Data Processing Addendum
Last Modified: February 7, 2025
This Data Processing Addendum and its annexes, as amended from time to time (“DPA”), once effective, shall be incorporated into and forms a part of the commonsku Terms between commonsku Inc. (“commonsku”) and the party accepting the Terms (“Customer”), which govern commonsku’s provision of Services to Customer (“Terms”). This DPA will be effective from the date on which Customer accepted the Terms and reflects the parties’ agreement with respect to Processing of Personal Data shared by Customer with commonsku during Customer’s use of the Services. All capitalized terms not defined in this DPA shall have the same meanings set forth in the Terms.
1. Definitions. For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.
- “Adequate Country” means any country or territory recognized as providing adequate protection for Personal Data transfers under an adequacy decision made from time to time by (as applicable): (i) the European Commission under the GDPR; or (ii) the UK's Information Commissioner's Office ("ICO") and/or under applicable UK law.
- "CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 or "CPRA").
- "Consumer”, "Business", "Sell", "Service Provider", and "Share" will have the meanings given to them in the CCPA.
- “Controller” means a natural or legal person, public authority, agency or other body which determines the purposes and means of the Processing of Personal Data.
- “Customer Personal Data” means Personal Data that commonsku Processes in its role as a data processor (or any substantially similar terms) under Data Protection Laws, as further specified in Schedule 1.
- “Data Protection Laws” means all applicable laws and regulations relating to data protection and privacy which apply to the Processing of Personal Data under this DPA, including without limitation: (i) European Data Protection Laws; (ii) the CCPA and other applicable United States federal and state privacy laws; or (iii) Canada’s Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5. (“PIPEDA”) and any similar Canadian provincial or federal privacy legislation; in each case as amended, repealed, consolidated or replaced from time to time.
- “Data Subject” means the individual to whom Personal Data relates.
- "EEA" means the European Economic Area.
- “Europe” means the EEA and/or their member states, Switzerland and the UK.
- "European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("EU GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) the EU GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); (iv) the Switzerland Federal Act on Data Protection of 19 June 1992 (SR 235.1) and its subsequent revisions (“FADP”); and (v) any and all applicable national Data Protection Laws made under, pursuant to, or that apply in conjunction with any of (i), (ii), (iii) or (iv); in each case, as may be amended, superseded or replaced.
- “Instructions” means Customer’s instructions to commonsku directing commonsku to process the Customer Personal Data as provided under the Terms, this DPA, through Customer’s use of the features and functionality of the Services or as otherwise mutually agreed by both parties in writing.
- “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under Data Protection Laws.
- “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
- “Restricted Transfer” means (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the FADP applies, a transfer of Personal Data from Switzerland to any other country which is not subject to legislation that guarantees adequate protection and/or is not recognized as providing an adequate level of data protection by the Swiss Federal Data Protection and Information Commissioner.
- “Security Incident” means a breach in security leading to any unauthorized interference with the availability of, or any unauthorized, unlawful or accidental access to, damage to, loss, misuse, destruction, alteration, acquisition or disclosure of, Customer Personal Data that may adversely affect the privacy or security of individuals or Customer Personal Data. Security Incidents do not include unsuccessful attempts or activities that do not compromise the confidentiality, availability, or integrity of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other similar incidents.
- “Sensitive Personal Data” shall have the meaning assigned to the terms “sensitive data”, “sensitive information”, “special categories of personal data”, or similar terms under Data Protection Law and, as required by Data Protection Law, shall include Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- "Standard Contractual Clauses" or “EU SCCs” means the standard contractual clauses for the transfer of Personal Data to Processors established in third countries, as approved by the European Commission via its Implementing Decision 2021/914 of 4 June 2021, as may be amended, superseded or replaced.
- “Sub-processor(s)” means authorized contractors, agents, vendors and other third-party service providers that are engaged by commonsku to Process Customer Personal Data.
- "UK" means the United Kingdom.
