PROCESSUNITY, INC.
END USER AGREEMENT (200821)

IMPORTANT – READ CAREFULLY: This Subscription Agreement (“Agreement”) is a legal contract between ProcessUnity, Inc. (“ProcessUnity”) and the second party to this Agreement that is accessing ProcessUnity’s Service (“User”). This Agreement governs User’s right to access and use the Service.  User’s right to access and use the Service is strictly conditioned on User’s agreeing to comply with this Agreement. Any actual use or attempt to use the Service shall be deemed to be additional proof of User’s agreement to comply with this Agreement. By signing below, or by accessing or using the Service, User agrees to be bound by this Agreement.  If User does not agree to be bound by this Agreement, User may not access or use the Service. 

“Affiliate” means any entity that directly or indirectly Controls, is controlled by, or is under common Control with such entity.

“Control” of an entity means direct or indirect ownership or control of more than 50% of the voting interests of such entity.

“Authorized Users” means User’s and its Affiliates’ employees and third party providers authorized to access the Service and/or to receive User Data through the Service.

“Competitor” means any entity that may be reasonably construed as offering competitive functionality or services to those offered by ProcessUnity.

“Documentation” means the user guide for the Service, as updated from time to time, accessible via the ProcessUnity Online Help Center.

“Intellectual Property Rights” means all industrial and intellectual property rights and all rights associated therewith, throughout the world, including (1) all patents and applications therefor and all reissues, divisions, renewals, extensions, provisionals, continuations and continuations in part thereof, (2) all inventions (whether patentable or not) and all rights in invention disclosures, (3) improvements, trade secrets, proprietary information, know how, technology, technical data, proprietary processes and formulae, algorithms, specifications, customer lists and supplier lists, (4) all designs and any registrations and applications therefor, all trade names, logos, trade dress, trademarks and service marks, trademark and service mark registrations, trademark and service mark applications, and any and all goodwill associated with and symbolized by the foregoing items, (5) Internet domain name registrations, (6) all copyrights, copyright registrations and applications therefor (including copyrights in Software, and all other rights corresponding thereto, (7) all rights in databases and data collections, (8) all moral rights of authors and inventors, however denominated, and (9) any similar or equivalent rights to any of the foregoing.

“Laws” means all laws (including statutory law, common/case law, codes), regulations and governmental orders.

“Malicious Code” means viruses, worms, time bombs, Trojan horses and other malicious code, files, scripts, agents or programs.

“Parties” shall refer to User and ProcessUnity.  “Party” shall refer to User or ProcessUnity, as context requires.

“Personal Data” means information relating to an identified or identifiable natural person.  An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Service” means ProcessUnity’s software-as-a-service applications as described in the Documentation and subscribed to under an Order Form.

“User Data” means the electronic data or information submitted by User or Authorized Users of the Service.

2.1 ProcessUnity’s Responsibilities. ProcessUnity shall make the Service available to User subject to the terms and conditions of this Agreement.

2.2 User Responsibilities. User shall: (i) have sole responsibility for the accuracy and legality of all User Data; (ii) shall ensure that it has obtained all consents and permissions necessary to disclose any Personal Data within the User Data; and (iii) prevent unauthorized access to, or use of, the Service, and notify ProcessUnity promptly of any such unauthorized access or use. User shall not: (a) use the Service in violation of applicable Laws; (b) send or store infringing, obscene, threatening, or otherwise unlawful material, including material that violates privacy rights; (c) send or store Malicious Code in connection with the Service; (d) attempt to gain access to the Service in a manner not set forth in the Documentation; or (e) use the Service in connection with an effort to develop a competing service. User shall be liable for the acts and omissions of its Authorized Users hereunder. User shall be responsible for acquiring all equipment necessary to make connections to the World Wide Web, including a computer and Internet access.

2.3 Access to the Service. User shall have a non-exclusive, limited, non-transferable (except to Affiliates) right to access and use the Service during the Term solely by Authorized Users and solely for its internal business purposes and not for the benefit of any third parties.

