SoftwareKey Data Processing Addendum

Last Updated: 12/08/2021

Controller to Processor

This SoftwareKey Data Processing Addendum (the “Addendum”), including its three exhibits, is entered into by and between Concept Software, Inc. DBA SoftwareKey.com, a corporation incorporated under the laws of Ohio (“SoftwareKey”), and you (the “Client”) (each, a “Party” and, collectively, the “Parties”).

This Addendum is effective as of the date you agree to it (the “Effective Date”) by checking the box and clicking the “I Accept” button in the applicable online form or webpage that makes reference to this Addendum.

RECITALS

WHEREAS, the Parties entered into the Instant SOLO Server Terms of Service (the “Service Agreement”) and have retained the power to alter, amend, revoke, or terminate the Service Agreement, as provided in the Service Agreement;

WHEREAS, in the course of providing its Services pursuant to the Service Agreement, SoftwareKey Processes certain Client Personal Data;

WHEREAS, the Parties now wish to amend the Service Agreement to ensure that such Client Personal Data is Processed in compliance with applicable data protection principles and legal requirements.

WHEREAS, the Parties agree that in the event of any conflict between the Service Agreement (including any annexes and appendices thereto) and this Addendum, the provisions of this Addendum shall control;

NOW, THEREFORE, in consideration of the mutual agreements set forth in this Addendum, the Parties agree as follows:

1. Definitions.

1.1. Capitalized definitions not otherwise defined herein shall have the meaning given to them in the Service Agreement. Except as modified or supplemented below, the definitions of the Service Agreement shall remain in full force and effect.

1.2. For the purpose of interpreting this Addendum, the following terms (and their applicable cognates) shall have the meanings set out below:

(a) “Affiliate” means any entity within a controlled group of companies that directly or indirectly, through one or more intermediaries, is controlling, controlled by, or under common control with one of the Parties.

(b) “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Client Personal Data specified in Exhibit B hereto.

(c) “Client” means the party that has entered into this Addendum with SoftwareKey, as indicated in the opening paragraph of this Addendum, including all Affiliates of that entity that are also bound by the Service Agreement, if any.

(d) “Client Personal Data” means any information relating to an identified or identifiable natural person (a “Data Subject”) Processed by SoftwareKey or a Contracted Processor on behalf of Client pursuant to or in connection with the Service Agreement. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

(e) “Contracted Processor” means any third party appointed by or on behalf of SoftwareKey to Process Client Personal Data on behalf of Client in connection with the Service Agreement.

(f) “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Client Personal Data.

(g) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 “on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC,” as may be amended from time to time (General Data Protection Regulation).

(h) “Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data which SoftwareKey Processes on behalf of Client in connection with the Service Agreement.

(i) “Personal Data Recipient” means SoftwareKey, a Contracted Processor, or both collectively.

(j) “Processing” (and any cognate terms) means any operation or set of operations which is performed on Client Personal Data or on sets of Client Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

(k) “Processor” means a natural or legal person, public authority, agency, or other body which Processes Client Personal Data on behalf of a Controller.

(l) “Restricted Transfer” means a Restricted Transfer of EEA Personal Data or a UK Restricted Transfer, as such terms are defined in Exhibit B.

(m) “Services” means the services and other activities to be supplied to or carried out by or on behalf of SoftwareKey for Client pursuant to the Service Agreement.

(n) “Standard Contractual Clauses” means the 2021 EU Standard Contractual Clauses or the 2010 EU Standard Contractual Clauses, as such terms are defined in Exhibit B.

2. Applicability.

2.2. This Addendum will apply to the Processing of all Client Personal Data which is regulated by Applicable Data Protection Laws.

3. Processing of Client Personal Data.

3.1. In the context of this Addendum and its exhibits, with regard to the Processing of Client Personal Data, Client acts as a Controller and SoftwareKey acts as a Processor.

3.2. SoftwareKey shall:

(a) comply with all Applicable Data Protection Laws in the Processing of Client Personal Data;

(b) Process Client Personal Data solely on Client’s relevant documented instructions (including with regard to international transfers of Client Personal Data), unless such Processing is required by Applicable Data Protection Laws to which the relevant Personal Data Recipient is subject, in which case SoftwareKey shall, to the extent permitted by Applicable Data Protection Laws, inform Client of that legal requirement before the respective act of Processing of that Client Personal Data;

(c) only conduct transfers of Client Personal Data in compliance with the Applicable Data Protection Laws;

(d) not retain, delete, or otherwise Process Client Personal Data contrary to or in the absence of the direct instructions of Client, provided, however, that Client expressly and irrevocably authorizes such retention, deletion, or other Processing if and to the extent required or allowed by Applicable Data Protection Laws; and

(e) immediately inform Client in the event that, in SoftwareKey’s opinion, a Processing instruction given by Client may infringe Applicable Data Protection Laws.

