longer meet its obligations under applicable Data Protection Laws.
4. CUSTOMER OBLIGATIONS.
  1. Customer represents and warrants, in its use of the Services, that: (i) it complies with the terms of the Agreement, this DPA, and Data Protection Laws; (ii) it provides notice to and obtains all necessary authorizations and consents from Data Subjects for Processing of Personal Data by Supplier, Supplier Affiliates, and Sub-Processors; and (iii) its use of the Services does not violate the rights of any Data Subjects. All Affiliates of Customer who use the Services will comply with the obligations of Customer set out in this DPA.
  2. Customer represents and warrants that its instructions comply with Data Protection Laws.
  3. Customer must inform Supplier of any notice or inquiry (including any notice, investigation, complaint, or request) relating to Supplier’s Processing of Personal Data and provide Supplier with a copy thereof within 48 hours of receipt by Customer of such notice or inquiry. Notices should be sent to: privacy@crunchtime.com.
5. NOTIFICATION OF SECURITY BREACH.
  1. Supplier will notify Customer without undue delay after becoming aware of (and in any event within 72 hours of discovering) any accidental or unlawful destruction, loss, alteration or unauthorized disclosure of or access to Customer’s Personal Data (Personal Data Breach).
  2. Supplier will take all commercially reasonable measures to secure Personal Data, to eliminate the Personal Data Breach, and to assist Customer in meeting the Customer’s obligations under Data Protection Laws. In the event of a Personal Data Breach, Supplier's System Administration Team and Security Team will perform a risk-based assessment of the situation and develop appropriate strategies in accordance with Supplier incident response procedures, which include contacting Customer’s primary (technical or business) point of contact or Security Operations Center (SOC) to brief them on the situation and provide resolution status updates.
6. AUDIT.
  1. Supplier will make available to Customer all information reasonably necessary to demonstrate compliance with its Processing obligations and allow for and contribute to audits and inspections.
  2. Any audit conducted under this DPA will consist of examination of the most recent reports, certificates and/or extracts prepared by an independent auditor. In the event that provision of the same is not deemed sufficient in the reasonable opinion of Customer, Customer may conduct a more extensive audit which will be: (i) at the Customer’s expense; (ii) limited in scope to matters specific to Customer and agreed in advance; (iii) carried out during Supplier’s business hours and upon reasonable notice, which must be not less than 4 weeks unless an identifiable material issue has arisen; and (iv) conducted in a way which does not interfere with Supplier’s day-to-day business. Any such audit must be conducted remotely, except that Customer and/or its Supervisory Authority may conduct an on-site audit at Supplier’s premises if so required by the Data Protection Laws. In no event will any audit of a Sub-Processor, beyond a review of reports, certifications and documentation made available by the Sub-Processor, be permitted without the Sub-Processor’s consent. This Section does not modify or limit the rights of audit of Customer; instead it is intended to clarify the procedures in respect of any audit.

