Data Processing Addendum

1. Application of this Addendum

1. This Data Processing Addendum, including its Schedules (“Addendum”), forms part of the Agreement as defined in Contract Eagle’s Terms and Conditions of Service (“Terms”) and sets out the parties’ agreement in relation to the processing of Personal Data (as defined below) in accordance with Applicable Data Protection Laws (as defined below).
2. Contract Eagle is located in New Zealand, which the European Commission has determined provides adequate protection for the purposes of Article 45 of the GDPR and which has also been deemed to provide adequate protection for the purposes of the equivalent laws of the United Kingdom.
3. Except as varied in this Addendum, all terms and conditions set out in the Terms continue to apply.
4. For the purposes of the CCPA, Contract Eagle certifies that it understands and will comply with its obligations under this Addendum.

2. Interpretation

1. Unless the context requires otherwise:
   1. capitalised terms used, but not defined, in this Addendum will have the meanings given to them in the Applicable Data Protection Laws (or, if not defined in the Applicable Data Protection Laws, the Terms);
   2. the rules of interpretation set out in the Terms apply to this Addendum; and
   3. references to clauses are references to the clauses in this Addendum.
2. In this Addendum:

   Applicable Data Protection Laws

    means any applicable data protection or privacy laws of any country, including, if applicable, EU/UK Data Protection Laws, the NZ Privacy Act and the CCPA.

   CCPA

    means the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq., as amended, and its implementing regulations.

   Data Subject

    has the meaning given in EU/UK Data Protection Laws and includes an individual as defined in the NZ Privacy Act, a consumer as defined in the CCPA and any other identified or identifiable natural person to whom any information relates.

   EU/UK Data Protection Laws

    means all laws and regulations, including laws and regulations of the European Union, its member states and the United Kingdom, that apply to the Processing of Data under the Terms, including (where applicable) the GDPR and the equivalent laws of the United Kingdom.

   GDPR

    means the European Union General Data Protection Regulation 2016/679.

   Instruction

    means the instructions set out in clause 3.4 or agreed under clause 3.5.

   NZ Privacy Act

    means the New Zealand Privacy Act 2020.

   Personal Data

    means all Data which is personal data, personally identifiable information or personal information under Applicable Data Protection Laws (as applicable under those laws).

   Processing

    means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Process has a consistent meaning.

   Sub-Processor

    means any person appointed by Contract Eagle or on its behalf to Process Personal Data on The Subscriber’s behalf in connection with the Terms.

