Sitemate Data Processing Addendum
Background
This Data Processing Addendum (“DPA”) supplements the Sitemate Terms and Conditions (and is hereby incorporated into the Sitemate Terms and Conditions by reference), or other agreement in place between Customer and Sitemate Services Pty Ltd and/or Sitemate Services UK Ltd and/or their subsidiaries, group companies and other Affiliates (“Sitemate”, “we”, “us”).
All terms of the Sitemate Terms and Conditions, including all disclaimers, limitations of liability, agreements and indemnities (collectively, to the extent any of the foregoing is applicable, the “Agreement”), apply to this DPA. In the event of any conflict between the Agreement and this DPA, this DPA will govern.
THE PARTIES AGREE AS FOLLOWS:
1. Definitions
1.1. In this DPA, unless the contrary intention appears:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.
- “Authorised Affiliate” means any of the Customer's Affiliate(s) which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Services pursuant to the Agreement between the Customer and Sitemate.
- “Customer Personal Data” means any Customer Data (as defined in the Sitemate Terms and Conditions) that comprises the categories of Personal Data.
- “Data Protection Laws” means any applicable laws, regulations, or other binding obligations (including any and all legislative and/or regulatory amendments or successors thereto), each as updated from time to time, of any jurisdiction that govern or otherwise apply to Personal Data processed under the Agreement.
- “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and analogous terms, as defined by Data Protection Laws.
- “Process” and its cognates “processing”, “processed”, etc. mean any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Security Incident” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
- “Sub-processor” means any third-party that Sitemate engages to process Customer Personal Data.
1.2. The terms “Business”, “Consumer”, “Controller”, “Data Subject”, “Processor”, and “Service Provider” have the meanings given to them in Data Protection Laws, or, where not specifically defined, the meanings of analogous terms under Data Protection Laws.
2. Scope and Term
2.1 Scope. This DPA applies when and to the extent Customer Personal Data is processed by Sitemate in connection with the provision of the Services to the Customer under the Agreement.
2.2 Role of the Parties. With regard to the processing of Customer Personal Data, Sitemate acts as a Processor on behalf of the Customer, which may act either as a Controller or a Processor. Sitemate or its Affiliates may engage Sub-processors pursuant to the requirements set out in this DPA.
2.3 Term of the DPA. The term of this DPA coincides with the term of the Agreement and terminates upon expiration or earlier termination of the Agreement (or, if later, the date on which Sitemate ceases all Processing of Customer Personal Data).
2.4 Compliance with Laws. Each Party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including Data Protection Laws.
3. Processing of Personal Data
3.1 Details of Processing. The subject matter of processing of Customer Personal Data under this DPA is the performance of the Services pursuant to the Agreement. The duration of the processing, the nature and purpose of the processing, the types of Personal Data and categories of Data Subjects processed under this DPA are further specified in Schedule 1 to this DPA.
3.2 Instructions for Processing.
- (a) This DPA, the Agreement, applicable SOW or order form, the Customer’s use of the Services (including relevant configurations and settings) and related support and other documented reasonable instructions provided by the Customer (e.g. via email), constitute the Customer’s documented instructions regarding Sitemate's Processing of Customer Personal Data (“Documented Instructions”).
- (b) Sitemate will process Customer Personal Data on behalf of and only in accordance with the Customer's Documented Instructions where such instructions are consistent with the terms of the Agreement. The Customer: (i) must ensure its Documented Instructions comply with applicable Data Protection Laws (Sitemate is not responsible for monitoring the Customer's compliance with Data Protection Laws); and (ii) is responsible for determining whether the Services are appropriate for the Processing of Customer Personal Data under applicable Data Protection Laws.
- (c) Sitemate will: (i) inform the Customer immediately if, in its opinion, an instruction from the Customer violates Data Protection Laws and/or Sitemate is unable to comply with Data Protection Laws or the Customer’s instructions for the processing of Customer Personal Data; (ii) not “sell” or “share” Customer Personal Data, or process Customer Personal Data for purposes of targeted advertising, as such terms are defined under Data Protection Laws; (iii) not retain, use, or disclose Customer Personal Data outside the direct business relationship between the Customer and Sitemate or as permitted by Data Protection Laws; and (iv) treat Customer Personal Data as Confidential Information under the Agreement.
3.3 Third-Party Disclosures Comprising Part of our Services. The Customer acknowledges that, as part of the provision of the Services, Sitemate may disclose Customer Personal Data to certain third-party vendors acting as Controllers (including professional advisers such as lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance and accounting services).
4. Personnel
4.1 Sitemate will ensure that its personnel engaged in the processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Sitemate will also:
- (a) take commercially reasonable steps to ensure the reliability of any Sitemate personnel engaged in the processing of Customer Personal Data; and
- (b) ensure that Sitemate's access to Customer Personal Data is limited to those personnel performing Services in accordance with the Agreement.
5. Customer Responsibilities
The Customer will, in its use of the Services, process Customer Personal Data in accordance with the requirements of Data Protection Laws, including any applicable requirement to provide notice to Data Subjects of the use of Sitemate as Processor. For the avoidance of doubt, the Customer's instructions for the processing of Customer Personal Data will comply with Data Protection Laws. The Customer will have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which the Customer acquired Customer Personal Data. The Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, to the extent applicable under the Data Protection Laws.