3.3. Client shall provide all information related to Processing of the Client Personal Data which is applicable to Client, requested in the form located within the Privacy Options & GDPR page in the Instant SOLO Server Author Account Administration web application (the “Application”). Client can access the Privacy & GDPR Options page by navigating to the Configure menu in the Application and selecting the Privacy & GDPR Options. Client shall promptly update, when necessary, all such information, and keep all such information complete and up to date.

3.4. Client instructs SoftwareKey (and authorizes SoftwareKey to instruct each Contracted Processor it engages) to Process Client Personal Data, and in particular, transfer Client Personal Data to any country or territory, only as reasonably necessary for the provision of the Services and consistent with the Service Agreement and this Addendum.

3.5. Client represents and warrants that it has all necessary rights to provide Client Personal Data to SoftwareKey for the purpose of Processing such data within the scope of this Addendum and the Service Agreement.

4. SoftwareKey Personnel.

4.1. SoftwareKey shall take reasonable steps to ensure the reliability of any of its employees, agents, or contractors who may have access to Client Personal Data.

4.2. SoftwareKey shall ensure that access to Client Personal Data is strictly limited to those individuals who need to know or access the relevant Client Personal Data, as strictly necessary to fulfill the documented Processing instructions given to SoftwareKey by Client or to comply with Applicable Data Protection Laws.

4.3. SoftwareKey shall ensure that all such individuals are subject to formal confidentiality undertakings, professional obligations of confidentiality, or statutory obligations of confidentiality.

5. Security of Processing.

5.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, SoftwareKey shall, with regard to Client Personal Data, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to that risk, as well as assist Client with regard to ensuring compliance with Client’s obligations pursuant to Applicable Data Protection Laws.

5.2. In assessing the appropriate level of security, SoftwareKey shall take account, in particular, of the risks that are presented by the nature of such Processing activities, and particularly those related to possible Personal Data Breaches.

5.3. Client is responsible for reviewing the information made available by SoftwareKey relating to data security and making an independent determination as to whether the Services meet Client’s requirements and legal obligations under Applicable Data Protection Laws. Client acknowledges that the security measures are subject to technical progress and development and that SoftwareKey may update or modify the security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by Client.

5.4. Notwithstanding the above, Client agrees that, except as provided by this Addendum, Client is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Client Personal Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or back up any Client Personal Data uploaded to the Services.

6. Subprocessing.

6.1. Client authorizes SoftwareKey to appoint (and permit each Contracted Processor appointed in accordance with this Section 6 to appoint) Contracted Processors in accordance with this Section 6 and any possible further restrictions, as set out in the Service Agreement, as the case may be.

6.2. SoftwareKey may continue to use those Contracted Processors already engaged by SoftwareKey as of the Effective Date, subject to SoftwareKey meeting the obligations set out in Section 6.4. The list of SoftwareKey’s Contracted Processors as of the Effective Date is located at: https://www.softwarekey.com/resources/subprocessors/.

6.3. Client consents to SoftwareKey engaging additional Contracted Processors, provided that SoftwareKey maintains an up-to-date list of its Contracted Processors at the link within Section 6.2 and gives Client prior written notice of the appointment of any new Contracted Processor, by way of updating the list of SoftwareKey’s Contracted Processors. If, within 14 days of SoftwareKey updating the list of Contracted Processors, Client notifies SoftwareKey in writing of any reasonable objections to the proposed new appointment, SoftwareKey shall not appoint, or disclose any Client Personal Data to, that proposed Contracted Processor until reasonable steps have been taken to address the objections raised by Client and, in turn, Client has been provided with a reasonable written explanation of the steps taken to account for any such objections. If Client, nevertheless, objects to the proposed appointment, it shall be entitled to terminate the Service Agreement as a remedy.

