Data Processing Addendum

Last Updated: September 7, 2023

This Data Processing Addendum (“DPA”) forms a part of the Watermark subscription agreement, and is between Watermark Insights, LLC, or its affiliate (hereinafter, “Watermark” or the “Processor”) and the Organization identified on the Watermark Order Form (the “Organization” or “Controller”), collectively referred to as the “Parties”.

1. Definitions and Interpretation

1.1 In this Addendum, unless the context otherwise requires:

“Affiliate(s)” means any entity that directly or indirectly controls, is controlled by, or is under common control or ownership with a Party, where “control,” “controlled by” and “under common control with” means the possession of the power to direct, cause or significantly influence the direction of the entity, whether through the ownership of voting securities, by contract, or otherwise.

“Data Protection Regulator” or “DP Regulator” means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Applicable Data Protection Laws.

“Applicable Data Protection Laws” means, with respect to a party, all applicable relevant data protection and privacy laws, regulations, and requirements, including but not limited to, the General Data Protection Regulation (GDPR) (EU) 2016/679, and any applicable national implementing legislation.

“Organization Data” has the same meaning as defined in the Agreement. This Addendum applies to Watermark’s Processing of Organization Data to the extent that such Organization Data constitutes Personal Data.

“Processing” means any operation or set of operations performed on Personal Data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.

“Data Subject” refers to an identified or identifiable natural person to whom the Personal Data relates.

“Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar information defined in and governed by Applicable Data Protection Law(s).

“Security Incident” means any confirmed unauthorized or unlawful breach of security that leads to the destruction, loss, alteration, unauthorized disclosure of or access to Personal Data being Processed by Watermark. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

“Services” refers to the Watermark subscription and support services provided by Processor to Controller under the Agreement.

“Standard Contractual Clauses (SCC)” means the European Commission’s standard contractual clauses for the transfer of personal data from the European Union to third countries, as set out in the Annex to Commission Decision (EU) 2021/914, a completed copy of which comprises Appendix B.

“Subprocessor” means any third party appointed by Processor to Process Organization Data on behalf of Controller.

“Usage Data” or “Aggregated Statistics” has the same meaning as defined in the Agreement. This Addendum applies to Usage Data to the extent Usage Data constitutes Personal Data.

1.2 General; Termination

a. This Addendum governs the Processing of Personal Data by Processor on behalf of Controller in the course of providing the Services.

b. This Addendum forms part of the Watermark subscription agreement and except as expressly set forth in this Addendum, the agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, this Addendum will govern.

c. The Parties acknowledge that Controller acts as the data controller, and Processor acts as the data processor with respect to the Processing of Personal Data under this Addendum.

d. Any liabilities arising under this Addendum are subject to the limitations of liability in the Agreement.

e. This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.

f. This Addendum will automatically terminate upon expiration or termination of the Agreement.

1.3 Capitalization.

Capitalized terms not otherwise defined herein shall have the meanings ascribed to them in the Agreement. The “Parties” shall refer to the parties to the Agreement and each shall be a “Party.”

Obligations of the Processor

a. Processor shall Process Personal Data only on documented instructions from Controller unless required to do so by applicable laws, in which case Processor shall inform Controller of such legal requirement before Processing unless prohibited by law.

b. Processor shall ensure that its personnel engaged in the Processing of Personal Data are subject to appropriate obligations of confidentiality.

c. Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage.

d. Processor shall assist Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under the Data Protection Laws.

e. Processor shall promptly notify Controller in case of any unauthorized or accidental loss, alteration, or disclosure of Controller’s Personal Data processed under this Addendum.

f. Processor shall, at the choice of Controller, delete or return all Personal Data to Controller after termination or expiry of the Agreement, unless required to retain such data by applicable laws.

2. Compliance with Applicable Data Protection Laws

2.1 The Parties shall comply with the provisions and obligations imposed on them by the Applicable Data Protection Laws at all times when processing Personal Data in connection with this Agreement, which processing shall be in respect of the types of Personal Data, categories of Data Subjects, nature and purposes, and duration, set out in Schedule 1 to this Addendum. For the avoidance of doubt, the Organization retains control of Organization Data and remains responsible for its compliance obligations under the Applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the processing instructions given to Watermark.

