Data Protection Addendum


INTRODUCTION

This Data Protection Addendum (“DPA”) is part of the PowerToFly Master Services Agreement (the “Agreement”). To the extent of any conflict between this DPA and the other terms of this Agreement, the order form will govern. This DPA survives termination of the Agreement for so long as either party continues to Process the Personal Data transferred under this DPA.

Definitions

  1. In this DPA:

    1. “Applicable Law” means all laws, regulations and other legal requirements applicable to either (i) PowerToFly as provider of the Services or (ii) Customer as user of the Services, in each case as may be amended from time to time. For example, to the extent applicable, this includes the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); equivalent requirements in the United Kingdom including the Data Protection Act 2018 and the UK General Data Protection Regulation (collectively “UK Data Protection Law”); the Swiss Federal Act on Data Protection (“Swiss FADP”); the California Consumer Privacy Act, as amended by the California Privacy Rights Act and together with associated regulations (“CCPA”); as well as U.S. state laws, regulations and other legal requirements similar to or modeled on the CCPA (together with the CCPA, as they become effective and applicable, the “U.S. State Privacy Laws”).
    2. “Controller” means the entity that alone or jointly with others determines the purposes and means of Processing Personal Data. It includes the sort of entities designated as “controllers” under the GDPR and the sort designated as “businesses” under the CCPA.
    3. “Designated Address” means Customer’s email address for legal notices set forth in the Order Form.
    4. “Personal Data” means any information relating to an identified or identifiable individual, within the meaning of the GDPR (regardless of whether the GDPR applies), any information that qualifies as “personal information” under the CCPA (regardless of whether the CCPA applies) and any other information defined as “personal information,” “personal data,” or an analogous term in Applicable Law.
    5. “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, disclosure or other Processing of, or access to, Personal Data.
    6. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    7. “Processor” means an entity that Processes Personal Data on behalf of a Controller. The term includes entities designated as “processors” under the GDPR and those designated as “service providers” under the CCPA.
    8. “Services” means the PowerToFly Services and Professional Services that Customer orders through an Order Form.
    9. “Standard Contractual Clauses” refers to the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available as of 19 April 2023 at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.
    10. “Subprocessor” means a subcontractor engaged by PowerToFly for the Processing of Personal Data.
    11. “UK SCC Addendum” means the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of 19 April 2023 at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as described in the “Data Transfers” section below.

  2. For ease of reading, some other terms are defined later in the DPA. Capitalized terms not otherwise defined in the DPA will have the meaning set forth in this Agreement.

Background

  1. PowerToFly is home to a large online community of diverse professionals. To join that community, a member of the public can open a personal PowerToFly account (“Personal PTF Account”) and use that account to engage in career and professional development opportunities, such as networking with others, connecting with employers, finding a mentor, and finding a job. The services that PowerToFly itself provides to individuals through or in connection with their Personal PTF Account (“Personal PTF Accountholders”) are not part of the Services.

  2. PowerToFly also provides various Services to employers relating to attracting, retaining, and training talent. Some of these Services involve use of PowerToFly’s proprietary database of professionals, which includes Personal Data about all Personal PTF Accountholders and Personal Data about other professionals who have not yet established a Personal PTF Account (collectively, the “PTF Talent Database”). For some Services that Customer may choose to purchase, PowerToFly may issue Customer-controllable accounts for Customer’s workforce members to use, i.e., “Customer-Controlled Accounts.” These are accounts for which a Customer-designated administrator (other than the account holder her/himself) has administrative rights, such as a right to add, delete, or change the password on the account.

  3. Customer is a Controller of all Personal Data it Processes in connection with the Agreement. PowerToFly is Customer’s Processor with respect to certain Personal Data it Processes for certain types of Services, and PowerToFly is a Controller with respect to other Personal Data.

  4. Specifically, PowerToFly acts as Customer’s Processor with respect to:
      1. Personal Data about individuals acting in their capacity as Customer’s workforce members which PowerToFly Processes to provide a Service to Customer, such as (depending on whether these Services are ordered):
        1. Personal Data about a Customer employee featured in a video that PowerToFly produces as a Service to Customer;
        2. Personal Data about participants in an internal Chat and Learn session provided as Service to Customer by PowerToFly;
        3. Personal Data about participants in an internal training session provided as Service to Customer by PowerToFly;
        4. Data about individuals acting as users of Customer-Controlled Accounts; and
      2. Job application data that PowerToFly receives for Customer as a paid Service to Customer.