6.4. With respect to each Contracted Processor, SoftwareKey shall:

(a) carry out adequate due diligence to ensure that the Contracted Processor is capable of providing the level of protection and security for Client Personal Data required by this Addendum, the Service Agreement, and Applicable Data Protection Laws before the Contracted Processor first Processes Client Personal Data or, where applicable, in accordance with Section 6.2; and

(b) where required under the terms of Exhibit B, ensure that the arrangement between SoftwareKey and the prospective Contracted Processor is governed by a written contract that includes terms which offer at least the same level of protection for Client Personal Data as those set out in this Addendum (excluding its exhibits) to the extent specified by the applicable terms of Exhibit C.

7. Rights of the Data Subjects.

7.1. Taking into account the nature of the Processing, SoftwareKey shall assist Client by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client’s obligations in responding to requests to exercise rights of the Data Subjects under the Applicable Data Protection Laws.

7.2. With regard to the rights of the Data Subjects within the scope of this Section 7, SoftwareKey shall:

(a) promptly notify Client if any Personal Data Recipient receives a request from a Data Subject under any Applicable Data Protection Laws with respect to Client Personal Data; and

(b) ensure that the Personal Data Recipient does not respond to that request, except on the documented instructions of Client, or as required by Applicable Data Protection Laws to which the Personal Data Recipient is subject, in which case SoftwareKey shall, to the extent permitted by Applicable Data Protection Laws, inform Client of that legal requirement before the Personal Data Recipient responds to the request.

(c) Client shall provide SoftwareKey with instructions to respond to the request within five (5) days from the day SoftwareKey notified Client of the request. If Client does not provide such instructions within five (5) business days, SoftwareKey shall be authorized to provide Client’s contact details to the Data Subject in order to allow the Data Subject to submit their request directly to Client.

8. Personal Data Breach.

8.1. SoftwareKey shall notify Client without undue delay upon SoftwareKey becoming aware of a Personal Data Breach affecting Client Personal Data under SoftwareKey’s direct control or upon SoftwareKey being notified of a Personal Data Breach affecting Client Personal Data under the direct control of a Contracted Processor. The notification shall provide Client with sufficient information to allow Client to meet any applicable obligations pursuant to Applicable Data Protection Laws, such as to report to the supervisory authorities or any other competent authorities, or inform the Data Subjects of the Personal Data Breach.

8.2. SoftwareKey shall co-operate with Client and take all reasonable commercial steps to assist Client in the investigation, mitigation, and remediation of each such Personal Data Breach.

8.3. SoftwareKey’s notification of or response to a Personal Data Breach under this Section 8 will not be construed as an acknowledgement by SoftwareKey of any fault or liability with respect to the Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation.

9.1. SoftwareKey shall provide Client with relevant information and documentation with regard to any data protection impact assessments and prior consultations with supervisory authorities when Client reasonably considers that such data protection impact assessments or prior consultations are required pursuant to Applicable Data Protection Laws, but in each such case, solely with regard to Processing of Client Personal Data by, and taking into account the nature of the Processing and information available to, the respective Personal Data Recipient.

10. Deletion or Return of Client Personal Data.

10.1. SoftwareKey shall provide Client with the technical means, consistent with the way the Services are provided, to request the deletion of Client Personal Data upon the request of Client unless Applicable Data Protection Laws require storage of any such Client Personal Data.

10.2. SoftwareKey shall promptly, following the date of cessation of Services involving the Processing of Client Personal Data, at the choice of Client, delete or return all Client Personal Data to Client, as well as delete existing copies, unless applicable laws require storage of any such Client Personal Data.

11. Audit Rights.

11.1. Where Client is entitled to and desires to review SoftwareKey’s compliance with the Applicable Data Protection Laws, Client may request, and SoftwareKey will provide (subject to obligations of confidentiality) relevant documentation or any relevant audit report SoftwareKey might have been issued. If Client, after having reviewed such documentation, still reasonably deems that it requires additional information, SoftwareKey shall further reasonably assist and make available to Client, upon a written request and subject to obligations of confidentiality, all other information (excluding legal advice) and/or documentation necessary to demonstrate compliance with this Addendum and the obligations pursuant to the Applicable Data Protection Laws (Articles 32 to 36 of the GDPR in particular). SoftwareKey shall allow for and contribute to audits, including remote inspections of the Services, by Client or an auditor selected by Client (and subject to obligations of confidentiality) with regard to the Processing of Client Personal Data by SoftwareKey, provided that such auditor is not a competitor of SoftwareKey.

