Data Processing Addendum
Part A
Where the Client is subject to the Data Protection Laws (as defined herein), the Parties adopt this Part A of this Data Processing Addendum for so long as Ometria processes personal data (as defined herein) on behalf of the Client. This Part A prevails over any conflicting terms of the Agreement.
1 Definitions
1.1 A defined term shall have the meaning given to it in the Agreement unless otherwise defined in this Part A of the Data Processing Addendum.
1.2 In this Part A of the Data Processing Addendum:
Agreement means the agreement between Ometria and the Client for the supply of the Ometria Service to the Client;
Data Protection Laws means as applicable and binding on either party or the processing activities and as amended from time to time:
(a) the GDPR;
(b) the Data Protection Act 2018;
(c) the FADP;
(d) Directive 2002/58/EC;
(e) any laws which implement any such laws;
(f) any laws that replace, extend, re-enact, consolidate or amend any of the foregoing; and
(g) all other applicable laws relating to the processing of personal data and privacy that may exist in any relevant jurisdiction;
Data Protection Losses means all liabilities, including all:
(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
(b) to the extent permitted by Applicable Law:
(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
(ii) compensation which is ordered by a court or Supervisory Authority to be paid to a Data Subject; and
(iii) the reasonable costs of compliance with investigations by a Supervisory Authority;
Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Chapter III of the GDPR;
EU personal data means personal data to which data protection legislation of the European Union, or of a Member State of the European Union or European Economic Area, was applicable prior to its processing by Ometria;
FADP means the Swiss Federal Act on Data Protection;
GDPR means, as applicable to either party or the Services from time to time:
(a) the General Data Protection Regulation, Regulation (EU) 2016/679; or
(b) the UK GDPR;
Protected Area means:
(a) in the case of EU personal data, the member states of the European Union and the European Economic Area and any country, territory, sector or international organisation in respect of which an adequacy decision under Art 45 GDPR is in force;
(b) in the case of UK personal data, the United Kingdom and any country, territory, sector or international organisation in respect of which an adequacy decision under United Kingdom adequacy regulations is in force; and
(c) in the case of Swiss personal data, any country, territory, sector or international organisation which is recognised as adequate under the laws of Switzerland;
Relevant Law means:
(a) in the case of EU personal data, any legislation of the European Union, or of a Member State of the European Union or European Economic Area;
(b) in the case of UK personal data, any legislation of any part of the United Kingdom; and
(c) in the case of Swiss personal data, any legislation of Switzerland;
Standard Contractual Clauses mean:
(a) in respect of EU personal data, the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, including the text from module three of such clauses to the extent Ometria is acting as processor and it is appointing a sub-processor, and not including any clauses marked as optional (EU Standard Contractual Clauses);
(b) in respect of Swiss personal data, the EU Standard Contractual Clauses, provided that any references in the clauses to the GDPR shall refer to the FADP; the term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the clauses; and the clauses shall also protect the data of legal persons until the entry into force of the revised FADP; and/or
(c) in respect of UK personal data, the UK IDT Addendum;
Security Breach means the actual loss, unintended destruction or damage, compromise, alteration, or theft of personal data, or any incident or set of events which has given rise to a personal data breach;
Supervisory Authorities means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;
Transfer bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR (and related terms such as Transfers, Transferred and Transferring have corresponding meanings);
UK GDPR means the GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended); and
UK IDT Addendum means the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version 21st March 2022) laid before Parliament in accordance with s119A of the Data Protection Act 2018.
controller, processor, data subject, personal data, processing, sub-processor and appropriate technical and organisational measures shall be interpreted in accordance with the GDPR.
2 Processor and Controller
2.1 Ometria does not claim ownership in the personal data.
2.2 The parties acknowledge that for the purposes of the Data Protection Laws, the Client is the controller and Ometria is the processor in connection with the personal data.
2.3 To the extent that the Client is not the sole controller of any personal data it warrants that it has full authority and authorisation from all relevant controllers to instruct Ometria to process the personal data in accordance with the Agreement.
