1. Definitions
For purposes of this DPA:
1.1. “Data Privacy Laws” means all applicable laws relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) and other applicable U.S. state and federal laws (collectively, “U.S. Privacy Laws”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the United Kingdom Data Protection Act of 2018 (“UK GDPR”), and the Swiss Federal Data Protection Act (“FADP”).
1.2. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws, that Subtotal Processes to provide the Services.
1.3. The terms “Business,” “Consumer,” “Controller,” “Data Subject,” “Process,” “Processor,” and “Service Provider” have the meanings ascribed to them under Data Privacy Laws. Controller is deemed to include Business, Data Subject is deemed to include Consumer, and Processor is deemed to include Service Provider.
1.4. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Section 9 below.
1.5. “Security Breach” means a breach of security leading to the accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.6. “Services” means the services Subtotal provides to Customer, as set forth in the Agreement.
1.7. “UK SCCs” means the International Data Transfer Addendum to the EU SCCs (available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf).
2. Applicability
This Addendum applies to Subtotal’s provision of any Personal Data to Customer in connection with the Agreement. In the event of a conflict between this Addendum and the Agreement, this Addendum governs.
3. Relationship of the Parties
With respect to Personal Data Processed by the Parties in connection with the Agreement and the Services, the Parties acknowledge and intend that each acts as an independent Controller or Business and not as joint controllers or joint businesses.
4. Obligations of Subtotal as Data Controller
Subtotal alone shall determine, in accordance with applicable Data Privacy Laws, how Personal Data is Processed in connection with its provision to Customer. This includes, without limitation, deciding which data to collect from Data Subjects, how to collect it, how long to store it, which security measures to apply to it, which data to disclose to Customer (or Customer’s Service Providers to which Customer has directed Subtotal to disclose such data), and the legal basis for such Processing. Subtotal will provide Data Subjects with appropriate information and disclosures in accordance with applicable Data Privacy Laws and, where required, obtain their consent for the disclosure and use of their Personal Data by Customer as contemplated herein. Subtotal is solely responsible for providing any applicable opt-out rights to Data Subjects with respect to such disclosures, and for passing those opt-out requests to Customer where required by applicable Data Privacy Laws.
5. Right to Use; Obligations of Customer as Data Controller
Customer may use and Process the Personal Data received from Subtotal for its legitimate business purposes as described in the Agreement. Customer shall comply with all requirements applicable to Controllers or Businesses under applicable Data Privacy Laws when Processing such Personal Data. Customer will not “sell” or “share” (as those terms are defined in applicable Data Privacy Laws) the Personal Data provided by Subtotal unless otherwise permitted under applicable Data Privacy Laws. Customer shall not use Personal Data obtained from Subtotal to infer Sensitive Personal Information or Sensitive Data, or to make Sensitive Data Inferences (as defined in applicable Data Privacy Laws).
6. Cooperation by the Parties
Each Party shall, upon request, provide the other with all documents and information necessary to enable compliance with Data Privacy Laws in connection with the Services, including information required to complete any data processing assessments. In case of inquiry or investigation by a data protection authority related to Processing of Personal Data in connection with the Services, the Parties agree to reasonably cooperate and to provide one another with all documents and information necessary to facilitate such cooperation. Each Party shall immediately inform the other in case of potential non-compliance with its Processing of Personal Data under applicable Data Privacy Laws.
7. Personal Data Requests
Each Party is responsible for intaking and responding to Data Subject requests (e.g., access, deletion, and correction) in accordance with applicable Data Privacy Laws.
8. Security Obligations
Each Party agrees to maintain security controls and safeguards that are no less robust than those described in Attachment A-2. In the event of a Security Breach involving Personal Data subject to the Agreement, the Party who experienced the breach agrees to notify the other Party without undue delay and to reasonably coordinate with the other Party on the investigation and remediation of such Security Breach.
9. Data Transfers
Each Party agrees to comply with applicable Data Privacy Laws when engaging in cross-border Processing of Personal Data, and authorizes the other Party to make cross-border transfers of Personal Data, provided that such laws are respected.