11.2. SoftwareKey shall provide the assistance described in this Section 11, insofar as in SoftwareKey’s reasonable opinion, such audits and the specific requests of Client do not interfere with SoftwareKey’s business operations or cause SoftwareKey to breach any legal or contractual obligation to which it is subject.

11.3. Client agrees to pay SoftwareKey, upon receipt of invoice, a reasonable fee based on the time spent, as well as to account for the materials expended, in relation to Client exercising its rights under this Section 11 or the Standard Contractual Clauses.

12. Jurisdiction Specific Terms.

12.1. To the extent SoftwareKey Processes Client Personal Data originating from, or protected by, Applicable Data Protection Laws in one of the jurisdictions listed in Exhibit B, then the terms and definitions specified in Exhibit B with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) shall apply in addition to the terms of this Addendum.

12.2. SoftwareKey may update Exhibit B from time to time to reflect changes in or additions to Applicable Data Protection Laws to which SoftwareKey is subject. If SoftwareKey updates Exhibit B, it will provide the updated Exhibit B to Client. If Client does not object to the updated Exhibit B within fourteen (14) days of receipt, Client will be deemed to have consented to the updated Exhibit B.

12.3. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will prevail.

13. International Data Transfers.

13.1. International transfers of Client Personal Data within the scope of this Addendum shall be conducted in accordance with the applicable terms and requirements of Exhibit B.

13.2. Where the Standard Contractual Clauses (as defined under Exhibit B) are the applicable data transfer mechanism according to the terms and requirements set out in Exhibit B, the applicable module of the Standard Contractual Clauses will be the module applicable to the role of the Parties as described in Section 3.1.

13.3. SoftwareKey may update Exhibits A and C from time to time to reflect changes in or additions necessary to conclude the Standard Contractual Clauses. Without limiting the generality of the foregoing, if the execution of a new version of the Standard Contractual Clauses promulgated by the European Commission is later required in order for the Parties to rely on such instrument as a lawful mechanism for Restricted Transfers, the Parties are deemed to have agreed to the new version of the Standard Contractual Clauses by signing this Addendum, and if necessary, SoftwareKey shall be entitled to update Exhibits A and C accordingly.

13.4. SoftwareKey may update Exhibit C from time to time to provide for additional safeguards to Client Personal Data subject to Restricted Transfers. If SoftwareKey updates Exhibit C, it will provide the updated Exhibit C to Client. If Client does not object to the updated Exhibit C within fourteen (14) days of receipt, Client will be deemed to have consented to the updated Exhibit C.

14. No Selling of Personal Data.

14.1. SoftwareKey acknowledges and confirms that it does not receive any Client Personal Data as consideration for any services or other items that SoftwareKey provides to Client. Client retains all rights and interests in Client Personal Data. Client agrees to refrain from taking any action that would cause any transfers of Client Personal Data to or from SoftwareKey to qualify as selling Client Personal Data under Applicable Data Protection Laws.

15. Indemnification.

15.1. Client agrees to indemnify and hold harmless SoftwareKey and its officers, directors, employees, agents, Affiliates, successors, and permitted assigns against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind which SoftwareKey may sustain as a consequence of the breach by Client of its obligation pursuant to the Applicable Data Protection Laws.

16. General Terms.

16.1. This Addendum supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations and agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between SoftwareKey and Client in connection with the Service Agreement.

16.2. All clauses of the Service Agreement that are not explicitly amended or supplemented by the clauses of this Addendum shall remain in full force and effect and shall apply, so long as this does not contradict compulsory requirements of Applicable Data Protection Laws under this Addendum.

16.3. In the event of any conflict between the Service Agreement (including any annexes, exhibits, and appendices thereto) and this Addendum, the provisions of this Addendum shall prevail, except in such cases where the applicable Jurisdiction Specific Terms will apply and take precedence, as discussed in Section 12.3 above.

16.4. Should any provision of this Addendum be found invalid or unenforceable, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the Addendum will continue in effect.

16.5. If SoftwareKey determines that it can no longer meet any of its obligations in accordance with this Addendum, its exhibits, or the Standard Contractual Clauses (where applicable), it shall promptly notify Client of that determination and cease the Processing or take other reasonable and appropriate steps to remediate.

