GORDIAN DATA PROTECTION ADDENDUM
This Data Protection Addendum (“Addendum”) is entered into by and between Gordian and its applicable client (on behalf of itself and its Authorized Affiliates, “Client”) and is incorporated by reference into, and forms a part of, the Master Services Agreement or other written or electronic agreement between Gordian and Client (“Agreement”) for the provision of Gordian’s Services (as defined in the Agreement) to reflect the parties’ agreement regarding the Processing of Personal Data. Except as expressly set forth herein, the Agreement remains unchanged and in full force and effect. In the event of a conflict between this Addendum and the Agreement, this Addendum will govern. Terms used but not defined herein shall have their respective meanings as set forth in the Agreement.
HOW THIS ADDENDUM APPLIES:
If Client is a direct customer of Gordian and signed the Agreement, this Addendum forms part of the Agreement. If Client has executed an Order Document with Gordian or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this Addendum forms part of that Order Document and any applicable renewal Order Document. For any entity that has a contract with an authorized reseller or distributor of Gordian services, this Addendum is not valid or legally binding, and it should contact the authorized reseller or distributor to request any applicable amendment.
1. DEFINITIONS
“Gordian” means the Gordian entity that is a party to the Agreement.
“Affiliate” means any entity(ies) owned, controlled, or commonly controlled by a party.
“Appropriate Safeguards” means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time.
“Authorized Affiliate” means any Client Affiliate that: (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland, the United Kingdom, and/or the United States, and (b) is permitted to use the Services pursuant to the Agreement between Client and Gordian, but has not signed its own Order Form with Gordian and is not a “Client” as defined under this Addendum.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
“Complaint” means a complaint or request relating to either party’s obligations under Data Protection Laws, including any claim from a Data Subject or any notice, investigation, or other action from a Supervisory Authority.
“Data Breach” means any confirmed unlawful or unauthorized access to, use of, or disclosure of Personal Data directly caused by a party in breach of its information security and privacy requirements set forth in the Agreement and in this Addendum that leads to the accidental, unauthorized or unlawful destruction, loss, alteration, disclosure of, or access to, Personal Data. For the avoidance of doubt, a Data Breach does not include unsuccessful attempts to breach or actions that do not compromise the security of Personal Data, including unsuccessful log-in attempts, denial of service attacks, or other network attacks on firewalls or networked systems.
“Data Breach Losses” means a party’s actual direct costs related to a Data Breach for: (i) notifying Data Subjects whose Personal Data was the subject of the Data Breach (“Affected Parties”) as required by Data Protection Laws; (ii) procuring credit monitoring, credit reporting, and identity theft insurance, each as required by Data Protection Laws; (iii) fines and penalties imposed by a Supervisory Authority under Data Protection Laws upon such party as a result of the Data Breach; (iv) reasonable call center support for Affected Parties for up to ninety (90) days; (v) actual monetary damages suffered by Affected Parties due to such Data Breach and/or compensation ordered by a Supervisory Authority; and (vi) the reasonable cost of compliance with investigations ordered by a Supervisory Authority. Each party shall procure all of the foregoing items at a reasonable cost consistent with industry standards.
“Data Protection Laws” means all laws and regulations regarding data protection, data privacy, and information security applicable to a party as the context requires related to the Processing of Personal Data under this Addendum.
“Data Subject” means a subject of Personal Data who is an identified or identifiable natural person.
“Data Subject Request” means a request made by a Data Subject to exercise legal rights under Data Protection Laws.
“DPIA” means a data protection impact assessment, in accordance with Data Protection Laws.
“FADP” means the Swiss Federal Act on Data Protection, as may be amended from time to time.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information that is related to a Data Subject and is subject to the Data Protection Laws.
“Process,” “Processes” or “Processing” means an action performed upon Personal Data, whether or not automated, including but not limited to collection, recording, use, disclosure, structuring, organization, storage, alteration, adaptation, combination, retrieval, consultation, dissemination, transmission, making available, restriction, destruction, or erasure.
“SCC” means the version of the Standard Contractual Clauses as set out in Module Two (Controller to Processor) for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 found at _______________
“Subprocessor” means a third party authorized by Gordian to Process Personal Data.
“Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
“UK GDPR” means the UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as modified by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
2. INTERPRETATION
2.1 The terms “Controller,” “Data Controller,” “Data Processor,” “international organisation,” and “Processor” have the meanings given to them in the Data Protection Laws (and terms such as “process” have corresponding meanings).
2.2 Any references to Data Protection Laws incorporate references to any laws replacing, amending, extending, re-enacting, or consolidating such Data Protection Laws and the equivalent terms defined in such laws, once in force and applicable.
2.3 This Addendum will automatically terminate upon expiration or termination of the Agreement.
3. ROLES OF THE PARTIES
3.1 The parties acknowledge and agree that, with regard to the Processing of Personal Data, Client is the Controller and Gordian is a Processor.
4. COMPLIANCE WITH DATA PROTECTION LAWS
4.1 Each party shall process Personal Data in compliance with the terms of the Agreement and this Addendum, and the obligations of Data Processors or Data Controllers, as applicable, under Data Protection Laws. Each party shall maintain all relevant regulatory registrations and notifications as required under Data Protection Laws.
4.2 Client represents and warrants that: (a) any Personal Data being provided to or accessed by Gordian for performance of Gordian’s obligations under the Agreement shall be sourced by Client and shared with Gordian in compliance with Data Protection Laws, including regarding collection, storage and processing, which includes Client providing any required fair notice of processing to, and obtaining all necessary consent from, Data Subjects, and (b) instructions given by Client to Gordian in respect of Personal Data shall comply with Data Protection Laws.
4.3 Client shall not unreasonably withhold, delay or condition its agreement to any change reasonably requested by Gordian in order to ensure Gordian (or any Subprocessor) can comply with Data Protection Laws in performing its obligations under the Agreement and this Addendum.
5. DETAILS OF PROCESSING AND INSTRUCTIONS
5.1 If Gordian processes Personal Data on behalf of Client, Gordian shall: (a) process Personal Data only in accordance with Client’s documented instructions as set out in the Agreement and this Addendum, as may be updated from time to time by the parties (“Processing Instructions”), unless otherwise required by Data Protection Laws, (b) if Data Protection Laws require it to process Personal Data other than in accordance with the Processing Instructions, notify, to the extent permitted under Data Protection Laws, Client of any such requirement before so processing the Personal Data, and (c) notify Client if Gordian believes that any Processing Instructions may violate Data Protection Laws, provided, that Client agrees (i) doing so shall be without prejudice to Sections 4.2 and 4.3, and (ii) Gordian shall have no liability for any losses, expenses or liabilities (including any Data Breach Losses) arising from, or in connection with, following the Processing Instructions after the date of Gordian’s notice to Client.
6. TECHNICAL AND ORGANIZATIONAL MEASURES; SECURITY OF PROCESSING
6.1 Gordian shall implement and maintain, at its cost and expense, the technical and organisational measures set forth in Schedule 3 (Security Measures), taking into account the nature of the Processing of Personal Data described in Schedule 1 (Data Processing Details), and designed to ensure the protection of Personal Data and compliance with the terms of this Addendum. For purposes of clause 8.6(a) of the SCC, Client is solely responsible for making an independent determination as to whether the technical and organisational measures set forth in Schedule 3 (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data, as well as the risks to individuals) meet Client’s requirements and provide a level of security appropriate to the risk with respect to its Personal Data. For purposes of clause 8.6(c) of the SCC, Gordian shall notify Client in the manner described in Section 11.
7. SUBPROCESSING
7.1 For the purposes of clause 9(a) of the SCC, the parties agree that Gordian has Client’s general authorisation to engage the Subprocessors listed in Schedule 2, that Client shall be informed of any changes to the Subprocessor list via updates made by Gordian to the website listed in Schedule 2, Client’s failure to object to any such updates within sixty (60) days thereof shall be deemed Client’s consent to such updates, and that in any event, Client’s authorisation shall not be unreasonably withheld, conditioned or delayed. In the case of any reasonable objection by Client, Gordian will use commercially reasonable effort to identify an alternative; provided, that, if no commercially reasonable alternative is available, the parties will meet and confer and mutually negotiate a resolution. Where Gordian enters into EU Processor-to-Processor Transfer Standard Contractual Clauses with a Subprocessor in connection with the provision of the Services, Client hereby grants Gordian and Gordian’s Affiliates authority to provide a general authorisation on Controller’s behalf for the engagement of subprocessors by Subprocessors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such subprocessors. Gordian shall require Subprocessors to ensure that their subprocessors agree to terms that are materially consistent with those set forth in this DPA. Gordian shall be responsible for the acts and omissions of its Subprocessors and appoint Subprocessors under a written contract containing materially the same obligations as are set forth in this DPA.