3 Compliance with Laws
3.1 Ometria shall process personal data in compliance with the obligations of processors under the Data Protection Laws in respect of the performance of its obligations under the Agreement. Appendix I describes the scope, nature and purpose of the processing by Ometria, the duration of the processing, the types of personal data, and the categories of data subjects.
3.2 Ometria shall process the personal data on the documented instructions of the Client unless Ometria is required by the Data Protection Laws to otherwise process personal data.
3.3 For the purposes of paragraph 3.2, the following are deemed an instruction by the Client to Ometria to process personal data:
(a) Processing to deliver the Ometria Service to the Client in accordance with the Agreement and applicable Order Form(s);
(b) Processing initiated by the Client or Users in using the Ometria Services; and
(c) The general authorisation given in clause 7.1 to appoint sub-processors.
3.4 To the extent that Ometria cannot comply with the Client’s instructions without incurring material additional costs, Ometria shall:
(a) immediately inform the Client, giving details of the problem; and
(b) cease all processing of the affected data (other than securely storing those data) until revised instructions are received.
3.5 Any changes to the pricing structure or commercial relationship between the parties by virtue of a change in written instructions as envisaged by paragraph 3.2 shall be negotiated in good faith between the parties.
3.6 Where Ometria is relying on Relevant Law as the basis for processing personal data, Ometria shall promptly notify the Client of this before performing the processing required by the Data Protection Laws unless those laws prohibit Ometria from notifying the Client.
3.7 Where Ometria reasonably considers that an instruction of the Client infringes the Data Protection Laws or other Union, Member State or national data protection provisions, it shall immediately inform the Client of its opinion and cease processing the personal data based on that instruction (other than securely storing those data).
3.8 The Client shall process personal data in compliance with the obligations of controllers under the Data Protection Laws in respect of its use of the Ometria Service and the performance of its obligations under the Agreement.
3.9 The Client shall provide Ometria with such information as it requires for it to comply with Article 30 of the GDPR and shall make such information available to the Supervisory Authorities.
3.10 In using the Ometria Service, the Client warrants that it shall ensure fair processing and appropriate notices shall be provided to the data subjects (and all necessary consents from such data subjects obtained and at all times maintained) to the extent required by the Data Protection Laws in connection with all personal data processing activities undertaken by Ometria and its sub-processors.
3.11 The Client shall, if applicable, appoint a representative in the EU or UK as required by Article 27 of the GDPR and provide details to Ometria at dpo@ometriaold.wpenginepowered.com.
4 Security
4.1 Ometria shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Such measures shall be appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. Such measures are set out in Appendix III.
4.2 Ometria shall ensure that its personnel who have access to and/or process personal data are obliged to keep the personal data confidential.
5 Assistance to the Client
5.1 Ometria shall assist the Client in responding to a Data Subject Request and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators. Ometria may charge the Client for its assistance under this paragraph 5.1, which shall be calculated in accordance with Ometria’s standard daily fees as amended from time to time.
5.2 Ometria shall promptly notify the Client in writing without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Security Breach.
5.2.1 Within such written notice, Ometria shall detail, where known, the nature of the breach including categories and approximate numbers of data subjects concerned as well as categories and approximate numbers of personal data records, the extent and likely consequences of the breach and describe any measures taken or proposed to be taken by Ometria to address the breach, including measures to mitigate the impact of such breach.
5.2.2 Any notice under this paragraph 5.2 by Ometria or a response to a Personal Data breach shall not be construed as an admission of fault or liability by Ometria.
5.3 At the written direction of the Client, Ometria shall delete or return Personal Data and copies thereof to the Client on termination of the agreement as soon as reasonably practicable and within a maximum period of 60 days, unless required by Relevant Law or as Ometria may deem necessary to prosecute or defend any legal claim, in which case Ometria may retain Client Data for a reasonable period of time pending resolution of such obligation or issue.
5.4 Ometria shall maintain all necessary information to demonstrate its compliance with Article 28 of the GDPR and, at the cost of the Client, make such information available to the Client.
5.5 Ometria shall allow for annual audits by the Client or the Client’s designated auditor. Ometria may charge the Client for its assistance under this paragraph 5.5, which shall be calculated in accordance with Ometria’s standard daily fees as amended from time to time.
