Data Processing Addendum

Data Processing Terms

1. Definitions.  All capitalized terms used but not otherwise defined herein will have the meaning set forth in this Section 1 (Definitions) or in the Agreement.  

   
   (A) “Data Protection Law” means, as applicable: (i) Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “EU GDPR”); (ii) the EU GDPR as incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable legislation under such Act (the “UK GDPR”); (iii) the Federal Act on Data Protection of 19 June 1992 (Switzerland) (the “Swiss FADP”); and/or (iv) U.S. state laws that govern the processing of personal data, including the California Consumer Privacy Act of 2018 (the “CCPA”), as amended by the California Privacy Rights Act of 2020 (the “CPRA”).
   
   (B) “EEA” means the European Economic Area. 
   
   (C) “EU” means the European Union. 
   
   (D) “Standard Contractual Clauses” or “SCCs” means the clauses annexed to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, which are available online at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.  
   
   (E) “Transfer” means to disclose, provide or otherwise make personal data available to a third party including, but not limited to, disclosure by physical movement of the personal data to such third party or by enabling access to the personal data by other means. 
   
   (F) “UK” means the United Kingdom. 
   
   (G) The terms “controller”, “data subject”, “personal data”, “personal information”, “personal data breach”, “process” or “processing”, and “processor” each have the meaning set forth in the applicable Data Protection Law. 

2. Roles of the Parties.  The parties agree that, for purposes of any applicable Data Protection Law, Sponsor is a controller (or, as applicable, a processor) of personal data, and Extu is a processor of personal data.  Each party shall comply with the obligations of Data Protection Law applicable to it in connection with this DPA and the processing of personal data. 

3. Processing of Personal Data.  Extu will process personal data solely: (a) as needed to perform its obligations under the Agreement; (b) in accordance with the Agreement, this DPA, and other documented instructions received from Sponsor as further set forth in Section 4 (Instructions) below; and (c) as needed to comply with applicable law.  The details of the processing of personal data (including the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects) are set forth in Exhibit A attached hereto. 

4. Instructions.  Extu will process personal data in accordance with Sponsor’s documented, lawful instructions as specified in the Agreement and this DPA, including instructions regarding Transfers.  Sponsor acknowledges that Extu only collects personal data that is specifically requested and approved by Sponsor.  Sponsor may provide additional instructions in writing to Extu with regard to the processing of personal data in accordance with Data Protection Law.  Extu will comply with reasonable, lawful and documented additional instructions from Sponsor, except to the extent such instructions expand the scope of Extu’s performance pursuant to the Agreement in which case Extu reserves the right to charge Sponsor additional fees.  Unless prohibited by applicable law, Extu will inform Sponsor if, in Extu’s reasonable opinion, an instruction from Sponsor violates applicable Data Protection Law. 

5. Data Subject Requests.  If Extu receives a request from a data subject that relates to Sponsor’s personal data and identifies Sponsor, Extu will promptly instruct the data subject to submit such request to Sponsor.  Extu will reasonably assist Sponsor, by appropriate technical and organizational measures and taking into account the nature of the processing, in meeting Sponsor’s obligations to respond to data subjects’ requests to exercise their rights under applicable Data Protection Law, including their rights to access, correction, objection, erasure and data portability.     

6. Additional Assistance.  Taking into account the nature of the processing and the information available to Extu, Extu will reasonably assist Sponsor in meeting its compliance obligations regarding: (a) ensuring the security of the personal data; (b) responding to personal data breaches, as further set forth below in Section 11 (Personal Data Breach); and (c) carrying out privacy and data protection impact assessments and related consultations of data protection authorities. 

7. Use of Subprocessors.  Sponsor hereby provides Extu with a general written authorization to appoint third party subcontractors to process Sponsor’s personal data in connection with Extu’s performance pursuant to the Agreement (each a “Subprocessor”).  In particular, Extu may continue to use those Subprocessors already engaged as of the DPA Effective Date, a list of which is available at https://extu.com/legal/subprocessors/  (the “Subprocessor Website”).  At least thirty (30) days prior to appointing any new Subprocessor to process Sponsor’s personal data in connection with Extu’s performance pursuant to the Agreement, Extu will provide Sponsor with a notice of its intent to appoint the new Subprocessor by updating the list available on the Subprocessor Website.  If Sponsor does not object within such ten (10) business day period, the new Subprocessor shall be deemed approved.  If Sponsor objects within such ten (10) day period, the parties will use good faith efforts to resolve such objection within a reasonable time.  If the parties are unable to resolve such objection within a reasonable time, Sponsor may terminate the Agreement and this DPA, upon notice to Extu.  Before permitting any Subprocessor to process Sponsor’s personal data, Extu will enter into a written agreement with such Subprocessor that is no less restrictive than this DPA with respect to the processing of personal data.  Extu will remain responsible and liable for any act or omission by such Subprocessor with respect to the personal data as if such act or omission were performed by Extu. 

