Last revised: March 13, 2022

Effective date: March 13, 2022

This Data Sub-Processing Addendum (“Addendum”) amends and forms part of the Terms of Service agreement governing the use of the Services and Products, and the Order form, if any (“Principal Agreement”), entered by and between you, a customer of the Services and Products (“you” or “your” or “Customer”) and Pathfix Inc. (“we” or “us” or “our” or “Pathfix”) to reflect the parties agreement with regard to the Processing of Personal Data by Pathfix solely on behalf of the Customer. The Customer and Pathfix may hereinafter be referred to individually as a “Party” and collectively as the “Parties”.

The scope and duration, as well as the extent and nature of the collection, processing and use of Customer Personal Data under this Addendum has been defined in the Principal Agreement. The term of this Addendum corresponds to the duration of the Principal Agreement.

Capitalized terms not defined herein shall have the meanings assigned to such terms in the Principal Agreement.

By using the Services, you accept the terms and conditions of this Addendum and you represent and warrant that you have full authority to bind the Customer to this Addendum. If you cannot, or do not agree to, comply with and be bound by this Addendum, or do not have authority to bind the Customer or any other entity, please do not provide Personal Data to us.

If you need a signed copy of this Addendum, you can download this Addendum and send a signed copy to info@pathfix.com and we’ll provide you a countersigned copy.

NOW THEREFORE, THE PARTIES AGREE AS FOLLOWS:

1. DEFINITIONS AND INTERPRETATION

Unless otherwise defined herein, capitalized terms and expressions used in this Addendum shall have the following meaning;

a. “Addendum” means this Data Processing Addendum and all annexures attached hereto;

b. “Pathfix” means Pathfix Inc., a Delaware Corporation and its affiliates and subsidiaries. 

c. “Business’,’ “Business Purpose”, Consumer”, “Person”, “Personal Information”, “Sell”, “Service Provider” and “Third Party” shall have the meanings set forth in CCPA. 

d. “California Personal Information” means Personal Data that is protected under the CCPA.  

e. “CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018) as may be amended from time to time, and any rules or regulations implementing the foregoing. 

f. “Customer Personal Data” means any Personal Data Processed by Pathfix on behalf of the Customer pursuant to or in connection with the Principal Agreement.

g. “Data Protection Laws” means the data protection or privacy laws, rules, and regulations of the European Union, the European Economic Area and their member states, and the State of California, United States applicable to the Processing of Customer Personal Data under this Addendum.

h. “Data Transfer” means:

1. A transfer of Customer Personal Data from the Customer to Pathfix; or 
2. an onward transfer of Customer Personal Data from Pathfix to a Sub-processors, or between two establishments of Pathfix, in each case, where such transfer would be prohibited by Data Protection Laws  

i. “EEA” means the European Economic Area; 

j. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

k. “GDPR” means EU General Data Protection Regulation 2016/679;

l. “Services” means the services provided by Pathfix to the Customer pursuant to the Principal Agreement. 

m. “Standard Contractual Clauses” means the standard contractual clauses for Processors approved pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021, for the transfer of personal data to third countries in the form set out in Annexure 3; as amended, superseded or replaced from time to time in accordance with this Addendum.

n. “Sub-processors” means any person or entity appointed by or on behalf of Pathfix to process Customer Personal Data on behalf of the Customer in connection with the Principal Agreement.

o. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR. 

2. RELATIONSHIP AND ROLES OF THE PARTIES

The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data performed solely on behalf of Customer, (i) Customer is (or represents that it is acting with full authority on behalf of) the Processor of the Customer Personal Data, (ii) Pathfix is the Sub-processor of such Customer Personal Data; (iii) for the purposes of the CCPA (and to the extent applicable), Customer is the “Business” and Pathfix is the “Service Provider” (as such terms are defined in the CCPA), with respect to Processing of Customer Personal Data. In some circumstances, Customer may be a Controller, in which case Customer appoints Pathfix as Customer’s Processor, which shall not change the obligations of either Customer or Pathfix under this Addendum.

