DATA PROCESSING AGREEMENT
(Online as of October 12, 2021)

1. PURPOSE

Pursuant to the Agreement, Client shall provide Personal Data to Selligent. The parties agree to comply with the following provisions with respect to any Personal Data transferred to or processed or accessed by Processor pursuant to or in connection with the Agreement.

2. DEFINITIONS

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the concerned entity.

“Authorized Affiliate” means any Client’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to a Sales Order between Client and Selligent.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“Data Protection Law and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” means any Client Data that directly or indirectly identifies a natural person, or, with respect to those countries where relevant, a legal person.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such a collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process”, “Processed” and “Processes” shall be interpreted accordingly.

“Processor” means the entity that Processes Personal Data on behalf of the Controller.

“Standard Contractual Clauses” means the European Commission standard contractual clauses for the transfer of Personal Data to a Processor established in a third country which does not ensure an adequate level of data protection, as approved by Commission Decision (EU) 2021/914 (Controller to Processor transfers) as amended, replaced or repealed from time to time.

“Selligent” means Selligent SA[1], acting in its own name and on its own behalf and, to the extent required under applicable Data Protection Law and Regulations, in the name and on behalf of the Selligent Affiliate that is party to the Agreement.

3. ROLES OF THE PARTIES

3.1 Controller and Processor

The parties acknowledge and agree that with regard to the Processing of Personal Data, Client (including for the avoidance of doubt Authorized Affiliates, as the case may be) is the Controller and Selligent is the Processor with respect to Personal Data that Selligent Processes pursuant to the Agreement.

3.2 Authorized Affiliates

The Client enters into this DPA on its own behalf and, to the extent applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Selligent and each of such Authorized Affiliates subject to article 9 of this DPA. For the avoidance of doubt, where an Authorized Affiliate becomes a party to this DPA, to the extent required under the Data Protection Law and Regulations, it is bound by its obligations as Controller. Unless otherwise prescribed by the Data Protection Law and Regulations, any right will be exercised by the Client as party to the Agreement on behalf of an Authorized Affiliate and such rights exercised by the Client as party to the Agreement shall be exercised in a combined manner for all of its Authorized Affiliates and not separately for each of them.

4. PROCESSING OF PERSONAL DATA

4.1 Subject-matter of the Processing

The subject-matter of the Processing is the performance of the core Services pursuant to the Agreement. The content of the Processing, the types of Personal Data Processed and the categories of Data Subjects concerned by the Processing are further detailed in Schedule 2 of this DPA.

4.2 Provision of Personal Data by the Controller

It is up to the Client’s sole discretion to monitor what Personal Data is transferred to and uploaded on the Selligent Platform and to assess whether the technical and organizational measures implemented by Selligent provide the appropriate level of protection of its Personal Data on the Platform. In any case, the Client shall comply with the requirements of Data Protection Law and Regulations in its use of the Services and in any instruction for the Processing of Personal Data.

Client is solely responsible:

• For the accuracy, quality, integrity, legality, reliability and appropriateness, and, in general, the content of Personal Data transferred to and stored in the Platform, or generated and used by the Services;
• For the use of a secured communication protocol when submitting the Personal Data on the Selligent Platform (such as FTPS, SFTP or HTTPS), and for subscribing to the billable encryption service made available by the Processor.

4.3. Processing of Personal Data by Selligent

4.3.1 Client’s Instructions

Selligent shall Process Personal Data only on behalf of and according to documented instructions of the Client for the following purposes:

• Processing in accordance with the Agreement and any specific Sales Order or Statement of Work;
• Processing determined by the Users upon their use of the Services;
• Processing upon other documented instructions provided by the Client (e.g. via email) in line with the Agreement and consistent with the Services.

Selligent shall inform the Client if in its opinion an instruction given by the Client infringes Data Protection Laws and Regulations.