16.6. If you are accepting the terms of this Addendum on behalf of an entity, you represent and warrant to SoftwareKey that you have the authority to bind that entity and its Affiliates, where applicable, to the terms and conditions of this Addendum.

17. EU Representative.

17.1. The European Union Representative of SoftwareKey pursuant to Article 27 of the GDPR is:

VeraSafe Ireland Ltd
Unit 3D North Point House,
North Point Business Park,
New Mallow Road, Cork T23AT2P
Ireland

Phone: +1-617-398-7067

Contact form:

https://www.verasafe.com/privacy-services/contact-article-27-representative/

Exhibit A


Details of Processing

1. Further details of the Processing, in addition to those laid down in the Service Agreement and this Addendum, include:

1.1. The subject matter of the Processing of Client Personal Data is:

(a) The subject matter of the Processing of Client Personal Data pertains to the provision of Services, as requested by Client.

1.2. The duration of the Processing of Client Personal Data is:

(a) The duration of the Processing of Client Personal Data is generally determined by Client and is further subject to the terms of this Addendum and the Service Agreement, respectively, in the context of the contractual relationship between SoftwareKey and Client.

1.3. The nature and purpose of the Processing of Client Personal Data are:

(a) The purpose of Processing of Client Personal Data pertains to the provision of software licensing solutions services, as requested by Client. The nature of such Processing is related to these purposes and is elaborated on in this Addendum and the Service Agreement.

1.4. The categories of Client Personal Data to be Processed are:

(a) Biographical information (such as first and last name);

(b) Professional information (such as role/job title and company name);

(c) Contact information (such as email address, physical address, phone number, and username);

(d) Computer fingerprint information (such as MAC addresses);

(e) Web analytics data (such as session and persistent cookies); and

(f) Information voluntarily provided by the Data Subjects in free-text boxes.

1.5. The Special Categories of Client Personal Data to be Processed (if appropriate) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved (such as, for instance, purpose limitation, access restrictions, keeping a record of access to the data, restrictions for onward transfers, or additional security measures) are:

(a) No special categories of Personal Data are to be Processed.

1.6. The categories of Data Subjects to whom the Client Personal Data relates are:

(a) Client’s customers who purchase and use the software solution.

1.7. The basic Processing activities to which the Client Personal Data will be subject include, without limitation:

(a) Collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to Client in accordance with the terms of the Service Agreement.

1.8. Description of the technical and organizational security measures implemented by SoftwareKey:

(a) SoftwareKey has implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect Client Personal Data from unauthorized Processing such as unauthorized access, disclosure, alteration, or destruction.

1.9. Frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):

(a) The frequency of the transfer of Client Personal Data is determined by Client. Client Personal Data may be transferred each time that Client instructs SoftwareKey to process Client Personal Data.

1.10. Maximum data retention periods, if applicable:

(a) The retention period of Client Personal Data is generally determined by Client and is subject to the term of this Addendum and the Service Agreement, respectively, in the context of the contractual relationship between SoftwareKey and Client.

1.11. Further processing:

(a) SoftwareKey shall not carry out any further Processing of Client Personal Data beyond the provision of the Services under the Service Agreement.

1.12. The following is deemed an instruction by Client to Process Client Personal Data:

(a) Processing in accordance with the Service Agreement.

(b) Processing initiated by Data Subjects in their use of the Services.

(c) Processing to comply with other reasonable documented instructions provided by Client (e.g., via email) where such instructions are consistent with the terms of the Service Agreement.

Exhibit B


Jurisdiction Specific Terms

1. European Economic Area

1.1. Definitions

(a) “2021 EU Standard Contractual Clauses” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/679 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

(b) “EEA” means the European Economic Area, consisting of the EU Member States, and Iceland, Liechtenstein, and Norway.

(c) “Restricted Transfer of EEA Personal Data” (as used in this Section) means any transfer of Client Personal Data subject to the GDPR which is undergoing Processing or is intended for Processing after transfer to a Third Country (as defined below) or an international organization (including data storage on foreign servers).

(d) “Standard Contractual Clauses” (as used in the Addendum) includes the 2021 EU Standard Contractual Clauses.

(e) “Third Country” means a country outside of the EEA.

