This Data Processing Agreement (“DPA”) is entered into as of the later signature date below (the “Effective Date”) between Commercium Technology LLC, with offices at 148 Avenue of Two Rivers, Rumson NJ 07760 on behalf of itself and its Affiliates (“CTI”) and the company entity(ies) specified on the signature line below (or if this Addendum is being incorporated by reference, the company entity party to the Agreement) (“Company”). For purposes of this DPA, “Affiliate” means an entity controlling, controlled by, or under common control with a party (an entity will be deemed to have control if it owns over 50% of another entity). This DPA amends and forms part of the agreement between CTI and Company.
- Roles of the Parties. The parties acknowledge that for the purposes of the Data Protection Legislation each is a data controller in respect of personal data. As used in this DPA, “Data Protection Legislation” means all applicable privacy and data protection laws including (i) the General Data Protection Regulation ((EU) 2016/679) (the “GDPR”) and any applicable national implementing laws, regulations and secondary legislation including the UK Data Protection Act 2018, (ii) the Privacy and Electronic Communications Directive (2002/58/EC) and any applicable national implementing laws including the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), and (iii) any replacement legislation implemented by the United Kingdom (“UK”) pursuant to the withdrawal of the UK from the European Union, in each case as amended, replaced or updated from time to time. Where used in this DPA, the terms “controller”, “processor”, “data subject”, “personal data”, “personal data breach” and “processing” (including “process”) shall have the meanings given to them or to similar terms in the applicable Data Protection Legislation. Both parties will comply with all applicable requirements of the Data Protection Legislation. Company is prohibited from: (i) selling CTI’s personal data; and (ii) collecting, retaining, using, or disclosing CTI’s personal data for any purpose other than, if applicable, providing services to CTI or outside of the direct business relationship between CTI and Company.
- Security Measures. Company shall ensure that it has in place appropriate technical and organizational measures to protect against a personal data breach, appropriate to the harm that might result from such personal data breach, having regard to the state of technological development and the cost of implementing any measures. Such measures may include, where appropriate, pseudonymizing and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after a physical or technical incident, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it.
- Breach Notification. Company shall, to the extent permitted by law, notify CTI without undue delay upon discovery of a personal data breach that is connected to CTI.
- Requests. Company shall promptly notify CTI as soon as it receives any request or enquiry from a data protection regulator or data subject with regard to the personal data and shall keep CTI regularly updated as to how it handles such request or enquiry. Each party will be responsible for answering to the requestor for the part of the processing it is responsible for.
- Marketing. To the extent that Company collects personal data such as contact details, including email addresses, on behalf of CTI for marketing purposes, it warrants and undertakes that it will collect such data in accordance with Data Protection Legislation, including with respect to any consent that may be required for CTI to send direct marketing communications to data subjects. In such a case, Company must bring to the attention of data subjects that CTI will be sending marketing communications to them such as newsletters, webinar or events invitations.
- Data Sharing. Where personal data is being shared between the parties, the party(ies) collecting the data shall inform data subjects about such data sharing and recipients or categories of recipients of their information.
- International Transfers.
7.1. To the extent that a party receives any personal data under this Agreement that originates from the EEA, UK or Switzerland and processes it in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for personal data, the parties agree to enter into the SCCs (Module 1). “SCCs” means the European Commission Standard Contractual Clauses for the transfer of personal data to third countries adopted pursuant to Regulation (EU) 2016/679 and as set out in the Annex to Commission Decision (EU) 2021/914, which are hereby incorporated into and form part of this Agreement.
7.2. At all times during the term of the Agreement, CTI (as data importer) and Company (as data exporter) or CTI (as data exporter) and Company (as data importer), as appropriate, shall comply with the SCCs with respect to personal data shared between the parties. Annex I to the SCCs is deemed to be prepopulated with the names and contact information of CTI and Company as set forth in the Agreement; the categories of data subjects and personal data and the nature and purposes of the processing set forth in the Agreement, as applicable. No sensitive data shall be transferred between the parties. Annex II to the SCCs is deemed to be prepopulated with the technical and organizational measures described in Article 32 of the GDPR and in section 2 of this Addendum. In addition, where CTI acts as the data importer, Annex II to the SCCs is supplemented with the technical and organizational measures described in CTI’s Corporate Security White Paper available at: es. The SCCs shall be governed by the laws of the EU Member State in which the data exporter is established and the competent supervisory authority shall be the one of such EU Member State. The Parties hereby acknowledge and agree that each party’s signature to the Agreement shall constitute such party’s signature to the SCCs, as required by Applicable Data Protection Laws and to the extent the SCCs apply.
- Alternative Data Export Solution. The parties agree that the data export solution identified in Section 6 may not apply if and to the extent that Company adopts an alternative data export solution for the lawful transfer of personal data (as recognized under the Data Protection Legislation) outside of the EEA, UK or Switzerland, in which event, CTI may give approval for such alternative data export solution to apply instead (but solely to the extent such alternative data export solution extends to the territories to which personal data is transferred under this DPA) and shall reasonably cooperate with Company to implement such solution.