3. Processing of Personal Data

1. With respect to the Processing of Personal Data under the Terms:
   1. for the purposes of EU/UK Data Protection Laws:
      1. The Subscriber acts as the Data Controller; and
      2. Contract Eagle acts as the Data Processor;
   2. Contract Eagle acts as The Subscriber’s agent for the purposes of the NZ Privacy Act;
   3. Contract Eagle acts as the service provider (and not a third party) for the purposes of the CCPA; and
   4. subject to clause 6, Contract Eagle may engage the Sub-Processors listed in Schedule 2.
2. Contract Eagle will comply with all Applicable Data Protection Laws that apply to its Processing of Personal Data on The Subscriber’s behalf, including, if applicable, all EU/UK Data Protection Laws that apply to Data Processors. Contract Eagle will promptly (and in any event within any applicable time limit set out in the Applicable Data Protection Laws) notify The Subscriber if it determines that it can no longer meet its obligations under Applicable Data Protection Laws. Upon receiving notice from Contract Eagle in accordance with this clause, The Subscriber may direct Contract Eagle to take reasonable and appropriate steps to stop and remediate unauthorised use of Personal Data.
3. The Subscriber must, when using the Service, comply with all Applicable Data Protection Laws that apply to its Processing of Personal Data, including, if applicable, all EU/UK Data Protection Laws that apply to Data Controllers.
4. The Subscriber instructs Contract Eagle to Process Personal Data and in particular, subject to clause 6, transfer Personal Data to any country or territory:
   1. as reasonably necessary to provide the Service in accordance with the Terms, including transmitting Personal Data to AI Sub-Processors for AI processing in a Region different from the Region in which the Subscriber’s Data is stored at rest, in accordance with clause 11.f of the Terms;
   2. as initiated through the use of the Service by The Subscriber, The Subscriber’s Personnel and other end users The Subscriber allows to use the Service; and
   3. to comply with any further instruction from The Subscriber (including by email or through Contract Eagle’s support channels) that is consistent with the Terms and this Addendum.
5. This Addendum and the remainder of the Terms are The Subscriber’s complete and final instructions for the Processing of Personal Data as at the time this Addendum takes effect. Any additional or alternate instructions must be agreed between the parties separately in writing.
6. Contract Eagle will not Process Personal Data other than on The Subscriber’s Instructions unless required by any law to which Contract Eagle is subject, in which case Contract Eagle will to the extent permitted by applicable law inform The Subscriber of that legal requirement before Contract Eagle Processes that Personal Data.
7. As required by Article 28(3) of the GDPR, if applicable, and, if applicable, equivalent requirements of other Applicable Data Protection Laws, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this Addendum are set out in Schedule 1. Contract Eagle may amend Schedule 1 from time to time on written notice to The Subscriber as Contract Eagle reasonably considers necessary to meet the requirements of Applicable Data Protection Laws (including, if applicable, the GDPR).
8. The duration of Processing is limited to the duration of the Terms. Contract Eagle’s obligations in relation to Processing will continue until the Personal Data has been properly deleted or returned to The Subscriber in accordance with clause 11 of this Addendum.
9. The Subscriber is solely responsible for ensuring that its Instructions comply with Applicable Data Protection Laws. It is also The Subscriber’s responsibility to enter into data processing agreements with other relevant Data Controllers in order to allow Contract Eagle and its Sub-Processors to Process Personal Data in accordance with this Addendum.
10. If, in Contract Eagle’s reasonable opinion, an Instruction infringes Applicable Data Protection Laws, Contract Eagle will notify The Subscriber as soon as reasonably practicable.
11. Contract Eagle will not:
    1. sell or share (as those terms are defined in the CCPA) Personal Data;
    2. retain, use, or disclose Personal Data for any purpose other than the specific business purpose of providing the Service, including retaining, using, or disclosing such information for a commercial purpose other than providing the Service; or
    3. retain, use, or disclose such Personal Data outside of Contract Eagle’s direct business relationship with The Subscriber.
12. Contract Eagle will not, and will not permit any Sub-Processor to, use Personal Data to train any machine-learning model. Contractual restrictions are in place with all AI Sub-Processors prohibiting training on, or persistent retention of, Personal Data submitted via the Service. AI processing is ephemeral — inputs and outputs are not retained by the model provider after the response is generated.

4. Data Subject Requests

1. To the extent permitted by law, Contract Eagle will notify The Subscriber promptly if it receives a request from a Data Subject to exercise the Data Subject’s rights under Applicable Data Protection Laws relating to any Personal Data (“Data Subject Request”).
2. Taking into account the nature of the Processing, Contract Eagle will assist The Subscriber by implementing appropriate technical and organisational measures, to the extent possible, to fulfil The Subscriber’s obligation to respond to a Data Subject Request under Applicable Data Protection Laws.
3. To the extent The Subscriber does not have the ability to address a Data Subject Request, Contract Eagle will, on The Subscriber’s written request, provide reasonable assistance in accordance with Applicable Data Protection Laws to facilitate that Data Subject Request. The Subscriber will reimburse Contract Eagle for the reasonable costs arising from this assistance.
4. Contract Eagle will not respond to a Data Subject Request except on The Subscriber’s written request or if required by applicable law.

