Data Processing Addendum

1. Overview

This Data Processing Addendum (including its appendices, the “Addendum”), is incorporated into the Service Agreement between IT Eagle Eye, Inc (“IT Eagle Eye”) and the counterpart accepting the Service Terms (“Customer”).  Customer shall also include its Affiliates, as defined below.

This Addendum describes the parties’ obligations, including under applicable privacy, data security, and data protection laws, with respect to the processing and security of Personal Data where IT Eagle Eye processes said Personal Data as a Processor (or Sub-Processor as applicable) on behalf of the Customer. The parties have agreed to accept this Addendum in order to ensure that appropriate safeguards are in place to protect such Personal Data in accordance with Applicable Data Protection Laws.

This Addendum is effective and will replace and supersede any previously applicable terms relating to their subject matter (including any data processing amendment, agreement, or addendum relating to the Services), on the Addendum Effective Date (as defined below).

Regardless of whether the applicable Service Agreement has terminated or expired, this Addendum will remain in effect until it is superseded or it automatically expires when IT Eagle Eye deletes all Customer Data as described in this Addendum.

2. Definitions

The following definitions are used in this Addendum:

• “Addendum Effective Date” means the date on which Customer accepted, or the parties otherwise agreed to, this Addendum.
• “Affiliate” means, with respect to a party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such party (but only for so long as such Control exists).
• “Applicable Data Protection Laws” means all laws and regulations that are applicable to the processing of Personal Data under the Service Agreement, including European Data Protection Laws and the United States data protection laws including both federal and state laws.
• “Controller” means an entity that determines the purposes and means of the processing of Personal Data, and includes “controller”, “business”, or analogous term as defined under the Applicable Data Protection Laws.
• “Customer Data” means all data belonging to or provided by Customer.
• “Data Incident” means a break of IT Eagle Eye’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed or otherwise controlled by IT Eagle Eye.
• “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK-U.S. extension to the EU-U.S. Data Privacy Framework, and the Swiss-US Data Privacy Framework as set forth by the U.S. Department of Commerce.
• “EU SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
• “European Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland, and the United Kingdom applicable to the processing of Personal Data under the Service Agreement (including, where applicable, (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (the “UK GDPR”); (iii) the Swiss Federal Act on Data Protection of 1 September 2023 and its corresponding ordinances (“Swiss FADP”); (iv) the EU e-Privacy Directive (Directive 2002/58/EC); and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii), (iii), (iv).
• “Personal Data” means the personal data, personal information, or personally identifiable information contained within the Customer Data, including any special categories of personal data or sensitive data defined under Applicable Data Protection Laws.
• “Restricted Transfer” means: (i) where the EU GDPR or Swiss FADP applies, a transfer of Personal Data from the European Economic Area or Switzerland (as applicable) to a country outside of the European Economic Area or Switzerland (as applicable) which is not subject to an adequacy determination by the European Commission or Swiss Federal Data Protection and Information Commissioner (as applicable); and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018. For the avoidance of doubt, a transfer of Personal Data to the United States pursuant to the Data Privacy Framework shall not be a Restricted Transfer.
• “Services” -means the services IT Eagle Eye will perform in accordance with he Service Terms.

To the extent the processing of Personal Data is subject to an Applicable Data Protection Law, the corresponding terms will apply in addition to these General Terms and prevail as described in the section of this Addendum entitled Precedence.

Capitalized terms used but not defined in this Addendum have the meaning given to them in the Service Agreement.

3. Roles and Legal Compliance

The type of Personal Data processed pursuant to this Addendum and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described in Annex 1. 

In respect of the parties’ rights and obligations under this Addendum regarding the Personal Data, the parties acknowledge and agree that the Customer is the Controller (or a Processor processing Personal Data on behalf of a third-party Controller), and IT Eagle Eye is a Processor (or Sub-Processor, as applicable). 