  5. PowerToFly acts as a Controller with respect to:
    1. All Personal Data in Personal PTF Accounts, and all Personal Data about use of Personal PTF Accounts, except:
      1. Job applications that the Personal PTF Accountholder submits to Customer through a paid Service.
    2. All other Personal Data in the PTF Talent Database;
    3. Personal Data about individuals acting in their capacity as speakers at events that PTF organizes, except for members of Customer’s workforce speaking at events that PowerToFly organizes as a Service to Customer;
    4. Personal Data about Customer personnel acting in their capacity as representatives of Customer in managing the Customer/PowerToFly relationship (for example, Customer’s main liaison to Customer, and Customer personnel involved in payment for PowerToFly Services) (“Customer Relationship Personnel”).

  6. The “PowerToFly as Customer’s Processor” and “PowerToFly as Controller” portions of this DPA below apply when PowerToFly is a Processor and a Controller, respectively. The “Data Transfers” section has provisions applicable to both situations, as described in more detail in that section.


POWERTOFLY AS CUSTOMER’S PROCESSOR

This section applies to PowerToFly’s processing of Personal Data as Customer’s Processor, as described in the Introduction to this DPA.

Data Use Limitations

  1. Unless required by Applicable Law, PowerToFly will Process the Personal Data only to (i) provide the Services; and (ii) carry out Customer’s reasonable written instructions that are consistent with this Agreement. Without limiting the foregoing, PowerToFly:
    1. shall not “sell” the Personal Data, as such term is defined in the U.S. State Privacy Laws (regardless of whether such laws apply);
    2. shall not “share” the Personal Data, as such term is defined in the CCPA (regardless of whether the CCPA applies);
    3. shall not retain, use, or disclose any such data outside of the direct business relationship between Customer and PowerToFly, or for any purpose (including any commercial purpose) other than the limited business purposes specified in this DPA;
    4. shall comply with any applicable restrictions under Applicable Law on combining the Personal Data that PowerToFly receives from, or on behalf of, Customer with Personal Data that PowerToFly receives from, or on behalf of, another person or persons, or that PowerToFly collects from any other interaction between PowerToFly and a data subject;
    5. shall provide the same level of protection for the Personal Data subject to the CCPA as is required under the CCPA; and
    6. hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.
  2. If Applicable Law requires PowerToFly to engage in Processing not permitted by the above, PowerToFly will first inform Customer of the relevant legal requirement, unless the Applicable Law prohibits such notification on important grounds of public interest. PowerToFly will notify Customer as soon as legally permissible if, for any other reason, PowerToFly determines that PowerToFly can no longer meet its obligations under Applicable Law.

  3. Customer has the right to take reasonable and appropriate steps to (a) ensure that PowerToFly is using the Personal Data consistent with Customer’s obligations under Applicable Law, and (b) stop and remediate unauthorized use of the Personal Data.

Confidentiality and Training

  1. PowerToFly will ensure that the persons PowerToFly authorizes to Process the Personal Data are contractually required to maintain the confidentiality of such data. PowerToFly will train relevant employees regarding privacy, confidentiality, and data security.

Security

  1. Each Party will comply with the security obligations of Applicable Law. PowerToFly will assist Customer in Customer’s compliance with such obligations by implementing technical and organizational measures that comply with Applicable Law and Schedule B.

Subprocessors

  1. PowerToFly may subcontract the collection or other Processing of Personal Data (i) only in compliance with Applicable Law regarding subprocessing, (ii) only with Customer’s consent and (iii) only if PowerToFly has imposed contractual obligations on the Subprocessor that are substantially the same as, or more restrictive than, those imposed on PowerToFly under this DPA.