4.3.2. Selligent’s use of Personal Data

Selligent shall not use the Personal Data for its own purposes or for the purposes of any third party, and shall Process Personal Data in accordance with Data Protection Law and Regulations. Selligent shall not take any unilateral decisions about the use of the Personal Data or the length of time the Personal Data will be stored, except pursuant to statutory provisions or court or regulatory body decision that prescribe otherwise.

4.3.3.Processor’s employees

Subject to Article 6 below, Selligent’s employees who may have access to the Personal Data of the Client is limited to those employees performing Services in accordance with the Agreement, except prescribed otherwise by Data Protection Law and Regulations. The group of employees performing Services in accordance with the Agreement are listed in Schedule 2 of this DPA.

5. SECURITY OF PERSONAL DATA

5.1. Security measures

The Processor shall maintain appropriate technical and organisational measures to secure Personal Data (including to protect Personal Data against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Client Data). Details of such measures are available upon Client’s request only for the purpose of demonstrating compliance with the GDPR. These measures refer to a suitable level of security, taking into account the state of the art and the costs of implementation, as well as the risks inherent in data Processing proposed by the Processor and the nature of the Personal Data.

5.2. Certifications and Audits

At date of signing of this DPA, Selligent has obtained the third-party certifications as described in Schedule 3 of this DPA. Upon Client’s written request at reasonable intervals and subject to reasonable notice, Selligent will enable the Controller to supervise its compliance with provisions of article 5.1 by instituting an audit, subject to confidentiality obligations. Selligent will provide the necessary information and documentation and its reasonable cooperation with Client. The audit will be carried out in line with the requirements set out in the Service Level Agreement. The costs of the audit will be borne by the Client, unless the audit reveals that the provisions of article 5.1 have not been complied with in a material way, in which case the Processor will bear the costs of the audit directly related to the material errors. In such case, the Processor will promptly develop a corrective action plan. It is agreed that Client will mitigate the burden of the audit for Selligent by combining, to the extent possible, several audit requests carried out on behalf of different Authorized Affiliates in one single audit.

5.3. Notification of data breaches

Selligent shall notify Client without undue delay after becoming aware of the accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Client Personal Data Processed by Selligent or its sub-processor(s) of which Selligent becomes aware (hereafter a “Personal Data Breach”). Selligent will provide the relevant information in a report that shall include, to the extent within Selligent’s reasonable control, relevant information about the nature, scope, circumstances, predictable consequences and the measures taken or to be taken. At the Client’s request, Selligent will reasonably cooperate to enable the Client to comply with the notification obligation, according to article 11 of this DPA. For the avoidance of doubt, the Client is entitled to make and receive notification on behalf of any Authorized Affiliates and will be responsible for coordinating all communications in connection with this DPA.

5.4. Confidentiality of Personal Data

5.4.1. Confidentiality within the organisation of the Processor

Processor shall ensure that Selligent’s employees having access to Client Personal Data are bound by contractual confidentiality obligations and are informed about the confidential nature of the Personal Data and the responsibilities arising from the Processing of Personal Data.

5.4.2. Confidentiality outside the organisation of the Processor

Unless it has obtained the Client’s prior written consent, Selligent is prohibited from granting any third party access to the Personal Data, except and to the extent that it is necessary for the performance of the Services, in accordance with article 6 below.

If Selligent receives a request or an order from a regulatory authority, a government agency, or a court (including but not limited to investigative, penal, or security institutions) to inspect or be provided with Personal Data belonging to the Controller (each an “Order”), then Selligent will, to the extent legally permitted, inform the Client without undue delay of such Order. In dealing with the Order, Selligent will observe the Client’s instructions (including an instruction to leave all or part of dealings with the Order to the Client) and will provide all reasonably necessary cooperation. Should the Order prohibit Selligent from meeting its obligations pursuant to this article, Selligent will promote the reasonable interests of the Client and, in particular, will scrutinize any such Order to determine whether the Order is valid, legally binding and lawful and take all reasonable steps to reject or contest any Order that is not valid, legally binding and lawful.