If the Customer is a Processor, Customer warrants to IT Eagle Eye that Customer’s instructions and actions with respect to the Personal Data, including its appointment of IT Eagle Eye as another Processor and, where applicable, concluding the EU SCCs have been (and will, for the duration of this Addendum, continue to be) authorized by the relevant third-party Controller. Customer will forward to the third party Controller promptly and without any undue delay any notice provided by IT Eagle Eye in relation to obligations in this Addendum.

Each party warrants in relation to Personal Data that it will comply with Applicable Data Protection Laws. As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data.

4. Data Processing

With respect to all Personal Data it processes in its role as a Processor or Sub-Processor, IT Eagle Eye warrants that it shall:

1. only process Personal Data in order to provide the Services and in accordance with: (i) the Customer’s written instructions as set out in the Service Agreement and this Addendum, unless required to do so by Applicable Data Protection Laws to which IT Eagle Eye is subject, and (ii) the requirements of Applicable Data Protection Laws. In the event IT Eagle Eye is required to process Personal Data under Applicable Data Protection Laws, IT Eagle Eye shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
2. not use the Personal Data for the purpose of marketing or advertising;
3. implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such measures include, without limitation, the security measures set out in Annex 2 (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that IT Eagle Eye may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Service;
4. ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under contractual or statutory obligations of confidentiality;
5. without undue delay notify the Customer upon becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed for the purpose of providing the Services to Customer by IT Eagle Eye, its Sub-Processors, or any other identified or unidentified third party (a “Personal Data Breach”) and provide the Customer with reasonable cooperation and assistance in respect of that Personal Data Breach, including all reasonable information in IT Eagle Eye’s possession concerning such Personal Data Breach insofar as it affects the Personal Data;
6. not make any public announcement about a Personal Data Breach (a “Breach Notice”) without the prior written consent of the Customer, unless required by applicable law;
7. to the extent IT Eagle Eye is able to verify that a data subject is associated with the Customer, promptly notify the Customer if it receives a request from a data subject to exercise any data protection rights (including rights of access, rectification, or erasure) in respect of that data subject’s Personal Data (a “Data Subject Request”). IT Eagle Eye shall not respond to a Data Subject Request without the Customer’s prior written consent except to confirm that such request relates to the Customer, to which the Customer hereby agrees;
8. to the extent IT Eagle Eye is able, and in line with applicable law, provide reasonable assistance to Customer in responding to a data subject request to exercise any data protection rights (including rights of access, rectification, or erasure) in respect of that data subject’s Personal Data if the Customer does not have the ability to address a Data Subject Request without IT Eagle Eye’s assistance. The Customer is responsible for verifying that the requestor is the data subject in respect of whose Personal Data the request is made. It Eagle Eye bears no responsibility for information provided in good faith to Customer in reliance on this subsection. Customer shall cover all costs incurred by IT Eagle Eye in connection with its provision of such assistance;
9. other than to the extent required to comply with applicable law, following termination or expiry of the Service Agreement or completion of the Service, at the choice of Customer, delete or return all Personal Data (including copies thereof) processed pursuant to this Addendum;
10. taking into account the nature of processing and the information available to IT Eagle Eye, provide such assistance to the Customer as the Customer reasonably requests in relation to IT Eagle Eye’s obligations under Applicable Data Protection Laws with respect to:
    
    1. data protection impact assessments and prior consultations (as such terms are defined in Applicable Data Protection Laws);
    2. notifications to the supervisory authority under Applicable Data Protection Laws and/or communications to data subjects by the Customer in response to any Personal Data Breach; and
    3. the Customer’s compliance with its obligations under Applicable Data Protection Laws with respect to the security of processing;

provided that the Customer shall cover all costs incurred by IT Eagle Eye in connection with its provision of such assistance; and

11. notify Customer if, in IT Eagle Eye’s opinion, any instructions provided by the Customer under clause 4(a) infringe Applicable Data Protection Laws, or if IT Eagle Eye otherwise makes a determination that it can no longer meet its obligations under Applicable Data Protection Laws