  2. Current Subprocessors are listed in our TOMS documentation. When any new Subprocessor is engaged, PowerToFly will notify Customer by email to the Designated Address (“Subprocessor Notification”) at least 30 days prior to giving the Subprocessor access to the Personal Data (the “Subprocessor Notification Period”).

  3. If Customer has any reasonable objection to the new Subprocessor, Customer has 20 days from the date of the Subprocessor Notification to email PowerToFly at privacy@powertofly.com explaining in reasonable detail the basis of the objection and (if Customer desires) Customer’s intent to terminate Customer’s subscription to the Service if it is not resolved to Customer’s satisfaction by the end of the Subprocessor Notification Period. PowerToFly will give prompt attention to this objection, and, if Customer indicates an intent to terminate and does not withdraw the termination notice in writing to privacy@powertofly.com by the end of that period, the termination will take effect at that time. Promptly after termination, PowerToFly will refund any unused prepaid fees if PowerToFly’s use of the Subprocessor would have been a breach of the Agreement. Customer is deemed to consent to the new Subprocessor if Customer does not terminate the subscription as set forth above.

  4. PowerToFly remains liable for its Subprocessors’ acts and omissions to the same extent PowerToFly is liable for its own.

Assistance Responding to Individuals’ Requests to Exercise Rights

  1. If PowerToFly receives a request from an individual or their representative to exercise Personal Data-related rights under Applicable Law (a “Data Subject Request”), such as rights to access, correct, or delete their Personal Data, or a Personal Data-related complaint from an individual or their representative, and the communication identifies Customer, PowerToFly will forward the communication to Customer at the Designated Address:
    1. as soon as commercially practicable; but
    2. no later than within 72 hours of receipt if the communication arrives via privacy@powertofly.com or any other contact method specified in PowerToFly’s then-current publicly available Privacy Policy.
  2. Customer will be responsible for addressing the Data Subject Request to the extent it applies to data for which Customer is a controller, and PowerToFly will provide prompt, reasonable cooperation to Customer in this regard.

Personal Data Breach Notification

  1. PowerToFly will comply with the Personal Data Breach-related obligations applicable to it under Applicable Law. PowerToFly will assist Customer in complying with those applicable to Customer by informing Customer of a confirmed Personal Data Breach without undue delay and in any event within 72 hours of becoming aware and by otherwise complying with this “Personal Data Breach Notification” section of this DPA.

  2. PowerToFly will provide such notification to Customer at the Designated Address.

  3. Such notification is not an acknowledgement of fault or responsibility. The notification will include PowerToFly’s then current assessment of the following:
    1. The nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
    2. The likely consequences of the Personal Data Breach; and
    3. Measures taken or proposed to be taken by PowerToFly to address the Personal Data Breach including, where applicable, measures to mitigate its possible adverse effects.
  4. PowerToFly will provide prompt updates to such information as it becomes available.

Assistance with DPIAs and Consultation with Supervisory Authorities

  1. PowerToFly will provide reasonable assistance to and cooperation with Customer for (i) Customer’s performance of any data protection impact assessment of the Processing or proposed Processing of the Personal Data involving PowerToFly, and (ii) related consultation with supervisory authorities.

Data Return and Destruction

  1. PowerToFly will destroy all Personal Data within 90 days after the termination of this Agreement except to the extent Applicable Law requires storage of the Personal Data.

  2. In the event of such legally required retention of the Personal Data, (i) PowerToFly will inform Customer as soon as legally permitted, (ii) PowerToFly will retain only Personal Data that it is legally required to retain and will retain it only as long as is legally required, (iii) during the retention period, PowerToFly will refrain from Processing the Personal Data and will continue to comply with this DPA with respect to the Personal Data, to the extent legally permitted, and (iv) PowerToFly will destroy the Personal Data and inform Customer of such destruction as soon as legally permissible.

  3. If requested by Customer within 10 days after the termination of this Agreement, PowerToFly will first return a copy of the Personal Data to Customer in any reasonably requested format before the destruction described above.