7. DATA SUBJECTS.

  1. Supplier must, to the extent legally permitted, promptly notify Customer if Supplier receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure, data portability, or right to object to the Processing (Data Subject Request).
  2. Taking into account the nature of the Processing and the information available to Supplier, Supplier must assist Customer by having in place appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under the Data Protection Laws.
  3. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Supplier must upon Customer’s request, and to the extent possible, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Supplier is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Customer must be responsible for any costs arising from Supplier's provision of such assistance.
8. SUB-PROCESSORS.
  1. The Customer agrees that: (i) Affiliates of Supplier may be used as Sub-Processors; and (ii) Supplier and its Affiliates respectively may engage Sub-Processors in connection with the provision of the Services. The current list of Sub-Processors is in Schedule 3, and Customer authorizes Supplier to use the Sub-Processors set out in Schedule 3.
  2. During the term of this DPA, Supplier will provide Customer with prior notification, via email, of any changes to the list of Sub-Processors before authorizing any new or replacement Sub-Processors to process Personal Data in connection with the provision of the Services.
  3. Customer may object to the use of a new or replacement Sub-Processor, by notifying Supplier promptly in writing within 10 business days after receipt of Supplier’s notice. If Customer objects to a new or replacement Sub-Processor, and that objection is not unreasonable, Customer may terminate the Agreement or applicable order with respect to those Services which cannot be provided by Supplier without the use of the new or replacement Sub-Processor. Supplier will refund Customer any prepaid and unused fees covering the remainder of the term of the applicable order following the effective date of termination with respect to such terminated Services.
  4. All Sub-Processors who Process Personal Data must comply with the applicable obligations of Supplier set out in this DPA. Supplier must, prior to the relevant Sub-Processor carrying out any Processing activities in respect of Personal Data: (i) appoint each Sub-Processor under a written contract containing materially the same obligations to those of Supplier in this DPA enforceable by Supplier; and (ii) ensure each such Sub-Processor complies with all such obligations.
  5. Customer agrees that Supplier and its Sub-Processors may make Restricted Transfers of Personal Data to countries outside of the EEA, UK, or Switzerland, for the purposes of providing the Services to Customer in accordance with the Agreement. Supplier confirms that such Sub-Processors (i) are located in a third country or territory recognized by the EU Commission or a Supervisory Authority, as applicable, to have an adequate level of protection; or (ii) have entered into the applicable Standard Contractual Clauses with Supplier; or (iii) have other legally recognized appropriate safeguards in place.
9. RESTRICTED TRANSFERS.
  1. The parties agree that, when the transfer of Personal Data from Customer to Supplier or from Supplier to a Sub-Processor is a Restricted Transfer, it will be subject to the applicable Standard Contractual Clauses.
  2. The parties agree that the EU SCCs apply to Restricted Transfers from the EEA. The EU SCCs are deemed entered into (and incorporated into this DPA by reference) and completed as follows:
    1. Module Two (Controller to Processor) applies where Customer is a Controller of Customer Data and Supplier is Processing Customer Data;
    2. Module Three (Processor to Processor) applies where Supplier is a Processor of Customer Data and Supplier uses a Sub-Processor to Process Customer Data;
    3. Module Four (Processor to Controller) does not apply;
    4. in Clause 7 of the EU SCCs, the optional docking clause will not apply;
    5. in Clause 9 of the EU SCCs, Option 2 applies, and the time period for notice of Sub-Processors must be as set out in Section 8.3 of this DPA;
    6. in Clause 11 of the EU SCCs, the optional language does not apply;
    7. in Clause 17 of the EU SCCs, Option 1 applies; the EU SCCs are governed by Irish law and, for the Swiss SCCs, Swiss law;
    8. in Clause 18(b) of the EU SCCs, disputes must be resolved by the courts of Ireland for the EU SCCs and the courts of Switzerland for the Swiss SCCs;
    9. Annex I of the EU SCCs is deemed completed with the information set out in Schedule 1 of this DPA; and
    10. Annex II of the EU SCCs is deemed completed with the information set out in Schedule 2 of this DPA.
  3. The parties agree that the EU SCCs as amended in Section 9.2 above shall be adjusted as set out below where the FDPA applies to any Restricted Transfer:
    1. The Swiss Federal Data Protection and Information Commissioner (FDPIC) shall be the sole Supervisory Authority for Restricted Transfers exclusively subject to the FDPA;
    2. Restricted Transfers subject to both the FDPA and the EU GDPR shall be dealt with by the EU Supervisory Authority named in Schedule 1 of this DPA;
    3. The term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs;
    4. Where Restricted Transfers are exclusively subject to the FDPA, all references to the GDPR in the EU SCCs are to be understood to be references to the FDPA;
    5. Where Restricted Transfers are subject to both the FDPA and the EU GDPR, all references to the GDPR in the EU SCCs are to be understood to be references to the FDPA insofar as the Restricted Transfers are subject to the FDPA; and
    6. The Swiss SCCs also protect the Personal Data of legal entities until the entry into force of the revised FDPA.

  4. The parties agree that the UK SCCs apply to Restricted Transfers from the UK and the UK SCCs are deemed entered into (and incorporated into this DPA by reference), completed as follows: (i) Appendix 1 of the UK SCCs is deemed completed with the information set out in Schedule 1 of this DPA; and (ii) Appendix 2 of the UK SCCs is deemed completed with the information set out in Schedule 2 of this DPA.
  5. If any provision of this DPA contradicts any Standard Contractual Clauses, the provisions of the applicable Standard Contractual Clauses prevail over this DPA.

10. LIABILITY.
  1. The parties agree that Supplier is liable for any breaches of this DPA caused by the acts and omissions of its Sub-Processors to the same extent Supplier would be liable if performing the services of each Sub-Processor directly under the terms of this DPA.
  2. The parties agree that Customer is liable for any breaches of this DPA caused by the acts and omissions of its Affiliates and users as if such acts and omissions had been committed by Customer itself.
  3. The limitations of liability in the Agreement apply to all claims related to or arising under this DPA.
11. TERM AND TERMINATION.