5.6 The Client must send any requests to conduct audits to dpo@ometriaold.wpenginepowered.com.
5.7 Ometria and the Client shall agree in advance the:
(a) dates and times of the audit;
(b) scope of audit; and
(c) personnel conducting the audit.
5.8 If Ometria reasonably considers the auditor not to be suitably qualified or independent, to be acting for a competitor of Ometria, or to be manifestly unsuitable, the Client shall appoint a different auditor or undertake the audit itself.
5.9 No audit shall commence without the Client first entering into a non-disclosure agreement with Ometria, on Ometria’s terms, which shall, if applicable, contain direct covenants to be entered into by the Client’s designated auditor.
6 International Transfers
6.1. Subject to clauses 6.2 to 6.7 inclusive, the Client consents to personal data that Ometria processes on the Client’s behalf being processed by Ometria or its sub-processors outside of the Protected Area.
6.2. If the Data Protection Laws restrict Transfers of personal data, the Client will only Transfer that personal data to Ometria if Ometria, either through its location or participation in a valid cross-border transfer mechanism under the Data Protection Laws, may legally receive that personal data.
6.3. To the extent that Ometria is relying upon Standard Contractual Clauses or another specific statutory mechanism to normalise a Transfer and those mechanisms are subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, Client and Ometria agree to cooperate in good faith to promptly suspend the Transfer or to pursue a suitable alternative mechanism that can lawfully support the Transfer.
6.4. Ometria may only process, or permit the processing, of personal data by the Ometria Services in respect of a Transfer under the following conditions:
(a) Where the European Commission or the UK (as applicable) has found that the relevant countries provide adequate protection for the privacy rights of data subjects;
(b) In the absence of an adequacy decision, where appropriate safeguards have been provided by the controller or processor established in third countries which do not ensure an adequate level of data protection, and who receive the personal data by way of a valid transfer mechanism under Article 46(2) of the Data Protection Laws.
6.5. The Standard Contractual Clauses shall apply only to personal data that is transferred in circumstances such that, absent of the protections afforded by the Standard Contractual Clauses, such transfer and/or subsequent processing would contravene Data Protection Laws, including with respect to transfers of personal data to a third country. Ometria shall not be under an obligation to use the Standard Contractual Clauses where Ometria has adopted Binding Corporate Rules with its processors or otherwise adopts an alternative and compliant transfer mechanism.
6.6. If any Transfer of personal data between Ometria and the Client requires execution of the Standard Contractual Clauses, or execution of successors or addenda to the Standard Contractual Clauses to comply with the Data Protection Laws, the parties will complete all relevant details in, and execute, the applicable Standard Contractual Clauses or addenda, and take all other actions required to legitimise the Transfer.
6.7. Where necessary, Client authorises Ometria to enter into the applicable form of the relevant Standard Contractual Clauses with sub-processors on behalf of the Client (in which case Client will no longer require to enter into direct agreements itself with such sub-processors). Ometria will make the executed applicable Standard Contractual Clauses available to Client on request.
7 Sub-processors
7.1 By entering into the Agreement, the Client authorises and instructs Ometria to transfer Personal Data to its current third party sub-processors, including third parties providing hosting, infrastructure, maintenance and other services to Ometria as required in order to provide the Ometria Service (whether within or outside the Protected Area) as described in Appendix II. Before adding or replacing sub-processors to its portfolio of sub-processors, Ometria shall give the Client at least twenty-one (21) days’ notice in advance of any intended change (Change Date).
(a) If the Client objects to the intended addition or replacement of a sub-processor, the Client shall notify Ometria at least fourteen (14) days before the Change Date. Ometria shall not implement the change and shall cease all Processing of the Client’s data (other than securely storing those data) from the Change Date.
(b) Provided that at least fourteen (14) days’ notice has been given by the Client as required by clause 7.1(a), the Client may terminate the Agreement.
7.2 When engaging sub-processors to process personal data, Ometria shall enter into contracts that impose data protection obligations set out in Article 28(3) of the GDPR on such sub-processors.