3. PROCESSING OF CUSTOMER PERSONAL DATA

a. The Parties agree that this Addendum and the Principal Agreement constitute Customers documented instructions regarding Pathfix’s Processing of Customer Personal Data. 

b. The scope of the processing of the Customer Personal Data provided by Customer to Pathfix for e.g. the subject-matter of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects are specified in Annexure 1 of this Addendum. 

c. The Customer shall in its use of the Services, and Customer’s instructions to Pathfix, comply with Data Protection Laws. The Customer shall ensure that its instructions will not cause Pathfix to be in breach of the Data Protection Laws. The Customer shall establish and have any and all required legal basis in order to collect, Process and transfer to Pathfix the Customer Personal Data, and to authorize the Processing by Pathfix, and for Pathfix’s Processing activities on Customer’s behalf, including the pursuit of ‘business purposes’ as defined under the CCPA.

d. In processing your Customer Personal Data, we will comply with Data Protection Laws. We shall as per our obligations under Article 28 of GDPR; 

1. process the Customer Personal Data only in accordance with documented instructions from you (as set forth in this Addendum or the Principal Agreement or as directed by you through the Services). If Data Protection Laws require us to process the Customer Personal Data for any other purpose, we will inform you of this requirement first, unless such law(s) prohibit this on important grounds of public interest;
2. notify you promptly if, in our opinion, an instruction for the processing of Customer Personal Data given by you infringes upon the Data Protection Laws;
3. make available to you all information reasonably requested by you for the purpose of demonstrating that your obligations relating to the appointment of Sub-Processors have been met;
4. not generate copies, duplicates and/or backups of the Customer Personal Data without the prior written consent and knowledge of the Customer.

e. We will assist you in your obligations under Articles 35 and 36 of GDPR by performing any required data protection impact assessments, and informing any supervisory authority if such assessment indicates that such processing would result in high risk in the absence of measures taken by you to mitigate the risk.

f. We will assist you in your obligations under Articles 15 through 18 of GDPR by providing you documentation, product functionality, or processes to assist you in retrieving, correcting, deleting or restricting Customer Personal Data.

g. We shall ensure that our personnel required to access the Customer Personal Data are subject to a binding duty of confidentiality with regard to such Customer Personal Data; and ensure that none of our personnel publish, disclose or divulge any Customer Personal Data to any third party. 

h. We will upon your written request following the expiration or earlier termination of the Principal Agreement securely delete such Customer Personal Data in our possession in compliance with procedures and retention periods outlined in our Principal Agreement.

i. Pathfix acknowledges and confirms that it does not receive or process any Customer Personal Data as consideration for any services or other items that Pathfix provides to the Customer under the Principal Agreement. Pathfix shall not have, derive, or exercise any rights or benefits regarding Customer Personal Data Processed on Customer’s behalf, and may use and disclose Customer Personal Data solely for the purposes for which such Customer Personal Data was provided to it, as stipulated in the Principal Agreement and this Addendum. Pathfix certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Customer Personal Data Processed hereunder, without the Customer’s prior written consent, nor taking any action that would cause any transfer of the Customer Personal Data to or from Pathfix under the Principal Agreement or this Addendum to qualify as “selling” such Customer Personal Data under the CCPA.

5. SECURITY

a. We implement and maintain appropriate technical and organizational measures (which may include, with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Customer Personal Data while in transit and at rest) to protect the Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure in accordance with Annexure 2. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and appropriate to the nature of the Customer Personal Data which is to be protected. We may update the technical and organizational measures, provided, however, that such modifications shall not diminish the overall level of security.

b. Pathfix takes reasonable steps to confirm and ensure that all Pathfix representatives that may have access to the Customer Personal Data are protecting the security, privacy and confidentiality of the Customer Personal Data consistent with the requirements of this Addendum. 

c. If Pathfix becomes aware of and confirm any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to your Customer Personal Data that Pathfix Processes in the course of providing the Services, Pathfix will notify you without undue delay in a manner as provided for under Section 8 of this Addendum.

