Data Processing Addendum ("DPA")

Last updated and effective as of Dec 20, 2022 (the “DPA Effective Date”).

This Data Processing Addendum (“DPA”) forms part of the SaaS Services Agreement (the “Agreement”) between Entromy, LLC (“Company”) and the entity that has engaged Company to provide the Services (“Customer”). Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the Agreement. Each of Company and Customer is referred to in this DPA individually as a "party", collectively the "parties". By entering into the Agreement, the parties are deemed to have signed all Exhibits, Attachments, Annexes, Schedules, and Appendices, including those incorporated by reference, to this DPA where applicable.

  1. Definitions.

    a) “CPRA” means the California Privacy Rights Act of 2020, together with any regulations promulgated thereunder (to the extent applicable).

    b) “DPA Data” means any information Processed by Company solely on behalf of Customer, including without limitation any EU Personal Data, UK Personal Data, and/or California Personal Data.

    c) “European Data Protection Laws” means, collectively, the GDPR and the UK Data Protection Laws, as applicable.

    d) “GDPR” means the General Data Protection Regulation (EU) 2016/679.

    e) “Personal Data” means any information relating to any identified or identifiable individual or household.

    f) “Processing” (including any grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, including without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    g) “UK” means the United Kingdom.

    h) “UK Data Protection Laws” means UK GDPR and the UK’s Data Protection Act 2018 (“UK DPA 2018”).

    i) “UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10) (and as supplemented by section 205(4)) of the UK DPA 2018.
  2. To the extent Company Processes Personal Data regulated by the GDPR solely on behalf of Customer (“EU Personal Data”), and to the extent Customer is a controller (as defined in the GDPR) and the Company is a processor (as defined in the GDPR) on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, the Module 2 Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Module 2 Controller to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to Company and to Company’s Processing of such EU Personal Data and the parties hereby agree to comply with such Module 2 Controller to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, except as set forth in Exhibit A. In the event of a conflict between the Agreement and the Module 2 Controller to Processor Standard Contractual Clauses, the Module 2 Controller to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
  3. To the extent Company Processes EU Personal Data, and to the extent Customer is a processor (as defined in the GDPR) on behalf of a third party with respect to EU Personal Data and the Company is a processor on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, the Module 3 Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Module 3 Processor to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to Company and to the Company’s Processing of such EU Personal Data and the parties hereby agree to comply with such Module 3 Processor to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, except as set forth in Exhibit B. In the event of a conflict between the Agreement and the Module 3 Processor to Processor Standard Contractual Clauses, the Module 3 Processor to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
  4. To the extent Company Processes Personal Data regulated by the UK Data Protection Laws solely on behalf of Customer (“UK Personal Data”), then to the extent required by the UK Data Protection Laws, the UK’s ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’, Version B1.0, in force from March 21, 2022, at https://ico.org.uk/media/for-organisations/documents/4019535/addendum-international-data-transfer.docx (the “UK DTA”) will apply to the transfer of such UK Personal Data by Customer to Company and to the Company’s Processing of such UK Personal Data and the parties hereby agree to comply with such UK DTA, which is hereby incorporated into the Agreement in its entirety and as set forth in Exhibit C. In the event of a conflict between the Agreement and the UK DTA, the UK DTA will control to the extent applicable to the UK Personal Data.
  5. To the extent Customer makes available to Company Personal Data regulated by the CPRA for a business purpose pursuant to the Agreement and/or to the extent Company Processes Personal Data regulated by the CPRA solely on behalf of Customer (collectively, “California Personal Data”), then to the extent required by the CPRA, the California Data Exhibit (attached hereto as Exhibit D, the “California Data Exhibit”) will apply to the Company’s Processing of such California Personal Data and the parties hereby agree to comply with such California Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the California Data Exhibit, the California Data Exhibit will control to the extent applicable to the California Personal Data.
  6. Customer represents, warrants, and covenants that: (i) it has (and will have) Processed, collected, and disclosed all DPA Data in compliance with applicable law and provided any notice and obtained all consents and rights required by applicable law to enable Company to lawfully Process DPA Data as permitted by the Agreement and/or this DPA; (ii) it has (and will continue to have) full right and authority to make the DPA Data available to Company under the Agreement and this DPA; and (iii) Company's Processing of the DPA Data in accordance with the Agreement, this DPA, and/or Customer's instructions does and will not infringe upon or violate any applicable law or any rights of any third party. Customer shall indemnify, defend and hold Company harmless against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this Section 6. Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this Section 6 shall not be subject to any limitations of liability set forth in the Agreement.
  7. Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Company shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as product development and sales and marketing. To the extent any such data is considered personal data (as defined in, and regulated by the European Data Protection Laws), then, to the extent Company is subject to the European Data Protection Laws as a controller (as defined in the European Data Protection Laws), Company is the controller (as defined in the European Data Protection Laws) of such data and accordingly shall Process such data in accordance with the European Data Protection Laws. To the extent any such data is considered personal information (as defined in, and regulated by, the CPRA), then, to the extent Company is subject to the CPRA as a business (as defined in the CPRA), Company is the business (as defined in the CPRA) with respect to such data and accordingly shall Process such data in accordance with the CPRA. 
  8. To the extent that other data protection and privacy laws apart from the GDPR, UK Data Protection Laws, or CPRA (the “Other Privacy Laws”) apply to Company’s Processing of Personal Data under the Agreement, Customer will provide Company with written notice of such Other Privacy Laws, and the parties will negotiate in good faith to supplement this DPA with provisions relating to, and to the extent required by, such Other Privacy Laws.
  9. This DPA (together with the Agreement) constitutes the entire agreement between the parties and supersedes all prior undertakings and agreements between the parties, whether written or oral, with respect to the subject matter of this DPA. Company reserves the right, in its sole discretion, to change, modify, replace, add to, supplement or delete any terms and conditions of this DPA at any time by posting an updated version of this DPA on this webpage.
  10. In this DPA, unless a clear contrary intention appears: (i) where not inconsistent with the context, words used in the present tense include the future tense and vice versa and words in the plural number include the singular number and vice versa; (ii) reference to any person includes such person’s successors and assigns but, if applicable, only if such successors and assigns are not prohibited by the Agreement; (iii) reference to any gender includes each other gender; (iv) reference to any agreement, document or instrument means such agreement, document or instrument as amended or modified and in effect from time to time in accordance with the terms thereof and includes all addenda, exhibits and schedules thereto; (v) the titles and subtitles used in this DPA are used for convenience only and are not to be considered in construing or interpreting this DPA; (vi) “hereunder,” “hereof,” “hereto,” and words of similar import shall be deemed references to this DPA as a whole and not to any particular Section or Subsection of this DPA; (vii) “including” (including grammatically inflected forms thereof) means including without limiting the generality of any description preceding such term; (viii) all references to “days” refer to calendar days; and (ix) the word "or" is not exclusive. This DPA has been executed in English and the English language version shall control notwithstanding any translations of this DPA.