Supplier will only Process Personal Data for the term of this DPA. The term of this DPA begins with the Agreement, and this DPA will automatically terminate upon the termination of the Agreement.

12. DELETION AND RETURN OF PERSONAL DATA.
  1. Supplier will, upon written request of Customer, at any time during the term of the order or at the time of expiration of the order and within the time periods set out in the Agreement, either: (i) make the Services available to Customer for the export of Personal Data; or (ii) securely delete all Personal Data; unless law applicable to Supplier prevents deletion/destruction of Personal Data. Additionally, upon request, Supplier will provide a certification of deletion/destruction of Personal Data.
  2. Where any Personal Data is retained beyond termination of this DPA, Personal Data must be treated as Confidential Information and will no longer be actively Processed.
13. GENERAL.
  1. This DPA sets out the entire understanding of the parties, and supersedes all prior and contemporaneous agreements and understandings, with regards to the subject matter. No modification or waiver of any term in this DPA is effective unless both parties sign it.
  2. Should a provision of this DPA be invalid or become invalid, then the legal effect of the other provisions will be unaffected. A valid provision is deemed to have been agreed upon, which comes closest to what the parties intended commercially and will replace the invalid provision. The same will apply to any omissions.
  3. To the extent of any conflict or inconsistency, the following order of precedence applies: the applicable Standard Contractual Clauses, followed by this DPA, and then the Agreement provided that, in all instances the disclaimer of damages and limitation of liability in the Agreement apply. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
  4. Customer may send any questions or concerns regarding this DPA to: privacy@crunchtime.com.

Schedules Attached:

Schedule 1 - List of Parties and Categories of Data

Schedule 2 - Technical and Organizational Security Measures

Schedule 3 - List of Sub-Processors

SCHEDULE 1

LIST OF PARTIES, DESCRIPTION OF PROCESSING AND TRANSFER OF PERSONAL DATA, COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: CONTROLLER TO PROCESSOR

A. LIST OF PARTIES

The Controller:

Controller Entity: Customer
Address: As set out for Customer in the Agreement.
Contact person’s name, position and contact details: As provided by Customer in its account and used for notification and invoicing purposes.
Activities relevant to the data transferred under the SCCs: Use of the Services.
Signature and date: By entering into the Agreement, the Controller is deemed to have signed the SCCs incorporated into this DPA, including their Annexes.
Role: Data Exporter.
Name of Representative (if applicable): Any UK or EU representative named in the Controller’s privacy policy.

The Processor:

Processor Entity: Supplier
Address: As set out for Supplier in the Agreement.
Contact person’s name, position and contact details: As provided by Supplier in its account and used for notification and invoicing purposes.
Activities relevant to the data transferred under the SCCs: The provision of cloud computing solutions to the Controller under which the Processor Processes Personal Data upon the instructions of the Controller in accordance with the terms of the Agreement.
Signature and date: By entering into the Agreement, the Processor is deemed to have signed the SCCs incorporated into this DPA, including their Annexes.
Role: Data Importer.

B. DESCRIPTION OF PROCESSING AND TRANSFERS

 

Categories of Data Subjects: Customers of the Controller.

Categories of Personal Data:

The Controller may submit Personal Data to the Services (or Personal Data is collected by Supplier for the benefit of Controller), the extent of which is determined, configured and controlled by the Controller. The Personal Data may include but is not limited to:

  • Contact Information, such as name, email address, mailing address, or phone number;
  • Billing Information, such as credit card number and billing address;
  • Unique Identifiers, such as username, account number or password;
  • Geo location based on IP address;
  • Occupation;
  • Birthday; and
  • Human resources related information.

Sensitive Data: Food allergy information from Customer’s clients and precise geolocation information of a particular Customer location are the types of sensitive data that Supplier may generally process as part of the Service.

The frequency of the Processing and transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis for the duration of the Agreement.

Nature of the Processing: Supplier Processes business-related Personal Data to the extent necessary to perform the Services under the Agreement, as further instructed by Customer pursuant to this DPA.

Purpose(s) of the data transfer and further Processing: Personal Data is transferred to Sub-Processors who need to Process some of the Personal Data in order to provide their services to the Processor as part of the Services provided by the Processor to the Controller.

The period for which Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Unless agreed otherwise in writing, for the duration of the Agreement, subject to Section 11 of this DPA.

For transfers to Sub-Processors, also specify subject matter, nature and duration of the Processing: The Sub-Processor list set forth in Schedule 3 sets out the Personal Data Processed by each Sub-Processor and the services provided by each Sub-Processor.

