This Data Processing Addendum (including all Schedules attached hereto, the “DPA”) is incorporated into, and is subject to the terms and conditions of, the Harmonize Terms of Service located at https://harmonize.io/terms-of-service (“Agreement”) between Harmonize Technologies, Inc. (“Harmonize”) and the entity identified as the customer in the Agreement (“Customer”). This DPA applies to the extent Harmonize’s Processing of Customer Personal Data is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.

1. Definitions

1.1 “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

1.2 “Customer Personal Data” means the Personal Data described under Schedule 1 to this DPA. 

1.3 “Data Protection Laws” means all laws and regulations, including laws and regulations of: (i) the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom; (ii) the United States (including, but not limited to the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”)); and (iii) any other jurisdiction in which the parties operate, all (i)–(iii) applicable to the Processing of Personal Data under the Agreement.

1.4 “Data Subjects” means the individuals identified in Schedule 1.

1.5 “EU SCCs” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time; 

1.6 “GDPR” means the General Data Protection Regulation (EU) 2016/679 together with any national implementing laws in any member state of the EEA (“EU GDPR”) and the EU GDPR as incorporated into the laws of the United Kingdom (“UK GDPR”);

1.7 “Personal Data” and “Processing” will each have the meaning given to them in the Data Protection Laws. The term “Personal Data” includes “personal information,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Laws.

1.8 “Personal Data Breach” means a material breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.

1.9 “Processor” means the entity which Processes Personal Data on behalf of the Controller. 

1.10 “Sell” has the meaning given in the Data Protection Laws.

1.11 “Share” has the meaning given in the CCPA.

1.12 “UK Addendum” means the International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner for parties making restricted transfers, which entered into force on 21 March 2022 (collectively, with the EU SCCs, “the SCCs”)

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

2. Processing of Customer Personal Data

2.1 Customer is a Controller of Customer Personal Data and Harmonize is a Processor of Customer Personal Data. The details of Harmonize’s Processing of Customer Personal Data are described in Schedule 1. 

2.2 Harmonize will only Process Customer Personal Data as a Processor on behalf of and in accordance with Customer’s prior written instructions, including any instructions provided through Customer’s use of the Harmonize Platform . Customer hereby instructs Harmonize to Process Customer Personal Data to the extent necessary to provide the Service as set forth in the Agreement and this DPA. Harmonize shall not (1) retain, use, or disclose Customer Personal Data other than as provided for in the Agreement, as needed to provide the Service, or as otherwise permitted by Data Protection Laws; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Harmonize, including by combining Customer Personal Data with Personal Data Harmonize receives from third parties, other than Customer, except as permitted by the Data Protection Laws; or (3) Sell or Share Customer Personal Data. Upon notice to Harmonize, Customer may take reasonable and appropriate steps to remediate Harmonize’s use of Customer Personal Data in violation of this DPA.

2.3 Harmonize will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Laws. If applicable laws preclude Harmonize from complying with Customer’s instructions, Harmonize will inform Customer of its inability to comply with the instructions, to the extent permitted by law.

2.4 Each of Customer and Harmonize will comply with their respective obligations under the Data Protection Laws. Harmonize shall notify Customer if it determines that it cannot meet its obligations under the Data Protection Laws. Customer has the right to take reasonable steps to ensure that Harmonize uses Customer Personal Data in a manner consistent with Customer’s obligations under Data Protection Laws by exercising Customer’s audit rights in Section 20.

3. Cross-Border Transfers of Personal Data

3.1 With respect to Customer Personal Data originating from the European Economic Area (“EEA”), the United Kingdom (the “UK”) or Switzerland that is transferred from Customer to Harmonize, the parties agree to comply with the general clauses and with “Module Two” (Controller to Processor) of the EU SCCs, which are incorporated herein by reference, with Customer as the “data exporter” and Harmonize as the “data importer.”