2.4 Restrictions. User shall not (i) modify, copy or create any derivative works based on the Service or Documentation; (ii) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share, offer in a service bureau, or otherwise make the Service or Documentation available to any third party, other than to Authorized Users as permitted herein; (iii) reverse engineer or decompile any portion of the Service or Documentation, including but not limited to, any software utilized by ProcessUnity in the provision of the Service and Documentation, except to the extent required by law; (iv) access the Service or Documentation in order to build any commercially available product or service; or (v) copy any features, functions, integrations, interfaces or graphics of the Service or Documentation.

3.1 Ownership; Reservation of Rights. ProcessUnity and its licensors own all right, title and interest in and to the Service, Documentation, and other ProcessUnity Intellectual Property Rights. Subject to the limited rights expressly granted hereunder, ProcessUnity reserves all rights, title and interest in and to the Service and Documentation, including all related Intellectual Property Rights. No rights are granted to User hereunder other than as expressly set forth herein. ProcessUnity shall have a royalty-free, worldwide, transferable, sub-licensable, irrevocable, perpetual license to use or incorporate into the Service any User feedback provided in connection with its use of the Service. User shall retain all right, title and interest in and to the User Data.

3.2 Use of Aggregated Data. ProcessUnity owns the aggregated and statistical data derived from the operation of the Service, including, without limitation, the number of records in the Service, the number and types of transactions, configurations, and reports processed in the Service and the performance results for the Service (the “Aggregated Data”). Nothing herein shall be construed as prohibiting ProcessUnity from utilizing the Aggregated Data for purposes of operating ProcessUnity’s business and enhancing ProcessUnity’s services, provided that ProcessUnity’s use of Aggregated Data will not reveal the identity, whether directly or indirectly, of any individual or specific data entered by any individual into the Service. In no event does the Aggregated Data include any Personal Data. To the extent that User provides ProcessUnity with Personal Data in conjunction with the Service, the terms of ProcessUnity’s Data Privacy and Data Security Statement, attached as Exhibit A, shall govern.

4.1 Confidential Information. “Confidential Information” is non-public or proprietary information regarding the business, products or services of ProcessUnity, whether oral, written or electronic, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Except as expressly permitted by this Agreement, for a period of seven (7) years from receipt of the applicable Confidential Information, User shall (i) protect such Confidential Information from unauthorized dissemination, using the same degree of care which User uses with respect to its own proprietary information, but in no event with less than reasonable care, (ii) not use the Confidential Information for any purpose not expressly permitted by this Agreement and (iii) limit the disclosure of such Confidential Information to the employees, consultants, or agents of User who have a need to know such Confidential Information for purposes of this Agreement, and who are, with respect to such Confidential Information, bound in writing by confidentiality terms no less restrictive than those contained herein. With respect to Confidential Information that is a “trade secret” under applicable Law, the use and disclosure limitations of this Section shall continue for as long as such information continues to constitute a trade secret. Nothing in this Agreement shall limit any rights and remedies the Parties have under applicable laws governing trade secrets and confidential information.

5.1 Disclaimer.  THE SERVICE IS PROVIDED AS-IS AND PROCESSUNITY DISCLAIMS ALL CONDITIONS, REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AS TO ANY MATTER WHATSOEVER OR ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS. EXCEPT AS SPECIFICALLY SET FORTH IN THIS AGREEMENT OR ANY APPLICABLE ORDER FORM, PROCESSUNITY AND ITS LICENSORS MAKE NO REPRESENTATION OR WARRANTY THAT ALL ERRORS HAVE BEEN OR CAN BE ELIMINATED FROM THE SERVICE OR ANY PROFESSIONAL SERVICES, THAT THE SERVICE WILL OPERATE WITHOUT INTERRUPTION OR LATENCY, OR THAT THE SERVICE WILL OPERATE WITH ANY NETWORK, HARDWARE OR THIRD PARTY SOFTWARE. THE WARRANTY HEREIN IS LIMITED ONLY TO USER AND ITS AFFILIATES AND EXCLUDES ANY THIRD PARTY.