2.2 The Parties shall each maintain records of all processing operations under their respective responsibility that contain at least the minimum information required by the Applicable Data Protection Laws, and shall make such information available to any authorized Data Protection Regulator on request.

3. Processing

Controller shall ensure that any instructions it issues to Processor comply with the Data Protection Laws since Controller has sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Organization acquired such Personal Data shall establish the legal basis for processing under Applicable Data Protection Laws, including providing all notices and obtaining all consents as may be required under Applicable Data Protection Laws in order for Watermark to process the Personal Data as otherwise contemplated by this Agreement.

4. Return or Destruction of Personal Data

4.1 Subject to paragraph 4.2, Watermark shall take reasonable steps to, at Organization’s option, return or irretrievably delete all Personal Data in its control or possession when it no longer requires such Personal Data to exercise or perform its rights or obligations under this Agreement, and in any event upon Organization’s instruction upon the expiry or termination of this Agreement. The Organization acknowledges and agrees that Watermark shall retain IP addresses of the devices which it has processed in connection with the Services for a period of up to 90 days after termination of the Agreement before they are deleted.

4.2 To the extent that Watermark is required by Applicable Data Protection Laws to retain all or part of the Personal Data (“Retained Data”), Watermark shall:

  1. cease all processing of the Retained Data other than as required by the Applicable Data Protection Laws;
  2. keep confidential all such Retained Data in accordance with the confidentiality provisions set out in the Agreement; and
  3. continue to comply with the provisions of this Addendum in respect of such Retained Data.

5. Audit

5.1 Watermark shall permit Organization or its representatives to access any relevant premises, personnel, or records of Watermark on reasonable notice to audit and otherwise verify compliance with this Addendum, subject to the following requirements:

  1. Organization may perform such audits no more than once per year or more frequently if required by Applicable Data Protection Law regulators;
  2. Organization may use a third party to perform the audit on its behalf, provided such third party executes a confidentiality agreement acceptable to Watermark before the audit;
  3. audits must be conducted during regular business hours, subject to Watermark’s policies, and may not unreasonably interfere with Watermark’s business activities;
  4. Organization must provide Watermark with any audit reports generated in connection with any audit at no charge unless prohibited by Applicable Data Protection Laws. Organization may use the audit reports only for the purposes of meeting its audit requirements under Applicable Data Protection Laws and/or confirming compliance with the requirements of this Addendum. The audit reports shall be confidential;
  5. to request an audit, Organization must first submit a detailed audit plan to Watermark at least 6 (six) weeks in advance of the proposed audit date. The audit must describe the proposed scope, duration and start date of the audit. Watermark will review the audit plan and inform Organization of any concerns or questions (for example, any request for information that could compromise Watermark’s confidentiality obligations or its security, privacy, employment or other relevant policies). Watermark will work cooperatively with Organization to agree a final audit plan;
  6. nothing in this paragraph 5 shall require Watermark to breach any duties of confidentiality owed to any of its clients, employees or third-party providers; and
  7. all audits are at Organization’s sole cost and expense.

If either Party receives any complaint, notice or communication which relates directly or indirectly to the processing of Personal Data by the other Party or to either Party’s compliance with the Applicable Data Protection Laws, it shall as soon as reasonably practicable notify the other Party and it shall provide the other Party with commercially reasonable cooperation and assistance in relation to any such complaint, notice or communication.

6. Sub-processors

6.1 Controller acknowledges and agrees that Processor may engage Subprocessors to assist in the provision of the Services. Processor shall inform Controller of any intended changes concerning the addition or replacement of Subprocessors.

6.2 Processor shall ensure that any Subprocessor engaged by Processor is bound by written agreements containing data protection obligations no less protective than those set out in this Addendum.

  1. Watermark will enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this Addendum; and
  2. Watermark will remain liable for compliance obligations of this Addendum and for any acts or omissions of the Subprocessor that cause Watermark to breach any of its obligations under this Addendum.

6.3 A list of Sub-Processors, including their functions and locations, engaged by Watermark is available upon request, which Watermark shall update from time to time.

6.4 If Watermark engages a new Sub-Processor (“New Sub-Processor”), Watermark shall inform the Organization of the engagement by updating the list found at paragraph 6.3 above.

6.5 Watermark shall ensure that its contract with each New Sub-Processor shall impose obligations on the New Sub-Processor that are substantially similar to the obligations to which Watermark is subject to under this Addendum.

