Data Processing Agreement (DPA)
This Data Processing Agreement (this “DPA”) is made by and between The Data Group LLC, an Alabama corporation (“TDG”), and the undersigned party (the “Customer”), setting forth the terms of the data processing relationship between the parties, and for good and valuable consideration, the parties, intending to be legally bound, agree as follows:
1. Definitions
- “Affiliate” means any entity that owns or controls, is owned or controlled by, or is under common control or ownership with, Customer or TDG, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract, or otherwise.
- “CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).
- “Customer Data” means any Personal Data that TDG processes on behalf of Customer as a Processor in the course of providing the Services, as described in the MSA.
- “Data Protection Laws” means EU Data Protection Laws, the CCPA, and, to the extent applicable, the data protection or privacy laws of any other country.
- “EEA” means the European Economic Area and Switzerland.
- “EU Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) UK’s International Data Transfer Agreement (“IDTA”) and Addendum to the European Commission’s Standard Contractual Clauses (“UK GDPR”); and (v) Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”); in each case, as may be amended, superseded or replaced.
- “Personal Data” means any information relating to an identified or identifiable natural person (a “Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- “Privacy Policy” means TDG’s Privacy Policy, available at thedatagroup.cloud/privacy-policy, which governs the collection, use, and storage of Customer Data when using the Services, as may be updated by TDG from time to time.
- “Controller” has the meaning given to it in the GDPR. The Controller and data exporter is Customer.
- “Processor” has the meaning given to it in the GDPR. The Processor and data importer is TDG.
- “Processing” has the meaning given to it in the GDPR and “process”, “processes”, and “processed” will be interpreted accordingly.
- “Restricted Transfer” means: (a) a transfer of Customer Data from Customer to TDG or a Sub-Processor; or (b) an onward transfer of Customer Data from TDG or a Sub-Processor to another Sub-Processor, in either case where such transfer would be prohibited by the GDPR in the absence of the Standard Contractual Clauses, pursuant to Section 8 below.
- “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.
- “Services” means any product or service provided by TDG to Customer pursuant to the Master Services Agreement (MSA).
- “Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj and the IDTA, as each may be amended, superseded, or replaced.
- “Sub-Processor” means any Processor engaged by TDG to assist in fulfilling its obligations with respect to providing the Services pursuant to the MSA or this DPA.
- “Master Services Agreement” (MSA) means TDG’s Service Agreement or Customer Service Agreement including exhibits executed among the parties which governs the provision of the Services to Customer, as may be amended by agreement of the parties.
2. Relationship with the Master Services Agreement
- Except for the modifications under this DPA, the Master Services Agreement (MSA) among the parties remains unchanged and in full force and effect. If there is any conflict between this DPA and the MSA, this DPA shall prevail to the extent of that conflict with regard to the subject matter and applicability of this DPA. Any claims brought under or in connection with this DPA shall be subject to the MSA, including but not limited to, the exclusions and limitations set forth in the MSA. In no event shall any party limit its liability with respect to any individual's data protection rights under this DPA, or otherwise. Customer further agrees that any regulatory penalties incurred by TDG to the extent such penalties arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or the GDPR shall be limited as specified under the MSA as if it were liability to the Customer under the MSA. When applicable, without prejudice to any applicable terms of the Standard Contractual Clauses, or where required under the Data Protection Laws, the parties submit to the choice of jurisdiction stipulated in the Master Services Agreement with respect to any disputes or claims arising under this DPA, which is governed by the laws of the country set forth in the MSA. Only the parties to this DPA, and their successors and permitted assignees, shall have any right to enforce any of its terms.
3. Scope and Applicability
- This DPA applies where, and only to the extent that, TDG processes Customer Data that originates from the EEA or that is otherwise subject to the Data Protection Laws on behalf of Customer as its Processor in the course of providing the Services pursuant to the MSA.
4. Roles and Scope of Processing
- Role of the Parties. As between TDG and Customer, Customer is the Controller of Customer Data, and TDG shall process Customer Data only as a Processor acting on behalf of Customer and at its direction.
- Customer Processing of Customer Data. Customer agrees and acknowledges that: (a) it shall comply with its obligations as a Controller under the GDPR with respect to its processing of Customer Data and any processing instructions it issues to TDG; and (b) it has provided notice and obtained (or shall obtain) all consents and rights necessary under the GDPR for TDG to process Customer Data solely to provide the Services pursuant to the MSA and this DPA.
- Processing of Customer Data. TDG shall process Customer Data only for the purposes described in this DPA and in accordance with Customer’s documented instructions. The parties hereby agree that this DPA and the MSA set forth the Customer’s complete and final instructions to TDG in relation to the processing of Customer Data and any processing outside of the scope of this DPA or the MSA requires a prior written agreement between Customer and TDG.
- Details of Data Processing. Notwithstanding anything to the contrary in the MSA or this DPA, Customer acknowledges that TDG shall have a right to use and disclose data relating to the operation, support, or use of the Services for its legitimate business purposes, such as for billing, account management, technical support, product development, and sales and marketing. To the extent any such data is considered Personal Data under the GDPR, TDG is the Controller of such data and accordingly shall process such data in accordance with its Privacy Policy and the GDPR.
5. Sub-Processing
- Authorized Sub-Processors. Customer agrees that TDG may engage Sub-Processors to process Customer Data at Customer's direction.
