OPTI9 DATA PROCESSING ADDENDUM
(with EU Standard Contractual Clauses)

This addendum (the “Data Processing Addendum”) governs Opti9’s Processing of any Personal Data pursuant to Terms where such Processing occurs in the European Economic Area, its member states, Switzerland, or the United Kingdom (as each capitalized term is defined below).

  1. Definitions

The following definitions apply to this Data Processing Addendum:

  • Access Requests – requests made by a Data Subject to exercise any rights of Data Subjects under the Data Protection Legislation in relation to Personal Data.
  • Appropriate Safeguards – such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under the Data Protection Legislation from time to time.
  • Controller – has the meaning given to that term (or the term ‘data controller’) in the Data Protection Legislation.
  • Data Breach – any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data.
  • Data Protection Legislation – all applicable privacy and data protection laws including the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data and the privacy of electronic communications, including the Data Protection Act 2018, Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
  • Data Subject – an identified or identifiable natural person.
  • Opti9 – is Opti9 Technologies LLC, doing business or trading as Opti9, or its affiliate(s), the entity or entities providing the Services to you.
  • Personal Data – any information relating to a Data Subject received by Opti9 from you or on your behalf in connection with the performance of OPTI9’s obligations as a Processor.
  • Processor – the OPTI9 entity identified in the Order and acting as a processor (or ‘data processor’) as that term is defined in the Data Protection Legislation with respect to the Services.
  • Processing – has the meaning given to that term in the Data Protection Legislation.
  • Restricted Transfer – either a transfer of Personal Data from you to a Processor or an onward transfer of Personal Data from a Processor to a Processor (or between two establishments of a Processor), but only where such transfer would be prohibited by Data Protection Legislation (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Legislation) in the absence of the Standard Contractual Clauses to be established under Section 8.
  • Services – the services and other activities to be supplied to or carried out by or on behalf of OPTI9 pursuant to the Terms.
  • Sub-Processor – another OPTI9 entity or third party engaged by Processor in order to act as a processor (or ‘data processor’) as that term is defined in the Data Protection Legislation with respect to the Services.
  • Standard Contractual Clauses – means the clauses set forth in Annex 1, as they may be amended, superseded or replaced from time to time.
  • Terms – shall mean the principal agreement to which this Data Processing Addendum is attached and into which it is incorporated.
  • UK Addendum – means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under S.119 (a) of the UK Data Protection Act 2018, as updated or amended from time to time.
  • US Data Protection Laws – shall mean (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), (ii) the Colorado Privacy Act (“CPA”), (iii) the Connecticut Data Privacy Act (“CTDPA”), (iv) the Utah Consumer Privacy Act (“UCPA”), and (v) the Virginia Consumer Data Protection Act (“VCDPA”).
  • You or Your – shall refer to the OPTI9 client identified in the Terms.
  2. Survival

This Data Processing Addendum shall survive termination or expiry of these Terms and continue:

  • indefinitely in the case of Sections 1, 2 and 10 of the Terms; and
  • until 12 months following the termination or expiry of these Terms in the case of all other Sections.
  3. Controller and Processor
    • You are the Controller in respect of any Personal Data, and you hereby instruct Processor to process Personal Data as necessary in order to provide the Services.
    • You shall comply with all Data Protection Legislation in connection with the exercise and performance of your rights and obligations under these Terms, and Processor shall process the Personal Data in compliance with the obligations of Processors under the Data Protection Legislation.
    • You warrant that:
      • without prejudice to the generality of paragraph 3(b), you will ensure you have all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Processor and/or lawful collection of the Personal Data by Processor on your behalf for the duration and purposes of the Terms;
      • all instructions given by you to Processor in respect of the Personal Data shall be in accordance with the Data Protection Legislation; and
      • you are satisfied that OPTI9’s Processing operations are suitable to enable OPTI9 to process Personal Data, and that OPTI9 has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of the Data Protection Legislation.
  4. Instructions and Details of Processing
    • Where OPTI9 processes Personal Data on your behalf, OPTI9 shall:
      • process the Personal Data only in accordance with your documented instructions (unless required to do otherwise by the Data Protection Legislation);
      • notify you if the Data Protection Legislation requires OPTI9 to process Personal Data other than in accordance with your documented instructions; and
      • notify you if OPTI9 believes that an instruction infringes the Data Protection Legislation.
    • OPTI9’s Processing of Personal Data shall consist of storing and applying business process rules to data:
      • relating to names and addresses of customers and representatives;
      • for the duration of these Terms and for a maximum period of 30 days thereafter in order to allow for an orderly wind-up and/or transfer and/or cessation of the relevant Services; and
      • for the purpose of performing its obligations under these Terms.
  5. Technical and Organisational Measures