6.1 Indemnification. User agrees to defend, indemnify and hold ProcessUnity and its officers, directors, employees, affiliates, agents, and business partners harmless from and against all third party claims, losses, damages and expenses, including reasonable attorney’s fees arising as a result of: (i) User’s use of the Service in violation of the terms of this Agreement, (ii) claims that the User Data infringes the rights of, or has caused harm to, a third party or violates any law, or (iii) User’s willful misconduct; provided, however, that ProcessUnity: (a) promptly gives written notice of any third party claim to User; (b) gives User sole control of the defense and settlement of the third party claim (provided that User may not settle any claim unless it unconditionally releases ProcessUnity of all liability); and (c) provides to User, at User’s cost, reasonable assistance in connection with the third party claim.

7.1 Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL PROCESSUNITY’S (OR PROCESSUNITY’S THIRD PARTY LICENSORS’) AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR OTHERWISE, EXCEED THE SUBSCRIPTION FEES ACTUALLY PAID BY USER IN CONSIDERATION FOR SERVICE DURING THE IMMEDIATELY PRECEDING TWELVE (12) MONTH PERIOD FROM WHICH THE CLAIM AROSE (OR, FOR A CLAIM ARISING BEFORE THE FIRST ANNIVERSARY OF THE EFFECTIVE DATE, THE AMOUNT PAID FOR THE FIRST TWELVE MONTH PERIOD).

7.2 Exclusions.   IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED, OR FOR ANY LOST PROFITS, LOSS OF USE, COST OF DATA RECONSTRUCTION, COST OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, WHETHER IN CONTRACT, TORT OR OTHERWISE, ARISING OUT OF, OR IN ANY WAY CONNECTED WITH THE SERVICE, INCLUDING BUT NOT LIMITED TO THE USE OR INABILITY TO USE THE SERVICE, ANY INTERRUPTION, INACCURACY, ERROR OR OMISSION, EVEN IF THE PARTY FROM WHICH DAMAGES ARE BEING SOUGHT OR SUCH PARTY’S LICENSORS HAVE BEEN PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES.

8.1 Term of Agreement; Term of Access to the Service. The term of this Agreement commences on the Effective Date and continues for as long as User has the right to use the Service.

8.2 Termination. ProcessUnity may terminate this Agreement: (i) upon thirty (30) days prior written notice to User of a material breach by User if such breach remains uncured at the expiration of such notice period; or (ii) immediately in the event that User becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.

8.3 Effect of Termination. Upon any termination of this Agreement, User shall, as of the date of such termination, immediately cease accessing and otherwise utilizing the applicable Service and ProcessUnity Confidential Information.

8.4 Access to User Data. Upon request by User made within thirty (30) days after any expiration or termination of this Agreement, ProcessUnity will make User Data available to User through the Service on a limited basis solely for purposes of User retrieving User Data for a period of up to thirty (30) day after such request is received by ProcessUnity. After such thirty (30) day period, ProcessUnity will have no obligation to maintain or provide any User Data and may thereafter, unless legally prohibited, delete all User Data.

8.5 Survival. Notwithstanding anything to the contrary in this Section, the provisions of Sections 1-5 and 8-11 shall survive termination of this Agreement.

9.1 Entire Agreement. This Agreement contains the entire agreement and understanding of the Parties with respect to the subject matter hereof and shall supersede and merge all prior and contemporaneous communications and agreements with respect to the subject matter hereof. No addition to or modification of any provision of this Agreement shall be binding upon the Parties unless in a written agreement signed by the Parties. No quote, purchase order, invoice or similar document will modify the terms of this Agreement even if accepted by the receiving Party.

9.2 Assignment. Neither Party shall be entitled to assign or otherwise transfer rights or obligations under this Agreement, including use of the Service, whether in whole or in part, except with the prior written consent of the other Party, such consent not to be unreasonably withheld or delayed. Notwithstanding the foregoing, either Party may assign this Agreement in its entirety without consent of the other Party in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets provided the assignee has agreed to be bound by all of the terms of this Agreement and all past due fees are paid in full, except that User shall have no right to assign this Agreement to a Competitor of ProcessUnity. Any attempt by a Party to assign its rights or obligations under this Agreement in breach of this section shall be void and of no effect. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the Parties, their respective successors and permitted assigns.