7.3 Ometria shall remain liable for all obligations subcontracted to, and all acts and omissions, of the sub-processor.
8 Post-Termination
8.1 Ometria shall use reasonable efforts to permit the Client to download any Personal Data from the Ometria Service for a period of fifteen (15) days after the expiry or termination (howsoever caused) of the Agreement.
8.2 If written notice has not been received under clause 5.3 or fifteen (15) days have passed as envisaged by clause 8.1, the Client agrees that Ometria may delete any Client Data at any time on or after the effective date of termination or expiry of the Agreement without liability to the Client.
9 Indemnity
9.1 Subject to the cap on liability set out in clause 15 of the Agreement:
(a) The Client shall indemnify and keep indemnified Ometria in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, Ometria and any sub-processor arising from or in connection with any:
(i) non-compliance by the Client with the Data Protection Laws;
(ii) processing carried out by Ometria or any sub-processor pursuant to any processing instruction that infringes any Data Protection Law; or
(iii) breach by the Client of any of its obligations under clauses 1 to 10 (inclusive), except to the extent Ometria is liable under clause 9.1(b).
(b) Ometria shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with this Part A of this addendum to the extent caused by the processing directly resulting from Ometria’s breach of clauses 1 to 10 (inclusive); and in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of this Part A of this addendum by the Client.
9.2 If a Party receives a compensation claim from a person relating to processing of personal data, it shall promptly provide the other party with notice and full details of such claim.
9.3 The Parties agree that the Client shall not be entitled to claim back from Ometria any part of any compensation paid by the Client in respect of such damage to the extent that the Client is liable to indemnify or otherwise compensate Ometria in accordance with clause 9.1(a).
9.4 This clause 9 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to data subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
(a) to the extent not permitted by Applicable Law (including Data Protection Laws); and
(b) that it does not affect the liability of either Party to any data subject.
10 Survival of data protection provisions
10.1 Clauses 1 to 8 (inclusive) shall survive expiry or termination (for any reason) of the Agreement and continue until no personal data remains in the possession or control of Ometria. The termination or expiry of such processing shall be without prejudice to any accrued rights or remedies of either Party under any such clauses at the time of such termination or expiry.
10.2 Clauses 9 to 10 (inclusive) shall survive expiry or termination (for any reason) of the Agreement and continue indefinitely.
Part B: U.S. State Privacy Law Data Processing Addendum
Where the Client is subject to the State Privacy Laws (as defined herein), the Parties adopt this U.S. State Privacy Law Data Processing Addendum (U.S. State DPA) for so long as Ometria processes Personal Data (as defined herein) on behalf of the Client. This Part B prevails over any conflicting terms of the Agreement.
1. Definitions. For the purposes of this U.S. State DPA:
1.1 A defined term shall have the meaning given to it in the Agreement unless otherwise defined in this Part B of the Data Processing Addendum.
1.2 In this Part B of the Data Processing Addendum:
Client Personal Data means Personal Data provided by Client to, or which is collected on behalf of the Client by, Ometria to provide services to the Client pursuant to the Agreement.
Consumer has the meaning defined in the State Privacy Laws.
Controller means Controller or Business as those terms are defined in the State Privacy Laws.
Personal Data means Personal Data or Personal Information as those terms are defined in the State Privacy Laws.
Personal Data Protection Losses means all liabilities, including all:
(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
(b) to the extent permitted by State Privacy Laws:
(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a privacy regulator;
(ii) compensation which is ordered by a court or privacy regulator to be paid to a Consumer; and
(iii) the reasonable costs of compliance with investigations by a privacy regulator;
Processing, Process, and Processed have the meaning defined in the State Privacy Laws.
Processor means Processor, Service Provider, or Contractor as those terms are defined in the State Privacy Laws.
Sale and Selling have the meaning defined in the State Privacy Laws.
Share, Shared, and Sharing have the meaning defined in the CPRA.
