ProcessUnity Data Security & Data Privacy Terms (DSDPT)

These Data Security and Data Privacy Terms (“DSDPT”) are an attachment to, incorporated into and are governed by the ProcessUnity Master Subscription Agreement (“Agreement”) which can be found here. These DSDPT set forth the terms and conditions relating to the privacy, confidentiality, integrity, and availability of data (as defined below) associated with services rendered by, and/or products provided by, ProcessUnity to Customer and/or its Affiliates pursuant to the Agreement. In the event of conflict, these DSDPT supersede the Agreement.

Data Security Terms

1. Definitions

1.1 “Affiliates” means any entity that directly or indirectly controls, is controlled by or is under common control with, another entity.

1.2 “Agreement” means the Master Agreement, and the terms of such other documents as are incorporated by express reference in any of the foregoing (e.g. Exhibits, Schedules, Ordering Documents, etc.).

1.3 “Credentials” means unique pieces of information, such as usernames, passwords, security tokens, or biometric data, that verify a user’s identity and grant them access to a specific system, service, or resource.

1.4 “Customer Data” means data provided to ProcessUnity by or on behalf of Customer that ProcessUnity processes on behalf of Customer.

1.5 “Security Incident” means an act that is known to or is reasonably suspected to have resulted in unauthorized destruction, alteration, disclosure, access to, or loss of, Customer Data Assets managed by ProcessUnity.

1.6 “Service” or “Services” means any and all labor or service provided in connection with the Agreement or any applicable ordering document, including, without limitation, Supplier’s (a) consultation, professional, technical, and engineering services, creation or development of deliverables, installation/implementation and removal services, maintenance, training, technical support, repair, programming, and on-site support ancillary to the acquisition of deliverables, (b) support services and (c) provision of any services-related deliverables, including any documentation.

1.7 “Third Party” means any person or entity other than ProcessUnity and Customer and Customer’s Users.

ProcessUnity shall ensure the following structures and controls are in place to protect the confidentiality, integrity, and availability of Customer Data at all times.

2. Security Program

2.1 Ensure that its security program contains administrative, technical, and physical safeguards appropriate to the complexity, nature, and scope of its activities.

2.2 Implement a security program that is designed to protect the confidentiality, integrity, and availability of Customer Data against unlawful or accidental access to, or unauthorized processing, disclosure, destruction, damage or loss of Customer Data.

2.3 Base the program on one or more industry standards for security, such as ISO 27001, the NIST CSF, or the AICPA Trust Services Criteria (SOC 2).

2.4 Implement, publish and periodically review information security policies that document the administrative, technical, and physical controls required of the information security program. Ensure that the security policies address at a minimum the security controls and other requirements described in the Agreement and in accordance with industry standards and provide evidence of the security policies to Customer on request.

2.5 Ensure that the security program is sponsored and approved by ProcessUnity senior leadership.

2.6 Demonstrate and provide evidence of the effectiveness of the program in the form of SOC 2 audit reports, ISO 27001 certificates and SOA, or equivalent independently verified reports, interviews, and assessments.

3. Personnel Security

3.1 Complete background checks on every employee, or cause to be completed on non-employees, before they are granted access to ProcessUnity or Customer data.

3.2 Ensure that background checks cover identity, citizenship, criminal, employment, and education.

3.3 To the extent permitted by law, not permit any person to have access to Customer data who has been convicted of, or entered into a pretrial diversion program arising from prosecution with respect to, crimes involving: 1) dishonesty or false statement (including burglary, larceny, fraud, forgery, theft and perjury); 2) breach of trust (such as embezzlement and endangering the welfare of a minor); 3) violence (such as battery, assault, rape, resisting arrest with violence and gang assault); 4) threats (such as threats to kill or maim and stalking); 5) crimes against another person involving a weapon or the possession of a weapon (such as assault with a deadly weapon); 6) the illegal manufacture, sale or distribution of, or trafficking in, a controlled substance (e.g., criminal sale of controlled substance or trafficking controlled substance); and 7) sex offenses (such as statutory rape, sexual abuse of minor or child and sexual battery).