9.3 Force Majeure. Neither Party shall be liable for, or be considered to be in breach of or default on account of, any delay or failure to perform as a result of any cause or condition beyond such Party’s reasonable control (including, but not limited to, computer attacks or malicious acts, such as attacks on or through the Internet, or delays caused by an Internet service provider, telecommunications or hosting facility).

9.4 Notices. All notices and other communications under this Agreement shall be in writing and shall be effective when received or, if delivery is not accomplished by reason of or some fault of the addressee, when tendered, and may be transmitted by (i) personal delivery, (ii) express mail by registered or certified mail, (iii) by courier or delivery service, or (iv) by fax or email with a receipt confirmed in writing by the receiving Party, to ProcessUnity at  ProcessUnity, Inc., 33 Bradford Street, Concord, MA 01742, attn: Legal, or email address [email protected] or to User at its corporate address, or to such other addresses as either Party may from time to time notify the other Party of in accordance with this Section.

9.5 Relationship between the Parties. In all matters relating to this Agreement, User and ProcessUnity shall act as independent parties and nothing in this Agreement shall be construed to create a partnership, joint venture, agency relationship or employment or franchise relationship between the Parties. Neither Party has the right, power or authority to bind the other or incur, assume or create any obligation on behalf of the other Party.

9.6 Choice of Law and Venue. This Agreement shall be governed by the laws of the Commonwealth of Massachusetts, without regard to any of its conflict of laws provisions. Any action or proceeding relating to this Agreement must be brought in a federal or state court in the Commonwealth of Massachusetts (provided, however, that nothing in this Agreement shall prevent a Party from seeking injunctive relief to enforce the terms of this Agreement in any venue or jurisdiction as determined in such Party’s sole discretion and convenience), and each Party irrevocably submits to the jurisdiction and venue of any such court in any such action or proceeding.

9.7 Export Controls. Each Party shall comply with the export laws and regulations of the United States and other applicable jurisdictions in providing and using the Service. Without limiting the generality of the foregoing, User shall not make the Service available to any person or entity that: (i) is located in a country that is subject to a U.S. government embargo; (ii) is listed on any U.S. government list of prohibited or restricted parties; or (iii) is engaged in activities directly or indirectly related to the proliferation of weapons of mass destruction.

9.8 Headings; Counterparts; “Includes” and “Including”. All captions, titles or section headings of this Agreement are for ease of reference only, shall not affect the interpretation or construction of any provisions of this Agreement and shall not be deemed part of this Agreement. This Agreement may be executed in counterparts, each of which shall be deemed to be an original and all of which shall be deemed to be an original instrument. Wherever the word “including” or “include” shall appear in this Agreement, such term shall be construed to mean “including without limitation” or “include without limitation,” as the case may be.

9.9 Waiver. No waiver by either Party to this Agreement of any provision of this Agreement, and no failure by either Party to exercise any of such Party’s rights or remedies under this Agreement, shall be deemed to constitute a waiver of such provision, right, or remedy in the future, or of any other provision, right, or remedy hereunder, unless such waiver shall be set forth in a written instrument signed by the Party against whom such waiver is sought to be enforced.

9.10 Miscellaneous. This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof. The provisions of this Agreement prevail over those of any other document, printed or electronic, in the event of a conflict. This Agreement supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. No modification, amendment, or waiver of any provision of this Agreement shall be effective unless in writing and signed by the Party against whom the modification, amendment or waiver is to be asserted. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in effect. Notwithstanding any language to the contrary therein, no terms or conditions stated in a User purchase order or in any other User order documentation shall be incorporated into or form any part of this Agreement, and all such terms or conditions shall be null and void. Except as otherwise specified in writing by User, ProcessUnity may use User’s name and logo in lists of customers, on marketing materials and on its website.