5. Contract Eagle Personnel

1. Contract Eagle will:
   1. take reasonable steps to ensure the reliability of any of its Personnel engaged in the Processing of Personal Data;
   2. ensure that access to Personal Data is limited to its Personnel who require that access as strictly necessary for the purposes of exercising Contract Eagle’s rights and performing Contract Eagle’s obligations under the Terms;
   3. ensure that its Personnel engaged in Processing Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
   4. ensure that its Personnel engaged in Processing Personal Data are informed of the confidential nature of the Personal Data and receive appropriate training on their responsibilities.
2. Contract Eagle has appointed a data protection officer who can be contacted via email at [email protected].

6. Sub-Processors

1. The Subscriber acknowledges and agrees that Contract Eagle may engage third party Sub-Processors in connection with the provision of the Service.
2. Contract Eagle has entered into (and will, for any new Sub-Processor, enter into) written agreements with each Sub-Processor containing data protection obligations which offer at least the same level of protection for Personal Data as set out in this Addendum and that meet the requirements of Article 28(3) of the GDPR and/or equivalent requirements of other Applicable Data Protection Laws, as applicable to the nature of the services provided by that Sub-Processor.
3. The Subscriber may request copies of Contract Eagle’s written agreements with Sub-Processors (which may be redacted to remove confidential information not relevant to this Addendum).
4. A list of current Sub-Processors for the Service as at the date of this Addendum is set out in Schedule 2. Contract Eagle may update the list of Sub-Processors from time to time and, subject to clause 6.5, Contract Eagle will give at least 30 days’ written notice of any new Sub-Processor (“Change Notice”).
5. Contract Eagle may engage Sub-Processors as needed to serve as an Emergency Replacement to maintain and support the Service. Emergency Replacement means a sudden replacement of a Sub-Processor where a change is outside Contract Eagle’s reasonable control. In this case, Contract Eagle will inform The Subscriber of the replacement Sub-Processor as soon as reasonably practicable.
6. The Subscriber may object to any new Sub-Processor on reasonable grounds by notifying Contract Eagle within 10 days of receipt of a Change Notice. The Subscriber’s notice of objection to any new Sub-Processor must explain the reasonable grounds for its objection. The parties must discuss The Subscriber’s concerns about the new Sub-Processor in good faith with a view to resolve the objection to the use of the new Sub-Processor in a commercially reasonable manner. If it is not possible to resolve the objection, and Contract Eagle does not revoke the Change Notice before the date the Change Notice takes effect, The Subscriber may, despite anything to the contrary in the Terms, terminate the applicable Service under the Terms that cannot be provided to The Subscriber without that new Sub-Processor. If The Subscriber does not terminate the relevant Service under the Terms in accordance with this clause, The Subscriber is deemed to have agreed to the new Sub-Processor.
7. Contract Eagle is liable for the acts and omissions of its Sub-Processors to the same extent it would be liable if performing the services of each Sub-Processor directly under the terms of this Addendum, except as otherwise set out in this Addendum.

7. Security

Contract Eagle will maintain technical and organisational measures to protect the confidentiality, integrity and security of Personal Data (including protection against unauthorised or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorised disclosure of, or access to, Personal Data), and to manage data security incidents affecting Personal Data, in accordance with the Terms and Applicable Data Protection Laws. A summary of those measures as at the date of this Addendum is set out in clause 8.b of the Terms.

8. Security Breach Management

1. Contract Eagle will comply with all applicable laws requiring notification to The Subscriber of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data Processed by Contract Eagle or its Sub-Processors of which it becomes aware (“Breach Incident”).
2. Contract Eagle will make reasonable efforts to identify the cause of that Breach Incident, notify The Subscriber within a timely manner to allow The Subscriber to meet its obligations to report a Breach Incident, cooperate with The Subscriber in good faith and provide any assistance reasonably necessary for The Subscriber to comply with its obligations under Applicable Data Protection Laws with respect to a Breach Incident, including any obligations The Subscriber has under Applicable Data Protection Laws to report, notify or investigate a Breach Incident, and take steps Contract Eagle considers necessary and reasonable to remediate the cause of the Breach Incident, to the extent remediation is within Contract Eagle’s reasonable control.