3.4 If ProcessUnity’s employees or independent contractors are convicted of any such crimes subsequent to the date they first have access to Customer data, remove such person from performing any services to the extent permitted by law.

3.5 Certify that its employees, independent contractors, and subcontractors are insured, including insurance that covers risks arising from ProcessUnity’s performance of the services.

3.6 Ensure that all personnel performing services complete online security and compliance training within 14 days of being hired, and at least annually thereafter. Training may include, but not be limited to, topics such as data protection and handling, incident response, code of ethics, privacy compliance, and fraud. Annual training will also include review and acknowledgement of all ProcessUnity security and compliance policies.

3.7 Regularly monitor its personnel to ensure the acceptable use of systems associated with the delivery of services and Customer data, and that information security practices are effectively applied.

4. Environmental and Physical Security

4.1 Ensure environmental and physical security controls are in place at all facilities where Customer Data is processed, including third-party cloud hosting locations.

4.2 Restrict access to facilities housing systems and data to authorized personnel only.

4.3 Use access control mechanisms such as keycards, biometric scanners, and PINs to control physical access.

4.4 Deploy security guards to monitor facilities and respond to unauthorized access attempts.

4.5 Ensure areas where data processing takes place are covered by CCTV and alarm systems to detect and respond to unauthorized physical entry/exit, and that video surveillance is retained for a minimum of 90 days.

4.6 Escort visitors at all times within sensitive areas.

4.7 Document physical access logs, retain for at least one year, and periodically review.

4.8 Ensure adequate emergency power backups and redundancies are in place to satisfy uptime requirements.

4.9 Implement fire and water suppression and alerting systems.

4.10 Develop clean desk policies and include them in employee training assignments.

4.11 Secure Customer Data when being printed, faxed, or copied.

4.12 Store Customer Data destined for disposal in a secure container prior to destruction.

5. Access Control

5.1 Manage user IDs, passwords, tokens, secret phrases, and other identification and authentication objects (collectively, “Credentials”) as part of the security function, via a managed, auditable process.

5.2 Implement and maintain credentials that meet or exceed current industry standards. All credentials shall be unique to a single user and follow the principle of least privilege (e.g. role-based access controls).

5.3 Prohibit and prevent unencrypted transmission or storage of any Credentials that are not part of public key schemes.

5.4 Where there is a change in the role or employment status of personnel, by the end of the current work day assess the access to information systems and Customer Data in that personnel’s possession to determine whether it is still relevant to the new role, and remove it if it is not. Validate and adjust access rights where necessary to reflect access appropriate for the new role or to completely terminate all access.

5.5 In the event that an employee termination is not amicable, terminate access immediately upon notification from the Human Resources department.

5.6 At monthly, quarterly, semi-annual, or annual intervals based on the criticality of privileges, review those Personnel authorized to access Customer Data and verify whether each individual still requires access and the individual’s present access level. Where applicable, remove access from individuals who no longer require access due to job or role change. Retain proof of the attestation for user access in accordance with industry best practices.

5.7 Retain and review audit trails of access to Customer Data for anomalous activity.

5.8 Use Multi-Factor Authentication (MFA) and Single Sign-On (SSO) for all remote access to production systems and environments.

6. Asset and Data Management

6.1 Maintain a record of the categories and data elements of Customer Data stored by ProcessUnity.

6.2 Maintain up-to-date inventory records of all assets related to the Services.

6.3 Provide, upon request, a certificate evidencing the secure destruction of Customer Data by:
(a) a destruction service certified by the National Association for Information Destruction; or
(b) an equivalent, nationally recognized destruction service.

6.4 If internal tools or software are used to destroy the Customer Data, they shall meet the standards detailed in the NIST SP 800-88, Guidelines for Media Sanitization.

6.5 Securely erase all Customer Data, if it exists, prior to the re-use, redeployment, sale, donation, recycling, or disposal of, or moving off site, a device containing Customer Data (including hard drives, optical discs, tapes, etc.).

6.6 Use technical mechanisms to prohibit by default and only allow by exception the use of any removable storage media.

7. Endpoint Security

7.1 Maintain an endpoint security policy and implement controls on all ProcessUnity workstations and endpoints used to access Customer Data or production environments.

