Data Processing Addendum

last updated September 2022

This Data Processing Addendum (this “DPA”) supplements the RIW Software Services Agreement (“Services Agreement”) and the Order Form(s) (together, the “Agreement”) entered into by and between the Customer named therein (together with its Affiliates, “Customer”) and riwsoftware.com (“RIW”). In the event of a conflict between this DPA and the Agreement, this DPA shall supersede and control.

By signing this DPA, the signing Customer entity enters into this DPA, provides Instructions and manages the relationship with RIW on behalf of itself and, to the extent required under applicable Data Privacy Laws, in the name and on behalf of its Affiliates (“Authorized Affiliates”) to the extent RIW Processes Personal Data in relation to which each of the signing Customer entity and its respective Affiliates are Controllers in accordance with Data Privacy Laws, unless the parties have expressly agreed otherwise in writing.

For the purposes of this DPA only, the term “Customer” shall include Customer and its Authorized Affiliates. In respect of any obligation(s) which are required to be performed by the Customer, the Customer shall ensure that the Customer, or as applicable, its Authorized Affiliates shall perform such obligation(s). Capitalized terms used and not defined in this DPA shall have the respective meanings set forth in the Agreement and/or applicable Data Privacy Laws.

1. Definitions

“Data Privacy Laws” means, to the extent applicable, laws and regulations in any relevant jurisdiction relating to privacy, data protection, data security, communications secrecy, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the California Privacy Rights and Enforcement Act of 2020 and the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”) and the UK Data Privacy Laws.

“Data Subject” means an identified or identifiable person to whom Personal Data relates.

“European Union and EEA” means the European Union and the European Economic Area (including each of their respective member states) and Switzerland.

“EU SCCs” means Modules 1 and 2 of the EU standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries, as amended or replaced from time to time by a competent authority under the relevant Data Privacy Laws (available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en).

“Instruction(s)” means the directions, either in writing, in textual form (e.g. by e-mail) or by using the Subscription Services, issued by Customer to RIW and directing RIW to Process Personal Data.

“Losses” means losses, liabilities, damages, compensation, awards, payments made under settlement arrangements, claims, fines, proceedings, costs, and other expenses including without limitation interest and penalties, legal and other professional fees and expenses in each case whether arising in contract, tort (including but not limited to negligence, misrepresentation, breach of statutory duty, breach of warranty, claims by third parties arising from any breach of the Agreement) or otherwise.

“Personal Data” means any information relating to (i) an identified or identifiable natural person or (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Privacy Laws), where for each of (i) and (ii), such information forms part of the Customer Data which is Processed by RIW as a Processor on behalf of Customer to provide the Services, save as set out in Section 2(f)(i). For clarity, Personal Data does not include information that has been sufficiently anonymized or aggregated in accordance with the Data Privacy Laws.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

“Personnel” means, in relation to a party, all persons engaged or employed by that party in connection with the delivery of the Services, including employees, consultants, contractors, sub-contractors and permitted agents from time to time.

“Process” or “Processing” means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure, or destruction.

“Standard Contractual Clauses” or “SCCs” means if and to the extent (i) GDPR applies to the Processing under this DPA, the EU SCCs; and/or (ii) the UK Data Privacy Laws apply to the Processing activities under this DPA, the UK SCCs.

“Subprocessor” means any entity engaged by RIW to Process Personal Data or a RIW Affiliate.

“Supervisory Authority” means any data protection authority defined under Data Privacy Laws.

“UK” means the United Kingdom of Great Britain and Northern Ireland.

“UK Data Privacy Laws” means all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

“UK GDPR” means the UK General Data Protection Regulation, as it forms part of the law of the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018.

“UK Addendum” means the International Data Transfer Addendum to EU SCCs, issued by the ICO under s119A(1) of the Data Protection Act 2018, version B1.0 and any updates or replacements as may be issued by the ICO from time to time in accordance with s119A(1), as set out in Exhibit C of this DPA.

“UK SCCs” means the UK Addendum, as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR.