5. Sub-Processors

1. IT Eagle Eye will only disclose Personal Data to Sub-Processors for the specific purposes of carrying out the Service.
2. IT Eagle Eye will ensure that any Sub-Processor it engages to provide an aspect of the Service on its behalf in connection with this Addendum, does so only on the basis of a written contract which imposes on such Sub-Processor terms that are no less protective of Personal Data than those imposed on IT Eagle Eye in this Addendum. IT Eagle Eye shall procure the performance by such Sub-Processor of the Relevant Terms and shall be liable to the Customer for any breach by such Sub-Processor of the Relevant Terms. 
3. The Customer grants a general written authorization (1) to IT Eagle Eye to appoint owned subsidiaries as Sub-Processors, and (2) to IT Eagle Eye and its subsidiaries to appoint third party data center operators, and business, engineering and customer support providers as Sub-Processors to support the performance of the Service.
4. IT Eagle Eye will maintain a list of Sub-Processors at https://www.iteagleeye.com/legal/privacy-policy/sub-processors and will add the names of new and replacement Sub-Processors to the list at least thirty (30) days prior to the date on which those Sub-Processors commence processing of Personal Data. If Customer objects to any new or replacement Sub-Processor on reasonable grounds related to data protection, it shall notify IT Eagle Eye of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith. Where IT Eagle Eye is using a Sub-Processor that goes out of business or there is some other emergency situation, IT Eagle Eye shall (1) provide as much notice as possible and (2) thereafter provide the Customer with 30 days to object. If IT Eagle Eye is reasonably able to provide the Service to the Customer in accordance with the Service Agreement without using the Sub-Processor and decides in its discretion to do so, then Customer will have no further rights under this clause 5(d) in respect of the proposed use of the Sub-Processor. If IT Eagle Eye, in its discretion, requires use of the Sub-Processor and is unable to satisfy Customer’s objection regarding the proposed use of the new or replacement Sub-Processor, then Customer may terminate the applicable Order Form effective upon the date IT Eagle Eye begins use of such new or replacement Sub-Processor solely with respect to the Service(s) that will use the proposed new Sub-Processor for the processing of Personal Data. If Customer does not provide a timely objection to any new or replacement Sub-Processor in accordance with this clause 5(d), Customer will be deemed to have consented to the Sub-Processor and waived its right to object.

6. Audit and Records

1. IT Eagle Eye shall, in accordance with Applicable Data Protection Laws, make available to Customer such information in IT Eagle Eye’s possession or control as Customer may reasonably request with a view to demonstrating IT Eagle Eye’s compliance with the obligations of Processors under Applicable Data Protection Laws in relation to its processing of Personal Data.
2. IT Eagle Eye may fulfill Customer’s right of audit under Applicable Data Protection Laws in relation to Personal Data, by providing:
   
   1. an audit report not older than thirteen (13) months, prepared by an independent external auditor demonstrating IT Eagle Eye’s technical and organizational measures are sufficient and in accordance with an accepted industry standard;
   2. additional information in IT Eagle Eye’s possession or control to a data protection supervisory authority when it requests or requires additional information in relation to the processing of Personal Data carried out by IT Eagle Eye under this Addendum; and
   3. to the extent that Customer’s Personal Data is subject to the EU SCCs and the information made available pursuant to this clause 6(b) is insufficient, in Customer’s reasonable judgment, to confirm IT Eagle Eye’s compliance with its obligations under this Addendum or Applicable Data Protection Laws, then IT Eagle Eye shall enable Customer to request one onsite audit per annual period during the Service Term (as defined in the Service Agreement) by the Customer or an independent auditor appointed by Customer to verify IT Eagle Eye’s compliance with its obligations under this DPA in accordance with clause 6(b).
3. The following additional terms shall apply to audits the Customer requests:
   
