Data Processing Addendum
Effective Date: November 21, 2024
Overview
This Data Processing Addendum (including its Attachments) (“Addendum”) forms part of and is subject to the terms and conditions of the Software Subscription Agreement (the “Agreement”) by and between Customer and SurePath AI, Inc. (“SurePath”, the “Company,” “we,” “our,” or “us”).
1. Subject Matter and Duration
1.1 Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with SurePath’s execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Attachments conflicts with the Agreement, this Addendum shall control.
1.2 Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement. SurePath will Process Customer Personal Data until the relationship terminates as specified in the Agreement.
2. Definitions
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
2.1 “Customer Personal Data” means Customer Materials that are Personal Data Processed by SurePath on behalf of Customer.
2.2 “Data Protection Laws” means the applicable privacy and data protection laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; the United Kingdom Data Protection Act 2018; and the Virginia Consumer Data Protection Act (in each case, as amended, adopted, or superseded from time to time).
2.3 “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
2.4 “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
2.5 “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to SurePath.
3. Processing Terms for Customer Personal Data
3.1 Documented Instructions. SurePath shall Process Customer Personal Data to provide the Subscription Services in accordance with the Agreement, this Addendum, any applicable Order Form, and any instructions agreed upon by the parties. SurePath will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.
3.2 Authorization to Use Subprocessors. To the extent necessary to fulfill SurePath’s contractual obligations under the Agreement, Customer hereby authorizes SurePath to engage Subprocessors. Customer acknowledges that Subprocessors may further engage vendors.
3.3 SurePath and Subprocessor Compliance. SurePath shall (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Customer Personal Data that imposes on such Subprocessors data protection requirements for Customer Personal Data that are consistent with this Addendum; and (ii) remain responsible to Customer for SurePath’s Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.
3.4 Right to Object to Subprocessors. Where required by Data Protection Laws, SurePath will notify Customer via email prior to engaging any new Subprocessors that Process Customer Personal Data and allow Customer ten (10) days to object. If Customer has legitimate objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection.
3.5 Confidentiality. Any person authorized to Process Customer Personal Data must be subject to a duty of confidentiality, contractually agree to maintain the confidentiality of such information, or be under an appropriate statutory obligation of confidentiality.
3.6 Personal Data Inquiries and Requests. Where required by Data Protection Laws, SurePath agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.
3.7 Data Protection Assessment, Data Protection Impact Assessment, and Prior Consultation. Where required by Data Protection Laws, SurePath agrees to provide reasonable assistance and information to Customer where, in Customer’s judgement, the type of Processing performed by SurePath requires a data protection assessment, data protection impact assessment, and/or prior consultation with the relevant data protection authorities. Customer shall reimburse SurePath for all non-negligible costs SurePath incurs in performing its obligations under this Section.
3.8 Demonstrable Compliance. SurePath agrees to provide information reasonably necessary to demonstrate compliance with this Addendum upon Customer’s reasonable request.
3.9 California Specific Terms. To the extent that SurePath’s Processing of Customer Personal Data is subject to the CCPA, this Section shall also apply. Customer discloses or otherwise makes available Customer Personal Data to SurePath for the limited and specific purpose of SurePath providing the Subscription Services to Customer in accordance with the Agreement and this Addendum. SurePath shall: (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection as required under the CCPA; (iii) notify Customer if it can no longer meet its obligations under the CCPA; (iv) not “sell” or “share” (as such terms are defined by the CCPA) Customer Personal Data; (v) not retain, use, or disclose Customer Personal Data for any purpose (including any commercial purpose) other than to provide the Subscription Services under the Agreement or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and SurePath; and (vii) unless otherwise permitted by the CCPA, not combine Customer Personal Data with Personal Data that SurePath (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction. Customer may: (1) take reasonable and appropriate steps agreed upon by the parties to help ensure that SurePath Processes Customer Personal Data in a manner consistent with Customer’s CCPA obligations; and (2) upon notice, take reasonable and appropriate steps agreed upon by the parties to stop and remediate unauthorized Processing of Customer Personal Data by SurePath.
3.10 Service Optimization. Where permitted by Data Protection Laws, SurePath may Process Customer Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity.
4. Information Security Program
SurePath shall use commercially reasonable efforts to implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data.
5. Security Incidents
Upon becoming aware of a Security Incident, SurePath agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Customer’s Designated POC. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
6. Cross-Border Transfers of Customer Personal Data
6.1 Cross-Border Transfers of Customer Personal Data. Customer authorizes SurePath and its Subprocessors to transfer Customer Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
6.2 EEA, Swiss, and UK Standard Contractual Clauses. If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Customer to SurePath in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by Module Two’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Attachment 1 attached hereto, the terms of which are incorporated herein by reference. Each party’s signature to the Agreement shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.
7. Audits and Assessments
Where Data Protection Laws afford Customer an audit or assessment right, Customer (or its appointed representative) may carry out an audit or assessment of SurePath’s policies, procedures, and records relevant to the Processing of Customer Personal Data. Any audit or assessment must be: (i) conducted during SurePath’s regular business hours; (ii) with reasonable advance notice to SurePath; (iii) carried out in a manner that prevents unnecessary disruption to SurePath’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit or assessment shall be limited to once per year, unless an audit or assessment is carried out at the direction of a government authority having proper jurisdiction.
8. Customer Personal Data Deletion
At the expiry or termination of the Agreement, SurePath will delete all Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with SurePath’s data retention schedule), except where SurePath is required to retain copies under applicable laws, in which case SurePath will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.
9. Processing Details
9.1 Subject Matter. The subject matter of the Processing is the Subscription Services pursuant to the Agreement.
9.2 Duration. The Processing will continue until the expiration or termination of the Agreement.
9.3 Categories of Data Subjects. Data subjects whose Customer Personal Data will be Processed pursuant to the Agreement.
9.4 Nature and Purpose of the Processing. The purpose of the Processing of Customer Personal Data by SurePath is the performance of the Subscription Services.
9.5 Types of Customer Personal Data. Customer Personal Data that is Processed pursuant to the Agreement.
10. Contact Information
Customer and SurePath agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POCs for both parties are:
- Customer Designated POC: As set forth in the Notices section of the Agreement.
- SurePath Designated POC: As set forth in the Notices section of the Agreement.
Effective Date
This Policy was last modified as of the effective date printed above. This version of the privacy policy replaces and supersedes any prior privacy policies applicable to the Site and our Services.