OPTI9 shall implement and maintain appropriate technical and organisational measures:

  • to ensure a level of security appropriate to the risks to Data Subject rights and freedoms presented by the Personal Data being Processed, taking into account state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing.
  • to assist you insofar as is possible in the fulfilment of your obligations to respond to Access Requests relating to Personal Data, taking into account the nature of the Processing, including the fact that OPTI9 may not be able to access or manipulate some or all of the Personal Data.
  6. Using Staff and Other Processors
    • You provide a general authorization to OPTI9’s use of Sub-Processors to process Personal Data in accordance with this section, including those Sub-Processors. With respect to any new Sub-Processor that OPTI9 shall engage in the course of its business, OPTI9 will notify you at least thirty (30) calendar days prior to the date on which any new Sub-Processor shall commence processing Personal Data; OPTI9 shall update the Sub-Processor List and provide Customer with notice of that update. Such notice will be sent to individuals who have signed up to receive updates to the Sub-Processor List via the mechanism(s) indicated on the Sub-Processor List.
    • You may object to OPTI9’s appointment of a new Sub-Processor on reasonable grounds relating to data protection by notifying OPTI9 in writing at infosec@opti9tech.com within seven (7) calendar days after receiving notice. In such event, OPTI9 shall either: (a) work with you to address your objections to its reasonable satisfaction; (b) instruct the Sub-Processor to not process Personal Data; or (c) notify you of its option to terminate the Agreement and this DPA within fourteen (14) calendar days.
    • Processor shall:
      • not engage any Sub-Processor for carrying out any Processing of Personal Data without your authorisation;
      • appoint Sub-Processors only under a written contract containing materially the same obligations as those incumbent upon Processor under the Terms and including, where necessary, Appropriate Safeguards; and
      • ensure that all Processor personnel authorised to process Personal Data are subject to binding statutory, ethical, professional, or written contractual obligations to keep the Personal Data confidential (except as otherwise required in accordance with the Data Protection Legislation).
  7. Assistance With Your Compliance Obligations and Data Subject Rights
    • OPTI9 shall refer all Access Requests it receives to you without undue delay and, in any event, OPTI9 shall endeavour to do so no later than 7 days after receipt.
    • OPTI9 shall provide such reasonable assistance to you as you reasonably require (taking into account the nature of Processing and the information available to OPTI9) to meet your compliance obligations under the Data Protection Legislation with respect to security of Processing, data protection impact assessments, prior consultation with a supervisory authority regarding high-risk Processing, and notification to the supervisory authority or communications to Data Subjects by you in response to a Data Breach, provided that for any assistance that exceeds reasonable standards to comply with legal requirements you shall pay OPTI9 for providing any such assistance on a time and materials basis in accordance with OPTI9’s then-current standard daily rates.
    • OPTI9 will complete information security questionnaires or requests and seek similar information from Sub-Processors on your behalf upon request, provided always that both the frequency and nature of such requests are reasonable.
  8. International Data Transfers
    • You agree that Processor may transfer Personal Data to any country from which you or a Data Subject accesses the Personal Data in order to make that Personal Data available to you or that Data Subject on the basis of your express consent in accordance with the Data Protection Legislation or in accordance with the Standard Contractual Clauses.
    • Processor may transfer Personal Data freely within the EEA, Switzerland, the United Kingdom, and any other jurisdiction which has been deemed to provide adequate safeguards for the protection of Personal Data pursuant to Data Protection Legislation.