1.2. Agreements with Contracted Processors

(a) SoftwareKey shall ensure that the arrangement between SoftwareKey and any prospective Contracted Processor is governed by a written contract that includes data protection obligations that offer at least the same level of protection for Client Personal Data as those set out under the Addendum (excluding its exhibits) and this Section 1. Client agrees that older versions of the Standard Contractual Clauses concluded between SoftwareKey and Contracted Processor offer at least the same level of protection for Client Personal Data as those set out under the Addendum (excluding its exhibits) and this Section 1.

1.3. Restricted Transfers of EEA Personal Data

(a) With regard to any Restricted Transfer of EEA Personal Data from Client to SoftwareKey within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:

i. A valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR that provides that the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Client Personal Data is to be transferred ensures an adequate level of data protection.

ii. The 2021 EU Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 46 of the GDPR).

iii. Any other lawful data transfer mechanism, as laid down in the GDPR, as the case may be.

(b) This Addendum hereby incorporates by reference the 2021 EU Standard Contractual Clauses, provided that the content of Annex I and Annex II of the Standard Contractual Clauses is set forth in Exhibit A to this Addendum. The Parties are deemed to have accepted, executed, and signed the 2021 EU Standard Contractual Clauses where necessary in their entirety (including the annexes thereto). For the purpose of the 2021 EU Standard Contractual Clauses:

i. SoftwareKey shall be deemed the “data importer” and Client the “data exporter.”

ii. The text contained in Exhibit C to this Addendum serves to supplement the 2021 EU Standard Contractual Clauses.

iii. The Parties agree to apply module two of the 2021 EU Standard Contractual Clauses.

iv. The Parties elect not to include Clause 7 of the 2021 EU Standard Contractual Clauses.

v. With respect to Clause 9, the Parties select the “Option 2 General Written Authorization” and the time period set forth in Section 6.3 of this Addendum.

vi. With respect to Clause 11, the Parties agree not to provide the right to lodge a complaint with an independent dispute resolution body.

vii. With respect to Clause 13 and Annex I.C, the competent supervisory authority is the Data Protection Commission (Ireland).

viii. With respect to Clause 17, the Parties select, under Option 1, the law of the Republic of Ireland.

ix. With respect to Clause 18, the Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.

x. In cases where the 2021 EU Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the 2021 EU Standard Contractual Clauses, the terms of the 2021 EU Standard Contractual Clauses shall prevail.

2. United Kingdom

2.1. Definitions

(a) “2010 EU Standard Contractual Clauses” (as used in the Addendum and this Section) means the contractual clauses adopted by Decision of the European Commission of 5 February 2010 (decision 2010/87/EU) for the purpose of adducing adequate protection of Client Personal Data transferred from a Controller to a Processor established in a third country, where the legislation in such third country has not been deemed to provide an adequate level of data protection.

(b) “Applicable Data Protection Laws” (as used in the Addendum) includes the Data Protection Act 2018 and when in full force and effect, the UK GDPR (as defined below).

(c) “Standard Contractual Clauses” (as used in the Addendum) includes the 2010 EU Standard Contractual Clauses.

(d) “Third Country” (as used in this Section) means a country outside of the UK.

(e) “UK GDPR” (as used in this Section) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 “on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation)” as has been amended, adopted, and forming part of the law of England, Wales, Scotland, and Northern Ireland by virtue of Section 3 of the European Union (Withdraw) Act 2020.

(f) “UK Restricted Transfer” (as used in this Section) includes any transfer of Client Personal Data (including data storage in foreign servers) subject to the UK GDPR to a Third Country or an international organization.

2.2. Agreements with Contracted Processors

(a) SoftwareKey shall ensure that the arrangement between SoftwareKey and any prospective Contracted Processor is governed by a written contract that includes data protection obligations that offer at least the same level of protection for Client Personal Data as those set out under the Addendum and this Section 2. Client agrees that agreements between SoftwareKey and Contracted Processor that do not specifically include Client Personal Data governed by the UK GDPR provide data protection obligations compatible with those of SoftwareKey under the Addendum and this Section 2.

2.3. UK Restricted Transfers

(a) With regard to any UK Restricted Transfer from Client to SoftwareKey within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:

i. A valid adequacy decision pursuant to the requirements under the UK GDPR and the Data Protection Act 2018 that provides that the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Client Personal Data is to be transferred ensures an adequate level of data protection.

(b) The 2010 EU Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under the UK GDPR and the Data Protection Act 2018).

(c) Any other lawful basis, as laid down in the UK GDPR and the Data Protection Act 2018, as the case may be.