  4. PowerToFly will provide certification of the destruction and/or return within 10 days of Customer’s written request.

Compliance Verification and Audits

  1. PowerToFly will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and, subject to Section 26 below, allow for and contribute to audits of such compliance, including inspections, conducted by an independent third-party auditor mutually agreed upon by the parties, who shall be subject to a confidentiality and security agreement acceptable to PowerToFly. Such audit or inspection will take place not more than once per calendar year. It shall be conducted at Customer’s expense during normal business hours, at a mutually agreed date, in a manner that will not interfere with PowerToFly’s normal business activities. PowerToFly shall not be required to provide access to its systems, or to any information the disclosure of which could compromise or pose risk to the security, confidentiality, or integrity of PowerToFly’s systems or data, or to any information sought for any reason other than good faith fulfillment of a legal obligation to audit compliance under this DPA. Customer will promptly provide PowerToFly with a copy of all drafts of the audit report, which shall be confidential information of PowerToFly.

  2. If the requested audit scope is addressed in an ISO or other audit report issued by a third-party auditor within the prior twelve months and PowerToFly provides such report to Customer and confirms in writing that there are no known material changes in the controls audited, Customer will accept the findings presented in the report in lieu of requesting an audit of the same controls covered by the report.


CONTROLLER TO CONTROLLER TERMS

This section applies where PowerToFly processes Personal Data as a Controller, as described in the Introduction to this DPA.

  1. Each Party is an independent Controller and will independently determine its purposes and means of Processing, subject to the limitations in this Agreement.

  2. With respect to the Personal Data that a party (“Receiving Party”) receives from the other party (“Providing Party”) under the Agreement:
    1. The Receiving Party shall be solely responsible for its Processing of such Personal Data, which must comply with Applicable Law;
    2. The Receiving Party shall process the Personal Data only for the limited purposes of the transfer, as set forth in this DPA and the Order Form, and, where no further detail is specified in the Order Form, these purposes are:
      1. For Personal Data Transferred from PowerToFly to Customer: the lawful recruiting, human resources, and staff development of Customer and its eligible affiliates; and
      2. For Personal Data Transferred from Customer to PowerToFly: the lawful provision of PowerToFly Services;
    3. The Receiving Party shall not “sell” the Personal Data within the meaning of U.S. State Privacy Laws and shall not “share” such Personal Data within the meaning of the CCPA;
    4. The Receiving Party shall, with respect to Personal Data that is subject to the CCPA, comply with all applicable sections of the CCPA, including by providing the same level of privacy protection as is required of businesses under the CCPA, and shall notify the Providing Party if the Receiving Party determines that it no longer can meet its obligations under the CCPA with respect to such Personal Data;
    5. The Providing Party has the right to take reasonable and appropriate steps to ensure that the Receiving Party uses Personal Data subject to the CCPA in a manner consistent with the Providing Party’s obligations under the CCPA, and the Providing Party may take reasonable measures to stop and remediate unauthorized use of such Personal Data;
    6. The Receiving Party shall implement and maintain reasonable security procedures, as appropriate to the level of sensitivity and confidentiality applicable to such Personal Data;
    7. The Receiving Party shall notify the Providing Party without undue delay upon becoming aware of a Personal Data Breach of the Personal Data it received from the Providing Party. Such notice shall include, to the extent available, sufficient information to allow the Providing Party to meet any obligations to report or inform data subjects thereof or third parties under Applicable Law, and the parties will provide each other with reasonable cooperation in the investigation, mitigation and remediation of such Personal Data Breach.
  3. Each Party is solely responsible for complying with any applicable legal obligation to make its own privacy policy (or other legally mandated information regarding its Processing of Personal Data) available to the subjects of such Personal Data.

  4. Taking into account the nature of the processing, each party shall assist the other by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the other party’s obligations to respond to Data Subject Requests. This includes, where legally permissible and appropriate, promptly notifying the other party (and/or directing the requesting data subject to do so) when it receives such a request that refers to or impacts Personal Data in the possession of the other party.


DATA TRANSFERS

This portion of the DPA applies both when PowerToFly processes Personal Data as a Processor and when it processes Personal Data as a Controller. Where explicitly noted, certain provisions are applicable only in one or the other of those circumstances.

  1. The parties authorize each other to make international transfers of the Personal Data only if (i) Applicable Law for such transfers is respected and (ii) the transfer is otherwise permitted by this DPA.