7.2 Install antivirus programs capable of detecting, removing, and protecting against all known types of malicious software on all endpoints and update signatures as they become available, at minimum every three (3) hours.

7.3 Ensure that a content-aware solution (e.g., data loss prevention, CASB, or web content filtering) is in place to discover, monitor and block data in transit and at rest across network, storage and endpoint systems, to protect data from being transferred using unauthorized transfer methods.

8. Logging and Monitoring

8.1 Implement and maintain operating system and application user-level audit logging of Personnel.

8.2 Collect logs from all security-relevant assets, including all network devices, centralized authentication servers, production servers and hosts, firewalls, and security systems.

8.3 Include date and time stamps, user or system IDs, activity types, event outcomes, source(s), and target(s) in all logs wherever possible.

8.4 Configure all logging systems to synchronize time stamping utilizing the NTP protocol.

8.5 Ensure that logs are secured against unauthorized access, alteration, or deletion.

8.6 Retain security-relevant logs for a minimum of 365 days.

8.7 Ensure all logs are replicated to one or more secure, centralized locations.

9. Encryption

9.1 Encrypt all Customer Data both at-rest and in-transit.

9.2 Use only FIPS-approved or NIST-recommended cryptographic algorithms as defined in current NIST standards, or another Customer-approved encryption mechanism that protects Customer Data during storage and in transit.

9.3 Protect and manage encryption keys throughout their lifecycle, ensuring rotation at least annually.

9.4 Maintain industry standard, centrally managed full disk encryption on all employee workstations.

10. Vulnerability and Threat Management

10.1 Deploy, manage, and maintain a current, proven, real-time intrusion detection system to monitor all traffic at the perimeter as well as at critical points inside the environment where Customer Data is stored.

10.2 Actively monitor the intrusion detection system for suspicious activity that may indicate an attack or attempts at breaking the security of the Services provided. Along with the deployment of such system(s), adopt and follow operational procedures to stop or mitigate any real or reasonably anticipated threat, such as by disabling or limiting connectivity.

10.3 Ensure that firewalls are operational at all times and are installed at the network perimeter between ProcessUnity’s internal and public networks.

10.4 Maintain the capability to remove from service and the network any workstation, file, disk, or other resource on which a virus, threat or security vulnerability is detected until the issue is resolved.

10.5 Maintain, and be able to provide upon request, a plan to manage security vulnerabilities, including all relevant policy documents.

10.6 Continuously monitor and scan for security vulnerabilities and upon discovery, prioritize and execute a treatment plan according to applicable policies and procedures.

10.7 Treat all vulnerabilities within the timeframes detailed below.

| Severity | Infrastructure (External) | Infrastructure (Internal) | Production Applications |
| --- | --- | --- | --- |
| Critical | As soon as possible, not to exceed 30 days | As soon as possible, not to exceed 30 days | As soon as possible, not to exceed 30 days |
| High | As soon as possible, not to exceed 60 days | As soon as possible, not to exceed 60 days | As soon as possible, not to exceed 60 days |
| Medium | As soon as possible, not to exceed 60 days | As soon as possible, not to exceed 60 days | As soon as possible, not to exceed 120 days |
| Low | Not less than commercially reasonable effort – Patching is discretionary | Not less than commercially reasonable effort – Patching is discretionary | Not less than commercially reasonable effort – Patching is discretionary |

11. Secure Software Development

11.1 Ensure the Secure Software Development Lifecycle (SDLC) policy and associated procedures indicate how code should be formatted, structured and commented and specific guidance on avoiding common security vulnerabilities, such as OWASP Top 10 or SANS Top 25 Coding Errors.

11.2 Maintain separate environments dedicated to development, testing, QA, and production.

11.3 Where production data is required to be used in a test environment, the level of control must be consistent with production controls. Conduct code vulnerability scans periodically, and at minimum prior to production, to identify and prevent flaws from being pushed into production applications.

11.4 Implement a formal change management and change control process to ensure changes to operational systems and applications, including security related systems, are performed in a controlled and approved way.