 

C. COMPETENT SUPERVISORY AUTHORITY

 

Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 of the SCCs):

Where the EU GDPR applies, the Data Protection Authority in Ireland.

Where the UK GDPR applies, the UK Information Commissioner's Office (ICO).

Where the FDPA applies, the Swiss Federal Data Protection and Information Commissioner (FDPIC).

 

MODULE THREE: PROCESSOR TO PROCESSOR

 

A. LIST OF PARTIES

 

The Data Exporter is Supplier.

The Data Importers are the Sub-Processors named in the Sub-Processor list, which contains the name, address, contact details and activities relevant to the data transferred to each Data Importer.

 

B. DESCRIPTION OF PROCESSING AND TRANSFERS

 

The Sub-Processor list includes the information about the Processing and transfers of Personal Data, for each Data Importer:

  • categories of Data Subject;
  • categories of Personal Data;
  • the nature of the Processing; and
  • the purposes of the Processing.

 

Personal Data is Processed by each Sub-Processor:

  • on a continuous basis;
  • to the extent necessary to provide the Services in accordance with the Agreement and the Data Exporter’s instructions; and
  • for the duration of the Agreement and subject to Section 11 of this DPA.

 

C. COMPETENT SUPERVISORY AUTHORITY

 

The competent Supervisory Authorities of each Sub-Processor are listed below:

  • Where the EU GDPR applies, the Member State in which the Sub-Processor has its EU representative;
  • Where the UK GDPR applies, the UK Information Commissioner's Office (ICO); and
  • Where the FDPA applies, the Swiss Federal Data Protection and Information Commissioner (FDPIC).

SCHEDULE 2

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Below is a description of the technical and organizational measures implemented by the Processor(s) / Data Importer(s) (including any relevant certifications) designed to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons.

Where applicable, this Schedule 2 will serve as Annex II to the SCCs.

For clarity, this Schedule 2 is applicable only to the cloud environments owned, controlled or managed by Supplier, and not to any customer owned, controlled, or managed environment.

Measure

Description

Measures of pseudonymization and encryption of Personal Data

Data in transit is protected by using TLS with SHA256 compliant keys.
Data at rest is stored using AES256 encryption methods, in accordance with Supplier’s Acceptable Encryption Policy.

Measures designed for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services

Access to data is granted under a “need-to-know” principle; criteria for granting access are documented and procedures are in place to log and monitor access. All requests for access require management approval. Enforcement of these measures is outlined in Supplier’s Access Control Policy.

Data objects are also under detailed monitoring to identify data access events. Environments are logically isolated and access to data is granted for specific instances. Monitoring and logging is sanctioned under the Logging & Monitoring Policy.

Measures designed for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

Recovery of data is ensured by leveraging native resilience and regular testing of the recovery measures. Compliance is enforced under Supplier’s Backup & Recovery Policy (Data Recovery), Business Continuity Policy (Service Level), and the Disaster Recovery Plan Policy (Service Recovery)

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing

Supplier ensures compliance by a mixture of procedures and monitoring services which include Quarterly Access Audits, automated monitoring of activity, automated vulnerability scanning, yearly assessments and compliance reviews. Supplier has implemented the structure and assigned the resources to complete these activities in alignment to its Information Security Policy.

Measures for user identification and authorization

Access to the resources or assets is limited to unique accounts managed under a centralized identity management system. All systems employ SSL/TLS encrypted communication and are framed under specific policies like the Access Control Policy, the Acceptable Encryption Policy. Scheduled reviews are in place to ensure compliance is met.

Measures for the protection of data during transmission

Data during transmission is protected with TLS protocols using SHA256 encryption keys. Governance over the use of approved protocols and the required encryption settings is framed in our internal Acceptable Encryption Policy.

3rd party reviewing is employed to evaluate the effectiveness of the measures, providing additional awareness and oversight into detecting anomalous behavior.

Measures for the protection of data during storage

We use 3rd party services covered by AWS certifications. Stored data is protected by logical access segmentation, AES256 encryption and activity monitoring.

Data in storage follows measures aimed at providing proven accessibility and reliability undercurrent policies, including but not limited to: The Backup & Recovery Policy, Acceptable Encryption Policy and their related procedures.

Measures designed for ensuring physical security of locations at which Personal Data are processed

Data storage locations are out of reach for Supplier and are under the responsibility of the service vendors.

All vendors are vetted to ensure compliance with the Vendor Management Policy, which includes demonstrable provisions for location security.

Supplier’s access to data processing locations is limited to remote and secured connections from office locations meeting the requirements outlined in our internal Physical & Environmental Security Policy.