- "UK Addendum" means the International Data Transfer Addendum issued by the UK Information Commissioner under s.119A(1) of the Data Protection Act 2018, as may be amended, superseded, or replaced.
2. Data Handling and Access.
- Scope. This DPA applies only to Customer Personal Data and the subject matter, duration, nature and purposes of commonsku’s Processing of such Customer Personal Data. The types of Personal Data and categories of Data Subjects to be Processed are described in Annex 1 of this DPA.
- Role of the Parties. The parties acknowledge and agree that regarding the Processing of Customer Personal Data, commonsku is acting as the Processor on behalf of and under the Instructions of Customer and Customer is acting as the Controller. As between commonsku and Customer, Customer has the sole and exclusive authority to determine the purposes and means of the Processing of Customer Personal Data under this DPA.
- Compliance by commonsku. commonsku shall (i) comply with all obligations and restrictions imposed on it by Data Protection Laws in its role as Processor of Customer Personal Data; (ii) process Customer Personal Data only for the purposes described in the DPA and on behalf of and in accordance with Customer’s Instructions and Annex 1 of this DPA, except where and to the extent otherwise required by Data Protection Laws; and (iii) notify Customer immediately if commonsku determines that it can no longer meet its obligations under Data Protection Laws or this DPA. If commonsku becomes aware or believes that Customer’s Instructions infringe Data Protection Laws, commonsku will: (a) to the extent permitted by Data Protection Laws, promptly notify Customer in writing; and (b) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as Customer issues new Instructions with which commonsku is able to comply. If this provision is invoked, commonsku will not be liable to Customer under the DPA for any failure to perform the applicable Services until such time as Customer issues new lawful Instructions regarding the Processing. Notwithstanding the foregoing, Customer acknowledges that commonsku is not obligated to evaluate whether an Instruction issued by Customer complies with Data Protection Laws.
- Compliance by Customer. Customer represents and warrants that (i) it shall comply with its obligations as a Controller under all Data Protection Laws in respect of its use of the Services and any Processing Instructions it issues to commonsku; (ii) it shall have sole responsibility for the accuracy, legality, and quality of Customer Personal Data; (iii) it shall ensure that Customer has the right to transfer, or provide access to, Customer Personal Data to commonsku for processing pursuant to the Terms and this DPA; and (iv) it shall not disclose (nor permit any third party to indirectly disclose) any Sensitive Personal Data to commonsku, except for any Sensitive Personal Data expressly set out under Annex 1 hereto. Customer will inform commonsku without undue delay if Customer is not able to comply with its responsibilities under this DPA or Data Protection Laws.
3. Data Subject Rights and Cooperation.
- Data Subject Rights. commonsku agrees to comply with all reasonable instructions from Customer related to any requests from a Data Subject exercising their rights in Customer Personal Data granted to them under Data Protection Law (“Privacy Request”). commonsku shall not respond to such Privacy Requests unless instructed by Customer in writing to do so.
- Customer Compliance. Taking into account the nature of the Processing of Customer Personal Data, commonsku agrees to assist Customer, at Customer’s cost, in answering or complying with any Privacy Request. The obligations under this provision shall apply solely where and to the extent required by Data Protection Law.
4. Sub-processing.
- Permission to Appoint. Customer grants a general authorization to commonsku to appoint third parties as Sub-processors to support the performance of the Services. commonsku shall maintain a list of Sub-processors available in Annex 2 and shall provide Customer with 30 days' prior written notice if commonsku wishes to add any additional Sub-processors. If Customer has a reasonable objection to any new Sub-processor, it shall notify commonsku in writing within 15 days of the notification and the parties shall seek to resolve the matter in good faith. If Customer is not reasonably satisfied that the Sub-processor in question meets the security and privacy protection requirements of Data Protection Laws, then Customer may, as its sole remedy, prior to the end of the 30-day notice period, terminate the Terms.