State Privacy Laws means, collectively, all U.S. state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals’ Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health or biometric information). State Privacy Laws include the following:
(a) California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (California Civil Code §§ 1798.100 to 1798.199) (CPRA);
(b) Colorado Privacy Act (Colorado Rev. Stat. §§ 6-1-1301 to 6-1-1313) (ColoPA);
(c) Connecticut Personal Data Privacy and Online Monitoring Act (Public Act No. 22-15) (CPOMA);
(d) Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 to 13-61-404) (UCPA); and
(e) Virginia Consumer Data Protection Act (Virginia Code Ann. §§ 59.1-575 to 59.1-585) (VCDPA).
1.3 In the event of a conflict in the meanings of defined terms in the State Privacy Laws, the meaning from the law applicable to the state of residence of the relevant Consumer applies.
2. Scope, Roles, and Termination
2.1. Applicability – This U.S. State DPA applies only to Ometria’s Processing of the Client Personal Data for the nature, purposes, and duration set forth in Appendix I.
2.2. Roles of the Parties – For the purposes of the Agreement and this U.S. State DPA, the Client is the Party responsible for determining the purposes and means of Processing Client Personal Data as the Controller and appoints Ometria as a Processor to Process the Client Personal Data on behalf of the Client for the limited and specific purposes set forth in Appendix I.
2.3. Obligations at Termination – Upon termination of the Agreement, except as set forth therein or herein, Ometria will discontinue Processing and destroy or return the Client Personal Data in its or its subcontractors’ and sub-processors’ possession without undue delay. Ometria may retain the Client Personal Data to the extent required by law but only to the extent and for such period as required by such law and always provided that Ometria shall ensure the confidentiality of all such Client Personal Data.
3. Compliance
3.1. Compliance with Obligations – Ometria, its employees, agents, subcontractors, and sub-processors (a) shall comply with the obligations of the State Privacy Laws, (b) shall provide the level of privacy protection required by the State Privacy Laws, and (c) shall provide the Client with all reasonably requested assistance to enable the Client to fulfill its own obligations under the State Privacy Laws. Upon the reasonable request of the Client, Ometria shall make available to the Client all information in Ometria’s possession necessary to demonstrate Ometria’s compliance with this subsection.
3.2. Compliance Assurance – The Client has the right to take reasonable and appropriate steps to ensure that Ometria uses the Client Personal Data consistent with the Client’s obligations under applicable State Privacy Laws.
3.3. Compliance Monitoring – The Client has the right to monitor Ometria’s compliance with this U.S. State DPA through measures, including, but not limited to, ongoing manual reviews, automated scans, regular assessments, audits, or other annual technical and operational testing at least once every 12 months. Ometria shall cooperate fully with any audit initiated by the Client, provided that such audit will not unreasonably interfere with the normal conduct of Ometria’s business and the scope of the audit is first agreed between the Parties. Unless the audit reveals a breach by Ometria of this U.S. State DPA or applicable State Privacy Laws, the Client shall bear the costs of the audit. Alternatively, Ometria may arrange for a qualified and independent auditor to conduct, at least annually and at Ometria’s expense, an audit of Ometria’s policies and technical and organizational measures in support of the obligations under this U.S. State DPA using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. Ometria shall provide a report of the audit to the Client upon request.
3.4. Compliance Remediation – Ometria agrees to notify Client no later than five business days after determining that it can no longer meet its obligations under applicable State Privacy Laws. Upon receiving notice from Ometria in accordance with this subsection, the Client may direct Ometria to take reasonable and appropriate steps to stop and remediate unauthorised use of the Client Personal Data.
3.5. Security – Ometria and the Client shall implement and maintain no less than commercially reasonable security procedures and practices, appropriate to the nature of the information, to protect the Client Personal Data from unauthorized access, destruction, use, modification, or disclosure.
4. Restrictions on Processing
4.1. Limitations on Processing – Ometria will Process the Client Personal Data solely as instructed in the Agreement and this U.S. State DPA. Except as expressly permitted by the State Privacy Laws, Ometria is prohibited from (i) Selling or Sharing the Client Personal Data, (ii) retaining, using, or disclosing the Client Personal Data for any purpose other than for the specific purpose of performing the Services specified in Appendix I, (iii) retaining, using, or disclosing the Client Personal Data outside of the direct business relationship between the Parties, and (iv) combining Client Personal Data with Personal Data obtained from, or on behalf of, sources other than Client, except as expressly permitted under applicable State Privacy Laws.