3.2 For purposes of the EU SCCs the parties agree that:

3.2.1 In Clause 7, the optional docking clause will not apply.

3.2.2 In Clause 9, Option 2 will apply and the time period for prior notice of Sub-Processor changes will be as set forth in Section 5.1 of this DPA.

3.2.3 In Clause 11, the optional language will not apply

3.2.4 For the purposes of Clause 15(1)(a), Harmonize shall notify Customer and/or Customer (only) and not the Data Subject(s) in case of government access requests and Customer and/or Customer shall be solely responsible for promptly notifying the affected Data Subjects as necessary.

3.2.5 In Clause 17, Option 1 applies and the EU SCCs shall be governed by the laws of Ireland.

3.2.6 In Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland.

3.2.7 In Annex I, Section A (List of Parties), (i) the Customer is the data exporter and Harmonize is the data importer and their identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Customer is a Controller, and Harmonize is a Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Services pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA.

3.2.8 In Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes Harmonize’s Processing of Customer Personal Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Services); (iii) Customer Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) Harmonize uses the Sub-Processors identified at https://harmonize.io/sub-processors (the “Sub-Processor List”) to support the provision of the Services.

3.2.9 In Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to Harmonize.

3.2.10 In Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Personal Data as described in Schedule 2.

3.3 If the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection (“FADP”), the parties agree to rely on the EU SCCs with the following modifications: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Customer Personal Data that is governed by the FADP; (iii) the term “Member State” in the EU SCCs will not prevent Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs; and (iv) references to the ‘GDPR’ in the EU SCCs will be understood as references to the FADP.

3.4 With respect to transfers from Customer to Harmonize of Customer Personal Data originating from the UK, the parties agree that the UK Addendum will complement the EU SCCs to the extent required under Data Protection Law. The UK Addendum is incorporated herein by reference. The parties agree that the UK Addendum is completed as follows:

3.4.1 For the purpose of Part 1 of the UK Addendum:

3.4.1.1 Table 1: the start date is the effective date of the Agreement, the exporter is the Customer and the importer is Harmonize, the table is deemed to be completed with the information set out in Section 3.2 of this DPA, and by signing this DPA, parties are deemed to have signed the UK Addendum. 

3.4.1.2 Table 2: the “Approved EU SCCs” which the UK Addendum is appended to are the EU SCCs incorporated into this DPA and completed as set out in Section 3.2 of this DPA.

3.4.1.3 Table 3: the information requested in Annex 1 is provided in Section 3.2.8 and 3.2.9 of this DPA; the security measures requested in Schedule 2; the list of Subprocessors is available at https://harmonize.io/sub-processors.

3.4.1.4 Table 4: the importer may end the UK Addendum as set out in section 19 of the UK Addendum.

4. Confidentiality and Security

4.1 Harmonize will require Harmonize’s personnel who access Customer Personal Data to commit to protect the confidentiality of Customer Personal Data.

4.2 Harmonize will implement commercially reasonable technical and organisational measures, as further described in Schedule 2, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data. 

4.3 To the extent required by Data Protection Laws, Harmonize will provide Customer with reasonable assistance as necessary for the fulfilment of Customer’s obligations under Data Protection Laws to maintain the security of Customer Personal Data.

5. Sub-Processing

5.1 Customer agrees that Harmonize may engage Sub-Processors to Process Customer Personal Data on Customer’s behalf. Harmonize’s current list of Sub-Processors is available at the Sub-Processor List. Customer may sign up to receive notice of any intended changes concerning the addition or replacement of Sub-Processors on the Sub-Processor List by completing the form at https://harmonize.io/sub-processors (the “Notice Form”). Customer acknowledges that Harmonize satisfies its obligation to inform Customer of changes to the Sub-Processor List by updating the Sub-Processor List and sending a notice to all email addresses added to the Notice Form (the “Notice”). Harmonize will send the Notice at least 15 days prior to permitting the Sub-Processor to access Customer Personal Data. Customer may object to changes to the Sub-Processor List within seven days of receiving the Notice. If Harmonize and Customer are unable to resolve such objection, Harmonize or Customer may terminate the Agreement by providing written notice to the other party. Any termination pursuant to this Section 5.1 will not affect Customer’s obligation to pay fees incurred prior to the termination.