To the extent legally required, by signing this DPA, Customer and Subtotal are deemed to have signed the EU SCCs, which form part of this DPA and are deemed completed as follows:
- (i) Module 1 of the EU SCCs applies to transfers of Personal Data from Subtotal (as a controller) to Customer (as a controller);
- (ii) Clause 7 (the optional docking clause) is not included;
- (iii) the optional language in Clause 11 (Redress) is not included;
- (iv) under Clauses 17 and 18, the Parties choose the laws of Ireland and the courts of Ireland to govern the DPA for transfers subject to the GDPR;
- (vi) Annex I(A) and I(B) are completed as set forth in Attachment A-1 of this DPA;
- (vii) Annex II is completed as set forth in Attachment A-2 of this DPA; and
- (viii) Annex III is inapplicable.
To the extent legally required, by signing this DPA, the Parties are deemed to have signed the UK SCCs, which form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. The Tables of the UK SCCs shall be deemed completed as follows:
- (i) Table 1: the Parties’ details shall be the Parties and their Affiliates, and the Key Contacts shall be the contacts set forth in the Agreement;
- (ii) Table 2: the Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties and completed in Section 9(b) of this DPA;
- (iii) Table 3: Annexes I and II shall be completed as set forth in Attachments A-1 and A-2 below, respectively, and Annex III is inapplicable; and
- (iv) Table 4: either Party may end this DPA as set out in Section 19 of the UK SCCs.
For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 9(b) of this DPA, but with the following differences to the extent required by the FADP:
- (i) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR;
- (ii) the term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and
- (iii) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
Attachment A-1
List of Parties
Data Exporter. The data exporter is Subtotal. Subtotal provides Services to the data importer pursuant to their underlying Agreement.
- Address: As provided in the Agreement.
- Contact person’s name, position, and contact details: As provided in the Agreement.
- Activities relevant to the data transferred under these Clauses: The data exporter provides Services to data importer pursuant to their underlying Agreement.
- Role: Controller
Data Importer. The data importer is Customer.
- Address: As provided in the Agreement.
- Contact person’s name, position, and contact details: The contact information and name of the individual who electronically signed the Agreement.
- Activities relevant to the data transferred under these Clauses: The data exporter provides Services to data importer pursuant to their underlying Agreement.
- Role: Controller
Description of Transfer
Categories of Data Subjects whose personal data is transferred. Any individuals whose Personal Data is Processed by Subtotal or Customer in connection with the Services under the Agreement.
Categories of personal data transferred. Any Personal Data related to the Data Subjects referenced above pursuant to the Agreement.
Sensitive data transferred. N/A
The frequency of the transfer. Continuous.
Nature of the Processing. Data Exporter’s Processing activities shall be limited to those discussed in the Agreement and this DPA and will include activities such as collecting, handling, storing, transmitting, and deleting Personal Data.
Purpose(s) of the data transfer and further Processing. To provide the Services to Customer.
The period for which the Personal Data will be retained. Personal Data will be retained for the period of time necessary to provide the Services under the Agreement, this DPA, and/or in accordance with applicable legal requirements.
For transfers to (sub)processors, also specify subject matter, nature and duration of the processing. Not relevant to Controller-to-Controller transfers.
Competent Supervisory Authority
To the extent legally permitted, the Irish Data Protection Authority.
Attachment A-2: Data Security Measures
The Parties will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:
- Information Security Policies and Standards. The Parties maintain written information security policies, standards, and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures are kept up to date and revised on a regular basis.
- Physical Security. Where relevant, the Parties maintain commercially reasonable security systems at all physical sites at which an information system that uses or stores Personal Data is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
- Organizational Security. The Parties maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.
- Network Security. The Parties maintain commercially reasonable information security policies and procedures addressing network security.
- Access Control. The Parties agree that: (1) only authorized personnel can grant, modify, or revoke access to information systems that Process Personal Data, and (2) they have implemented commercially reasonable physical and technical safeguards to create and protect access credentials.
- Virus and Malware Controls. The Parties protect Personal Data from malicious code and maintain antivirus and malware protection software on all systems that handle Personal Data.
- Personnel. The Parties have implemented and maintain security awareness programs to train employees about their security obligations. Employees follow established security policies and procedures, and are subject to discipline if they fail to adhere to relevant policies and procedures.
- Subprocessor Security. The Parties only select and contract with Subprocessors that are capable of maintaining appropriate security safeguards that are no less onerous than those contained in the DPA and this Attachment.
- Business Continuity. The Parties implement disaster recovery and business interruption plans that are kept up to date and revised on a regular basis. Subtotal also adjusts its Information Security Program in light of new laws and circumstances, and as its business and Processing practices evolve.