6. SUB-PROCESSORS

a. Pathfix shall not engage any Sub-processor to process any Customer Personal Data under this Addendum without the Customer’s prior written consent. You provide general consent under Clause 11 of the Standard Contractual Clauses to our appointment of the applicable third party Sub-processors listed at our website for the Processing Customer Personal Data and for purposes described in this Addendum. Pathfix may update the list of approved Sub-processors at any time. 

b. The Sub-processor list as of the date of first use of the Services by the Customer is hereby deemed authorized, upon first use of the Services. The Customer may reasonably object to Pathfix’s use of an existing Sub-processor by providing a written objection to info@pathfix.com within thirty (30) days from the date on which the list of Sub-processors is updated by Pathfix. The Customer’s failure to object to such a new Sub-processor in writing within thirty (30) days from the date on which the list of Sub-processors is updated by Pathfix shall be deemed as acceptance of the new Sub-processor by the Customer.

c. In the event Customer reasonably objects to an existing Sub-processor, as permitted in the preceding sentences, Customer may, as a sole remedy, terminate the applicable Principal Agreement and this Addendum with respect only to those Services which cannot be provided by Pathfix without the use of the objected to Sub-processor by providing written notice to Pathfix provided that all amounts due under the Principal Agreement before the termination date with respect to the Processing at issue shall be duly paid to Pathfix. The Customer will have no further claims against Pathfix due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Principal Agreement (including, without limitation, requesting refunds) and the Addendum in the situation described in this paragraph. 

d. Pathfix has entered into a written agreement with each Sub-processor containing appropriate safeguards to the protection of Customer Personal Data. Where Pathfix engages a new Sub-processor for carrying out specific Processing activities on behalf of the Customer, the same or materially similar data protection obligations as set out in this Addendum shall be imposed on such new Sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.

7. DATA SUBJECT RIGHTS

a. Pathfix shall, to the extent legally permitted, promptly notify the Customer or refer Data Subject or Consumer, as the case may be, to Customer, if Pathfix receives a request from a Data Subject or Consumer to exercise their rights (to the extent available to them under Data Protection Law) of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, its right not to be subject to an automated individual decision making, to opt-out of the sale of Personal Information, or the right not to be discriminated against for exercising any CCPA Consumer rights (“Data Subject Request”). 

b. Taking into account the nature of the Processing, Pathfix shall assist Customer by appropriate technical and organizational measures, insofar as this is possible and reasonable, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. Pathfix may refer Data Subject Requests received, and the Data Subjects making them, directly to the Customer for its treatment of such Data Subject Requests.

c. Pathfix shall not respond to Data Subject Requests except on the documented instructions of the Customer or as required by Data Protection Laws to which the Pathfix is subject, in which case Pathfix shall to the extent permitted by Data Protection Laws inform the Customer of that legal requirement before Pathfix responds to the Data Subject Request.

8. PERSONAL DATA BREACH

a. Pathfix shall to the extent required under applicable Data Protection Laws, notify the Customer without undue delay and in any event within forty eight (48) hours of becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed on behalf of the Customer, including Customer Personal Data transmitted, stored or otherwise Processed by Pathfix or its Sub-processors of which Pathfix becomes aware (a “Personal Data Breach”). 

b. Pathfix shall at the Customer’s instructions make reasonable efforts to identify the cause of such Personal Data Breach and take those steps that Pathfix deems necessary and reasonable in order to investigate, mitigate or remediate the cause of such a Personal Data Breach to the extent the investigation, mitigation and remediation is within Pathfix’s reasonable control. The obligations herein shall not apply to incidents that are caused by the Customer or the Customer’s end users i.e. Controllers. 

c. Customer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Personal Data Breach which directly or indirectly identifies Pathfix (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Pathfix’s prior written approval, unless, and solely to the extent that, Customer is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by law, Customer shall provide Pathfix with reasonable prior written notice to provide Pathfix with the opportunity to object to such disclosure and in any case Customer will limit the disclosure to the minimum scope required.