5.2 Harmonize will impose on its Sub-Processors substantially the same data protection obligations that apply to Harmonize under this DPA. Harmonize will be liable to Customer for its Sub-Processors’ acts or omissions as it would be for its own.

5.3 The parties agree that the copies of the Sub-Processor agreements that must be provided by Harmonize to Customer pursuant to the SCCs, if applicable, may have commercial information or clauses unrelated to the SCCs removed by Harmonize beforehand; and, that such copies will be provided by Harmonize, in a manner to be determined in its discretion, only upon Customer’s written request.

6. Data Subject Rights

Customer is responsible for responding to any Data Subject requests relating to Customer Personal Data (“Requests”). If Harmonize receives any Requests during the term, Harmonize will advise the Data Subject to submit the request directly to Customer. Harmonize will provide Customer with self-service functionality or other reasonable assistance to permit Customer to respond to Requests. 

7. Personal Data Breaches

Upon becoming aware of a Personal Data Breach affecting Customer Personal Data, Harmonize will (i) promptly take measures designed to remediate the Personal Data Breach and (ii) notify Customer without undue delay. Customer is solely responsible for complying with Personal Data Breach notification requirements applicable to Customer. Customer may request that Harmonize reasonably assist Customer’s efforts to notify Personal Data Breaches to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the Data Protection Laws. Harmonize’s notice of or response to a Personal Data Breach under this Section 7 will not be an acknowledgement or admission by Harmonize of any fault or liability with respect to the Personal Data Breach.

8. Data Protection Impact Assessment; Prior Consultation

Customer may request reasonable assistance from Harmonize in connection with conducting data protection impact assessments and consultation with data protection authorities if Customer is required to engage in such activities under applicable Data Protection Laws and the data protection impact assessment or consultation relate to the Processing by Harmonize of Customer Personal Data.

9. Deletion of Customer Personal Data

Customer instructs Harmonize to delete Customer Personal Data within 90 days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. The parties agree that the certification of deletion described in the SCCs, if applicable, shall be provided only upon Customer’s written request. Notwithstanding the foregoing, Harmonize may retain Customer Personal Data to the extent and for the period required by applicable laws provided that Harmonize maintains the confidentiality of all such Customer Personal Data and Processes such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.

10. Audits

10.1 Customer may audit Harmonize’s compliance with its obligations under this DPA up to once per year. In addition, Customer may perform more frequent audits (including inspections) in the event: (1) Harmonize suffers a Personal Data Breach affecting Customer Personal Data; (2) Customer has genuine, documented concerns regarding Harmonize’s compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Customer Personal Data. Harmonize will contribute to such audits by providing Customer or Customer’s regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Service, as described below.

10.2 To request an audit, Customer must submit a detailed proposed audit plan to [email protected] at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third party Customer intends to appoint to perform the audit. Harmonize will review the proposed audit plan and provide Customer with any concerns or questions (for example, Harmonize may object to the third party auditor as described in Section 10.3, provide an Audit Report as described in Section 10.4, or identify any requests for information that could compromise Harmonize confidentiality obligations or security, privacy, employment or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least two weeks in advance of the proposed audit start date.  Nothing in this Section 10 shall require Harmonize to breach any duties of confidentiality.

10.3 Harmonize may object to third party auditors that are, in Harmonize’s reasonable opinion, not suitably qualified or independent, a competitor of Harmonize, or otherwise manifestly unsuitable. Customer will appoint another auditor or conduct the audit itself if the parties cannot resolve Harmonize’s auditor objection after negotiating in good faith.

10.4 If the requested audit scope is addressed in an SSAE 18/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor on Harmonize’s systems that Process Customer Personal Data (“Audit Reports”) within twelve (12) months of Customer’s audit request and Harmonize confirms there are no known material changes in the controls audited, Customer agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the Audit Report.