2. Processing of Data

a. Customer shall, in its use of the Services, at all times Process Personal Data, and provide Instructions for the Processing of Personal Data, in compliance with the Data Privacy Laws. Customer shall ensure that its Instructions comply with all laws, rules and regulations applicable in relation to the Personal Data, and that the Processing of Personal Data in accordance with Customer’s Instructions will not cause RIW to be in breach of the Data Privacy Laws. Customer warrants it has undertaken due diligence in relation to RIW’s Processing operations, and it is satisfied that RIW’s Processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage RIW to Process Personal Data.

b. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to RIW by or on behalf of Customer, (ii) the means by which Customer acquired the Personal Data, and (iii) the Instructions it provides to RIW. Customer shall not provide or make available to RIW any Personal Data in violation of the Agreement or which is otherwise inappropriate for the nature of the Services and shall indemnify RIW from all Losses in connection with Customer’s breach of applicable Data Privacy Laws. Customer shall notify RIW in the event of any change to the nature of the Personal Data it makes available to RIW as part of the Agreement.

c. RIW shall Process Personal Data (i) for the purposes set forth in the Agreement, (ii) in accordance with the terms and conditions set forth in this DPA and any other documented Instructions provided by Customer (unless required otherwise by EEA or UK law applicable to RIW, in which case RIW shall inform Customer of that requirement unless such law prohibits the provision of such information); and (iii) in compliance with the Data Privacy Laws. Customer hereby instructs RIW to Process Personal Data in accordance with the foregoing and as part of Customer’s use of the Services. RIW shall promptly inform Customer if in RIW’s opinion an Instruction infringes Data Privacy Laws.

d. In relation to any Personal Data that Customer provides or makes available to RIW, or that RIW Processes on Customer’s behalf pursuant to the Agreement, the parties acknowledge and agree that RIW is a Processor of Personal Data under the GDPR and/or the UK GDPR, and a service provider for the purposes of the CCPA receiving Personal Data from Customer pursuant to the Agreement for a business purpose. RIW shall not sell any such Personal Data nor retain, use or disclose any Personal Data provided by Customer pursuant to the Agreement except as necessary for performing the Services or otherwise as set forth in the Agreement or as permitted by the CCPA. The terms “service provider,” and “sell” are as defined in Section 1798.140 of the CCPA. RIW certifies that it understands the restrictions of this section.

e. The subject matter, nature, purpose and duration of this Processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Part B, Exhibit A to this DPA.

f. Personnel Personal Data

(i) Notwithstanding Section 2(d), each party acknowledges and agrees that it may need to Process Personal Data in relation to its own and/or the other party’s Personnel (in its capacity as a Controller) in order to (as appropriate): (a) administer and provide the Services; (b) request and receive the Services; (c) compile, dispatch and manage the payment of invoices relating to the Services; (d) manage the Agreement and resolve any disputes relating to it; (e) respond and/or raise general queries relating to the Services; and (f) comply with its regulatory obligations.

(ii) Each party shall Process such Personnel Personal Data for the purposes set out in Section 2(f)(i) in accordance with its applicable privacy policy. Each party acknowledges that it may be required to share Personnel Personal Data with its Affiliates and other relevant parties within or outside of the country of origin, in order to carry out the activities listed in Section 2(f)(i) and in doing so each party will ensure that the sharing and use of this Personnel Personal Data complies with applicable Data Privacy Laws.

g. Following completion of the Services, at Customer’s option, RIW shall return or delete the Personal Data, except as required to be retained by applicable law. The provisions of this DPA survive the termination or expiration of the Agreement for so long as RIW Processes the Personal Data.

3. Authorized Employees

a. RIW shall take commercially reasonable steps to ensure the reliability and appropriate training of its employees who have a need to know or access Personal Data to enable RIW to perform its obligations under the Agreement (an “Authorized Employee”).

b. RIW shall ensure that all Authorized Employees are aware of the confidential nature of Personal Data and have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their employment, any Personal Data except in accordance with their obligations in connection with the Services.