- Sub-Processor Obligations. TDG shall: (a) enter into a written agreement with each Sub-Processor with data protection terms requiring the Sub-Processor to protect the Customer Data to the standard required by the Data Protection Laws; and (b) remain responsible for its compliance with the obligations of this DPA.
- Changes to Sub-Processors. TDG shall: (a) provide an up-to-date list of the Sub-Processors as listed under Annex C hereto; and (b) provide 10 days’ notice to Customer by electronic mail with regard to any changes of Annex C. Customer may object in writing to TDG’s appointment of a new Sub-Processor within 5 calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection under the Data Protection Laws. In the event of Customer’s objection, the parties shall discuss and resolve the concerns over the Sub-Processor in good faith. If no resolution is achieved, TDG may suspend or terminate Service to Customer under the MSA.
6. Security
- Security Measures. TDG shall implement and maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data, in accordance with TDG's security standards which include: (a) pseudonymization or encryption of Customer Data; (b) restoring the availability and access to Customer Data in a timely manner in the event of a Security Incident, if possible; and (c) evaluating the effectiveness of technical and organizational Security Measures.
- Updates to Security Measures. Customer is responsible for reviewing the information made available by TDG relating to data security to make an independent determination as to whether the Services meet Customer’s requirements and legal obligations under the Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that TDG may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
- Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its own account credentials.
7. Data Secured Only In the USA
- Data Center Locations. TDG and its Sub-Processors will only process Customer Data in data centers located inside the United States.
8. Additional Security
- Confidentiality of Processing. TDG shall ensure that any person who is authorized by TDG to process Customer Data, including its staff, agents and contractors, shall be under an appropriate obligation of confidentiality.
- Security Incident Response. Upon becoming aware of a Security Incident, TDG shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.
9. Return or Deletion of Data
- Upon termination or expiration of the relationship between the parties under the MSA, TDG shall, at Customer's written election, delete or return to Customer all Customer Data, including copies, in its possession or control, except that this requirement shall not apply to the extent TDG is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data TDG shall securely isolate, keep confidential, and protect from any further processing, except to the extent required by applicable law.
10. Cooperation
- Customer Cooperation. To the extent that Customer is unable to independently access the relevant Customer Data within the Services, TDG shall, at Customer's reasonable expense, provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the MSA and this DPA. In the event that any such request is made directly to TDG, TDG shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If TDG is required to respond to such a request, TDG shall promptly notify Customer in writing and provide it with a copy of the request, unless legally prohibited from doing so. To the extent TDG is so required under the Data Protection Laws, TDG shall, at Customer's reasonable expense, provide reasonably requested information regarding the Services to enable the Customer to carry out its own compliance assessments as required by law. If a law enforcement agency demands Customer Data from TDG, such as by subpoena or court order, TDG shall attempt to redirect the request to Customer. In so doing, TDG may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, TDG shall give Customer reasonable notice of the demand so that Customer may seek a protective order or other appropriate remedy, unless TDG is legally prohibited from doing so. To the extent that any disclosure becomes legally required, TDG will limit the disclosure to only that amount of information required to be disclosed.
- Changes to Data Protection Laws or DPA. Customer may request modification to this DPA or the Standard Contractual Clauses with 30 calendar days’ written notice to TDG, where such modifications are required as a result of any change in, or decision of a competent authority under, the EU Data Protection Laws, to allow Processing or Restricted Transfers without breach of the EU Data Protection Laws, or to propose other modification to this DPA which Customer reasonably considers necessary to address the requirements of the Data Protection Laws. Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by TDG to protect TDG or any Sub-Processor against additional risks associated with variations made under this Section 11. Likewise, TDG shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Customer to protect Customer against additional risks associated with variations made under this Section 11.
11. Confidentiality
- This DPA as well as any notices, communications, or information received by either party from the other party thereto, shall be considered the confidential information of the disclosing party (“Confidential Information”). At all times, both for so long as Customer uses the Services under the MSA and this DPA, and for 3 years thereafter, except for confidential information deemed a trade secret for which such obligation shall continue for so long as it is deemed a trade secret, the party receiving Confidential Information shall not, directly or indirectly, disclose, use, or make available any Confidential Information, except as required by the normal business of the recipient under appropriate measures to safeguard such information, the MSA, this DPA, or where otherwise legally required to do so. Where disclosure is legally required, the recipient shall notify the disclosing party before disclosure so that the disclosing party can review and object to such disclosure, and the recipient shall only disclose that information necessary to comply with such legal requirement. Upon termination of this DPA, the provision of Services to Customer, or upon written request, the recipient of Confidential Information shall return to the disclosing party all Confidential Information in its possession, whether in the form supplied by the disclosing party or in the form of notes, reports, or otherwise, or the recipient shall certify the destruction of any Confidential Information in its possession.
12. General Terms
- Order of Priority. Between Customer and TDG, where applicable, the order of priority in which terms shall prevail is, first, the Standard Contractual Clauses, then this DPA, and finally the MSA. This DPA shall be governed by and construed in accordance with the MSA, unless otherwise required by the GDPR.
- Enforceability. Only the parties to this DPA, or their respective successors and assigns, shall have the right to enforce this agreement.
- Effectiveness. This DPA shall remain in effect for so long as TDG is Processing at the direction of Customer or until termination in accordance with the MSA and this DPA.
- Notices. Any notice required or permitted pursuant to this DPA shall be given in writing either by electronic mail or by registered or certified mail, return receipt requested, duly addressed to the addresses listed below.