2.4. Standard Contractual Clauses

(a) This Addendum hereby incorporates by reference the Standard Contractual Clauses (updated from time to time if required by law or at the choice of SoftwareKey to reflect the latest version promulgated by the European Commission), provided that the content of Appendices 1 and 2 of the Standard Contractual Clauses is set forth in Exhibit A to this Addendum. For the purpose of the 2010 EU Standard Contractual Clauses and this Section, Client shall be deemed the “data exporter” and SoftwareKey the “data importer”. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the Appendices thereto, including the “Illustrative Indemnification Clause” as an operative clause, and including the terms of Exhibit C).

(b) In cases where the 2010 EU Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the 2010 EU Standard Contractual Clauses, the terms of the 2010 EU Standard Contractual Clauses shall prevail.

Exhibit C


Supplemental Terms to the Standard Contractual Clauses

By this Exhibit C (this “Exhibit”), the Parties provide additional safeguards and redress to the Data Subjects whose Client Personal Data is transferred pursuant to Standard Contractual Clauses. This Exhibit supplements and is made part of, but is not in variation or modification of, the Standard Contractual Clauses that may be applicable to the Restricted Transfer.

1. Applicability of this Exhibit

1.1. This Exhibit only applies with respect to Restricted Transfers of EEA Personal Data and UK Restricted Transfers of Client Personal Data when the Parties have concluded the Standard Contractual Clauses pursuant to the Addendum and its exhibits.

2. Definitions

2.1. For the purpose of interpreting this Exhibit, the following terms shall have the meanings set out below:

(a) “Data Importer” and “Data Exporter” shall have the same meaning provided under the Standard Contractual Clauses.

(b) “Disclosure Request” means any request from law enforcement authority or other governmental authority with competent authority and jurisdiction over the Data Importer for disclosure of Client Personal Data processed under the Addendum.

(c) “EO 12333” means the U.S. Executive Order 12333.

(d) “FISA” means the U.S. Foreign Intelligence Surveillance Act.

(e) “Schrems II Judgment” means the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems.

3. Applicability of Surveillance Laws to Data Importer

3.1. U.S. Surveillance Laws

(a) SoftwareKey (hereinafter, “Data Importer”) represents and warrants that, as of the Effective Date, it has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II judgment.

(b) Data Importer represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:

i. No court has found Data Importer to be an entity eligible to receive process issued under FISA Section 702: (A) an “electronic communication Data Importer” within the meaning of 50 U.S.C. § 1881(b)(4); or (B) a member of any of the categories of entities described within that definition.

ii. If Data Importer were to be found eligible for process under FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II judgment.

(c) EO 12333 does not provide the U.S. government the ability to order or demand that Data Importer provide assistance for the bulk collection of information and Data Importer shall take no action pursuant to U.S. Executive Order 12333.

3.2. General Provisions About Surveillance Laws Applicable to Data Importer

(a) Data Importer commits to provide, upon request, information about the laws and regulations in the destination countries of the transferred data applicable to Data Importer that would permit access by public authorities to the transferred Client Personal Data, in particular in the areas of intelligence, law enforcement, or administrative and regulatory supervision applicable to the transferred Client Personal Data. In the absence of laws governing the public authorities’ access to Client Personal Data, Data Importer shall provide Data Exporter with information and statistics based on the experience of Data Importer or reports from various sources (such as partners, open sources, national case law, and decisions from oversight bodies) on access and Disclosure Requests by public authorities to Client Personal Data in situations similar to the Restricted Data Transfer. Data Importer may choose the means to provide the information.

(b) Data Importer shall monitor any legal or policy developments that might lead to its inability to comply with its obligations under the Standard Contractual Clauses and this Exhibit, and promptly inform Data Exporter of any such changes and developments. When possible, Data Exporter shall inform Data Exporter of any such changes and developments ahead of their implementation.

4. Obligation on Data Importer Related to Orders for Compelled Disclosure of Personal Data

4.1. In the event Data Importer receives an order from any third party for compelled disclosure of any Client Personal Data that has been transferred under the Standard Contractual Clauses, Data Importer shall comply with the following, unless prohibited under the law applicable to Data Importer:

(a) Promptly (and, when possible, before granting access to the transferred Client Personal Data) notify Data Exporter, unless prohibited by law, or, if prohibited from notifying Data Exporter, Data Importer shall use all lawful efforts to obtain the right to waive the prohibition to communicate information relating to the order to Data Exporter as soon as possible. This includes, but is not limited to, informing the requesting public authority of the incompatibility of the order with the safeguards contained in Standard Contractual Clauses and the resulting conflict of obligations for Data Importer and documenting this communication.