6. SUB-PROCESSORS

6.1. Client agrees that Selligent’s Affiliates are specifically authorized to be retained as sub- processors and that Selligent and Selligent’s Affiliates may retain respectively third party sub-processors in connection with the performance of the Services. Selligent Affiliates are listed in Schedule 1 of this DPA. Selligent warrants that data processors whose services Selligent wishes to engage for Processing Client’s Personal Data will be selected with due care. When Selligent wishes to rely on such other sub-processors, Selligent undertakes that such Processing by the sub-processor will only take place upon explicit instruction of Selligent. Selligent or Selligent’s Affiliates will have in place a written agreement with any sub-processor it uses ensuring the compliance with its obligations under this DPA.

6.2. Selligent will notify the Client in writing of its decision to engage or replace a sub-processor in due time in order to give the Controller the opportunity to comment to such addition or change, and, as the case may be, to object in accordance with article 28 of the GDPR. In case the Client should object to a new sub-processor, the parties will meet to discuss the objections and agree on a reasonable solution acceptable to each of them. If no solution is found within 30 calendar days of Client’s objection, and subject to the new sub-processor not presenting the same level of technical and organizational measures as those previously in place, Client shall be entitled to terminate such Sales Order or Statement of Work with respect to such Services that cannot be provided by Selligent without the use of the objected new sub-processor and to a refund of any prepaid fees covering the remaining of the term for such specific Services, without any additional compensation being owed by any party.

6.3. The sub-processors engaged by the Processor upon entry into force of this DPA are listed in Schedule 4 of this DPA.

6.4. Selligent will remain liable for the acts and omissions of the sub-processor to the same extent it would be liable under this DPA if performing itself the services of a sub-processor.

7. TRANSFER OF PERSONAL DATA OUTSIDE THE EEA

7.1. Hosting of Client Data

Selligent Platform is located within the European Economic Area (EEA).

7.2. Transfer of Personal Data

Any transfer of Personal Data by Selligent as Processor from the European Union, the EEA, and/or their member states, Switzerland and/or the United Kingdom, as applicable, to a sub-processor in countries which do not ensure an adequate level of data protection according to Data Protection Law and Regulations, will occur subject to the Client’s notification and under the appropriate transfer mechanisms, as made available and compliant with Data Protection Law and Regulations, subject to Article 6 above. In each case where such transfer as referred to above would be prohibited by Data Protection Law and Regulations in the absence of Standard Contractual Clauses, Selligent shall enter into these Standard Contractual Clauses with the sub-processor.

Selligent and the sub-processor will assess whether, having regard to the nature of the Personal Data, the purposes and context of the Processing, and the country of destination, the sub-processor is able to ensure an adequate level of protection for the Personal Data as required by Data Protection Law and Regulations. Where that is not the case, Selligent and its sub-processor will consider what additional safeguards may be implemented to ensure an adequate level of protection for the Personal Data Processed on behalf of the Client.

Notwithstanding the generality of the foregoing, the Client agrees that for Support Services purposes, Support Services may be provided, when necessary, out of Selligent Inc. in the USA.

In case any permitted use of the Services by a Client to an Authorised Affiliate results in a transfer of Personal Data outside the European Union, the EEA, and their member states, Switzerland and the United Kingdom, Client and such Affiliate shall comply with all Data Protection Law and Regulations applicable to transfers of Personal Data outside the European Union, the EEA, and their member states, Switzerland and the United Kingdom.

8. DATA SUBJECTS’S RIGHTS

Selligent will, to the extent possible, assist the Client by means of appropriate technical and organisational measures for the fulfilment of the Client’s obligation to respond to requests from Data Subjects exercising their rights laid down in Chapter III of GDPR.

Selligent will, to the extent legally permitted, promptly notify Client if Selligent receives a request from a Data Subject to exercise the Data Subject’s rights laid down in Chapter III of GDPR.

9. LIABILITY FOR BREACHES UNDER THIS DPA

Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or in connection with this DPA, and all DPAs between Authorized Affiliates and Selligent, whether in contract or tort, shall be subject to the liability limitations set forth in the Agreement and any reference to a party’s liability in the Agreement shall be deemed to be a reference to the aggregate liability of such party and all of its Affiliates.

