Data Processing Addendum

This Data Processing Addendum (this “Addendum”) is by and between risk3sixty LLC (“risk3sixty”) and the company contracting with risk3sixty (“Customer”), including any annex hereto, and forms part of the agreement between Customer and risk3sixty pursuant to which risk3sixty provides software-as-a-service products, such as FullCircle GRC, to Customer (“Terms of Service”). This Addendum sets forth the privacy and information security obligations of each Party with respect to any Personal Data disclosed or made accessible to risk3sixty by Customer pursuant to the Terms of Service. risk3sixty and Customer may hereafter be referred to individually as a “Party” and collectively as “Parties.” The Parties intend that the Terms of Service and this Addendum, to the maximum extent practical, shall be construed in a manner that yields the greatest internal consistency between and among them. Subject to the foregoing, in the event of a conflict between the terms of the Terms of Service and the terms of this Addendum, the terms of the Addendum shall control relative to any matters pertaining to the subject matter hereof (i.e., data privacy and information security controls).

1. Definitions. Shall be as set forth herein or as set forth in the Applicable Privacy Laws:

1.1 “Affiliate” means, with respect to a Party, its subsidiary or person Controlling, Controlled by, or under common Control with, such Party.

1.2 “Applicable Privacy Laws” means all laws and regulations applicable to the processing of Personal Data, including but not limited to, the California Privacy Rights Act (“CPRA”), those of the European Union, the European Economic Area and each of their member states, the United Kingdom, and the United States (in each case, as applicable, amended, adopted, or superseded from time to time), taking into account the type of data, practices, industries and territories relevant to the Terms of Service.

1.3 “Claims” means any actual or threatened direct losses, liability, claims, damages, penalties, costs, fees, fines, levies, assessments or expenses (including without limitation, reasonable attorneys’ fees and costs) arising from or incurred in connection with any investigations, litigation, settlement, judgment, interest, remedies, consent decree or other penalties.

1.4 “Control” and its derivatives means the legal, beneficial or equitable ownership, directly or indirectly, of more than fifty percent (50%) of the outstanding voting capital stock (or other ownership interest, if not a corporation) of an entity, or actual managerial or operational control over such entity.

1.5 “Controller” means the Party that determines the purposes and means of the processing of Personal Data.

1.6 “Data Subjects” means any person whose Personal Data is being processed.

1.7 “Personal Data” or any similar terminology (e.g., personal information, personally identifiable information) shall be interpreted consistent with Applicable Privacy Laws. Unless otherwise provided in the Terms of Service, Customer will have the exclusive authority to determine the purposes for processing Personal Data for which Customer is the Controller.

1.8 “Personnel” means the employees, directors and officers, contractors, consultants, legal and financial advisors and other representatives of a Party, as applicable.

1.9 “Process” is any operation or set of operations that are performed on Personal Data, by either automated or non-automated means.

1.10 “Processor” means a natural or legal person, public authority, agency, or other body which processes (e.g., collects, uses, stores, deletes and/or shares) Personal Data on behalf of the Controller.

1.11 “Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

1.12 “Third Party” means any party that is neither a Party to the Terms of Service or this Addendum nor an Affiliate of a Party.

2. Controller and Processor Relationship.

2.1 In accordance with the Applicable Privacy Laws, the Parties acknowledge and agree that for purposes of the Terms of Service and this Addendum: (i) Customer is the sole Controller of the Personal Data and risk3sixty is the Processor (also known as a service provider); and (ii) risk3sixty shall not Process Personal Data other than for the Permitted Purposes (as defined in Section 3.1), or as mutually agreed and amended in writing by the Parties.

2.2 Under the Terms of Service, risk3sixty may also provide services to Customer’s Affiliates. In such circumstances, where risk3sixty Processes Personal Data on behalf of a Customer Affiliate, the Customer Affiliate shall also be a Controller of the Personal Data for the purposes of Section 2.1, and in these cases, such Customer Affiliate shall have the same rights that Customer has under this Addendum. The Parties acknowledge and agree that Personal Data is necessary to fulfill the Permitted Purposes, and that the Personal Data is not being provided to risk3sixty in exchange for monetary or other valuable consideration.

3. Obligations for Personal Data. The Parties each agree that:

3.1 Permitted Purposes. In accordance with the Applicable Privacy Laws, risk3sixty’s Processing of Personal Data is strictly limited to the purposes specified in the Terms of Service, for limited business purposes as may be permitted by Applicable Privacy Laws, or as otherwise directed by authorized Personnel of Customer in writing (the “Permitted Purposes”).