  2. To the extent legally required, the Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and, except as set forth in Sections 29 or 30, they will be deemed completed as follows:
    1. Where PowerToFly acts as Customer’s Processor, as described in the Introduction to this DPA:
      1. Customer, the exporter, acts as a controller and PowerToFly, the importer, acts as Customer’s processor with respect to the Personal Data subject to the Standard Contractual Clauses, and its Module 2 applies. Their contact information is set forth in Schedule A.
      2. Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is set forth in our TOMS document and PowerToFly shall update that list at least 30 days in advance of any intended additions or replacements of sub-processors.
    2. Where PowerToFly acts as a Controller, as described in the Introduction to this DPA:
      1. Each party is a controller, they each may act as exporter or importer depending on the Service with respect to Personal Data subject to the Standard Contractual Clauses, and its Module 1 applies. Their contact information is set forth in Schedule A.
    3. In all cases where the Standard Contractual Clauses apply:
      1. Clause 7 (the optional docking clause) is not included.
      2. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
      3. Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of Ireland.
      4. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
      5. Annexes I and II of the Standard Contractual Clauses are set forth in Schedule A of the DPA.
      6. Annex III of the Standard Contractual Clauses (List of subprocessors) is inapplicable.
  3. With respect to Personal Data for which UK Data Protection Law governs the transfer, to the extent legally required, the UK SCC Addendum forms part of this DPA and takes precedence over the rest of this DPA to the extent of any conflict and shall be deemed completed as follows (with capitalized terms not defined elsewhere having the definition set forth in the UK SCC Addendum):
    1. Table 1 of the UK SCC Addendum: The Parties, their details, and their contacts are those set forth in Schedule A.
    2. Table 2 of the UK SCC Addendum: the “Approved EU Standard Contractual Clauses” shall be the Standard Contractual Clauses as set forth in Section 28 of this DPA.
    3. Table 3 of the UK SCC Addendum: Annexes I(A), I(B), and II are in Schedule A of the DPA, and, where PowerToFly acts as a Processor, Annex III is in our TOMS document.
    4. Table 4 of the UK SCC Addendum: neither party may exercise the right set forth in Section 19 of the UK SCC Addendum.
  4. With respect to Personal Data for which the Swiss FADP governs the transfer, the Standard Contractual Clauses shall be deemed to have the following differences to the extent required by the Swiss FADP:
    1. References to the GDPR in the Standard Contractual Clauses are to be understood as references to the Swiss FADP insofar as the data transfers are subject exclusively to the Swiss FADP and not to the GDPR.
    2. The term “member state” in Standard Contractual Clauses shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses.
    3. References to personal data in the Standard Contractual Clauses also refer to data about identifiable legal entities until the entry into force of revisions to the Swiss FADP that eliminate this broader scope.
    4. Under Annex I(C) of the Standard Contractual Clauses (Competent supervisory authority):
      1. Where the transfer is subject exclusively to the Swiss FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
      2. Where the transfer is subject to both the Swiss FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the Swiss FADP, and the supervisory authority is as set forth in the Standard Contractual Clauses insofar as the transfer is governed by the GDPR.

Schedule A to DPA

Annexes I and II of the Standard Contractual Clauses

ANNEX I

A. LIST OF PARTIES

MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor

Customer’s role is Controller.

PowerToFly acts as Customer’s Processor in the situations described in Section 6 of the DPA. In those situations, Customer is the exporter and PowerToFly is the importer.

PowerToFly acts as an independent Controller in the situations described in Section 7 of the DPA. In those cases, the parties transfer Personal Data to each other, each acting as exporter and importer, depending on the situation.

  1. Name: Customer, as specified in the Agreement.

    Address: as set forth in the Order Form

    Contact person’s name, position and contact details: as set forth in the Order Form

    Activities relevant to the data transferred under these Clauses: Use of the importer’s Services.

    Signature and date: The Parties are deemed to have signed this Annex I by signing the Agreement.

    Role (controller/processor): Controller

Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection.