   1. Customer must send any requests for information or access governed by this Addendum to compliance@iteagleeye.com
   2. Following receipt by IT Eagle Eye of a request for audit under clause 6(b)(iii), IT Eagle Eye and Customer will discuss and agree in advance on the reasonable start date, scope, duration of, and security and confidentiality controls applicable to any audit under clause 6(b)(iii). Whenever possible, evidence for such an audit will be limited to a report of evidence collected for IT Eagle Eye’s most recent third-party audit.
   3. IT Eagle Eye may charge a fee (based on IT Eagle Eye’s reasonable costs) for any audit under clause 6(b)(iii). IT Eagle Eye will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
   4. IT Eagle Eye may object in writing to an auditor appointed by Customer to conduct any audit under clause 6(b)(iii) if the auditor is, in IT Eagle Eye’s reasonable opinion, not suitably qualified or independent, a competitor of IT Eagle Eye, or otherwise manifestly unsuitable (i.e., an auditor whose engagement may have a harmful impact on IT Eagle Eye’s business comparable to the aforementioned aspects). Any such objection by IT Eagle Eye will require Customer to appoint another auditor or conduct the audit itself. If the EU SCCs apply (including as they may be amended in clause 7(b) below) applies, nothing in this clause 6(c) varies or modifies the EU SCCs nor affects any supervisory authority’s or data subject’s rights under the EU SCCs.

7. Data Transfers

1. In connection with the Service, the parties anticipate that IT Eagle Eye (and its Sub-Processors) may process outside of the EEA, Switzerland, and the United Kingdom, certain Personal Data protected by European Data Protection Laws in respect of which Customer or a member of the Customer may be a Controller (or Processor on behalf of a third-party Controller, as applicable).
2. The parties agree that when the transfer of Personal Data protected by European Data Protection Laws from Customer or any member of the Customer to IT Eagle Eye is a Restricted Transfer, then the appropriate standard contractual clauses and additional safeguards shall apply as follows:
   
   1. In relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
      
      1. Module Two will apply where Customer (or the relevant member of the Customer) is a Controller and Module Three will apply where Customer (or the relevant member of the Customer) is a Processor;
      2. in Clause 7, the optional docking clause will apply;
      3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-Processor changes shall be as set out in Clause 5(d) of this Addendum;
      4. in Clause 11, the optional language will not apply;
      5. in Clause 17, Option 2 will apply, and if the data exporter’s Member State does not allow for third-party beneficiary rights, then the law of the Republic of Ireland shall apply;
      6. in Clause 18(b), disputes shall be resolved before the courts of the jurisdiction governing the Service Agreement between the parties or, if that jurisdiction is not an EU Member State, then the courts in Dublin, Ireland. In any event, Clause 17 and 18 (b) shall be consistent in that the choice of forum and jurisdiction shall fall on the country of the governing law;
      7. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this Addendum; and
      8. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this Addendum;
   2. In relation to Personal Data that is protected by the UK GDPR, the EU SCCs, completed as set out in clause 7(b) of this Addendum, shall apply to such Personal Data, except that:
      
      1. The EU SCCs shall be deemed amended as specified by the UK Addendum, which shall be deemed executed between the transferring Customer and IT Eagle Eye;
      2. Any conflict between the terms of the EU SCCa and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum;
      3. For the purposes of the UK Addendum, Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in the Annexes of this Addendum; and
      4. Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”. 
   3. In relation to Personal Data that is protected by the Swiss FADP (as amended or replaced, the EU SCCS, completed as set out above in clause 7(b) of this Addendum, shall apply to transfers of such Personal Data, except that:
      
      1. the competent supervisory authority in respect of such Personal Data shall be the Swiss Federal Data Protection and Information Commissioner;
      2. in Clause 17, the governing law shall be the laws of Switzerland;
      3. references to “Member State(s)” in the EU SCCs shall be interpreted to refer to Switzerland, and data subjects located in Switzerland shall be entitled to exercise and enforce their rights under the EU SCCs in Switzerland; and
      4. references to the “General Data Protection Regulation”, “Regulation 2016/679” or “GDPR” in the EU SCCs shall be understood to be references to the Swiss FADP (as amended or replaced).
   4. The following terms shall apply to the EU SCCs (including as they may be amended under clauses 7(b)(ii)(2) and 7(b)(ii)(3) above:
      