6.6 Any sub-contracting or transfer of Personal Data pursuant to this paragraph 7 shall not relieve Watermark of any of its liabilities, responsibilities, and obligations to Organization under this Addendum and Watermark shall remain liable for the acts and omissions of its Sub-Processors.

6.7 If Organization wishes to be informed of Watermark’s engagement with New Sub-Processors by email, it shall request such notification in writing to Watermark. Watermark shall, upon written confirmation of receipt of any request under this paragraph, send Organization an updated list of Sub-Processors by email to an email address requested by Organization if it engages a new Sub-Processor.

7. Security

a. Security Measures. Watermark will implement and maintain technical and organizational security measures designed to protect Organization Data from Security Incidents and to preserve the security and confidentiality of the Organization Data, in accordance with Watermark’s security standards.

b. Organization Responsibility.

  1. Organization is responsible for reviewing the information added to the Watermark products and services relating to data security, and for making an independent determination as to whether the Watermark product and services meet Organization’s requirements and legal obligations under Applicable Data Protection Laws.
  2. Organization acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Organization to reflect process improvements or changing practices (but the modifications will not materially decrease Watermark’s obligations as compared to those reflected in such terms as of the Effective Date).
  3. Organization agrees that, without limitation of Watermark’s obligations under this Section 8, Organization is solely responsible for its use of the services, including (a) making appropriate use of the services to ensure a level of security appropriate to the risk in respect of the Organization Data; (b) securing the account authentication credentials, systems and devices Organization uses to access the services; (c) securing Organization’s systems and devices that it uses with the services; and (d) maintaining its own backups of Organization Data.

c. Security Incident. Upon becoming aware of a confirmed Security Incident, Processor will notify Controller without undue delay. A delay in giving such notice requested by law enforcement and/or in light of Watermark’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay. Such notices will describe, to the extent possible, details of the Security Incident, including steps taken to mitigate the potential risks and steps Watermark recommends Organization take to address the Security Incident. Without prejudice to Watermark’s obligations under this Section 8.c., Organization is solely responsible for complying with Security Incident notification laws applicable to Organization and fulfilling any and all third-party notification obligations related to any Security Incidents. Watermark’s notification of or response to a Security Incident under this Section will not be construed as an acknowledgement by Watermark of any fault or liability with respect to the Security Incident. Processor shall cooperate with Controller and take appropriate measures to mitigate the effects of any Security Incident and prevent the recurrence of such incidents.

8. Audits and Reviews of Compliance.

The parties acknowledge that Organization must be able to assess Watermark’s compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as Watermark is acting as a Processor on behalf of Organization.

a. Watermark’s Audit Program. Watermark uses external auditors to verify the adequacy of its security measures with respect to its processing of Organization Data. Such audits are performed at least once annually at Watermark’s expense by independent third-party security professionals at Watermark’s selection and result in the generation of a confidential audit report (“Audit Report”). The availability of such Audit Report shall be made under a separate non-disclosure agreement mutually agreed upon by the parties.

b. Organization Audit. Upon Organization’s written request at reasonable intervals, no more frequent than once per calendar year, and subject to reasonable confidentiality controls, Watermark will make available to Organization a copy of Watermark’s most recent Audit Report. Organization agrees that any audit rights granted by Applicable Data Protection Laws will be satisfied by these Audit Reports. To the extent that Watermark’s provision of an Audit Report does not provide sufficient information for Organization to verify Watermark’s compliance with this Addendum or Organization is required to respond to a regulatory authority audit, Organization agrees to a mutually agreed-upon audit plan with Watermark that: (a) ensures the use of an independent third party; (b) provides notice to Watermark in a timely fashion; (c) requests access only during business hours; (d) accepts billing to Organization at Watermark’s then-current rates; (e) occurs no more than once annually; (f) restricts findings to only Organization Data relevant to Organization; and (g) obligates Organization, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.

9. Impact Assessments and Consultations.

Watermark will provide reasonable cooperation to the Organization in connection with any data protection impact assessment (at Organization’s expense – if such reasonable cooperation will require Watermark to assign resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Laws.