9. DELETION OR RETURN OF CUSTOMER PERSONAL DATA

a. The Parties agree that on the termination of the Services or upon Customer’s reasonable request, Pathfix shall, and shall cause any Sub-processors to, at the choice of the Customer. 

1. Return all the Customer Personal Data and copies of such Customer Personal Data to the Customer or 
2. securely destroy them and demonstrate to the satisfaction of the Customer that it has taken such measures, unless Data Protection Laws prevent Pathfix from returning or destroying all or part of the Customer Personal Data disclosed. 

b. In case Pathfix, under any Data Protection Laws is prevented from returning or destroying all or part of the Customer Personal Data disclosed, Pathfix agrees to preserve the confidentiality of the Customer Personal Data retained by it and shall ensure that it will only actively process such Customer Personal Data after such date in order to comply with Data Protection Laws.  

c. To the extent authorized or required by Data Protection Laws, Pathfix may also retain one copy of the Customer Personal Data solely for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or for compliance with legal obligations. 

10. AUDIT RIGHTS

a. Upon Customer’s fourteen (14) days prior written request at reasonable intervals (no more than once every twelve (12) months), and subject to strict confidentiality undertakings by Customer, Pathfix shall make available to the Customer that is not a competitor of Pathfix (or Customer’s independent, reputable, third-party auditor that is not a competitor of Pathfix and not in conflict with Pathfix, subject to their confidentiality and non-compete undertakings) all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections, conducted by them (provided, however, that such information, audits, inspections and the results therefrom, including the documents reflecting the outcome of the audit and/or the inspections, shall only be used by Customer to assess compliance with this Addendum, and shall not be used for any other purpose or disclosed to any third party without Pathfix’s prior written approval. 

b. The scope of any audit shall not require us to disclose to you or your authorized representatives, or to allow you or your authorized representatives to access:

1. any data or information of any other Pathfix customer;
2. any Pathfix internal accounting or financial information;
3. any Pathfix trade secret;
4. any information that, in our reasonable opinion could: 1) compromise the security of our systems or premises; or 2) cause us to breach our obligations under Data Protection Laws or our security, confidentiality and or privacy obligations to any other Pathfix customer or any third party; or
5. any information that you or your authorized representatives seek to access for any reason other than the good faith fulfillment of your obligations under the Data Protection Laws and our compliance with the terms of this Addendum.

c. In addition, audits shall be limited to once per year, unless (i) we have experienced a Personal Data Breach within the prior twelve (12) months which has impacted your Customer Personal Data; or (ii) an audit reveals a material noncompliance. If we decline or are unable to follow your instructions regarding audits permitted under this Section (or the Standard Contractual Clauses, where applicable), you are entitled to terminate this Addendum and the Principal Agreement for convenience.

d. Upon Pathfix’s first request, Customer shall return all records or documentation in Customer’s possession or control provided by Pathfix in the context of the audit and/or the inspection). The Customer shall be fully responsible for bearing all the costs and expenses arising from or related to this Section.

11. INTERNATIONAL DATA TRANSFER

a. Customer Personal Data that Pathfix processes on Customer’s behalf will be transferred to, and stored and Processed in, North America. Customer hereby consents to the transfer of the Customer Personal Data to third countries and Customer consents to the storage and Processing of the Customer Personal Data in the North American region by Pathfix in order for Pathfix to provide the Services. 

b. For transfers of European Personal Data to Pathfix for processing by the Pathfix in a jurisdiction other than a jurisdiction in the EU, The EEA, or the European Commission, Pathfix agrees that it will provide at least the same level of privacy protection for European Personal Data as required under the Applicable Data Protection Laws. 