    • Where a transfer of Personal Data is subject to UK Data Protection Legislation, the Parties shall rely on the Standard Contractual Clauses as amended by the UK Addendum to the Standard Contractual Clauses issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018.
  9. Standard Contractual Clauses
    • Subject to Section 8 of the Data Processing Addendum, where the transfer of Personal Data to OPTI9 is a Restricted Transfer and Data Protection Legislation requires that appropriate safeguards are put in place, such transfer shall be governed by the Standard Contractual Clauses, which shall be deemed incorporated into and form part of the Data Processing Addendum as follows:
      • In relation to transfers of Personal Data protected by the EU GDPR, the SCCs shall apply as follows:
        • Module Two terms shall apply (where Customer is the controller of Personal Data);
        • in Clause 7, the optional docking clause shall not apply;
        • in Clause 9, option 2 (“general authorization”) is selected, and the process and time period for prior notice of Sub-processor changes shall be as set out in Section 6 of the Data Processing Addendum;
        • in Clause 11, the optional language shall not apply;
        • in Clause 17, option 1 shall apply and the SCCs shall be governed by Irish law;
        • in Clause 18(b), disputes shall be resolved before the courts of Ireland;
        • Annex I shall be deemed completed with the information set out in Appendix 1 to the DPA; and
        • Annex II shall be deemed completed with the information set out in Appendix 2.
      • In relation to transfers of Personal Data protected by the UK GDPR, the SCCs as implemented under Section 1(a) above shall apply with the following modifications:
        • the SCCs shall be modified and interpreted in accordance with Part 2 of the UK Addendum, which shall be deemed incorporated into and form an integral part of the DPA;
        • Tables 1, 2 and 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out in Appendix 1 and Appendix 2 to the DPA and the Security Addendum respectively, and Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”; and
        • any conflict between the terms of the SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
      • In relation to transfers of Personal Data protected by the Swiss Data Protection Act, the SCCs as implemented under Section 9(a) above will apply with the following modifications:
        • references to “Regulation (EU) 2016/679” and specific articles therein shall be interpreted as references to the Swiss Data Protection Act and the equivalent articles or sections therein;
        • references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” and/or “Swiss law” (as applicable);
        • references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”;
        • the SCCs shall be governed by the laws of Switzerland; and
        • disputes shall be resolved before the competent Swiss courts.
  10. US Data Protection Law Requirements
    • Processor will act as a data “Processor” (under the VCDPA, the CPA, the UCPA, and the CTDPA) and/or “Service Provider” (under the CCPA) with respect to any Personal Data provided to Processor or made accessible by you under the Agreement. You will act as a “Controller” (under the VCDPA, the CPA, the UCPA, and the CTDPA) and a “Business” (under the CCPA).
    • Processor shall:
      • not “sell” or “share” Personal Data or use Personal Data for the purposes of “targeted advertising,” as those terms are defined in the US Data Protection Laws.
      • notify you if Processor determines that it can no longer meet its obligations under the US Data Protection Laws.
      • not combine the Personal Data received from you with Personal Data that Processor receives from, or on behalf of, another person or company, except as permitted under US Data Protection Laws.
    • Personal Data that you disclose to Processor is provided to Processor for a Business Purpose, as that term is defined in the US Data Protection Laws, and nothing about the Agreement or the Services involves a “selling” or a “sale” of Personal Data under the US Data Protection Laws.
  11. Records, Information and Audit

OPTI9 shall, in accordance with Data Protection Legislation:

  • maintain written records of all categories of Processing activities carried out on your behalf; and
  • make available to you such information as is reasonably necessary to demonstrate OPTI9’s compliance with the obligations of Processors under Data Protection Legislation, and allow for and contribute to audits, including inspections, by you for this purpose, subject to you:
    • giving OPTI9 reasonable prior notice of such information request, audit and/or inspection being required by you;
    • ensuring that all information obtained or generated by you in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the supervisory authority or as otherwise required by applicable laws); and
    • ensuring that such audit or inspection is undertaken during regular business hours of operation with minimal disruption to OPTI9’s or any Sub-Processor’s business.
  12. Breach Notification

OPTI9 shall notify you without undue delay of any Data Breach involving Personal Data as required pursuant to Data Protection Legislation.

  13. Deletion or Return of Personal Data

OPTI9 shall, at your written request, either delete, securely destroy, or return all the Personal Data to you in such form as you may reasonably request within 30 days after the earlier of either (a) the end of the performance of the relevant Services or the end of the subscription, support period or rental period, whichever is sooner; or (b) once Processing by OPTI9 of any Personal Data is no longer required for the purposes of these Terms. OPTI9 shall also delete any existing copies of such Personal Data (unless such deletion would be prohibited by applicable laws or by OPTI9’s then-current backup or archival purposes, in which case OPTI9 shall continue to protect the confidentiality of such copies as if they were subject to this Data Processing Addendum, or unless OPTI9 is a Controller in relation to that data at the relevant time).

  14. Changes in Data Protection Laws

You or OPTI9 may propose any variations to this Data Processing Addendum which you or OPTI9 reasonably considers to be necessary to address the requirements of any Data Protection Legislation. If you or OPTI9 gives notice under this Section 12, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in such notice as soon as is reasonably practicable. Notwithstanding any contrary restriction in the Terms, neither you nor OPTI9 shall require the consent or approval of any of your or OPTI9’s respective affiliates in order to amend this Data Processing Addendum pursuant to this Section 12.

Annex 1: Standard Contractual Clauses

The controller to processor standard clauses adopted pursuant to EU Commission Decision 2016/679/EU, available at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en, are incorporated into this DPA as if fully set forth herein, except that the standard contractual clauses shall yield to those provisions set forth below within this Annex. For the avoidance of doubt, Customer’s signature or other indication of assent with respect to the Order shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses incorporated herein, as well as this Annex and its appendices.

Name and contact information of the data exporting organization: Customer, as indicated on the Order.

(the data exporter)

Name and contact information of the data importing organization: Opti9 Technologies LLC doing business or trading as Opti9, and its affiliated companies, as set forth on the Order.

(the data importer)

each a ‘party’; together ‘the parties’,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Appendix 1 to Annex 1: Standard Contractual Clauses

This Appendix forms part of Annex 1 and shall be deemed to be signed by the respective parties as described in Annex 1.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

Data Exporter is Customer, as defined in the Order.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

Opti9 Technologies LLC, doing business or trading as Opti9, and its affiliated companies, which provide workforce management and other human resources solutions upon the instruction of the data exporter in accordance with the terms of the Agreement.

Data subjects, categories of personal data, and processing operations

The data exporter has instructed the data importer to import, host, and process certain information in connection with its provision of the Services, as defined in the Order. The extent of personal data transferred pursuant to the Standard Contractual Clauses is a limited subset of contact information required in order to allow the data importer to administer its contractual relationship with the data exporter. This information includes the names, job titles, locations, email addresses, telephone numbers, and related contact information of individual employees of the data importer who interact with the data exporter with respect to those Services. No special categories of data will be transferred.

Appendix 2 to Annex 1: Standard Contractual Clauses

This Appendix forms part of Annex 1 and shall be deemed to be signed by the respective parties as described in Annex 1.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of personal data uploaded to the Platform, as described in the OPTI9 Platform Information Security Policy, as updated from time to time, and made reasonably available by data importer upon request submitted to security@opti9tech.com.