12. Data Backup and Recovery

12.1 Identify the locations, including all Customer Data stores, where data backups must occur in order to meet recovery objectives.

12.2 Create backups of production data stores on an ongoing basis, but in no case less frequently than once a day.

12.3 For the TPRM Workflow Platform, perform backups as follows:
(a) Incremental backups are performed hourly.
(b) Full backups are performed nightly.
(c) Nightly backups are retained for 30 days.
(d) Backups from the first of the month are kept for 12 months.
(e) Backups from the first day of the year are kept for the length of the contract.

12.4 For the Global Risk Exchange, perform backups as follows:
(a) Continuous point-in-time recovery backups are performed.
(b) Snapshots are taken daily, monthly, and annually.
(c) Daily backups are retained for 30 days.
(d) Monthly backups are retained for 12 months.
(e) Annual backups are retained indefinitely.

12.5 Regularly test data backup and recovery processes to ensure accuracy and completeness on an ongoing basis, but in no case less frequently than once quarterly.

12.6 Ensure backups are stored in locations that are geographically diverse from the primary location of the data.

12.7 Encrypt all backups to ensure information confidentiality.

13. Disaster Recovery and Business Continuity

13.1 Develop and continuously maintain a Disaster Recovery and Business Continuity Plan that describes the specific business continuity processes, resource requirements, and recovery procedures applicable to the Services supplied to Customer and necessary to resume or restore such Services in accordance with the Agreement in the event of emergencies, disasters, crises, or other unplanned events that may result in a service interruption, loss, or other business continuity event.

13.2 Upon request, provide a summary of the Disaster Recovery and Business Continuity Plan to Customer.

13.3 Promptly at the start of a business continuity event impacting Customer, but no later than four (4) hours after the start of the business continuity event, provide to the Customer designated representative an initial report that includes the nature of the business continuity event and an estimate of the time it will take to return to Agreement-required service levels.

13.4 Following restoration of Agreement-required functions to normal, provide to the Customer-designated representative a detailed report within ten (10) business days of such restoration, including a description of all Agreement-required service levels, products or services that were not provided or only partially provided as a result of the business continuity event; the specific corrective action taken; the material effect, if any, on Customer; and whether or not the plan was adhered to and, if not, what changes will be made to ensure future adherence to the plan.

13.5 Exercise the Disaster Recovery and Business Continuity Plan not less than once every twelve (12) months.

13.6 Document a report detailing the results of each plan exercise. The report must include systems tested, the results of the tests, and corrective actions that will be taken to resolve any issues.

13.7 Notify Customer at least sixty (60) days in advance of any plan exercise that requires Customer’s participation or that may impact the delivery of services under the Agreement.

13.8 Ensure a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour from the last recovery point for the ProcessUnity TPRM Platform and RTO of forty-eight (48) hours and RPO of twenty-four (24) hours for the Global Risk Exchange.

14. Incident Response

14.1 During the term of the Agreement, ProcessUnity shall maintain an incident response function with the capability to perform activities such as prevention, planning, detection, analysis, containment, investigation, eradication, recovery, and follow-up of Incidents. If forensic research is required, it may be done through a validated third party engaged by ProcessUnity. If Customer objects to the third party selected by ProcessUnity, Customer may pay for an alternate third-party provider.

14.2 ProcessUnity shall establish and maintain relevant application and system logs under its domain to sufficiently support and facilitate the detection and investigation of an incident.

14.3 ProcessUnity shall notify Customer within forty-eight (48) hours of verification of an incident. Any notice hereunder shall specify where known or readily identifiable:
(a) the nature of the Incident;
(b) the categories and approximate number of people and records concerned;
(c) as the case may be, the remedial actions taken or proposed to be taken to address the Incident, to mitigate its effects and to prevent recurrence; and
(d) the identity and contact details of the Chief Information Security Officer or another contact person from whom more information can be obtained.

14.4 If an Incident occurs, ProcessUnity shall promptly take necessary steps to prevent further damage to, or exposure of Customer Data Assets, as well as to prevent future Incidents of a similar nature.