- Processing under Contract. commonsku shall ensure that any Sub-processor it engages to provide an aspect of the Services on its behalf in connection with this DPA does so in accordance with written terms substantially no less protective of Personal Data than those imposed on commonsku under this DPA. Where a Sub-processor fails to fulfil its data protection obligations, commonsku shall remain fully liable to Customer for the performance of its Sub-processor obligations.
5. CCPA. The terms of this Section 5 will apply only where the CCPA is applicable to the parties.
- Roles of the Parties. When Processing Customer Personal Data in accordance with Customer’s Instructions, commonsku and Customer acknowledge and agree that Customer is a Business and commonsku is a Service Provider for the purposes of the CCPA.
- Responsibilities. commonsku confirms that commonsku will Process Customer Personal Data as a Service Provider strictly for the purpose of performing the Services under the Terms (“Business Purpose”) or as otherwise permitted by the CCPA. Further, commonsku certifies that commonsku will not: (i) Sell or Share Customer Personal Data; (ii) Process, retain, use or disclose Customer Personal Data for any purpose other than for the specific Business Purpose, or as otherwise permitted by the Terms or Data Protection Laws; (iii) Process, retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and commonsku; and (iv) combine Customer Personal Data received pursuant to the Terms with Personal Data that commonsku collects or receives from another source, except as otherwise permitted by the Terms or Data Protection Laws.
6. International Data Transfers.
- Restricted Transfers. The parties agree that when the transfer of Customer Personal Data from Customer to commonsku is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards are put in place, such transfers shall be subject to Standard Contractual Clauses, which shall be deemed incorporated by reference and form an integral part of this DPA as described further in this Section 6.
- EU GDPR Transfers. In relation to Restricted Transfers of Customer Personal Data that are protected by the EU GDPR, the Parties agree that the EU SCCs shall apply completed as follows:
- Module Two will apply;
- in Clause 7, the optional docking clause will not apply;
- in Clause 9, Option 2 will apply (general written authorization), and the time period for prior notice of Sub-processor changes shall be as set out in Section 4(a) of this DPA;
- in Clause 11, the optional language will not apply;
- in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA; and
- Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA.
- UK GDPR Transfers. In relation to Restricted Transfers of Customer Personal Data that are protected by the UK GDPR:
- the EU SCCs shall apply as completed in accordance with Section 6(b) above and shall be deemed amended as specified by the UK Addendum, which shall be deemed accepted by the parties and incorporated into and form an integral part of this DPA; and
- Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information set out in Annex I and Annex II of this DPA and the options “neither party” shall be deemed checked in Table 4.
- FADP Transfers. In relation to Restricted Transfers of Customer Personal Data that are protected by the FADP, the parties agree that the EU SCCs will apply completed as provided in Section 6(b) above, with the following changes:
- references to “Regulation (EU) 2016/679” shall be interpreted as references to the FADP;
- references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the FADP;
- references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”;
- the term “member state” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);
- in Clause 17, Option 1 will apply, and the EU SCCs shall be governed by the laws of Switzerland; and
- with respect to transfers to which the FADP applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
- Sub-processors. To the extent that the performance of this DPA and/or the Terms involves commonsku transferring any Personal Data to a Sub-processor and, without prejudice to Section 4, where such Sub-processor will process Personal Data outside the UK, Switzerland or the EEA (except if in an Adequate Country), commonsku shall in advance of any such transfer take steps to put in place a legal mechanism to achieve adequacy in respect of that Processing as required by Data Protection Laws.
7. Data Security.
- Security Measures. commonsku shall implement and maintain an information security program that complies with Data Protection Laws and good industry practice. commonsku’s information security program shall include appropriate administrative, technical, physical, organizational and operational safeguards and other security measures designed to (i) ensure the security and confidentiality of Customer Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Customer Personal Data; and (iii) protect against Security Incidents.
- commonsku Personnel. commonsku shall ensure that access to Customer Personal Data is limited to those commonsku employees, agents, and subcontractors who (i) have a need to know or otherwise access Customer Personal Data to enable commonsku to perform its obligations under the Terms and this DPA; and (ii) are bound in writing by confidentiality obligations sufficient to protect the confidentiality of such Customer Personal Data in accordance with this DPA.