4. Subprocessors

a. RIW may use Subprocessors to fulfil its contractual obligations to Customer under the Agreement or to provide certain Services on behalf of RIW. RIW shall maintain an up-to-date list of the names and locations of all Subprocessors used for the Processing of Personal Data under this DPA at https://www.riwsoftware.com/Sub-Processors the same level of data protection and security as RIW under this DPA (including any applicable Standard Contractual Clauses).

b. RIW shall be liable to Customer for the acts and omissions of its Subprocessors to the same extent that RIW would itself be liable under this DPA had it conducted such acts or omissions.

c. The Subscription Services provide links to integrations with third parties, including, without limitation, certain services which may be integrated directly into Customer’s account or instance in the Subscription Services. If Customer elects to enable, access, or use such third-party services, its access and use of such third-party services is governed solely by the terms and conditions and privacy policies of such third-party services, and RIW does not endorse and is not responsible or liable for, and makes no representations as to any aspect of such third-party services, including, without limitation, their content or the manner in which they handle data (including Personal Data) or any interaction between Customer and the provider of such third-party services. The providers of third-party services shall not be deemed Subprocessors for any purpose under this DPA.

5. Security of Personal Data

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, RIW shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data, including at a minimum those outlined in Exhibit B which are approved by the Customer. RIW shall take commercially reasonable steps to limit access to Personal Data to only Authorized Employees and Subprocessors.

6. Transfers of Personal Data

a. If and to the extent GDPR or the UK Data Privacy Laws apply to the Processing under this DPA, RIW (as data importer) and Customer (as data exporter) will be bound by the Standard Contractual Clauses in connection with a transfer that would be prohibited by Data Privacy Law in the absence of SCCs, derogation or other adequate safeguard in place (“Restricted Transfer”).

b. For the purposes of Section 6(a), the parties acknowledge and agree that in relation to any Restricted Transfers of Personal Data: (i) Module 1 of the SCCs shall apply in respect of Personnel Personal Data Processed by the parties pursuant to Section 2(f)(i); and (ii) Module 2 of the SCCs shall apply in respect of the Personal Data RIW Processes on behalf of the Customer pursuant to Section 2(d).

c. The EU SCCs shall hereby be incorporated into the Agreement, for the purposes of Section 6(a). The details of the transfer are set out in Part 1, Exhibit A and the technical and organizational measures in Exhibit B, both of which shall be deemed appended to Appendix 1 of the EU SCCs as Annexes 1 and 2 respectively.

d. For the purposes of Modules 1 and 2 of the EU SCCs, the parties hereby elect to: (i) include optional Clause 7; (ii) select Option 2 for Clause 9(a) and include “thirty (30) days” where the time period is to be specified (for Module 2 only); (iii) omit the optional paragraph in Clause 11(a); and (iv) include the Netherlands as the member state governing law in Clause 17 and forum in Clause 18.

e. For the purposes of any UK transfers subject to UK Data Privacy Laws, the parties acknowledge and agree that the UK SCCs shall hereby be incorporated into the Agreement.

f. In case of conflict between the SCCs and this DPA, the SCCs will prevail.

7. Rights of Data Subjects

RIW shall, to the extent permitted by law, promptly notify Customer upon receipt of a request by a Data Subject to exercise a Data Subject’s right under Data Privacy Law (such as, for instance, access, erasure or data portability) (such requests individually and collectively “Data Subject Request(s)”); provided however, no such notice is required if Customer notifies RIW of the relevant Data Subject Request(s).

8. Actions and Access Requests

a. RIW shall, taking into account the nature of the Processing and the information available to it and provided that Customer does not otherwise have access to the relevant information, provide Customer with reasonable cooperation and assistance, where necessary for Customer to:

i. comply with its obligations under the Data Privacy Laws, including responding to Data Subject Requests,

ii. conduct a data protection impact assessment,

iii. cooperate with and/or participate in prior consultation with any Supervisory Authority, where necessary and legally required, or

iv. demonstrate compliance with Article 28 of GDPR/ UK GDPR.

b. RIW shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA.

c. Upon Customer’s written request, RIW shall provide Customer with a confidential summary report of its external auditors to verify the adequacy of its security measures and other information necessary to demonstrate RIW’s compliance with this DPA. The report will constitute RIW’s Confidential Information under the confidentiality provisions of the Agreement.

d. In the event of a Personal Data Breach, RIW shall without undue delay inform Customer of the Personal Data Breach and take necessary and reasonable action to remediate such violation. Additionally, RIW shall, taking into account the nature of the Processing and the information available to RIW, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under the Data Privacy Laws. Each party will reasonably assist the other party to mitigate any potential damages in connection with this Section.