8. ASSISTANCE AND COMPLIANCE WITH DATA SUBJECT RIGHTS
8.1 For the purposes of clause 11 of the SCC, Gordian shall inform Data Subjects according to Gordian’s privacy notice, a version of which is available at https://www.gordian.com/privacy/. Gordian shall, if legally permitted, promptly refer all Data Subject Requests it receives to the Client as Data Controller and will reasonably assist Client to enable Client to address the Data Subject Requests related to Personal Data. In the event a government or Supervisory Authority requires access to Personal Data, Gordian will promptly notify Client prior to disclosure unless prohibited by law.
9. INTERNATIONAL DATA TRANSFERS
9.1 Client agrees Gordian may transfer Personal Data to countries outside the European Economic Area (EEA) or to any Subprocessor identified in Schedule 2 (or any additional or replacement Subprocessors as described in Section 7) in order to carry out its obligations hereunder; provided, that, any such transfer and any onward transfer shall be in accordance with Data Protection Laws. Client hereby consents to onward transfer, access and processing in accordance with Appropriate Safeguards, including, without limitation, (a) in any third country approved by Commission Decision 2000/518/EC of 26 July 2000 as providing adequate protection for Personal Data by the European Commission from time to time; and/or (b) in compliance with the data importer’s obligations as set out in the applicable clauses set forth at: https://www.gordian.com/standard-contractual-clauses/. The foregoing sentence shall constitute Client’s instructions with respect to international data transfers for the purposes of Data Protection Laws.
9.2 Client and Gordian agree that, if Gordian collects Personal Data under the CCPA, the GDPR, the UK GDPR, or FADP, as applicable, the clauses related to such regulation set forth at: https://www.gordian.com/standard-contractual-clauses/ shall apply.
9.3 Gordian agrees that it shall abide by: (i) the terms of the SCC sections I, II, III and IV (as applicable), in the manner described in Schedules 1, 2 and 3 of this Addendum. The SCC shall apply to Gordian in its role as the “data importer,” and to Client and, to the extent legally required, each of Client’s Authorized Affiliates established within the European Union, the EEA and/or its member states, Switzerland and/or the United Kingdom, in their role as “data exporters.” Client signs this Addendum and the SCC of each data exporter in name and on behalf of such data exporter and shall carry out the obligations of each data exporter set forth in the SCC on behalf of that data exporter.
10. RECORDS, INFORMATION, AND AUDIT
10.1 Gordian shall maintain written records of all categories of processing activities carried out on behalf of the Client in accordance with Data Protection Laws.
10.2 Gordian shall, in accordance with Data Protection Laws, make available to Client such information as is reasonably necessary to demonstrate Gordian’s compliance with its obligations under Data Protection Laws. If that information is not sufficient to demonstrate compliance, subject to the audit rights set out in the Agreement (if any), Gordian shall permit Client and/or its authorized third-party auditor, to review and audit, at Client’s sole cost and expense, the Gordian systems used to provide the Services solely to the extent legally required to demonstrate such compliance.
10.3 Client’s rights under Section 10.2 are subject to Client: (a) giving Gordian reasonable prior notice of any information or audit request, (b) ensuring that all information obtained or generated by Client or its auditor is kept strictly confidential, save for disclosure to the Supervisory Authority or as otherwise required by Data Protection Law, (c) ensuring that any audit is undertaken during normal business hours, with minimal disruption to Gordian’s business or the business of other clients of Gordian, and (d) paying Gordian’s reasonable costs for assisting with the audit.
11. NOTIFICATIONS OF PERSONAL DATA BREACHES AND COMPLAINTS
11.1 In respect of any Data Breach caused by Gordian, Gordian shall, without undue delay: (a) notify Client of the Data Breach; and (b) provide Client with reasonable details of the Data Breach.
11.2 Each party shall, if legally permitted, promptly and in any event within three (3) business days inform the other if it receives a Complaint and provide the other party with reasonable details of such Complaint.