8. Transfers.   

   
   (A) To the extent the processing of personal data by Extu requires any Transfers by Sponsor of personal data originating within the EEA, UK, or Switzerland to Extu in a country located outside the EEA, UK, or Switzerland that has not been the subject of a binding adequacy decision by the European Commission or by a similar competent data protection authority, such Transfers will be made pursuant to the SCCs, which are hereby incorporated by reference, subject to the following: 

   (i) where Sponsor is a controller and Extu is a processor, such Transfers will be made pursuant to Module Two of the SCCs; 
   
   (ii) where both Sponsor and Extu are processors, such Transfers will be made pursuant to Module Three of the SCCs; 
   
   (iii) where the Transfer relates to personal data originating within the UK, the SCCs shall be modified as set forth within the “UK Transfer Addendum”, developed by the UK Information Commissioner’s Office (“UKICO”) and effective as of March 21, 2022, which is available online at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, and incorporated herein by this reference; 
   
   (iv) the parties’ choices, with respect those elements of the SCCs that provide for optionality, are set forth on a jurisdiction-by-jurisdiction basis in Exhibit B attached hereto; and 
   
   (v) the information required by: (A) Annex I and Annex III of the SCCs appears in Exhibit A attached hereto, and (B) Annex II of the SCCs appears in Exhibit C attached hereto. 

   (B) Any onward Transfers by Extu of personal data originating within the EEA, UK, or Switzerland to a recipient in a country located outside the EEA, UK, or Switzerland that has not been the subject of a binding adequacy decision by the European Commission or by a similar competent data protection authority shall be subject to binding and appropriate Transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Law, such as the standard contractual clauses or approved binding corporate rules.  

9. Confidentiality.  Extu will ensure that all persons authorized to process personal data are subject to written obligations of confidentiality or are under an appropriate statutory obligation of confidentiality that are no less restrictive that those set forth herein or in the Agreement. 

10. Security.  Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, Extu will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing of personal data. 

11. Personal Data Breach.  If Extu becomes aware that there has been a personal data breach (as defined by Data Protection Law), Extu will notify Sponsor in writing of such personal data breach without undue delay.  Taking into account the nature of processing and the information available to Extu, Extu will reasonably assist Sponsor in complying with its obligations regarding personal data breaches. 

12. Return or Destruction.  Extu will return or destroy all personal data to Sponsor upon termination of the Agreement or this DPA, and destroy existing copies of personal data unless: (a) applicable law or Extu’s reasonable data retention policy requires storage of the personal data, or (b) such personal data is stored in Extu’s archival or backup systems.  Any personal data retained by Extu pursuant to this Section 12 (Return or Destruction) shall be retained in accordance with the terms of this DPA.  

13. Audits; Inquiries.  Extu will make available to Sponsor information reasonably necessary to demonstrate Extu’s compliance with Data Protection Law and this DPA, and, at Sponsor’s expense, allow for and contribute to audits, including inspections, conducted by the internal and external auditors and personnel of Sponsor and applicable data protection authorities.  In connection with the foregoing, Sponsor will provide Extu with reasonable notice of such audit (and in any event not less than thirty (30) days’ notice) and such audit will occur at a date and time mutually agreed to by the parties during normal business hours and will not unreasonably interfere with Extu’s business operations.  Sponsor agrees, and prior to performing any audit or inspection pursuant to this Section 13 (Audits; Inquiries) will contractually obligate its internal and external auditors and personnel to agree, to treat any information reviewed, obtained or otherwise made available by Extu during any audit or inspection, including the results of such audit and inspection, as confidential information of Extu.   

14. Disclosure Requests.  If Extu receives any subpoena, judicial, administrative or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority which relates to its processing of Sponsor’s personal data (“Disclosure Request”), it will promptly pass on such Disclosure Request to Sponsor without responding to it, unless otherwise required by applicable law.  Extu will provide Sponsor with relevant information in its possession that may be responsive to the Disclosure Request and any reasonable assistance required for Sponsor to promptly respond to such Disclosure Request. 

15. CCPA Compliance.  The parties acknowledge and agree that Extu is acting as a service provider (as such term is defined by the CCPA) to Sponsor in connection with Extu’s performance pursuant to the Agreement.  Extu acknowledges and confirms that it does not provide Sponsor with any monetary or other valuable consideration in exchange for the receipt of personal information (as defined by the CCPA) and certifies that it understands and will comply with the restrictions set forth in this Section 15 (CCPA Compliance).  Except as required by applicable law, Extu will not collect, access, use, disclose, process, or retain personal information for any purpose other than Extu’s performance pursuant to the Agreement or another business purpose permitted by the CCPA, this DPA, or the Agreement.  In particular, Extu shall not sell (as defined by the CCPA) or share (as defined by the CPRA) any personal information. 

16. Survival.  Extu’s obligations under this DPA will continue for so long as Extu has access to, is in possession of or acquires personal data, even if the Agreement has expired or been terminated. 

17. Limitations on Liability.  For the avoidance of any doubt, this DPA and any liabilities or remedies arising from it are subject to any and all limitations on liability provisions and disclaimers of types of damages provisions set forth in the Agreement, to the maximum extent permitted by applicable law.  

18. Interpretation.  Except as specifically provided herein, the Agreement shall remain in full force and effect.  The rights granted to any party hereunder are in addition to and not a replacement for other rights such party may have under the Agreement.  In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Agreement with respect to the processing of personal data, the terms of this DPA shall control.  In the event of any conflict or inconsistency between the terms of any applicable module of the SCCs and the terms of this DPA with respect to any Transfers, the terms of the SCCs shall control. 

IN WITNESS WHEREOF, the parties hereto have caused this DPA to be executed by their duly authorized representatives as of the DPA Effective Date.