10.5 The audit must be conducted at a mutually agreeable time during regular business hours at the applicable facility, subject to the agreed final audit plan and Harmonize’s health and safety or other relevant policies. The audit may not unreasonably interfere with Harmonize business activities.

10.6 Any audits are at Customer’s expense and Customer will promptly disclose to Harmonize any perceived non-compliance or security concerns discovered during the audit, together with all relevant details.

10.7 The parties agree that the audits described in the SCCs, if applicable, shall be performed in accordance with this Section 10.

11. Analytics Data

Customer acknowledges and agrees that Harmonize may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify or relate to Customer or any Data Subject (“Analytics Data”), and use such Analytics Data to improve the Service.

12. Liability

12.1 Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.

12.2 Customer acknowledges that Harmonize is reliant on Customer for direction as to the extent to which Harmonize is entitled to Process Customer Personal Data on behalf of Customer in performance of the Service. Consequently, Harmonize will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Harmonize in compliance with Customer’s instructions or (b) from Customer’s failure to comply with its obligations under the Data Protection Laws.

13. General Provisions

With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the SCCs, the SCCs will prevail.

SCHEDULE 1

Details of Processing

1. Categories of Data Subjects. This DPA applies to Harmonize’s Processing of Customer Personal Data relating to Customer’s employees (“Data Subjects”).

2. Types of Personal Data. The extent of Customer Personal Data Processed by Harmonize is determined and controlled by Customer in its sole discretion and includes names, email addresses, and any other Personal Data that may be transmitted through the Service by Data Subjects. 

3. Subject-Matter and Nature of the Processing. Customer Personal Data will be subject to the Processing activities that Harmonize needs to perform in order to provide the Service pursuant to the Agreement.

4. Purpose of the Processing. Harmonize will Process Customer Personal Data for purposes of providing the Service as set out in the Agreement.

5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of the DPA.

SCHEDULE 2

Security Measures

Harmonize shall implement and maintain the controls listed in Schedule 2 in accordance with industry standards generally accepted by information security professionals as necessary to reasonably protect Personal Data during storage, processing and transmission.

1. Physical access control. Data is maintained at secure 3rd party data centers operated by Harmonize Technologies Inc.’s cloud infrastructure provider which include technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems (including databases, application servers and related hardware), where Personal Data is Processed. For decentralized data processing equipment (workstations), secure control procedures are in place to ensure equipment is protected when not in use.

2. Virtual access control. Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include: (a) user identification and authentication procedures; (b) ID/password security procedures (special characters, minimum length, change of password); (c) monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous passwords attempts; (d) creation of one main record per user, user-main data procedures per data Processing environment; and (e) encryption of archived data media.

3. Data access control. Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include: (a) internal policies and procedures; (b) control authorization schemes; (c) differentiated access rights (profiles, roles, transactions and objects); (d) monitoring and logging of accesses; (e) disciplinary action against employees who access Personal Data without authorization; (f) reports of access; (g) access procedure; (h) change procedure; (i) deletion procedure; and (j) encryption.

4. Disclosure control. Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include: (a) encryption; (b) logging; and (c) transport security.

5. Entry control. Technical and organizational measures to monitor whether Personal Data has been entered, changed or removed (deleted), and by whom, from data processing systems, include: (a) logging and reporting systems; and (b) audit trails and documentation.

6. Availability control. Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) include: (a) backup procedures; (b) data redundancy (e.g. high availability); (c) synchronous replication; (d) remote storage; (e) antivirus/firewall systems; and (f) disaster recovery plan.

7. Separation control. Technical and organizational measures to ensure that Personal Data collected for different purposes can be processed separately include: (a) separation of databases and/or schemas; (b) “internal client” concept / limitation of use; (c) segregation of functions (production/testing); and (d) procedures for storage, amendment, deletion, transmission of data for different purposes.