Exhibit A

Standard Contractual Clauses 

(Module 2 – Controller To Processor)

For the purposes of the Module 2 Controller to Processor Standard Contractual Clauses:

a) Clause 7. The parties agree that the optional language in Clause 7 is included. 

b) Clause 9(a). The parties agree that under Option 2, Company has Customer’s general authorization to subcontract its processing activities to the list of subprocessors set out in Section (k)(i). Company will inform Customer in writing of any intended changes to the list of subprocessors set out in Section (k)(i) at least 10 days prior to engaging with any other subprocessor.

c) Clause 11. The parties agree that the optional language in Clause 11 is excluded.

d) Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable. 

e) Clause 17. The Module 2 Controller to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.

f) Clause 18. The parties agree that any dispute arising from the Module 2 Controller to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.

g) Annex I.A.

(i.) The name and address of Company (which is the data importer) and Customer (which is the data exporter), and the name and contact details of their respective contact persons are as set forth on the signature page to the Agreement.

(ii.) The activities relevant to the data transferred are the provision of the Services by data importer to data exporter as further described in the Agreement. 

(iii.) The signature and date are the signature and date set forth on the signature page to the Agreement.

(iv.) The roles of the parties are as follows: Customer is a controller and Company is a processor. 

h) Annex I.B.

(i.) The categories of data subjects whose personal data is transferred are Customer’s employees.

(ii.) The categories of personal data transferred are determined by Customer in its sole discretion and may include, but are not limited to: name, business email, business phone, job title, gender, and any other personal data provided as part of the survey responses submitted through the Services. 

(iii.) The categories of sensitive personal data are, to the extent applicable, any sensitive data that Customer in its sole discretion requests that Customer’s employees submit through the Services and any other sensitive personal data provided as part of the survey responses submitted through the Services.

(iv.) The frequency of the transfer shall be on a continuous basis.

(v.) The nature of processing is such that the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement.

(vi.) The purpose of the data transfer and further processing is the provision of the Services by the data importer to the data exporter.

(vii.) The duration of the processing under these Module 2 Controller to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with the Module 2 Controller to Processor Standard Contractual Clauses).

(viii.) For transfers to subprocessors, personal data will be transferred to subprocessors in order for the data importer to provide the Services to the data exporter. The nature of the processing by such subprocessors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such subprocessors shall continue as long as such subprocessors carry out personal data processing operations on behalf of the data importer.

i) Annex I.C.

(i.) The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.

j) Annex II.

(i.) The data importer shall implement the technical and organizational measures as further described in Exhibit D to the Agreement.

k) Annex III.

(i) Section (k)(i) of Exhibit A is incorporated herein by reference. 