12. DELETION OR RETURN OF PERSONAL DATA; CERTIFICATION
12.1 Gordian shall, within a reasonable period of time following receipt of Client’s written request received within thirty (30) days following termination of the Agreement, either delete, overwrite or return all Personal Data to Client, and delete or overwrite any other copies thereof, unless storage is required by applicable law and, if so, Gordian shall inform Client of any such requirement. Gordian shall provide the certification of deletion of Personal Data described in clauses 8.5 and 16(d) of the SCC to Client promptly following its completion of such activities.
13. MISCELLANEOUS
13.1 This Addendum, together with the Agreement, and any incorporated documents, constitutes the entire agreement of the parties and supersedes any previous agreement with respect to the subject matter hereof. If any provision of this Addendum shall be held to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not in any way be affected or impaired. Any waiver of a party’s rights or remedies hereunder must be in writing to be effective. Any liabilities arising hereunder shall be subject to the limitations of liability in the Agreement. No failure of either party to exercise or enforce any rights hereunder shall act as a waiver of such rights. The governing law under clause 17 of the SCC shall be the law designated in the Governing Law section of Schedule 1. The courts under clause 18 of the SCC shall be those designated in the Choice of Forum and Jurisdiction section of Schedule 1. This Addendum may be executed in counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same agreement.
IN WITNESS WHEREOF, the parties’ duly authorized representatives agree to the terms and conditions of this Agreement.
CLIENT
Client Name: ____________________________
Sign: ___________________________________
Print Name: _____________________________
Title: ___________________________________
Date: ___________________________________
GORDIAN
Sign: ___________________________________
Print Name: _____________________________
Title: ___________________________________
Date: ___________________________________
SCHEDULE 1
DATA PROCESSING DETAILS
1. LIST OF PARTIES
Data Exporter: Client and its Authorized Affiliates
Address and Contact Person: As specified in the Agreement
Activities relevant to the data transferred: Performance of the Services pursuant to the Agreement
Signature and date: As of the Effective Date of the Agreement
Role: Controller
Data Importer: Gordian, LLC
Address and Contact Person: As specified in the Agreement or [email protected]
Activities relevant to the data transferred: Performance of the Services pursuant to the Agreement
Signature and date: As of the Effective Date of the Agreement
Role: Processor
2. CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS TRANSFERRED:
Client may submit Personal Data to the Services, the extent of which is controlled by Client in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
- Client’s employees, agents, contractors, consultants, freelancers, temporary staff, contingent workers, advisors and/or partners (who are natural persons)
- Natural persons who consume Client’s services, such as students, tenants or customers of Client
- Client’s users who are authorized by Client to use the Services
- Client’s prospects, customers, business partners, suppliers and vendors (who are natural persons)
- Employees or contact persons of Client’s prospects, customers, business partners, suppliers and vendors
3. CATEGORIES OF PERSONAL DATA TRANSFERRED:
First and last name, job title, job position, contact information (e.g., company, email, phone number, physical address, username, login credentials, operator / license / certification numbers, ID data, IP addresses, login / logout times, persistent online identifiers (e.g., cookies), professional life / employment management data, pictures, voice / screen recordings, personal life data, location/localisation data, and unique identifiers or personal data contained in help requests, webchat / messaging requests, free text fields and other records.
4. SENSITIVE DATA TRANSFERRED (IF APPLICABLE):
The Services generally do not require any transmission or processing of sensitive data, unless the Data Exporter chooses to share such information in its sole discretion, such as through messaging requests, free text fields and other records.
5. FREQUENCY OF THE TRANSFER:
On a continuous basis depending on the use of the Services by Client.
6. NATURE OF THE PROCESSING; PURPOSE OF THE DATA TRANSFER AND FURTHER PROCESSING:
Gordian (and its Subprocessors) will process Personal Data as necessary in the provision and performance of, and in monitoring and ensuring the security of, the applicable Services pursuant to the Agreement and as further instructed by the Client in its use of the Services.
7. THE PERIOD FOR WHICH THE PERSONAL DATA WILL BE RETAINED:
Until its deletion in accordance with the provisions of the Agreement, unless otherwise agreed in writing.
8. SUBPROCESSOR TRANSFERS:
See Schedule 2 for the list of approved Subprocessors. As specified above.
