This Data Processing Addendum (hereinafter “DPA”) is effective as of the “Effective Date” specified on the executed Order Form that incorporates this DPA by reference. This DPA is between the Customer (the “Controller”) and AppZen Inc (“AppZen”) having its offices at 6201 America Center Drive Suite 300 San Jose, CA 95002. The Controller and AppZen are individually referred to as a “Party” and collectively as the “Parties”. This DPA supplements the AppZen Services Agreement between the Parties (“Agreement”) under which the Processor provides the Controller software and other services (the “Services”).

The Parties seek to implement this DPA in order to comply with the requirements of GDPR (defined hereunder) in relation to Processor’s Processing of Personal Data as part of its obligations under the Agreement. The terms “Process”, “Processing” and “Personal Data” used in this DPA shall have the same meaning as defined in the GDPR.

This DPA shall apply to AppZen’s processing of Personal Data, whether provided by the Controller or its data subject (the “Subject”) or/and its affiliates, its end users or otherwise, as part of AppZen’s obligations under the Agreement.

Except as modified below, the terms of the Agreement shall remain in full force and effect.

1. Definitions

Capitalized terms not otherwise defined herein shall have the meaning given to them in the GDPR or the Agreement. The following terms shall have the corresponding meanings assigned to them below:

1.1. “Data Transfer” means (1) a transfer of the Personal Data from the Subject to Controller or to AppZen on behalf of the Controller; or (2) an onward transfer of the Personal Data from the Controller to AppZen, or between two establishments of AppZen, or with a Subprocessor by AppZen.

1.2. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

1.3. “Standard Contractual Clauses” means the contractual clauses attached hereto as Schedule 1 pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries which do not ensure an adequate level of data protection.

1.4. “Subprocessor” means a processor/sub-contractor appointed by AppZen for the provision of all or parts of the Services and who Processes the Personal Data as provided by the Controller and/or AppZen.

2. Purpose of this Addendum

This DPA sets out various obligations of AppZen in relation to the Processing of Personal Data and shall be limited to AppZen’s obligations under the Agreement. If there is a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail.

3. Categories of Personal Data and Data Subjects

The Controller authorizes AppZen to Process such Personal Data the extent of which is determined and controlled by the Controller. The current nature of the Personal Data is specified in Appendix 1 to Schedule 1 to this DPA.

4. Purpose of Processing

The objective of Processing of Personal Data by AppZen shall be limited to AppZen’s provision of the Services to the Controller/its Subject, pursuant to the Agreement.

5. Controller’s Processing of Personal Data

The Controller warrants that it has the right and authority to request AppZen to Process the Personal Data and that its instructions for the Processing of Personal Data shall comply with applicable data protection laws and regulations. The Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data, and the means by which the Controller acquired Personal Data.

6. Duration of Processing

AppZen will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing by the Controller.

7. AppZen’s obligations

a.  AppZen will follow written and documented instructions received, including by email, from the Controller, its affiliate, agents or personnel, with respect to the Processing of Personal Data (each, an “Instruction”).

b.  The Processing described in the Agreement and the relating documentation shall be considered as Instruction from the Controller.

c.  At the Controller’s request, AppZen will provide reasonable assistance to the Controller in responding to/complying with requests/directions by Data Subject in exercising their rights or of the applicable regulatory authorities regarding AppZen’s Processing of Personal Data.

8. Data Secrecy

To Process the Personal Data, AppZen will only use personnel who are (i) informed of the confidential nature of the Personal Data, and (ii) actually performing the Services in accordance with the Agreement. Further, AppZen will maintain appropriate technical and organizational measures for protection of the security, confidentiality and integrity of the Personal Data. For this clause, an email form of communication by the Parties in determining project specific security standards shall be accepted.

9. Audit Rights

a. Upon Controller’s reasonable request, AppZen will make available to the Controller, information as is reasonably necessary to demonstrate AppZen’s compliance with its obligations under the GDPR or other applicable laws in respect of its Processing of the Personal Data. When the Controller wishes to conduct the audit (by itself or through a representative) at AppZen’s site, it shall provide at least fifteen (15) days’ prior written notice to AppZen; AppZen will provide reasonable cooperation and assistance in relation to audits, including inspections, conducted by the Controller or its representative.
b. The Controller shall bear the expense of such an audit.

10. Mechanism of Data Transfers

If the Agreement requires Data Transfer for the purpose of Processing by AppZen from a country in the European Economic Area (the “EEA”) to a country outside the EEA the Parties agree to be bound by the Standard Contractual Clauses. Where the transfer of Personal Data outside of the EEA is required for the performance of the Agreement and such model clauses have not been executed at the same time as the Agreement or this DPA are accepted, the Standard Contractual Clauses shall be deemed in effect for the purposes and duration of the Agreement upon acceptance of the Agreement or this DPA.

11. Subprocessors

a.  The Controller acknowledges and agrees that AppZen may engage third-party Subprocessor(s) in connection with the performance of the Services, provided such Subprocessor(s) take technical and organizational measures to ensure confidentiality of Personal Data shared with them. If Subprocessor(s) do comply with the aforementioned requirement, it will be deemed that the Controller has approved appointment of such Subprocessor(s). In accordance with Article 28(4) of the GDPR, AppZen shall remain liable to Controller for any failure on behalf of a Subprocessor to fulfill its data protection obligations under the DPA in connection with the performance of the Services.
b.  AppZen shall execute the appropriate written agreements with the Subprocessors in accordance with, and not less protective than, the provisions of this DPA.
c.  If the Controller has a concern that the Subprocessor(s) Processing of Personal Data is reasonably likely to cause the Controller to breach its data protection obligations under the GDPR, the Controller may object to AppZen’s use of such Subprocessor and AppZen and Controller shall confer in good faith to address such concern.

12. Personal Data Breach Notification

a.  AppZen shall maintain defined procedures in case of a Personal Data Breach (as defined under the GDPR) and shall without undue delay notify Controller if it becomes aware of any Personal Data Breach, unless such Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons.
b.  AppZen shall provide the Controller with all reasonable assistance to comply with the notification of Personal Data Breach to Supervisory Authority and/or the Data Subject, to identify the cause of such Data Breach and take such commercially reasonable steps as reasonably required to mitigate and remedy such Data Breach.
c.  Processor’s notification of or response to a Personal Data Breach under this DPA will not be construed as an acknowledgement by AppZen of any fault or liability with respect to the data incident.

13. Deletion of Personal Data

Within thirty (30) days of the expiration or termination of the Agreement, AppZen will delete or otherwise destroy all the Personal Data of Controller still in AppZen’s possession.

14. Technical and Organizational Measures

Having regard to the state of technological development and the cost of implementing any measure

15. Unlawful Processing of Personal Data

AppZen will take appropriate technical and organizational measures against the unauthorized or unlawful processing of Personal Data and against the accidental loss or destruction of, or damage to, Personal Data to ensure a level of security appropriate to: (a) the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage; and (b) the nature of the data to be protected.