10. Data Subject Requests.

Watermark will, upon Organization’s request (and at Organization’s expense) provide Organization with such assistance as it may reasonably require to comply with its obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection) in cases where Organization cannot reasonably fulfill such requests independently by using the self-service functionality of the Services. If Watermark receives a request from a Data Subject in relation to their Organization Data, Watermark will advise the Data Subject to submit their request to Organization, and Organization will be responsible for responding to any such request.

11. Return or Deletion of Organization Data.

a. Watermark will, within sixty (60) days after request by Organization following the termination or expiration of the Agreement, delete all Organization Data from Watermark’s systems.

b. Notwithstanding the foregoing, Organization understands that Watermark may retain Organization Data if required by law, and such data will remain subject to the requirements of this Addendum.

12. International Provisions.

a. Processing in the United States. Organization acknowledges that, as of the Effective Date, Watermark’s primary processing facilities are in the United States; however, Customer Support utilizes a ‘follow-the-sun’ model, with both United States and international support resources (e.g., in India).

b. Jurisdiction Specific Terms. To the extent that Watermark Processes Organization Data originating from and protected by Applicable Data Protection Laws in one of the Jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this Addendum.

c. Cross Border Data Transfer Mechanism. To the extent that Organization’s use of the services requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area (“EEA”), the UK, Switzerland or any other jurisdiction listed in Schedule 3) to Watermark located outside of that jurisdiction (a “Transfer Mechanism”), the terms and conditions of Schedule 3 (Cross Border Transfer Mechanisms) will apply.

IN WITNESS WHEREOF, the Parties hereto have executed this Agreement as of the date of last signature below.

Watermark Insights, LLC By_ Name: Torie Orton

Title: General Counsel, Watermark

Organization By_________________ Name:

Title:

SCHEDULE 1

SUBJECT MATTER & DETAILS OF PROCESSING

The Personal Data processing activities carried out by Watermark under this Agreement may be described as follows:

1. Subject matter of processing

Watermark will process Personal Data as necessary to provide the services under the Agreement. Watermark does not sell Organization Data (or end user information within such Organization Data) and does not share such end users’ information with third parties for compensation or for those third parties’ own business interests.

  1. Organization Data. Watermark will process Organization Data as a processor in accordance with Organization’s instructions as outlined in Section 6.a (Organization Instructions) of this Addendum.
  2. Usage Data. Watermark will process Usage Data as a controller for the purposes outlined in Section 4.b (Watermark as Controller) of this Addendum.

2. Nature and purpose of processing

  1. Organization Data. Organization Data will be subject to the following basic processing activities: the provision of services that allow Watermark Organizations to manage and control their Organization Data.
  2. Usage Data. Personal Data contained in Usage Data will be subject to the following processing activities by Watermark: Watermark may use Usage Data to operate, improve and support the Services and for other lawful business practices, such as analytics, benchmarking, and reporting.

3. Categories of Personal Data

  1. Organization Data. The categories of Organization Data are such categories as Organization is authorized to ingest into the services under the Agreement.
  2. Usage Data. Watermark processes Personal Data within Usage Data.

4. Categories of Data Subjects

Data subjects include the individuals about whom data is provided to Watermark via the Services by (or at the direction of) Organization (i.e., Organization’s end users).

5. Duration

The period for which Personal Data will be retained and the criteria used to determine that period are as follows:

  1. Organization Data. Prior to the termination of the Agreement, Watermark will Process stored Organization Data for the purpose of providing the services until Organization elects to delete such Organization Data via the Watermark services or in accordance with the Agreement.
  2. Usage Data. Upon termination of the Agreement, Watermark may retain, use and disclose Usage Data for the purposes set forth above in Section 2.b (Usage Data) of this Schedule 1, subject to the confidentiality obligations set forth in the Agreement. Watermark will anonymize or delete Personal Data contained within Usage Data when Watermark no longer requires it for the purpose set forth in Section 2.b (Usage Data) of this Schedule 1.

6. Sensitive Data or Special Categories of Data.

  1. Organization Data. Organizations are prohibited from including sensitive data or special categories of data in Organization Data.
  2. Usage Data. Sensitive Data is not contained in Usage Data.