3.2 Compliance with Law. Each Party shall comply with all applicable laws, including Applicable Privacy Laws, with respect to its performance under the Terms of Service and this Addendum and shall not cause the other Party to violate Applicable Privacy Laws.

3.3 Security Program. risk3sixty has in place an information security program that includes industry-recognized administrative, technical, and physical safeguards designed to ensure the confidentiality, security, and integrity of Personal Data (“Security Program”).

3.4 Controller Representations. Customer hereby represents and warrants that it has obtained any Personal Data that it provides to risk3sixty in accordance with all Applicable Privacy Laws and its own privacy policy, which is also compliant with Applicable Privacy Laws.

4. Internal Controls.

4.1 Security Controls. risk3sixty shall maintain appropriate technical and organizational measures for protection of the security of Personal Data (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration or damage, or unauthorized disclosure of, or access to, Personal Data), which are commercially reasonable, given the nature and type of Personal Data it is Processing.

4.2 Access Controls. risk3sixty shall implement appropriate access controls restricting access to Personal Data to only those employees, agents, and sub-contractors which reasonably need such access in order to perform risk3sixty’s obligations under the Terms of Service.

4.3 Encryption. risk3sixty shall take commercially reasonable steps designed to ensure that Customer’s Personal Data, when in risk3sixty’s control, is protected against unauthorized access and use, including by appropriate encryption, tokenization, or other substantially similar safeguards.

4.4 Data Requests. risk3sixty shall promptly inform Customer in writing of any requests, complaints, or enquiries under Applicable Privacy Laws with respect to Personal Data received from Data Subjects or regulators/similar bodies, and shall provide Customer with such assistance as is reasonably necessary to enable Customer to respond to such requests within the timeframe required by the Applicable Privacy Laws. Where risk3sixty is not permitted to inform Customer of the existence of such Data Subject request due to the nature of the request (e.g., from regulators or similar bodies), then risk3sixty will object to the disclosure of Personal Data pursuant to such request by notifying the requestor that the Personal Data is owned and controlled by the Customer and not by risk3sixty. For the avoidance of doubt, the foregoing is intended to address a request that risk3sixty reasonably believes is an assertion of rights under Applicable Privacy Laws and not intended to apply to ordinary-course interactions between risk3sixty and a Data Subject (e.g., where a Data Subject contacts risk3sixty to make an update to his/her Personal Data on file).

4.5 Third Party Processing. To the extent required to perform obligations under the Terms of Service, risk3sixty may engage a Third Party processor (“Third Party Processor”) subject to the provisions of this Section 4.5. Should risk3sixty’s performance under the Terms of Service require it to provide a Third Party Processor access to Personal Data, risk3sixty shall: (i) enter into a written agreement with the Third Party Processor pursuant to which the Third Party Processor is required to provide at least the same level of privacy protection as is required by this Addendum; (ii) transfer the Personal Data to the Third Party Processor only for the Permitted Purposes; (iii) take reasonable steps to ensure that the Third Party Processor effectively Processes the Personal Data transferred in a manner consistent with Applicable Privacy Laws; (iv) require the Third Party Processor to notify risk3sixty if the Third Party Processor determines it can no longer meet its obligation to provide the same level of protection consistent with the Applicable Privacy Laws; and (v) take reasonable and appropriate steps to stop and remediate unauthorized Processing hereunder of which it becomes aware.

risk3sixty’s current Third Party Processor list is available at the following URL: https://risk3sixty.com/privacy-policy. Customer hereby authorizes risk3sixty to use such Third Party Processors. Customer will be notified of any proposed use of new Third Party Processors through risk3sixty’s automatic email subscription process for such notifications. If Customer objects in writing to risk3sixty’s proposed use of a new Third Party Processor, risk3sixty will use reasonable efforts to refrain from permitting such proposed Third Party Processor to Process the Personal Data. If risk3sixty determines that it is unable to refrain from using such new Third Party Processor to perform its obligations pursuant to the Terms of Service, risk3sixty shall notify Customer of such determination. Upon receipt of such notice, Customer may (in its sole determination) elect to terminate all or part of the Terms of Service without penalty or liability, upon thirty (30) days’ written notice of such termination to Customer. risk3sixty shall be liable for the acts and omissions of its Third Party Processors to the same extent risk3sixty would be liable if performing the services of each Third Party Processor directly under the terms of this Addendum, unless otherwise set forth in the Terms of Service.

4.6 Compliance. Each Party shall be responsible, and remain liable to the other Party, for its employees’ compliance with the terms of this Addendum, to the same extent that it itself would be liable hereunder.