14.5 Upon the conclusion of all investigative, corrective, and remedial actions, ProcessUnity shall prepare and deliver to Customer a final report that includes the extent of the Incident; a description of Customer Data Assets disclosed, destroyed, or otherwise compromised or altered; a description of all corrective and remedial actions; and an assessment of the security impact to Customer.

14.6 ProcessUnity shall respond promptly to any reasonable request from Customer for detailed information pertaining to any Incident, its impact, and any investigative, corrective, or remedial actions taken or planned and will provide a written incident report within five (5) days of the Incident and at regular intervals thereafter as warranted under the circumstances.

14.7 ProcessUnity shall not communicate with Customer’s customers or employees about any Incident without prior approval from the designated Customer security contact, unless required to by law.

15. Security Reviews, Audits, and Independent Assessments

15.1 ProcessUnity shall undergo independent assessment of its security program on an annual basis, at minimum. This requirement may be met by the following annual audits:
(a) SSAE 18 SOC 2 Type II audit of the security, availability and confidentiality trust services principles; or
(b) ISO 27001 audit of ProcessUnity’s Information Security Management System (ISMS).

15.2 No less frequent than annually, ProcessUnity shall have penetration testing performed by an accredited third party, including with respect to internet-facing devices, interfaces, and applications. ProcessUnity shall provide an executive summary of the results of these tests as requested by Customer.

16. Security Point of Contact

16.1 ProcessUnity shall provide Customer with a single point of contact in ProcessUnity’s security organization as Customer’s primary contact for information security issues and incidents. The [email protected] email address is the primary contact mechanism for security related incidents and inquiries.

Data Privacy Terms

1. Definitions

1.1 “Agreement” means this DSDPT together with the Service Agreement.

1.2 “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” and “Processing” have the meanings given to them in the Data Protection Laws.

1.3 “Data Processing Schedule” means Schedule 1 (and any future Schedule agreed by the parties in the format set out in Schedule 1), which provides details of the Processing activities and related information as required under Data Protection Laws.

1.4 “Data Protection Laws” means (a) where Processor Processes any European Data, the European Data Protection Laws, and/or (b) all other data protection and privacy legislation in force in any other jurisdiction applicable to the Service Agreement relating to the use of Personal Data and including in each case the guidance and codes of practice issued by any relevant regulatory authority and which are applicable to a party.

1.5 “EU GDPR” means the General Data Protection Regulation ((EU) 2016/679).

1.6 “Europe” or the “EU” means the European Union, European Economic Area and/or their member states, plus Switzerland and the United Kingdom.

1.7 “European Data Protection Laws” means collectively (i) the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016, as amended or replaced from time to time (the “EU GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the UK Data Protection Act 2018 and the EU GDPR as it forms part of United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DSDPT”) (each as amended or replaced from time to time).

1.8 “Permitted Purpose” has the meaning given to it in Schedule 1 (and in any future Data Processing Schedule that is entered into between the parties).

1.9 “Records” has the meaning given to it in Clause 9.1.

1.10 “Service Agreement” means the agreement for services entered into between the parties as described in Schedule 1.

1.11 “Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 for the transfer of personal data to third countries, a copy of which is currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj (plus, where applicable, the UK Addendum).

1.12 “Term” means the contractual term as set out in the Service Agreement.

1.13 “UK Addendum” or “IDTA” means the UK Commissioner’s addendum to the Standard Contractual Clauses details of which are set out in Schedule 3, or the International Data Transfer Agreement issued under s.119A(1) of the Data Protection Act 2018.

1.14 “UK Commissioner” means the UK’s Information Commissioner (see Article 4(A3), UK GDPR and section 114, UK Data Protection Act 2018).

The Schedules form part of this DSDPT and shall have effect as if set out in full in the body of this DSDPT. Any reference to this DSDPT includes the Schedules. In the case of conflict or ambiguity between any provision contained in the body of this DSDPT and any provision contained in the Schedules, the provision in the body of this DSDPT shall prevail.