4.2. Confidentiality – Ometria shall ensure that its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to the Client Personal Data.
4.3. Subcontractors; Sub-processors – By entering into the Agreement, the Client authorises and instructs Ometria to transfer the Client Personal Data to its current third party sub-processors, including third parties providing hosting, infrastructure, maintenance and other services to Ometria as required in order to provide the Ometria Service as described in Appendix II. Ometria shall use its reasonable endeavors to ensure that Ometria’s subcontractors or sub-processors who Process the Client Personal Data on Ometria’s behalf agree in writing to the same or equivalent restrictions and requirements that apply to Ometria in this U.S. State DPA and the Agreement with respect to Client Personal Data, as well as to comply with the applicable State Privacy Laws.
Further, before adding or replacing sub-processors to its portfolio of sub-processors, Ometria shall give the Client at least twenty-one (21) days’ notice in advance of any intended change (Change Date).
4.4. Right to Object – If the Client objects to the intended addition or replacement of a sub-processor, the Client shall notify Ometria at least fourteen (14) days before the Change Date. Ometria shall not implement the change and shall cease all Processing of the Client’s data (other than securely storing those data) from the Change Date. Provided that at least fourteen (14) days’ notice has been given by the Client, the Client may terminate the Agreement.
5. Consumer Rights
5.1. Ometria shall provide commercially reasonable assistance to the Client for the fulfillment of the Client’s obligations to respond to State Privacy Law-related Consumer rights requests regarding the Client Personal Data.
5.2. The Client shall inform Ometria of any Consumer request made pursuant to the State Privacy Laws with which it must comply. The Client shall provide Ometria with the information necessary for Ometria to comply with the request.
6. Deidentified Data
6.1. In the event that either Party discloses or makes available Deidentified data (as such term is defined in the State Privacy Laws) to the other Party, the receiving Party shall: (i) take reasonable measures to ensure that the information cannot be associated with a Consumer or household; (ii) publicly commit to maintain and use the information in Deidentified form and not to attempt to reidentify the information, except as permitted by applicable State Privacy Laws; and (iii) contractually obligate any recipients of the information to comply with all provisions of this paragraph.
7. Sale of Data
7.1. The Parties acknowledge and agree that the exchange of the Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this U.S. State DPA.
8. Exemptions
8.1. Notwithstanding any provision to the contrary of the Agreement or this U.S. State DPA, the terms of this U.S. State DPA shall not apply to Ometria’s Processing of the Client Personal Data that is exempt from applicable State Privacy Laws.
9. Changes to Applicable Privacy Laws
9.1. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations or other laws pertaining to privacy and information security, including, where applicable, the State Privacy Laws.
10. Post-Termination
10.1 Ometria shall use reasonable efforts to permit the Client to download any Client Personal Data from the Ometria Service for a period of fifteen (15) days after the expiry or termination (howsoever caused) of the Agreement. If fifteen (15) days have passed, the Client agrees that Ometria may delete any Client Personal Data at any time on or after the effective date of termination or expiry of the Agreement without liability to the Client.
11. Indemnity
11.1 Subject to the cap on liability set out in clause 15 of the Agreement:
(a) The Client shall indemnify and keep indemnified Ometria in respect of all Personal Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, Ometria and any sub-processor arising from or in connection with any:
(i) non-compliance by the Client with the State Privacy Laws;
(ii) processing carried out by Ometria or any sub-processor pursuant to any processing instruction that infringes any State Privacy Laws; or
(iii) breach by the Client of any of its obligations under sections 1 to 10 (inclusive), except to the extent Ometria is liable under section 11.1 (b).
(b) Ometria shall be liable for Personal Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with this Part B of this addendum to the extent caused by the processing directly resulting from Ometria’s breach of sections 1 to 10 (inclusive); and in no circumstances to the extent that any Personal Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of this Part B of this addendum by the Client.
11.2 If a Party receives a compensation claim from a person relating to processing of personal data, it shall promptly provide the other Party with notice and full details of such claim.