Measures designed for ensuring events logging

Activity is logged and monitored for data objects and behavior is analyzed regularly. Active notification and awareness measures are employed to maintain adequate visibility over critical systems and services as indicated in the Logging & Monitoring Policy, which includes the provisions to collect and analyze logs and events.

Measures designed for ensuring system configuration, including default configuration

Change Control management measures are employed to track changes. Default configurations are tracked under Version Control systems. Changes are vetted in accordance with our Change Control Policy. All changes require proper documentation in out tracking system and to complete their authorization and testing process before any deployments can be authorized and scheduled.

Measures for internal IT and IT security governance and management

Employees are subject to awareness training and functional training. Access to Customer Data storage is limited to functional duties and under approval from management. Awareness training topics are evaluated on a yearly manner to ensure new threats and risks are considered in the training material.
Training is mandatory in nature and assigned to every new member upon their start date.

Training requirements and guidelines are detailed in the Security Awareness & Training Policy.

Measures for certification/assurance of Processor and Service

The Processor has completed certification under SOC1 TYPE II and SOC2 Type II requirements. When 3rd party services are required, these will be subject of a risk evaluation, with preference placed on certification under international standards. Supplier places additional scrutiny to ensure new vendors are not detrimental to current measures and standards.

All 3rd party services are vetted according to the requirements framed in the Vendor Management Policy.

Measures designed for ensuring data minimization

In accordance with Supplier’s Customer Data Retention Policy, Customer Data is retained during the tenure of a customer subscription with Supplier and deleted either upon request or within a pre-defined time interval, as further set forth below. Customer Data is only used for the purposes set forth in the Agreement.

Measures designed for ensuring data quality

Data is validated upon capture, including measures to limit incomplete or inaccurate data to be entered. Consistency is reviewed regularly.

Measures designed for ensuring limited data retention

Data retention is subject to Supplier’s Customer Data Retention Policy and applicable law. 60 days following termination of the subscription agreement, Supplier has no obligation to maintain the Customer Data and may delete it, unless otherwise required by applicable law. Permanent and immediate Customer Data deletion can provided upon request from the customer.

Measures designed for ensuring accountability

We enforce the use of unique accounts for all employees. Activities are logged and reviewed with regularity. All activities aimed to provide and maintain agreed service levels are accounted and subject to follow the boundaries defined by (but not limited to) our Information Security Policy and its related policies and procedures.

In addition, roles and responsibilities are documented and detailed to provide clear boundaries and segmentation of duties.

Measures for allowing data portability and designed for ensuring erasure

Requirements to complete data erasure is defined under our Data Retention Policy. Requests to port/delete data are logged in our internal change management system and are not enacted unless proper evaluation and approval is issued for each request.

Measures to be taken by the Sub- Processor to be able to provide assistance to the Controller (and, for transfers from a Processor to a Sub-Processor, to the Data Exporter).

It is a primary concern to ensure that all 3rd party services are properly vetted and evaluated before any commitment is placed as detailed in the Vendor Management Policy.

SCHEDULE 3

LIST OF SUB-PROCESSORS

Sub-processor | Purpose | Location | Contact Details
Amazon Web Services Inc | third-party hosting provider | United States | https://aws.amazon.com/contact-us
Salesforce Inc (Heroku) | third-party hosting provider | United States | https://www.heroku.com/
Google Corporation | third-party hosting provider & user behavior analytics | United States | https://cloud.google.com/
Elastic.co | third-party hosting provider | United States | https://elastic.co/
MongoDB Inc | third-party hosting provider | United States | https://www.mongodb.com/
Wootric Inc | customer experience management | United States | https://inmoment.com/wootric/
Evocative | third-party hosting provider | United States | https://evocative.com/contact-us/
Oracle Cloud Services (OCI) | third-party hosting provider | United States | https://www.oracle.com/corporate/contact/
Zendesk | customer messaging platform | United States | https://www.zendesk.com/contact/
HubSpot | customer messaging platform | United States | https://www.hubspot.com/company/contact
CrowdStrike | security event monitoring, managed detection and response, and anti-virus | United States | https://www.crowdstrike.com/en-us/contact-us/
Microsoft Azure | third-party hosting provider | United States | https://azure.microsoft.com/en-us/contact/
Snowflake | data warehouse | United States | https://snowflake.com/en/contact/
Twilio | cloud communication services | United States | https://www.twilio.com/en-us/company

Contact information:

  privacy@crunchtime.com

  Phone: 1-800-537-0227