This Data Privacy & Data Security Statement (the “Statement”), is provided by ProcessUnity, Inc. (“ProcessUnity”) to its Users (each, a “User”). This Statement describes ProcessUnity’s commitments with regard to data privacy and data security.  ProcessUnity may update this Statement from time to time.  Updated versions will be published on ProcessUnity’s website.

“Authorized Persons” means ProcessUnity’s employees, agents, and contractors that have a need to know or otherwise access User Data to enable ProcessUnity to provide the Service.

“Controller” means a controller as defined under the GDPR.

“Data Protection Laws” means all international, federal, national and state privacy and data protection laws and regulations to the extent applicable to ProcessUnity and the Service.  The Data Protection Laws include GDPR, to the extent applicable to ProcessUnity.

“Data Security Incident” means any accidental, unauthorized or unlawful access, acquisition, theft, destruction, or disclosure of User Data that occurs while such User Data is in the possession of or under the control of ProcessUnity.

“GDPR” means the EU General Data Protection Regulation 2016/679.

“Personal Data” means information relating to an identified or identifiable natural person.  An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Process” or “Processing” means any operation or set of operations that are performed upon User Data, whether or not by automatic means, such as collection, accessing, processing, use, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, transmittal, alignment or combination, blocking, erasure, destruction or otherwise used as set out in the applicable Data Protection Laws.

“Processor” means a processor as defined under the GDPR.

“Service” means ProcessUnity’s cloud-based governance, risk and compliance solutions.

“Sub-Processor” shall mean an entity engaged by ProcessUnity to assist it in Processing the User Data in fulfillment of its obligations with regard to the Service.

“User Data” means all data relating to a ProcessUnity User or its authorized users (“Users”) that is provided to ProcessUnity by a User or that is otherwise obtained or accessed by ProcessUnity in connection with the Service.  User Data may include Personal Data.

“Third Party” is any person or entity other than ProcessUnity and User and User’s Users.

A. Compliance with Laws.  ProcessUnity is committed to complying with its obligations under all Data Protection Laws that are applicable to ProcessUnity and the Service.

B. Distribution of User Data.  Users and Users should provide ProcessUnity only with Personal Data that is requested by ProcessUnity or that is otherwise necessary for ProcessUnity to provide the Service.  ProcessUnity is not responsible for any other Personal Data.

C. Limitations on Use of Personal Data.  ProcessUnity will not Process User Data other than for the purpose of providing the Service or as otherwise specified by Users. ProcessUnity will not Process User Data for the benefit of any Third Party. ProcessUnity will access only the User Data that it needs to perform the Service (i.e., no more than necessary). ProcessUnity will not store User Data longer than necessary to achieve the permitted purposes specified by User.

D. Restrictions.  Except with a User’s prior, written approval, on a case-by-case basis, ProcessUnity will not: (a) use User Data other than as necessary for ProcessUnity to provide the Service, (b) disclose, sell, assign, lease or otherwise provide User Data to Third Parties (other than to its affiliates or Sub-Processors) except to the extent required or permitted by Data Protection Laws, or (c) merge User Data with other data, modify or commercially exploit any User Data.

E. Sensitive Personal Data.  Users and Users are advised never to provide ProcessUnity with Sensitive Personal Data.  “Sensitive Personal Data” means (a) information that reveals a natural person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, (b) information or data concerning a natural person’s health or sex life or sexual orientation; or (c) genetic data or biometric data about a natural person.

3. Sub-Processors.  ProcessUnity may engage Sub-Processors in connection with the provision of the Service, provided, however, that ProcessUnity will not provide a Sub-Processor with access to User Data unless the Sub-Processor has: (i) a business need to know / access the relevant User Data, as necessary for the purposes of the Service; (ii) signed a written obligation of confidentiality or are under professional obligations of confidentiality; and (iii) implemented technical, operational, physical, and organization safeguards to protect User Data against accidental or unlawful destruction or alteration and unauthorized disclosure or access.