2. Data processing

2.1 ProcessUnity and the Customer agree and acknowledge that for the purpose of the Data Protection Laws:
(a) Customer is the Controller and ProcessUnity is the Processor under this DSDPT.
(b) Schedule 1 describes the subject matter, duration, nature and purpose of the Processing and the Personal Data categories and Data Subject types in respect of which the Processor may process the Personal Data to fulfil the Permitted Purpose.

2.2 ProcessUnity shall only process the Personal Data to the extent, and in such a manner, as is necessary for the Permitted Purpose in accordance with Controller’s written instructions. The Processor shall not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Laws. The Processor must promptly notify Controller if, in its opinion, Controller’s instructions do not comply with the Data Protection Laws.

2.3 The Processor must comply promptly with any written instructions from Controller requiring the Processor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorized Processing.

2.4 The Processor must notify Controller promptly of any changes to the Data Protection Laws that may reasonably be interpreted as adversely affecting the Processor’s performance of the Service Agreement or this DSDPT.

2.5 If applicable law requires the Processor (or, for avoidance of doubt, any Sub-Processor) to conduct Processing that is or could be construed as inconsistent with Controller’s instructions, Processor will promptly notify Controller of such inconsistency prior to commencing (or continuing) the Processing, unless notification is prohibited by law.

2.6 If the Processor collects any Personal Data directly from Data Subjects, it shall only do so using a data privacy notice or method that Controller specifically pre-approves in writing. The Processor shall not modify or alter the notice in any way without Controller’s prior written consent.

2.7 If the EU GDPR or UK GDPR is applicable to the Processing, the Processor shall maintain records of processing as required by Article 30 of the EU GDPR.

3. Confidentiality

3.1 The parties agree that Controller Personal Data shall be deemed Controller’s confidential information and subject to any obligations of confidentiality defined under the Service Agreement.

3.2 The Processor shall maintain the confidentiality of the Controller Personal Data and shall not disclose the Controller Personal Data to third parties unless Controller or this DSDPT specifically authorizes the disclosure, or as required by domestic law, court or regulator (including the UK Commissioner). If a domestic law, court or regulator (including the UK Commissioner) requires the Processor to process or disclose the Controller Personal Data to a third party, the Processor must first inform Controller of such legal or regulatory requirement and give Controller an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.

3.3 The Processor shall ensure that all of its personnel (employees, officers, contractors and temporary workers):
(a) are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
(b) have undertaken training on the Data Protection Laws and how it relates to their handling of the Personal Data and how it applies to their particular duties; and
(c) are aware both of the Processor’s duties as a Processor and their personal duties and obligations under the Data Protection Laws and this Agreement.

3.4 The Processor shall take reasonable steps to ensure the reliability, integrity and trustworthiness of all personnel with access to Controller Personal Data.

4. Security obligations

4.1 The Processor must at all times implement appropriate technical and organizational measures against accidental, unauthorized or unlawful Processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data, including those set out in Schedule 2.

4.2 The Processor must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
(a) the encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

4.3 The Processor shall document its security measures in writing and review them at least annually to ensure they remain current and complete.

5. Personal data breach

5.1 The Processor shall within forty-eight (48) hours (and in any event without undue delay) notify Controller in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data (in which case the Processor shall restore such Personal Data at its own expense as soon as possible);
(b) any accidental, unauthorized or unlawful Processing of the Personal Data; or
(c) any Personal Data Breach.

5.2 Where the Processor becomes aware of (a), (b) and/or (c) above, it shall, without undue delay, also provide Controller with the following written information:
(a) description of the nature of (a), (b) and/or (c) in clause 5.1 above, including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) whether the Controller Personal Data is lost, stolen or compromised (if known);
(c) the likely consequences;
(d) a description of the corrective action taken or proposed to be taken by Processor to address (a), (b) and/or (c) in clause 5.1 above, including measures to mitigate its possible adverse effects; and
(e) the Processor point(s) of contact responsible for managing or responding to the Personal Data Breach.

5.3 The Processor shall co-operate fully with Controller, at no additional cost to Controller, in Controller’s handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) facilitating interviews with the Processor’s employees, former employees and others involved in the matter including, but not limited to, its officers and directors and Sub-Processors;
(c) making available relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Laws or as otherwise reasonably required by Controller; and
(d) taking reasonable and prompt steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach or accidental, unauthorized or unlawful Personal Data Processing.