9. COMPETENT SUPERVISORY AUTHORITY
The supervisory authority applicable to the data exporter by data exporter’s location or registration. Name and contact details of such supervisory authority to be disclosed by the data exporter without undue delay upon the data importer’s request. The data importer is subject to the authority of the United Kingdom, as to data subjects from the United Kingdom (UK) and UK GDPR, and the Netherlands, as to data subjects of the European Economic Area (EEA) and GDPR.
10. TECHNICAL AND ORGANISATIONAL MEASURES
As set forth in Schedule 3.
11. GOVERNING LAW
The governing law shall be the law of the EU Member State in which the data exporter is established. In the event the data exporter is not established in an EU Member State, the SCC will be governed by: (i) if the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom; (ii) if the Agreement is governed by the laws of Switzerland, the laws of Switzerland; or (iii) the laws of the Netherlands.
12. CHOICE OF FORUM AND JURISDICTION
The choice of forum shall be the country designated pursuant to the preceding section and jurisdiction shall lie with the courts of such country.
SCHEDULE 2
APPROVED SUBPROCESSORS
A list of Gordian’s third party subprocessors can be found at _______________________
SCHEDULE 3
SECURITY MEASURES
DESCRIPTION OF TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES IMPLEMENTED BY GORDIAN
Technical Measures to Ensure Security of Processing
1. Inventory and Control of Hardware Assets
Actively manage all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
2. Inventory and Control of Software Assets
Actively manage all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
3. Continuous Vulnerability Management
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
4. Controlled Use of Administrative Privileges
Maintain processes and tools to track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, applications, and data.
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Implement and manage the security configuration of mobile devices, laptops, servers, and workstations using a configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
6. Maintenance, Monitoring, and Analysis of Audit Logs
Collect, manage, and analyze audit and security logs of events that could help detect, understand, or recover from a possible attack.
7. Email and Web Browser Protections
Deploy automated controls to minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems or content.
8. Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
9. Limitation and Control of Network Ports, Protocols, and Services
Manage (track, control, correct) the ongoing operational use of ports, protocols, services, and applications on networked devices in order to minimize windows of vulnerability and exposure available to attackers.
10. Data Recovery Capabilities
Maintain processes and tools to properly back up personal data with a proven methodology to ensure the confidentiality, integrity, availability, and recoverability of that data.
11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Implement and manage the security configuration of network infrastructure devices using a configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
12. Boundary Defenses
Detect, prevent, and correct the flow of information transferring between networks of different trust levels, with a focus on personal data.
13. Data Protection
Maintain processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the confidentiality and integrity of personal data.
14. Controlled Access Based on the Need to Know
Maintain processes and tools to track, control, prevent, and correct secure access to critical or controlled assets (e.g. information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical or controlled assets based on an approved classification.
15. Wireless Access Control
Maintain processes and tools to track, control, prevent, and correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems.
16. Account Monitoring and Control
Actively manage the life cycle of system and application accounts, their creation, use, dormancy, and deletion in order to minimize opportunities for unauthorized, inappropriate, or nefarious use.
Organisational Measures to Ensure Security of Processing
1. Implement a Comprehensive Information Security Programme
Through the implementation of a Comprehensive Information Security Program (CISP), maintain various administrative safeguards to protect personal data. These measures are designed to ensure:
- security, confidentiality, and integrity of personal data
- protection against unauthorized access to or use of (stored) personal data in a manner that creates a substantial risk of identity theft or fraud
- that employees, contractors, consultants, temporaries, and other workers who have access to personal data only process such data on instructions from the data controller.
2. Implement a Security Awareness and Training Programme
For all functional roles (prioritizing those mission critical to the business, its security, and the protection of personal data), identify the specific knowledge, skills and abilities needed to support the protection and defense of personal data; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
3. Application Software Security
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
4. Incident Response and Management
Protect the organization’s information, including personal data, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight, retainers, and insurance) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the organization’s network and systems.
5. Security and Privacy Assessments, Penetration Tests, and Red Team Exercises
Test the overall strength of the organization’s defense (the technology, processes, and people) by simulating the objectives and actions of an attacker; as well as assess and validate the controls, policies, and procedures of the organization’s privacy and personal data protections.
6. Physical Security and Entry Control
Require that all facilities meet the highest level of data protection standards possible, and reasonable, under the circumstances relevant to the facility and the data it contains, processes, or transmits.