(b) Use every reasonable effort to redirect the third party requesting the disclosure of any Client Personal Data that has been transferred to Data Importer directly to Data Exporter.

(c) Use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the European Union or applicable EEA Member State law or any other Applicable Data Protection Law. For the purpose of this Exhibit, lawful efforts do not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.

(d) Seek interim measures with a view to suspend the effects of the order until the competent court has decided on the merits.

(e) Not disclose the requested Client Personal Data until required to do so under the applicable procedural rules.

(f) Provide the minimum amount of information permissible when responding to the request, based on a reasonable interpretation of the request.

(g) Document all the steps taken by Data Importer related to the Disclosure Request.

5. Information on Requests of Access to Personal Data by Public Authorities

5.1. Where allowed by law and upon the Data Exporter’s request, Data Importer commits to provide Data Exporter with sufficiently detailed information on all requests of access to Client Personal Data by public authorities which Data Importer has received over the last ten (10) years, in particular in the areas of intelligence, law enforcement, administrative, and regulatory supervision applicable to the transferred data and comprising information about the requests received, the data requested, the requesting body, and the legal basis for disclosure and to what extent Data Importer has disclosed the requested data. Data Importer may choose the means to provide this information.

6. Backdoors

6.1. Data Importer certifies that:

(a) It has not purposefully created backdoors or similar programming that could be used to access Data Importer’s Systems or Client Personal Data subject to the Standard Contractual Clauses;

(b) It has not purposefully created or changed its business processes in a manner that facilitates access to Client Personal Data or systems; and

(c) National law or government policy does not require Data Importer to create or maintain back doors or to facilitate access to Client Personal Data or systems.

6.2. Data Exporter will be entitled to terminate the contract on short notice in cases in which Data Importer does not reveal the existence of a back door or similar programming or manipulated business processes or any requirement to implement any of these or fails to promptly inform Data Exporter once their existence comes to its knowledge.

7. Information About Legal Prohibitions

7.1. Data Importer will provide Data Exporter information about the legal prohibitions on Data Importer to provide information under Sections 5 through 6 of this Exhibit. Data Importer may choose the means to provide this information.

8. Other Measures to Prevent Authorities from Accessing Personal Data

8.1. Notwithstanding the application of the security measures set forth in the Addendum, Data Importer will implement the following technical, organizational, administrative, and physical measures designed to protect the transferred Client Personal Data from unauthorized disclosure or access:

(a) Encryption of the transferred Client Personal Data in transit using the Transport Layer Security (TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption;

(b) Regular scanning and monitoring of any unauthorized software applications and IT systems for vulnerabilities of Data Importer;

(c) Restriction of physical and logical access to IT systems that Process transferred Client Personal Data to those officially authorized persons with an identified need for such access;

(d) Firewall protection of external points of connectivity in Data Importer’s network architecture;

(e) Expedited patching of known exploitable vulnerabilities in the software applications and IT systems used by Data Importer; and

9. Inability to Comply with this Exhibit

9.1. Data Importer shall promptly inform Data Exporter of its inability to comply with the Standard Contractual Clauses and this Exhibit.

9.2. If Data Importer determines that it is no longer able to comply with its contractual commitments under this Exhibit, Data Exporter can swiftly suspend the transfer of data and/or terminate the Service Agreement.

9.3. If Data Importer determines that it is no longer able to comply with the Standard Contractual Clauses or this Exhibit, Data Importer shall return or delete the Client Personal Data received in reliance on the Standard Contractual Clauses. If returning or deleting Client Personal Data received is not possible, Data Importer must securely encrypt the data without necessarily waiting for Data Exporter’s instructions.

9.4. Data Importer shall provide the Data Exporter with sufficient indications to exercise its duty to suspend or end the transfer and/or terminate the contract.

10. Termination

10.1. This Exhibit shall automatically terminate with respect to the Client Personal Data transferred in reliance of the Standard Contractual Clauses if the European Commission or a competent supervisory authority approves a different lawful transfer mechanism that would be applicable to the data transfers covered by the Standard Contractual Clauses (and if such mechanism applies only to some of the data transfers, this Addendum will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Addendum.