5.4 The Processor shall not inform any third-party of any accidental, unauthorized or unlawful Processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining Controller’s written consent, except when required to do so by Data Protection Laws.

5.5 The Processor agrees that Controller has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorized or unlawful Processing and/or the Personal Data Breach to any Data Subjects, the UK Commissioner or other Supervisory Authority, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in Controller’s discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

5.6 The Processor shall cover all reasonable expenses associated with the performance of the obligations under clause 5.1 to clause 5.3 unless the matter arose from Controller’s specific written instructions, negligence, willful default or breach of the Agreement, in which case Controller shall cover all reasonable expenses.

5.7 The Processor shall also reimburse Controller for actual reasonable expenses that Controller incurs when responding to an incident of accidental, unauthorized or unlawful Processing and/or a Personal Data Breach, to the extent that the Processor caused that incident or breach, including all costs of notice and any remedy as set out in Clause 5.5.

6. Sub-Processors

6.1 Other than those approved Sub-Processors as set out in Schedule 1, the Processor may not authorize any other third-party or Sub-Processor to process the Controller Personal Data unless it has notified Controller at least 30 days prior to the use of the new third-party or Sub-Processor.

6.2 The Processor warrants that it has in place a written contract with each of the approved Sub-Processors set out in Schedule 1 which contains equivalent data protection clauses to those set out in this DSDPT. On Controller’s written request, the Processor shall provide Controller with a copy of the relevant excerpts from its contract with the Sub-Processor.

6.3 The Processor shall remain fully liable for its Sub-Processors’ compliance with the terms of this Agreement and Data Protection Laws, and for any acts or omissions of its Sub-Processors.

7. International data transfers

7.1 If the services and/or products provided by Processor under the Agreement involve an international transfer of Controller Personal Data governed by Data Protection Laws, such transfer shall only occur if (as applicable): (i) the country or territory to which the transfer is to be made is within Europe; (ii) the European Commission, applicable Supervisory Authority, or relevant government official or government department has deemed the country or territory to which the data is being transferred as adequate for data protection purposes; or (iii) Controller can provide appropriate safeguards in accordance with applicable Data Protection Laws. Such appropriate safeguards may include, but are not limited to, having in place Binding Corporate Rules, by Processing in a manner consistent with the APEC Cross Border Privacy Rules System (if applicable to the Personal Data processed), or by adhering to a certification mechanism, a contractual mechanism or code of conduct which has been approved by the applicable Supervisory Authority.

7.2 If the Processing by the Processor involves any European Data, the parties have agreed the Standard Contractual Clauses, as set out in Schedule 2 shall apply (and are deemed incorporated into this DSDPT) and the Processor shall ensure that any transfer or Processing of Controller Personal Data outside of Europe shall only be made in accordance with the Standard Contractual Clauses.

7.3 The Processor shall ensure that any approved Sub-Processor shall not transfer or otherwise process the Personal Data outside of Europe unless it has put in place a lawful basis for transfer (such as the Standard Contractual Clauses or UK IDTA) to comply with the Data Protection Laws.

8. Subject access requests, complaints and enquiries

8.1 The Processor shall assist Controller, at no additional cost to Controller, with meeting Controller’s compliance obligations under the Data Protection Laws, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the UK Commissioner (or other Supervisory Authority) under the Data Protection Laws.

8.2 The Processor must notify Controller immediately in writing (and no later than 5 days) if it receives any complaint, notice or communication that relates directly or indirectly to the Processing of the Personal Data or to either party’s compliance with the Data Protection Laws, whether from a Data Subject, the UK Commissioner or other relevant Supervisory Authority or other third party.

8.3 The Processor shall give Controller, at no additional cost to Controller, reasonable co-operation and assistance in responding to any complaint, notice, communication or Data Subject request, including:
(a) subject access requests, or a request to rectify, port, erase, object to Processing or automated Processing of Personal Data, or to restrict Processing of Personal Data; and
(b) information or assessment notices from the UK Commissioner or other Supervisory Authority.