- Data Deletion and Return. Promptly upon the expiration or earlier termination of the Terms, commonsku shall, at the Customer's request, return or securely destroy or render unreadable or indecipherable, each and every original and copy in every media of all Customer Personal Data in commonsku’s possession, custody or control. In the event Data Protection Laws require commonsku to continue to store Customer Personal Data, commonsku warrants that it shall ensure the confidentiality of Customer Personal Data.
- Security Incident. In the event of a Security Incident, commonsku shall (i) notify Customer without undue delay after becoming aware of the Security Incident, but in no case longer than seventy-two (72) hours after it becomes aware of the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as reasonably requested by Customer; (iii) promptly take all necessary and advisable corrective actions and cooperate with Customer, at Customer’s cost, in reasonable and lawful efforts to prevent, mitigate or rectify such Security Incident; and (iv) at Customer’s request and cost, provide such assistance as reasonably required to enable Customer to notify the relevant supervisory authority and/or affected Data Subjects of the Security Incident, if Customer is required to do so under Data Protection Laws.
8. Audits.
- Standards Audits. commonsku will meet industry security frameworks or standards and, upon written request and no more than once per calendar year, commonsku shall provide Customer with a summary copy of commonsku’s most recent certified audit report, provided that such report shall be subject to the confidentiality terms under the Terms.
- Customer Compliance. Upon Customer’s written request, commonsku shall provide such reasonable assistance as Customer reasonably requires in ensuring compliance with Customer’s obligations under applicable Data Protection Laws, at Customer’s cost.
- Compliance Audits. Upon Customer’s written request, and no more than once per calendar year, commonsku shall make available for Customer’s inspection all information in commonsku's possession necessary to demonstrate commonsku's compliance with this DPA and Data Protection Laws (“Audit”) and, at the Customer’s expense, allow for and contribute to an Audit conducted by Customer or another auditor mandated by Customer, provided any third party auditor will be subject to confidentiality restrictions under the Terms. Any Audit will be conducted remotely and not on-premise, shall be of reasonable duration, will not unreasonably interfere with commonsku’s day-to-day operations, and will be limited in scope to commonsku’s Processing of Customer Personal Data.
- Required Disclosure. To the extent legally permitted, commonsku shall promptly, and in all cases before producing and/or providing access to any Customer Personal Data, notify Customer in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Customer Personal Data. Customer shall have the right to defend such action in lieu of and on behalf of commonsku. Customer may, if it so chooses, seek a protective order. At Customer’s cost, commonsku will comply with any legal hold from Customer regarding Customer Personal Data and will provide reasonable support so that Customer can comply with third party requests. At Customer’s cost, commonsku will reasonably cooperate with Customer if Customer or its regulators properly request access to Customer Personal Data for any reason.
- Failure to Comply. commonsku’s failure to comply with the obligations in this Section 8 shall entitle Customer to suspend the Processing of Customer Personal Data Processed by commonsku, and to terminate any further Processing of Customer Personal Data under this DPA and/or the Terms, if doing so is required to comply with Data Protection Laws.
9. General.
- Conflicts. In case of any conflict between this DPA and the Terms, this DPA shall prevail with regard to the Processing of Customer Personal Data covered by it. In the event of an inconsistency between this DPA and any applicable Data Protection Laws, the applicable Data Protection Laws shall prevail.
- Amendments. commonsku may update this DPA from time to time, including to accommodate legislative changes and developments, provided that commonsku may only modify the Standard Contractual Clauses to (i) incorporate any new version of the Standard Contractual Clauses (or similar model clauses) that may be adopted under European Data Protection Law or (ii) comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency. Any non-material change to this DPA will become effective on the date the change is posted. Any material changes to this DPA will be effective: (i) immediately if you are a new Customer; and (ii) if you are an existing Customer, thirty (30) days after notice is provided of such changes, which notice may be provided on the website or by dispatch of an e-mail.
- Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
- Limitation of Liability. Each party's and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA and the Standard Contractual Clauses, where applicable, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the Terms, and any reference in the Terms to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Terms (including this DPA). In no event will either party's liability be limited with respect to any individual's data protection rights under this DPA or otherwise.
- Authorization. The legal entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself.
- Governing Law. This DPA shall be governed by the laws of the jurisdiction specified in the Terms.
ANNEX 1: SCOPE OF DATA PROCESSING
This Annex 1 forms part of the DPA and describes the processing that commonsku will perform on behalf of the Customer. Capitalized terms in Annex 1 shall have the meaning assigned to them in the Terms and the DPA.
A. LIST OF PARTIES
Data Exporter(s):

| Field | Details |
| --- | --- |
| Name | Customer name, as per the Terms or the Order. |
| Address | Customer address, as per the Terms or the Order. |
| Contact person’s name, position, contact details | Customer contact, as per the Terms or the Order. |
| Activities relevant to the data transferred under the SCCs | Processing of Personal Data in connection with Customer’s use of the Services under the Terms. |
| Signature and date | This Annex 1 shall be deemed executed upon execution of the Order or acceptance of the Terms to which this Annex is incorporated or attached; no additional signature is required. |
| Role (controller/processor) | Controller |

Data Importer(s):

| Field | Details |
| --- | --- |
| Name | commonsku Inc. |
| Address | 250 Merton St Suite 501, Toronto, ON M4S 1B1, Canada. |
| Contact person’s name, position, contact details | Sharron Xiao, CFO, sharron@commonsku.com |
| Activities relevant to the data transferred under these Clauses | Processing of Personal Data in connection with Customer’s use of the Services under the Agreement. |
| Signature and date | This Annex 1 shall be deemed executed upon execution of the Order or acceptance of the Terms to which this Annex is incorporated or attached; no additional signature is required. |
| Role (controller/processor) | Processor |
B. DETAILS OF PROCESSING AND DESCRIPTION OF TRANSFER
| Item | Description |
| --- | --- |
| Categories of Data Subjects | |
| Categories of Personal Data | |
| Categories of Sensitive Data/Special Categories of Personal Data | |
| Frequency of Transfer | Continuous for the duration of the Agreement |
| Nature of Processing | commonsku processes, stores, collects, organizes, retrieves, discloses and erases Customer Personal Data as a Processor to provide the Services as set out in the Terms. |
| Purpose of Processing | commonsku will Process Customer Personal Data for the purpose of providing the Services, and for such other purposes as may be described in the Terms or Instructions provided by Customer. |
| Duration of Processing / Retention Period | commonsku shall delete Customer Personal Data as specified in the Terms, or upon Customer’s reasonable request at any time. commonsku may retain Customer Personal Data to the extent required by Data Protection Laws and only to the extent and for such period as required by Data Protection Laws, provided that commonsku shall ensure the confidentiality of all such Customer Personal Data and that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Data Protection Laws requiring its storage. |
ANNEX 2: SUB-PROCESSORS
commonsku Affiliates

| Name | Location |
| --- | --- |
| commonsku Inc. | Canada |
| commonsku US Inc. | United States |

Sub-processors who support the delivery of commonsku products and services:

| Entity Name | Service Provided | Location | Duration of the Processing |
| --- | --- | --- | --- |
| Amazon Web Services, Inc. | Cloud computing and hosting, analytics | United States | Duration of Contract |
| Algolia, Inc. | Search and recommendations | United States | As Above |
| | Analytics, address validation | United States | As Above |
| GUIDEcx, Inc. | User onboarding guidance | United States | As Above |
| Heap Inc. | Analytics | United States | As Above |
| Hubspot Inc. | Communication, support ticketing | United States | As Above |
| Stripe Inc. | Billing and payment processing | Canada, United States | As Above |
| Userpilot Inc. | User onboarding, in-app training | United States | As Above |