c. When Pathfix processes Customer Personal Data under European Data Protection Law in a country that does not ensure an adequate level of protection (within the meaning of applicable European Data Protection Law), then in such cases Pathfix shall process Customer Personal Data in accordance with the Standard Contractual Clauses in the form set out in Annexure 3, which are incorporated into and form a part of this Addendum. The Parties agree that for the purposes of the descriptions in the Standard Contractual Clauses, Pathfix is the “data importer” and Customer is the “data exporter” notwithstanding that Customer may itself be located outside Europe and/or is acting as a Processor on behalf of third party Controllers. 

d. It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, in the event of any conflict or inconsistency between the provisions of the Addendum and the Standard Contractual Clauses, the provisions of the Standard Contractual Clauses shall prevail to the extent of such conflict.

12. INDEMNITY

Subject to the limitation of liability, either party agrees to indemnify and keep indemnified the other party against all costs, claims, damages (including all legal costs) or expenses incurred by such party, from and against any and all Losses resulting from or arising out of or in connection with any actual or threatened action by a third party against the indemnified party to the extent those losses relate to or are caused by the indemnifying party’s breach of its obligations set forth in the Addendum.

13. LIMITATION OF LIABILITY

In no event, the aggregate liability of the Pathfix, its officers, directors, partners, employees and other representatives, arising out of this Addendum and the Principal Agreement or otherwise in connection with this Addendum and the Principal Agreement, shall exceed the total of the amount paid by Customer to Pathfix in twelve (12) months immediately preceding the date on which such liability arose. Pathfix shall not be liable for failure to carry out any of its obligations under this Addendum if such failures result from acts of any third-parties or of Customer.

14. TERM

The Term of this Addendum corresponds to the term of the Principal Agreement.

15. GENERAL TERMS

a. Confidentiality – Each Party must keep this Addendum and information it receives about the other Party and its business in connection with this Addendum (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that the disclosure is required by law. Pathfix shall ensure that any representative of Pathfix shall be under an appropriate obligation of confidentiality. 

b. Entire Agreement – In the event of inconsistencies between the provisions of this Addendum and any other agreements between the Parties, the provisions of this Addendum shall prevail with regard to the Parties’ data protection obligations. In case of doubt as to whether clauses in such other agreements relate to the Parties’ data protection obligations, this Addendum shall prevail.

c. Severability – Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. 

d. Notices – All notices and communications given under this Addendum must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out herein and/or at such other address as notified from time to time by the Parties changing address.

16. GOVERNING LAW AND JURISDICTION

This Addendum is governed by the laws of the State of Delaware. Any dispute arising in connection with this Addendum, which the Parties fail to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of the State of Delaware. 

17. MODIFICATIONS

Pathfix may by at least thirty (30) days’ prior written notice to the Customer, vary the terms of this Addendum and/or any Standard Contractual Clauses applicable, as necessary to allow the Processing of Customer Personal Data to be made (or continue to be made) without breach of applicable Data Protection Laws, or to otherwise protect the interests of Pathfix and/or the Customer, in each case as reasonably determined by Pathfix at its discretion. The Customer’s continued use of the Services on expiry of the notice period shall be deemed as the Customer’s acceptance of such revised terms. If Customer objects to said variations within the notice period, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Pathfix’s notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within thirty (30) days of such notice, then Customer or Pathfix may, by written notice to the other Party, with immediate effect, terminate the Principal Agreement to the extent that it relates to the Services which is affected by the proposed variations (or lack thereof). The Customer will have no further claims against Pathfix (including, without limitation, requesting refunds for the Services) pursuant to the termination of the Principal Agreement and the Addendum as described in this Section. 

IN WITNESS WHEREOF, the parties have caused this Addendum to be executed by their duly authorized representatives to be effective as of the Effective Date. 

ANNEXURE 1 – PROCESSING ACTIVITIES