4.7 Information Security Incident. risk3sixty will inform Customer within forty-eight (48) hours of risk3sixty’s knowledge of any confirmed loss or unauthorized Processing, use, disclosure, or acquisition of or access to any Customer Personal Data in risk3sixty’s possession, custody, or control (an “Information Security Incident”). risk3sixty will provide such notice via email to its ordinary contact at Customer (or such other email address as Customer may designate to risk3sixty), will promptly take all reasonable and advisable corrective actions, and will cooperate with Customer in reasonable and lawful efforts to investigate, mitigate, and prevent recurrence of the Information Security Incident.

4.8 Retention. risk3sixty shall retain Personal Data only for as long as necessary to fulfill its obligations pursuant to the Terms of Service or as required by applicable laws or its data retention policies. Upon Customer’s written request and following expiration or termination of the Terms of Service, risk3sixty will return, or at Customer’s request, securely destroy, any Personal Data in risk3sixty’s possession, custody, or control, and certify in writing that such return or secure destruction has occurred.

4.9 Re-identification. risk3sixty will not, and will not allow Third Parties to, re-identify any Customer information that has been anonymized or de-identified, such that it would be considered Personal Data under Applicable Privacy Laws.

5. Specific CPRA Requirements.

5.1 To the extent that risk3sixty’s Processing of Personal Data is subject to the CPRA, this Section 5.1 shall apply. For purposes of the CPRA, Customer is the “business,” and risk3sixty is the “service provider.”

5.2 Customer discloses or otherwise makes available Personal Data to risk3sixty for the limited and specific purpose of risk3sixty providing services to Customer in accordance with the Terms of Service and this Addendum. risk3sixty shall: (i) comply with its applicable obligations under the CPRA; (ii) provide the same level of protection as required under the CPRA; (iii) notify Customer if it can no longer meet its obligations under the CPRA; (iv) not “sell” or “share” (as such terms are defined by the CCPA and/or the CPRA) Personal Data; (v) not retain, use, or disclose Personal Data for any purpose other than to provide services to Customer under the Terms of Service or as otherwise permitted under the CPRA; (vi) not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and risk3sixty; and (vii) unless otherwise permitted by the CPRA, not combine Personal Data with data that risk3sixty (a) receives from, or on behalf of, another person or (b) collects from its own, independent consumer interaction. Customer may: (i) take reasonable and appropriate steps agreed upon by the Parties to help ensure that risk3sixty Processes Customer Personal Data in a manner consistent with the Customer’s CPRA obligations; and (ii) upon notice, take reasonable and appropriate steps agreed upon by the Parties to stop and remediate unauthorized Processing of Customer Personal Data by risk3sixty.

6. Europe Specific Provisions.

6.1 Data Transfer Mechanism. The transfer of Personal Data from the European Economic Area (“EEA”), the United Kingdom or Switzerland to a country located outside of the EEA will be subject to the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as annexed to Commission Implementing Decision 2021/914 (“SCCs”), which are incorporated into this Addendum by this reference.

6.2 Application of SCCs. Module Two (Data Controller to Data Processor) will apply to a Data Transfer when Customer is a Data Controller. Module Three (Data Processor to Data Processor) will apply to a Data Transfer when Customer is a Data Processor.

7. Indemnity.

7.1 risk3sixty Indemnity. In addition to any indemnification obligations stated in the Terms of Service, but subject to the limitations of liability set forth therein, risk3sixty shall indemnify, defend, and hold harmless Customer and its officers, directors, and employees against any and all Third Party Claims, including Notification Related Costs, in connection with an Information Security Incident caused by a material breach by risk3sixty of its obligations in this Addendum or Applicable Privacy Laws.

7.2 Customer Indemnity. In addition to any indemnification obligations stated in the Terms of Service, Customer shall indemnify, defend, and hold harmless risk3sixty and its officers, directors, and employees against any and all Third Party Claims, including Notification Related Costs, caused by a material breach by Customer of its obligations in this Addendum or Applicable Privacy Laws.

7.3 For purposes of this Addendum, “Notification Related Costs” means a Party’s reasonably incurred internal and external costs associated with investigating, addressing, and responding to an Information Security Incident, including but not limited to: (i) preparation and mailing or other transmission of notifications or other communications to consumers, employees or others, as legally required; (ii) establishment of a call center or other communications procedures in response to such Information Security Incident, as legally required; (iii) public relations and other similar crisis management services; (iv) reasonable legal, consulting and accounting fees and expenses associated with such Party’s investigation of and response to such event; and (v) costs for commercially reasonable credit reporting and monitoring services that are associated with legally required notifications.