EXHIBIT A – APPENDIX TO EU SCCs AND DETAILS OF PROCESSING

PART 1: APPENDIX TO EU SCCs

A. List of Parties

Data Exporter: Customer, as defined in the header of the DPA.
Address: as specified in the applicable Order Form(s)
Contact person’s name, position and contact details: as specified in the applicable Order Form(s)
Role (controller/processor): As set out in Sections 2(d) and 2(f)(i) of this DPA.

Data Importer: RIW Software Technology AB
Address: Brantingsgatan 18, 115 35 Stockholm
Contact person’s name, position and contact details: gdpr@riwsoftware.com
Role (controller/processor): As set out in Sections 2(d) and 2(f)(i) of this DPA.

B. Description of the Transfer:

Where (as the context requires) Modules 1 and 2 SCCs apply to this DPA:

Categories of Data Subjects: Customer’s end users.

Categories of Personal Data: None, unless Customer chooses, in its sole discretion, to provide such data (such as an email address, account name and/or other demographic information or metadata); however, such data is not required for use of the Services. The only information required for the Services to work effectively is a unique identifier for each end user of Customer’s products.

Sensitive or Special Categories of Personal Data: None.

Frequency of the transfer: Continuous, as required for the Services.

Personal Data Retention Period (or Criteria to Determine): As specified in the Agreement

Nature and Purpose of Processing: Providing the cloud-based services as specified in the Agreement.

For transfers to the Subprocessors, subject matter, nature and duration of the Processing: As specified in the Agreement.

C. Competent Supervisory Authority: The Supervisory Authority competent under Clause 13(a).

PART 2: DETAILS OF PROCESSING: As specified in Part 1 above and further detailed below.

Subject Matter and Duration of Processing: The processing is required for the provision of certain cloud-based software services for the purposes of product enhancement and providing in-application guidance, as specified in the Agreement. The Services will involve the Customer transmitting Personal Data, at its sole election and designation, for the purposes of utilizing the product enhancement cloud-based software. RIW shall Process such Personal Data, as provided by and determined by Customer, in its sole discretion within the Services for the purposes of fulfilling the Agreement.

The duration is the term of the applicable Services.

EXHIBIT B
RIW’S TECHNICAL AND ORGANIZATIONAL MEASURES

In order to protect the confidentiality, integrity, and availability of its internal and Customer data, RIW has implemented an information security program that includes the following technical, administrative/organizational, and physical controls:

1. Personnel security:

a. Job requirements are documented in job postings and candidates’ abilities to meet these requirements are evaluated as part of the hiring process.
b. The experience and training of candidates are evaluated before they assume the responsibilities of their position.
c. Members of the RIW workforce that have access to Customer data are required to undergo background checks.
d. RIW employees receive training in data privacy concepts and responsibilities, as well as RIW commitments on privacy, within two weeks of hire and refresher training on an annual basis.
e. RIW personnel are required to read and accept RIW’s Code of Conduct and the statement of confidentiality and privacy practices upon their hire and to formally reaffirm them annually thereafter.

2. Incident management:

a. Policies and procedures for operational and incident response management require incidents to be logged and reviewed with appropriate action (e.g. system changes) taken if necessary.
b. A formal incident response plan and standard incident reporting form are documented to guide employees in the procedures to report security failures and incidents.
c. The incident response plan enforces a process of resolving and escalating reported events. Its provisions include consideration of needs to inform internal and external users of incidents and advising of corrective actions to be taken on their part as well as a “post mortem” review requirement.