11.3 The Parties agree that the Client shall not be entitled to claim back from Ometria any part of any compensation paid by the Client in respect of such damage to the extent that the Client is liable to indemnify or otherwise compensate Ometria in accordance with section 11.1(a).
11.4 This section 11 is intended to apply to the allocation of liability for Personal Data Protection Losses as between the Parties, including with respect to compensation to data subjects, notwithstanding any provisions under State Privacy Laws to the contrary, except:
(a) to the extent not permitted by applicable law (including State Privacy Laws); and
(b) that it does not affect the liability of either Party to any Consumer.
Survival of data protection provisions
12.1 Sections 1 to 10 (inclusive) shall survive expiry or termination (for any reason) of the Agreement and continue until no Personal Data remains in the possession or control of Ometria. The termination or expiry of such Processing shall be without prejudice to any accrued rights or remedies of either Party under any such sections at the time of such termination or expiry.
12.2 Sections 11 to 12 (inclusive) shall survive expiry or termination (for any reason) of the Agreement and continue indefinitely.
Scope, Nature etc. of Processing
Subject matter
Ometria’s provision of the Ometria Service to the Client. The Ometria Service combines the data unification and customer insight of a customer data platform with a cross-channel marketing orchestration platform, letting retail marketers unify all sources of customer data into a single view of each shopper and use Ometria’s customer intelligence layer to tailor each message to the customer via email, cell, on-site, social, direct mail and more, applying campaign segmentation, dynamic content and product recommendations.
Duration of the processing
The Term plus the period of expiry from the Term until deletion of all Personal Data by Ometria in accordance with the Terms of Service.
Nature and purpose of the processing
Ometria will Process Personal Data for the purpose of providing the Ometria Services to the Client in accordance with the Terms of Service.
Type of personal data
The Client may submit Personal Data (as part of the Client’s Data) using the Code, the extent of which is determined and controlled by the Customer in its sole discretion, which may include, but is not limited to:
– Title
– First and last name
– Contact information (e.g. email, billing address, shipping address, phone number(s))
– Gender
– Suffix
– Timezone (e.g. user preference or derived from contact information)
– IP address
– Geolocation of the customer (e.g. city, country, timezone)
– Date of birth
– Purchase history including product description and values
Categories of Data Subject
The Client may submit Personal Data (as part of the Client’s Data) using the Code, the extent of which is determined and controlled by the Customer in its sole discretion, which may include:
– Prospective customers of the Client who have unequivocally indicated their wish to receive unsolicited marketing emails from the Client
– Customers of the Client who have not objected to receiving unsolicited marketing emails at the point of purchasing goods from the Client
– Customers of the Client who receive transactional emails (including notification of abandoned baskets)
Technical and organisational measures
Ometria shall take the following technical and organisational security measures to protect Personal Data:
1. Organisational management and dedicated employees responsible for the development, implementation, and maintenance of Ometria’s information security management system.
2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Ometria, monitoring and maintaining compliance with Ometria’s policies and procedures, and reporting the condition of its information security and compliance to senior internal management.
3. Maintain information security policies and ensure that the policies and measures described therein are regularly reviewed and, where necessary, improved.
4. Communication with Ometria applications utilises cryptographic protocols such as TLS to protect information in transit over public networks.
5. Data security controls which include logical segregation of data, restricted (e.g. role-based) access and monitoring, and where applicable, utilisation of commercially available and industry-standard encryption technologies.
6. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
7. Password controls designed to manage and control password strength, and usage including prohibiting users from sharing passwords.
8. System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
9. Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Ometria possession.
10. Change management procedures and tracking mechanisms designed to test, approve and monitor changes to Ometria’s technology and information assets.
11. Incident management procedures designed to allow Ometria to investigate, respond to, mitigate and notify events related to Ometria technology and information assets.
12. Correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
13. Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
14. Business continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
15. Formal vendor management program, including vendor security reviews for critical vendors to ensure compliance with Ometria’s information security policies.
16. A Data Protection Officer who is independent and who regularly reviews Ometria’s data protection risks and controls.