9. Compliance Reports

1. Upon The Subscriber’s written request, Contract Eagle will provide The Subscriber with a copy of the most recent SOC 2 Type II report (or equivalent then-current attestation) covering the Service, subject to The Subscriber entering into a confidentiality undertaking acceptable to Contract Eagle.
2. Subject to clause 9.1, Contract Eagle does not grant on-site audit rights to subscribers. The SOC 2 report referred to in clause 9.1 is provided in lieu of such rights and is intended to demonstrate Contract Eagle’s compliance with its respective obligations under Applicable Data Protection Laws (including Contract Eagle’s respective obligations under Article 28 of the GDPR). Enterprise tier subscribers may negotiate additional audit arrangements as part of their Enterprise agreement.

10. Data Protection Impact Assessment

Upon The Subscriber’s written request, Contract Eagle will, at The Subscriber’s cost, provide The Subscriber with reasonable assistance needed to fulfil its obligations under Applicable Data Protection Laws to carry out a data protection impact assessment relating to The Subscriber’s use of the Service, to the extent The Subscriber does not otherwise have access to the relevant information.

11. Return and Deletion of Personal Data

1. Subject to clauses 11.2 and 11.3, following termination of the Terms Contract Eagle will delete all Personal Data within a reasonable period from termination of the Terms.
2. Subject to clause 11.3, The Subscriber may submit a written request to Contract Eagle within 10 working days of the termination of the Terms requiring Contract Eagle, within 20 working days of The Subscriber’s written request, to:
   1. return a complete copy of all Personal Data by secure file transfer in a common format; and
   2. delete all other copies of Personal Data Processed by Contract Eagle or any Sub-Processor.
3. Contract Eagle, or each Sub-Processor, may retain Personal Data to the extent that it is required by applicable laws, provided that Contract Eagle ensures the confidentiality of all such Personal Data and ensures that such Data is only processed as necessary for the purposes required under applicable laws requiring its Processing and for no other purpose.
4. If Contract Eagle cannot delete all Personal Data due to technical reasons, Contract Eagle will inform The Subscriber as soon as reasonably practicable and will take reasonably necessary steps to:
   1. come as close as possible to a complete and permanent deletion of the Personal Data;
   2. fully and effectively anonymise the remaining data; and
   3. make the remaining Personal Data which is not deleted or effectively anonymised unavailable for future Processing.

12. Changes in Data Protection Laws

1. Contract Eagle may on at least 30 days’ written notice to The Subscriber from time to time, make any variations to this Addendum, which Contract Eagle considers (acting reasonably) are required as a result of any change in, or decision of a competent authority under, Applicable Data Protection Laws, to allow transfers and Processing of Personal Data to continue without breach of Applicable Data Protection Laws.
2. If The Subscriber objects to any variation under clause 12.1 on reasonable grounds, The Subscriber may, despite anything to the contrary in the Terms, terminate the Terms and The Subscriber’s right to access and use the Service without penalty on written notice, provided The Subscriber’s notice of termination is received by Contract Eagle before the effective date of Contract Eagle’s notice. If The Subscriber does not terminate the Terms and The Subscriber’s right to access and use the Service in accordance with this clause, The Subscriber is deemed to have agreed to the variation.

13. Limitation of Liability

The liability of each party to the other party under or in connection with this Addendum is subject to the limitations and exclusions set out in the Terms, and any reference in the Terms to the liability of a party means the aggregate liability of that party under the Terms and this Addendum together.

14. General

If any provision of this Addendum is, or becomes unenforceable, illegal or invalid for any reason, the relevant provision is deemed to be varied to the extent necessary to remedy the unenforceability, illegality or invalidity. If variation is not possible, the provision must be treated as severed from this Addendum without affecting any other provisions of this Addendum.