      1. Customer may exercise its right of audit under the EU SCCs as set out in, and subject to the requirements of clause 6 of this Addendum; and
      2. IT Eagle Eye may appoint Sub-Processors as set out in, and subject to the requirements of clauses 5 and 7(c) of this Addendum, and Customer may exercise its right to object to Sub-Processors under the EU SCCs in the manner set out in clause 5(d) of this Addendum.
   5. In the event that any provision of this Addendum contradicts, directly or indirectly, the EU SCCs (and the UK Addendum, as appropriate), the latter shall prevail.
3. In respect of Restricted Transfers made to IT Eagle Eye under clause 7(b), IT Eagle Eye shall not participate in (nor permit any Sub-Processor to participate in) any further Restricted Transfers of Personal Data (whether as an “exporter” or an “importer” of the Personal Data) unless such further Restricted Transfer is made in full compliance with Applicable Data Protection Laws and, if applicable, any EU SCCs and/or UK Addendum implemented between Customer and IT Eagle Eye.
4. Customer acknowledges that IT Eagle Eye complies with the Data Privacy Framework and that transfers of Customer Data to IT Eagle Eye made under the Data Privacy Framework shall not be a Restricted Transfer. IT Eagle Eye will notify Customer if its Data Privacy Framework certification lapses or is otherwise invalidated, in which instance any transfers of Personal Data from Customer to IT Eagle Eye shall immediately be deemed a Restricted Transfer and the provisions of clause 7(b) will apply. 
5. In the event Customer seeks to conduct any assessment of the adequacy of the SCCs for transfers to any particular countries or regions, IT Eagle Eye shall, to the extent it is able, provide reasonable assistance to Customer for the purpose of any such assessment, provided Customer shall cover all costs incurred by IT Eagle Eye in connection with its provision of such assistance.

8. Third Party Requests

1. If IT Eagle Eye becomes aware of any third party legal process requesting Personal Data that IT Eagle Eye processes on behalf of Customer in its role as Processor or Sub-Processor (as applicable) then IT Eagle Eye will:
   
   1. immediately notify Customer of the request unless such notification is legally prohibited;
   2. inform the third party that it is a Processor or Sub-Processor (as applicable) of the Personal Data and is not authorized to disclose the Personal Data without Customer’s consent;
   3. disclose to the third party the minimum necessary Customer contact details to allow the third party to contact the Customer and instruct the third party to direct its data request to Customer; and
   4. to the extent IT Eagle Eye provides access to or discloses Personal Data in response to third party legal process either with Customer authorization or due to a mandatory legal compulsion, then IT Eagle Eye will disclose the minimum amount of Personal Data to the extent it is legally required to do so and in accordance with the applicable legal process.
2. In IT Eagle Eye’s role as a Processor or Sub-Processor, as applicable, it may be subject to third party legal process issued by a government authority (including a judicial authority) and requesting access to or disclosure of Personal Data. If IT Eagle Eye becomes aware of any third party legal process issued by a government authority (including a judicial authority) requesting Personal Data that IT Eagle Eye processes on behalf of Customer in its role as Processor or Sub-Processor (as applicable) then, to the extent that IT Eagle Eye reviews the request with reasonable efforts and as a result is able to identify that such third party legal process requesting Personal Data raises a conflict of law, IT Eagle Eye will only disclose Personal Data to the extent required to do so under applicable procedural rules.

9. General

1. This Addendum is without prejudice to the rights and obligations of the parties under the Service Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this Addendum and the terms of the Service Agreement, the terms of this Addendum shall prevail so far as the subject matter concerns the processing of Personal Data.
2. IT Eagle Eye’s liability under or in connection with this Addendum, including under the EU SCCs, is subject to the exclusions and limitations on liability contained in the Service Agreement.
3. Except where and to the extent expressly provided in the EU SCCs or required as a matter of Applicable Data Protection Laws, this Addendum does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
4. This Addendum and any action related thereto shall be governed by and construed in accordance with the laws as specified in the Service Agreement, without giving effect to any conflicts of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts specified in the Service Agreement.
5. If any provision of this Addendum is, for any reason, held to be invalid or unenforceable, the other provisions of the Addendum will remain enforceable.
6. This Addendum is the final, complete, and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.