SCHEDULE 2

TECHNICAL & ORGANIZATIONAL SECURITY MEASURES

Watermark is committed to ensuring the security and protection of the personal and sensitive data we Process. This Schedule 2 outlines the technical and organizational security measures Watermark has implemented to safeguard the confidentiality, integrity, and availability of data, including but not limited to the following:

  • Password policies, requiring a combination of alphanumeric characters and regular password updates.
  • Multi-factor authentication for access to sensitive systems and data.
  • Access privileges based on job roles and responsibilities.
  • Up-to-date list of authorized users and their access rights.
  • Regular review and revocation of user access upon employee termination or job role changes.
  • Secure mechanisms for granting temporary access when required.
  • Log and monitor user access activities for auditing and detection of unauthorized access attempts.
  • Encryption mechanisms (such as Transport Layer Security – TLS) to protect data during transmission over networks.
  • Encrypt sensitive data at rest, stored on servers or databases.
  • Only collect and retain necessary data for legitimate business purposes.
  • Regularly review and dispose of unnecessary or outdated data securely.
  • Regular data backup procedures to ensure data availability and integrity.
  • Store backups securely, with access controls and encryption.
  • Test data restoration processes periodically to verify their effectiveness.
  • Control physical access to offices and data center facilities using access systems.
  • Monitor and record access activities through surveillance systems.
  • Secure procedures for the disposal of electronic devices, ensuring data is wiped securely or destroyed irreversibly.
  • Compliance with local regulations and environmental standards for proper disposal.
  • Procedures for reporting security incidents or breaches promptly.
  • Incident response protocols to employees and provide clear reporting channels.
  • Incident response team responsible for investigating and mitigating security incidents.
  • Post-incident reviews to identify areas for improvement and implement necessary measures.
  • Regular security awareness training to employees, emphasizing the importance of data protection and privacy.
  • Educate employees on social engineering threats, phishing attacks, and other common security risks.
  • Promote a security-conscious culture within the organization.
  • Compliance with applicable data protection laws and regulations.
  • Regularly review and update security measures to align with changing regulatory requirements.
  • Periodic security audits and assessments to identify vulnerabilities and gaps.
  • Penetration testing and vulnerability assessments on systems and applications.
  • Regularly review and update security policies and controls based on audit findings and recommendations.
  • Watermark’s Organizations have direct relationships with their end users and are responsible for responding to requests from their end users who wish to exercise their rights under Applicable Data Protection Laws. If Watermark receives a request from a Data Subject in relation to their Organization Data, Watermark will advise the Data Subject to submit their request to Organization, and Organization will be responsible for responding to any such request.

SCHEDULE 3

CROSS BORDER DATA TRANSFER MECHANISM

1. Definitions

a. “Standard Contractual Clauses” means, depending on the circumstances unique to any particular Organization, any of the following:

  1. UK Standard Contractual Clauses; and
  2. 2021 Standard Contractual Clauses

b. “UK Standard Contractual Clauses” means:

  1. Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU (“UK Controller to Processor SCCs”); and
  2. Standard Contractual Clauses for data controller to data controller transfers approved by the European Commission in decision 2004/915/EC (“UK Controller to Controller SCCs”).

c. “2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

2. UK Standard Contractual Clauses. For data transfers from the United Kingdom that are subject to the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by reference) and completed as follows:

a. The UK Controller to Processor SCCs will apply where Watermark is processing Organization Data. The illustrative indemnification clause will not apply. Schedule 1 serves as Appendix 1 of the UK Controller to Processor SCCs. Schedule 2 serves as Appendix 2 of the UK Controller to Processor SCCs.

b. The UK Controller to Controller SCCs will apply where Watermark is processing Usage Data. In Clause II(h), Watermark will process personal data in accordance with the data processing principles set forth in Annex A of the UK Controller to Controller SCCs. The illustrative commercial clause will not apply. Schedule 1 serves as Annex B of the UK Controller to Controller SCCs. Personal Data transferred under these clauses may only be disclosed to the following categories of recipients: i) Watermark’s employees, agents, affiliates, advisors and independent contractors with a reasonable business purpose for needing such personal data; ii) Watermark vendors that, in their performance of their obligations to Watermark, must process such personal data acting on behalf of and according to instructions from Watermark; and iii) any person (natural or legal) or organization to whom Watermark may be required by applicable law or regulation to disclose personal data, including law enforcement authorities, central and local government.

