Insightful Personal Data Processing Addendum

01: Integration

This PDPA shall not replace any comparable or additional rights relating to Processing of Customer Data contained in the Terms.

The details of Processing, applicable retention periods, security measures, international transfer disclosures, and Sub-processor information are further described in Insightful’s Privacy Policy, which forms part of the Terms.

02: Processing of Personal Data

2.1 Roles of the parties

The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Insightful is the Processor and that Insightful or members of the Insightful Group will engage Sub-processors pursuant to the requirements set forth in Section 5 "Sub-processors" below.

2.2 Customer's processing of personal data

Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer's instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

2.3 Insightful's processing of personal data

Insightful shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer's documented instructions for the following purposes: (i) Processing in accordance with the Terms and applicable order form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

2.4 Details of the processing

The subject-matter of Processing of Personal Data by Insightful is the performance of the Services pursuant to the Terms. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this PDPA are further specified above.

03: Rights of data subjects

3.1 Data subject request

Insightful shall, to the extent legally permitted, promptly notify Customer if Insightful receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, object to the Processing, or its right not to be subject to an automated individual decision making ("Data Subject Request").

Taking into account the nature of the Processing, Insightful shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.

In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Insightful shall upon Customer's request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Insightful is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations.

To the extent legally permitted, Customer shall be responsible for any costs arising from Insightful's provision of such assistance.

04: Insightful Personnel

4.1 Confidentiality

Insightful shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Insightful shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

4.2 Reliability

Insightful shall take commercially reasonable steps to ensure the reliability of any Insightful personnel engaged in the Processing of Personal Data.

4.3 Limitation of access

Insightful shall ensure that Insightful's access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.

05: Sub-processors

5.1 Appointment of sub-processors

Customer acknowledges and agrees that (a) Insightful's Affiliates may be retained as Sub-processors; and (b) Insightful and Insightful's Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.

Insightful or a Insightful Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in these Terms with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor.

5.2 List of current sub-processors and notification of new sub-processors

Insightful shall make available to Customer the current list of Sub-processors for the Services upon such request. Such Sub-processor lists shall include the identities of those Sub-processors and their country of location. Insightful shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable Services.

5.3 Objection right for new sub-processors

Customer may object to Insightful's use of a new Sub-processor by notifying Insightful promptly in writing within ten (10) business days after receipt of Insightful's notice in accordance with the mechanism set out in Section 5.2.

In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, Insightful will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer.

If Insightful is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Services with respect only to those Services which cannot be provided by Insightful without the use of the objected-to new Sub-processor by providing written notice to Insightful.

5.4 Liability

Insightful shall be liable for the acts and omissions of its Sub-processors to the same extent Insightful would be liable if performing the services of each Sub-processor directly under the terms of this PDPA, except as otherwise set forth in the Terms.

06: Security

Customer shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, "Equipment").

Customer shall also be responsible for maintaining the security of the Equipment, Customer account, passwords (including but not limited to administrative and user passwords) and files, and for all uses of Customer account or the Equipment with or without Customer's knowledge or consent.

Insightful will maintain reasonable physical and technical safeguards to prevent unauthorized disclosure of or access to Content, in accordance with industry standards. Insightful will notify you if it becomes aware of unauthorized access to Content.

Insightful will not access, view or process Content except (a) as provided for in this Agreement and in Insightful's privacy policy ("Privacy Policy"); (b) as authorized or instructed by you, (c) as required to perform its obligations under this Agreement; or (d) as required by applicable law. Insightful has no other obligations with respect to Content. You can learn more about Insightful security at: insightful.io/security

07: Customer data incident management and notification

Insightful maintains security incident management policies and procedures specified in the Security, Privacy and Architecture Documentation and shall, notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Insightful or its Sub-processors of which Insightful becomes aware (a "Customer Data Incident").

Insightful shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps as Insightful deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within Insightful's reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer's Users.

08: Return and deletion of customer data

Insightful shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Security and Privacy Documentation.

09: Authorized affiliates

9.1 Contractual relationship

The parties acknowledge and agree that, by executing the Terms, the Customer enters into the PDPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate PDPA between Insightful and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 9 and Section 10. Each Authorized Affiliate agrees to be bound by the obligations under this PDPA and, to the extent applicable, the Agreement.

For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Terms, and is only a party to the PDPA. All access to and use of the Services and Content by Authorized Affiliates must comply with the Terms and any violation of the Terms by an Authorized Affiliate shall be deemed a violation by Customer.

9.2 Communication

The Customer that is the contracting party to Terms shall remain responsible for coordinating all communication with Insightful under this PDPA and be entitled to make and receive any communication in relation to this PDPA on behalf of its Authorized Affiliates.

9.3 Rights of authorized affiliates

Where an Authorized Affiliate becomes a party to the PDPA with Insightful, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this PDPA, subject to the following:

9.3.1 Except where applicable Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this PDPA against Insightful directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Terms shall exercise any such rights under this PDPA not separately for each Authorized Affiliate individually but in a combined manner for all of its Authorized Affiliates together (as set forth, for example, in Section 9.3.2, below).

9.3.2 The parties agree that the Customer that is the contracting party to the Terms and shall, when carrying out an onsite audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Insightful and its Sub-Processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Authorized Affiliates in one single audit.

10: Limitation of liability

Each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this PDPA, and all PDPAs between Authorized Affiliates and Insightful, whether in contract, tort or under any other theory of liability, is subject to the "Limitation of Liability" section of Terms, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Terms and all PDPAs together.

For the avoidance of doubt, Insightful's and its Affiliates' total liability for all claims from the Customer and all of its Authorized Affiliates arising out of or related to the Agreement and each PDPA shall apply in the aggregate for all claims under both the Agreement and all PDPAs established under this Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such PDPA.

11: European specific provisions

11.1 GDPR

With effect from 25 May 2018, Insightful will Process Personal Data in accordance with the GDPR requirements directly applicable to Insightful's provision of its Services.

11.2 Data protection impact assessment

With effect from 25 May 2018, upon Customer's request, Insightful shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer's obligation under the GDPR to carry out a data protection impact assessment related to Customer's use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Insightful.

Insightful shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to Section 11.2 of this PDPA, to the extent required under the GDPR.