  1. Name: PowerToFly, Inc.

    Address: 228 Park Avenue South, Suite 75391, New York, NY 10003

    Contact person’s name, position and contact details: Edith Hsu, CFO, privacy@powertofly.com

    Activities relevant to the data transferred under these Clauses: Provider of the Services.

    Signature and date: The Parties are deemed to have signed this Annex I by signing the Agreement.

    Role (controller/processor): As set forth in Sections 6 and 7 of the DPA.


B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor

Categories of data subjects whose personal data is transferred: Current and potential members of Customer’s workforce

Categories of personal data transferred: Contact details, professional and educational information, other details found in job applications, and the results of participation in PowerToFly-facilitated events, surveys, training, and other activities

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Details relevant to diversity, inclusion, and belonging, which may include data about health, religious or philosophical beliefs, union membership, sexual orientation, and political beliefs. The importer will restrict access to this data on a need-to-know basis.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): On a continuous basis.

Nature of the processing: Receipt, transmission, organization, analysis, display, and storage of data.

Purpose(s) of the data transfer and further processing:

  • For Personal Data Transferred from PowerToFly to Customer: the lawful recruiting, human resources, and staff development of Customer and its eligible affiliates.
  • For Personal Data Transferred from Customer to PowerToFly: the lawful provision of PowerToFly Services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

For Personal Data transferred from Customer to PowerToFly where PowerToFly acts as Customer’s processor: Until 90 days after the Customer no longer is engaging PowerToFly to provide the Services.

For other transfers: until the purpose of processing has been satisfied and retention no longer is necessary.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As set forth in our TOMS documentation.


C. COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: Transfer controller to processor

Identify the competent supervisory authority/ies in accordance with Clause 13:

The parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.


ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

See Schedule B immediately below.

Schedule B to DPA

Information Security Addendum

The company maintains the following information security measures but may make future replacements or updates to the measures, so long as the measures continue to comply with Applicable Law and do not lower the level of security provided for the Personal Data.

  • Administrative and Organizational Safeguards
    • The company maintains policies and procedures for the security of Personal Data, including the following:
      • Written information security policies that set forth procedures with regard to maintaining the safeguards set forth in this Information Security Addendum.
      • Incident response plan, which sets forth the company’s procedures to investigate, mitigate, remediate, and otherwise respond to security incidents.
    • The company conducts regular assessments of the risks and vulnerabilities to the confidentiality and security of Personal Data.
    • The company regularly tests and monitors the effectiveness of its Information Security Program, including through security audits, and will evaluate its Information Security Program and information security safeguards in light of the results of the testing and monitoring and any material changes to its operations or business arrangements.
    • The company maintains role-based access restrictions for its systems, including restricting access to only those employees that require access, consistent with the concepts of least privilege, need-to-know, and separation of duties.
    • The company periodically reviews its access lists to ensure that access privileges have been appropriately provisioned and regularly reviews and terminates access privileges for employees that no longer need such access.
    • The company assigns unique usernames to authorized employees and requires that passwords satisfy minimum length and complexity requirements.
    • The company regularly provides training to employees, as relevant for their roles, on confidentiality and security.
  • Technical Security
    • The company logs certain system activity—including authentication events, changes in authorization and access controls—and regularly reviews and audits such logs.
    • The company maintains network security measures, including but not limited to firewalls, to segregate its internal networks from the internet, risk-based network segmentation, intrusion prevention or detection systems to alert Supplier to suspicious network activity, and anti-virus and malware protection software.
    • The company has implemented workstation protection policies for its systems, including automatic logoff after a period of inactivity and locking the system after a defined number of incorrect authentication attempts.
    • The company conducts periodic vulnerability scans and assessments on systems storing, processing, or transmitting Personal Data to identify potential vulnerabilities and risks to Personal Data.
    • The company remediates identified vulnerabilities in a risk-prioritized and timely manner, including timely implementation of all manufacturer- and developer-recommended security updates and patches that mitigate high-risk vulnerabilities in systems and software storing, transmitting, or otherwise Processing Personal Data.
  • Physical Security
    • The company restricts access to its facilities, equipment, and devices to employees with authorized access on a need-to-know basis.
    • The company tracks the location of its equipment, devices, and electronic media and maintains a record of such locations.