4. Data Subject Rights; Cooperation.  ProcessUnity will use commercially reasonable efforts to cooperate and assist with a User’s exercise of his/her rights under applicable Data Protection Laws with respect to Personal Data Processed by ProcessUnity, including, without limitation, the right to be forgotten, the right to data portability, and the right to access data under the GDPR.

5. Return or Destruction of User Data.  Upon the written request of a User, ProcessUnity will return User Data to a User or securely delete User Data as soon as reasonably practicable. However, if ProcessUnity is required by law to retain User Data or if User Data is stored in a manner such that it cannot readily be returned or destroyed without affecting other data, then ProcessUnity will continue to protect such User Data in accordance with this Statement and limit any use to the purposes of such retention.

A. Security Program Requirements.  ProcessUnity will maintain a security program that contains administrative, technical, and physical safeguards appropriate to the complexity, nature, and scope of its activities. ProcessUnity’s security program shall be designed to protect the security and confidentiality of User Data against unlawful or accidental access to, or unauthorized processing, disclosure, destruction, damage or loss of User Data.  At a minimum, ProcessUnity’s security program shall include: (a) limiting access of User Data to Authorized Persons; (b) implementing network, application, database, and platform security; (c) means for securing information transmission, storage, and disposal within ProcessUnity’s possession or control; (d) means for encrypting User Data stored on media within ProcessUnity’s possession or control by using modern acceptable cyphers and key lengths, including backup media; (e) means for encrypting User Data transmitted by ProcessUnity over public or wireless networks by using modern acceptable cyphers and key lengths; and (f) means for keeping firewalls, routers, servers, personal computers, and all other resources current with appropriate security-specific system patches.

B. Regular Reviews.  ProcessUnity will ensure that its security measures are regularly reviewed and revised to address evolving threats and vulnerabilities.

A. Notification.  ProcessUnity shall notify User as promptly as reasonably feasible, but in any event within forty-eight (48) hours of becoming aware of a Data Security Incident.  ProcessUnity shall provide User with a detailed description of the Data Security Incident, the type of data that was the subject of the Data Security incident and, to the extent known to ProcessUnity, the identity of each affected person, as soon as this information can be collected or otherwise becomes available, as well as all other information and cooperation that User may reasonably request relating to the Data Security Incident.

B. Mitigation.  ProcessUnity agrees to take action immediately, at its own expense, to investigate the Data Security Incident and to identify, prevent, and mitigate the effects of the Data Security Incident and, with User’s prior agreement, to carry out any recovery or other action necessary to remedy the Data Security Incident.  ProcessUnity will inform User of the steps it is taking to mitigate the effects of the Data Security Incident and to minimize the chances of another Data Security Incident happening again.

C. Publicity.  ProcessUnity will not issue, publish or make available to any third party any press release or other communication concerning the Data Security Incident without User’s prior written approval or request.

D. Cooperation.  ProcessUnity shall provide full cooperation and assistance to User to enable User to fulfill its obligations to enable Data Subjects affected by the Data Security Incident to exercise their rights under the Data Protection Laws.  ProcessUnity will notify User within three (3) business days of all communications User receives from an affected Data Subject seeking to exercise his/her right in connection with the Data Security Incident.

A. Location.  ProcessUnity systems and ProcessUnity’s Processing of User Data will occur within the following jurisdictions: United States of America and Ireland  (the “Processing Jurisdictions”).  ProcessUnity will not transfer any User Data outside of the Processing Jurisdictions without the prior written agreement of User and Users.

B. Sub-Processors.  Before providing User Data of a European citizen to Sub-Processors, ProcessUnity will use commercially reasonable efforts to ensure that the Sub-Processors will either be certified under the EU-US Privacy Shield or that the Sub-Processors execute EU-prescribed Standard Contractual Clauses.

9. Audits Reports.  If ProcessUnity engages a third party auditor to perform a Statement on Standards for Attestation Engagements No. 16 (SSAE 16) or other data security audit of ProcessUnity’s operations, information security program or disaster recovery/business continuity plan, ProcessUnity shall provide a copy of the audit report to User within a reasonable period of time after receipt of a request from User for such a report. Any such audit reports shall be ProcessUnity’s confidential information.