10. TERM AND TERMINATION OF THIS DPA

10.1. This DPA will come into force upon execution of any contractual document between the parties by virtue of which the DPA becomes applicable and will in any case terminate upon the termination of the Agreement.

10.2. At the request of the Client or upon the termination of the DPA (regardless of the reasons for such termination), Selligent will ensure that, at the Client’s option:

• The Personal Data is made available to the Client or to a subsequent service provider in accordance with the Agreement entered into by the parties. Such request must be notified in writing by the Client at the latest by the effective date of termination or expiration of the Agreement. Processor will return to Client its data through FTPS or SFTP within fifteen (15) calendar days of such request. All complaints relating to the return of the data must be notified to Selligent in writing within ten (10) calendar days of the return. The format in which such data will be returned will be Selligent format or any other format that can be run on standard software.
• Destroy all of the Personal Data that has been provided to it, as well as all Personal Data it has Processed, in accordance with the recognised standards for data destruction, and provide the Controller with written confirmation of such destruction.

10.3. After the termination of the DPA, Selligent will not retain any copies of the Personal Data, except for that relating to any agreed technical back-up procedures or to the extent legally required.

11. INFORMATION AND ASSISTANCE

Selligent will provide Client with the information and assistance necessary to allow Client (as Controller) to:

1. Notify Personal Data breaches with respect to Personal Data Processed as a consequence of the Services to competent national data protection authorities;
2. Take the appropriate technical and organizational measures to ensure the security and safety of Client’s Personal Data;
3. Undertake data protection impact assessments or seek prior consultation with the data protection authorities;
4. Observe rights of Data Subjects according to article 8 of this DPA.

Selligent reserves the right to charge a reasonable administrative fee which shall be proportional to the effort required to provide Client with this information and assistance. Any such fee shall be communicated beforehand and shall not be set at a level which results in the fee working prohibitively with regard to Selligent’s obligation to comply with the commitments in the first paragraph of this article.

12. MISCELLANEOUS

12.1. Except as specifically set forth in this DPA, all terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between the content of this DPA and the Agreement, this DPA shall prevail.

12.2. None of the provisions of this DPA should prevent any party to be compliant with any applicable law or regulation. In the event of any conflict, the relevant provision of this DPA shall not be applied.

12.3. Working days or calendar days in this DPA will be calculated according to the applicable law of the Agreement.

Schedule 1 – Selligent Affiliates

Schedule 2 – Details of Processing

The Controller shall decide, in its sole discretion, what Personal Data is transferred to and stored on the Selligent Platform. While the Controller is responsible for deciding what data to submit, it typically may concern:

• The following categories of Data Subjects:
  • Prospects, clients, business partners;
  • Clients’ users;
  • Children below the age of 16, down to 13, years old depending on domestic privacy legislations, shall not be processed by the Controller on the Platform.
• The following types of Personal Data:
  • Contact information including first name, last name, e-mail address;
  • Information that a client or prospect has entered in a form;
  • Other information relevant to Client surveys and/or offers;
  • Behavioural and navigation data, such as which sites of the controller or mails viewed, in what order and at which time;
  • Analytical and profiling data.

As part of the Services under the Agreement, Selligent will provide the Client with access to and usage of the Selligent Platform for the purpose of executing omnichannel campaign to engage both anonymous and identified consumers via e-mail, mobile, social, website optimization, call center, postal, in-store and other channels.

The nature of the processing includes uploading, creating and updating Personal Data, executing omnichannel campaigns to engage with data subjects through different channels, optimizing campaigns & customer experience and analytics.

The Processor merely provides services, usage concepts, data storage space and interfaces. The definition of the Services is described in the Agreement entered into between the Processor and the Controller.

Selligent’s employees may have access to Personal Data to the extent necessary to perform the Services under the Agreement. This concerns typically SaaS Operations and DevOps teams, Support Services team, dedicated employees in charge of Client relationship who may consult the use of the Platform by the Client for the purposes of providing advices.