Exhibit C

UK DTA

For the purposes of the UK DTA:

(a) For the purposes of Table 1 of the UK DTA:

i. The start date shall be the later of: (i) the DPA Effective Date or (ii) the date the Agreement is entered into by the parties, and

ii. The names of the parties, their roles and their details shall be, as applicable, as set out in Exhibit A Section (f) and Exhibit B Section (f), respectively;

(b) For the purposes of Tables 2 and 3 of the UK DTA, the Module 2 Controller to Processor Standard Contractual Clauses and the Module 3 Processor to Processor Standard Contractual Clauses, including, as applicable, the information set out in Exhibit A Sections (g) and (i) and (k)(i) and Exhibit B Sections (g) and (i) and (k)(i), respectively, shall apply; and

(c) For the purposes of Table 4 of the UK DTA, either party may end the UK DTA.

Exhibit D

California Data Exhibit

  1. This California Data Exhibit (this “Exhibit”) forms part of the DPA. Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the DPA or the Agreement (as applicable).
  2. CPRA Provisions.

    a. In this Exhibit, the following terms have the meanings given in the CPRA: "business purpose", “personal information”, “processing”, “service provider”, “contractor”, “person”, “share”, “sharing”, “shared”, “sell”, “selling”, “sale” and “sold”.

    b. Except as otherwise required by applicable law, Company shall:

    i. not sell or share California Personal Data;

    ii. not retain, use, or disclose California Personal Data for any purpose other than for the business purposes specified in the Agreement for the Customer, nor retain, use, or disclose California Personal Data for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CPRA;

    iii. not retain, use, or disclose California Personal Data outside of the direct business relationship between the parties;

    iv. not combine California Personal Data, which Company receives pursuant to the Agreement or from or on behalf of Customer, with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the individual to whom such California Personal Data relates, except as otherwise expressly permitted by the CPRA;

    v. reasonably cooperate with Customer in responding to any requests from any individual regarding California Personal Data relating to such individual, including reasonably assisting Customer in deletion, correction, or limitation of the use of such California Personal Data where required under the CPRA, and including instructing Company’s service providers and/or contractors (if any) to so reasonably cooperate in such response;

    vi. reasonably assist Customer through appropriate technical and organizational measures in Customer’s complying with the requirements of subdivisions (d) to (f), inclusive, of Section 1798.100 of the CPRA, taking into account the nature of the California Personal Data processing by Company;

    vii. implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the California Personal Data intended to protect such California Personal Data from unauthorized access, destruction, use, modification, or disclosure;

    viii. comply with all applicable obligations under the CPRA and provide the same level of privacy protection with respect to California Personal Data as required by the CPRA; and

    ix. notify Customer if Company determines it can no longer meet its obligations under the CPRA.

    To the extent Company is a contractor, Company certifies that Company understands the restrictions provided in Sections 2(b)(i), 2(b)(ii), 2(b)(iii), and 2(b)(iv) and will comply with them.

    c. Company acknowledges and agrees that the California Personal Data has been disclosed to it for the limited and specified purposes set forth in the Agreement and Company further acknowledges and agrees Customer shall have the right: (i) to take reasonable and appropriate steps to ensure that Company uses California Personal Data in a manner consistent with Customer’s obligations under the CPRA; and (ii) upon notice from Customer to Company, to take reasonable and appropriate steps to stop and remediate unauthorized use of California Personal Data.

    d. To the extent required by the CPRA and to the extent Company is a contractor, Company shall permit, subject to agreement of the parties, Customer to monitor Company’s compliance with this Exhibit through measures, including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing once every twelve (12) months (each, an “Audit”), upon reasonable prior notice from Customer, provided that no third-party auditor (each an “Auditor”) shall be a competitor of Company, nor shall any Auditor be compensated on a contingency basis, and provided further that in no event shall Customer have access to the information of any other client of Company and the disclosures made pursuant to this Section 2(d) (“Audit Information”) shall be held in confidence as Company’s confidential information and subject to any confidentiality obligations in the Agreement, and provided further that no Audit shall be undertaken unless or until Customer has requested, and Company has provided, information about Company’s data protection practices and Customer reasonably determines that an Audit remains necessary to demonstrate material compliance with the obligations laid down in this Exhibit. Without limiting the generality of any provision in the Agreement, Customer shall employ the same degree of care to safeguard Audit Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Customer shall be liable for any improper disclosure or use of Audit Information by Customer or its agents.

    e. If Company engages any other person to assist Company in processing California Personal Data for a business purpose on behalf of Customer, Company shall notify Customer of such engagement, and the engagement shall be pursuant to a written contract binding the other person to observe substantially similar requirements to those set forth in this Exhibit. Company hereby notifies Customer that Company may engage the persons listed in Section (k)(i) of Exhibit A to this DPA to assist Company in processing California Personal Data for a business purpose on behalf of Customer.