3. The 2021 Standard Contractual Clauses. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will apply in the following manner:

a. Module One (Controller to Controller) will apply where Organization is a controller of Usage Data and Watermark is a controller of Usage Data.

b. Module Two (Controller to Processor) will apply where Organization is a controller of Organization Data and Watermark is a processor of Organization Data;

c. Module Three (Processor to Processor) will apply where Organization is a processor of Organization Data and Watermark is a sub-processor of Organization Data;

d. For each Module, where applicable:

  1. in Clause 7, the optional docking clause will not apply;
  2. in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set forth in Section 7 (Subprocessing) of this Addendum;
  3. in Clause 11, the optional language will not apply;
  4. in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law;
  5. in Clause 18(b), disputes will be resolved before the courts of Ireland;
  6. In Annex I, Part A:

Data Exporter: Organization and authorized affiliates of Organization.

Contact Details: Organization’s account owner email address, or to the email address(es) for which Organization elects to receive privacy communications.

Data Exporter Role: The Data Exporter’s role is outlined in Section 4 of this Addendum.

Signature & Date: _______________________________________________________________________

By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

Data Importer: Watermark Insights, LLC

Contact Details: Watermark Privacy Team – privacy@watermarkinsights.com

Data Importer Role: The Data Importer’s role is outlined in Section 4 of this Addendum.

Signature & Date _______________________________________________________________________ Watermark Legal: _____

By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

(vii) In Annex I, Part B: The categories of data subjects are described in Schedule 1, Section 4. The sensitive data transferred is described in Schedule 1, Section 6. The frequency of the transfer is a continuous basis for the duration of the Agreement. The nature of the processing is described in Schedule 1, Section 1. The purpose of the processing is described in Schedule 1, Section 1. The period of the processing is described in Schedule 1, Section 3.

(viii) In Annex I, Part C: The Irish Data Protection Commission will be the competent supervisory authority.

(ix) Schedule 2 serves as Annex II of the Standard Contractual Clauses.

4. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this Addendum, including Schedule 4 (Jurisdiction Specific Terms), the provisions of the Standard Contractual Clauses will prevail.

SCHEDULE 4

JURISDICTION SPECIFIC TERMS

1. California, United States

a. The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act of 2018 (CCPA).

b. The terms “business”, “commercial purpose”, “service provider”, “sell” and “personal information” have the meanings given in the CCPA.

c. With respect to Organization Data, Watermark is a service provider under the CCPA.

d. Watermark will not (a) sell Organization Data; (b) retain, use or disclose any Organization Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing the Organization Data for a commercial purpose other than providing the Services; or (c) retain, use or disclose the Organization Data outside of the direct business relationship between Watermark and Organization.

e. The parties acknowledge and agree that the Processing of Organization Data authorized by Organization’s instructions described in Section 6 of this Addendum is integral to and encompassed by Watermark’s provision of the Services and the direct business relationship between the parties.

f. Notwithstanding anything in the Agreement or any Order Form entered in connection therewith, the parties acknowledge and agree that Watermark’s access to Organization Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.

g. To the extent that any Usage Data (as defined in the Agreement) is considered Personal Data, Watermark is the business with respect to such data and will Process such data in accordance with its Privacy Policy, which can be found at https://www.watermarkinsights.com/privacy-policy/.

2. China

The People’s Republic of China Personal Information Protection Law (PIPL). For the sake of clarity, Watermark’s obligations under this DPA shall only apply where PIPL requires that Watermark as an “Entrusted Person” have in place with a “Personal Information Handler”, as an “Entrusted Person” and “Personal Information Handler” are referenced in the PIPL.

3. European Economic Area (EEA)

a. The definition of “Applicable Data Protection Laws” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).

b. When Watermark engages a Subprocessor under Section 7 (Subprocessing), it will:

  1. require any appointed Subprocessor to protect Organization Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
  2. require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.

c. GDPR Penalties. Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.

4. Switzerland

a. The definition of “Applicable Data Protection Laws” includes the Swiss Federal Act on Data Protection.

b. When Watermark engages a Subprocessor under Section 7 (Subprocessing), it will:

  1. require any appointed Subprocessor to protect Organization Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
  2. require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.

5. United Kingdom

a. References in this Addendum to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).

b. When Watermark engages a Subprocessor under Section 7 (Subprocessing), it will:

  1. require any appointed Subprocessor to protect Organization Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
  2. require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.

[End]