8.4 The Processor must not disclose the Controller Personal Data to any Data Subject or to a third-party other than in accordance with Controller’s written instructions, or as required by the Data Protection Laws.

8.5 The Processor will notify Controller of any warrant, subpoena, or other similar request to the Processor regarding any Controller Personal Data promptly following receipt, unless prohibited by applicable law. The Processor will reject the request unless required by law to comply. The Processor will also attempt to redirect the third party to request the Controller Personal Data directly from Controller and will provide Controller with a copy of the request unless legally prohibited from doing so.

9. Record keeping and audit

9.1 The Processor shall keep detailed, accurate and up-to-date written records regarding any Processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, its approved Sub-Processors, the Processing purposes, categories of Processing, and a general description of the technical and organizational security measures referred to in Clause 4.1 (“Records”).

9.2 The Processor shall ensure that the Records are sufficient to enable Controller to verify the Processor’s compliance with its obligations under this DSDPT.

9.3 At Controller’s request, the Processor shall:
(a) conduct an information security audit before it begins Processing Controller Personal Data and provide a copy of the audit report (including its plans to remedy any security defects identified in the audit);
(b) provide copies of its third party audit reports or certifications (such as SOC2, ISO); and/or
(c) conduct audits or inspections and provide all necessary information as set out in this clause in relation to the Processor’s Sub-Processors.

10. Term and termination

10.1 This DSDPT shall remain in full force and effect so long as the Service Agreement remains in effect, or for so long as the Processor retains any Controller Personal Data, if later.

10.2 Controller may terminate this DSDPT and the Service Agreement at any time immediately on written notice to the Processor if the Processor breaches any term of this DSDPT.

10.3 Any provision of this DSDPT that expressly or by implication should come into or continue in force on or after termination of the Agreement (including without limitation clauses 3, 5, 9, 10.3, 11, 12 and 13) shall survive termination.

11. Data retention, return and deletion

11.1 The Processor will not retain Controller Personal Data any longer than is reasonably necessary to accomplish the intended purposes for which the Controller Personal Data was Processed pursuant to the Agreement.

11.2 At any time on Controller’s written request, or on expiry or termination of the Agreement for any reason:
(a) the Processor shall, and shall immediately instruct its Sub-Processors to, stop Processing Controller Personal Data;
(b) the Processor shall (and shall procure that its Sub-Processors shall) securely delete or destroy or, if directed in writing by Controller, return and not retain, any Controller Personal Data in its possession or control, including erasing all the Controller Personal Data from its computer and communications systems and devices used by it; and
(c) the Processor shall certify in writing to Controller that it (and its Sub-Processors) has returned, deleted or destroyed the Controller Personal Data within 5 days after it completes the return, deletion or destruction.

12. Warranties and indemnity

12.1 Controller warrants and represents that:
(a) it has the right to enter into this DSDPT and perform its obligations;
(b) the person signing the DSDPT on behalf of the Processor has the legal authority to bind the company to its obligations; and
(c) it shall comply at all times with its obligations under this DSDPT and with all applicable laws and regulations.

12.2 The Processor agrees to indemnify, keep indemnified and defend at its own expense Controller against all costs, claims, liabilities, damages or expenses incurred by Controller (including reasonable legal costs) due to any failure by the Processor or its employees, Sub-Processors or agents to comply with any of its obligations under this DSDPT and/or the Data Protection Laws.

13. General

13.1 Any notice given to a party under or in connection with this DSDPT must be in writing and delivered to the address of that party set out above.

13.2 This DSDPT is personal to Controller and it shall not assign, transfer, mortgage, charge, or deal in any other manner with any of its rights and obligations under this DSDPT without the prior written consent of the Processor.

13.3 Except as expressly provided in this DSDPT, no variation of this DSDPT shall be effective unless it is in writing and signed by both parties (or their authorized representatives).

13.4 If any provision of this DSDPT is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement.

13.5 This DSDPT constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

13.6 This DSDPT and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales and the parties hereby irrevocably agree that the courts of England shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).