6. Assistance to the Customer
6.1 Data Subject Requests. Sitemate will, to the extent legally permitted, promptly notify the Customer of any complaint or request it receives from a Data Subject with respect to the processing of their Personal Data covered by this DPA (each such request being a “Data Subject Request”). The Customer authorises on its behalf, and on behalf of its Controllers when the Customer is acting as a Processor, Sitemate to respond to any Data Subject who makes a Data Subject Request to Sitemate, to confirm that Sitemate has forwarded the request to the Customer. To the extent the Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Sitemate will upon the Customer's request provide commercially reasonable efforts to assist the Customer in responding to such Data Subject Request, to the extent Sitemate is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, the Customer will be responsible for any costs arising from Sitemate's provision of such assistance.
6.2 DPIAs. The Customer agrees that Sitemate's then-current SOC 2 audit report (or comparable industry-standard successor reports) will be used by the Customer to carry out its data protection impact assessments (“DPIAs”) and prior consultations, and Sitemate will make such reports available to the Customer.
7. Sub-processors
7.1 Appointment of Sub-processors. By entering into this DPA, the Customer acknowledges and agrees that Sitemate may engage Sub-processors in connection with the provision of the Services. Sitemate must enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA to the extent applicable to the nature of the Services provided by such Sub-processor.
7.2 Sub-processor Lists. The Customer may request the current list of Sub-processors for the Services, and a mechanism to subscribe to notifications of new Sub-processors, by emailing privacy@sitemate.com.
7.3 Objecting to New Sub-processors. The Customer may object to Sitemate's use of a new Sub-processor by notifying Sitemate promptly in writing within thirty (30) days after being notified of a new Sub-processor. In the event the Customer objects to a new Sub-processor, Sitemate will use commercially reasonable efforts to make available to the Customer a change in the Services or recommend a commercially reasonable change to the Customer's configuration or use of the Services to avoid processing of Customer Personal Data by the objected-to Sub-processor without unreasonably burdening the Customer. If Sitemate is unable to make available such change within thirty (30) days, the Customer may, via written notice to Sitemate, terminate the applicable SOW(s) with respect only to those Services which cannot be provided by Sitemate without the use of the objected-to Sub-processor.
7.4 Liability. Sitemate will be liable for the acts and omissions of its Sub-processors to the same extent Sitemate would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
8. Security
8.2 Security Measures. Sitemate has implemented and will maintain appropriate technical and organisational measures designed to protect the security, confidentiality, integrity and availability of Customer Personal Data and protect against Security Incidents. The Customer is responsible for configuring the Services and using features and functionalities made available by Sitemate to maintain appropriate security in light of the nature of Customer Data. Sitemate may update or change these measures from time to time, but will not materially decrease the overall security of the Services during the Term.
9. Security Incident Management
9.1 Notification. Sitemate must notify the Customer without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a Security Incident. Sitemate must make reasonable efforts to identify the cause of the Security Incident, and take such steps as Sitemate deems necessary and reasonable to mitigate the effects and remediate the cause to the extent within Sitemate's reasonable control. Upon the Customer’s request and taking into account the nature of the Processing and the information available to Sitemate, Sitemate must assist the Customer by providing information reasonably necessary for the Customer to meet its Security Incident notification obligations under Applicable Data Protection Laws. Sitemate's notification of a Security Incident is not an acknowledgment by Sitemate of its fault or liability. The obligations herein will not apply to Security Incidents that are caused by the Customer or the Customer's Authorised Users.
9.2 Assistance. To enable the Customer to notify a Security Incident to Supervisory Authorities or Data Subjects (as applicable), Sitemate will cooperate with and assist the Customer by including in the notification under clause 9.1 such information about the Security Incident as Sitemate is able to disclose to the Customer, taking into account the nature of the processing, the information available to Sitemate, and any restrictions on disclosing the information, such as confidentiality.
10. Return and Deletion of Customer Personal Data
Upon the Customer's request on or prior to termination of the Agreement, Sitemate will reasonably cooperate with the Customer to facilitate an export of such Customer Personal Data from Sitemate's systems and thereafter may delete any and all remaining Customer Personal Data from the same, unless further preservation is required or otherwise prohibited by law.
11. Data Transfers
The Customer acknowledges that the Services may involve cross-border transfers of Customer Personal Data. Sitemate will comply with Data Protection Laws if it engages in any cross-border processing of Customer Personal Data, or transmits any Customer Personal Data to any country outside of the country from which such Customer Personal Data was provided to it. To the extent required by Data Protection Laws, Sitemate will ensure that a lawful data transfer mechanism is in place prior to engaging in any onward transfers of Customer Personal Data from one country to another.
12. Audit
12.1 Third-Party Certifications and Audits. Sitemate uses external auditors to verify the adequacy of its security measures, and has obtained third-party certifications. Upon the Customer's written request at reasonable intervals, on the condition that the Customer has entered into an applicable non-disclosure agreement, and subject to the confidentiality obligations set forth in the Agreement, Sitemate will make available to the Customer (or the Customer's independent, third-party auditor) a copy of Sitemate's then most recent third-party audits or certifications, as applicable.
12.2 If the Customer cannot reasonably verify Sitemate's compliance with the terms of this DPA, Sitemate will provide written responses (on a confidential basis) to all reasonable requests for information made by the Customer related to Sitemate's Processing of Customer Personal Data, provided that such right may be exercised no more than once every twelve (12) months.
12.3 On-site Audits.
- (a) In the event that the Customer or a regulatory authority requires additional information or an audit related to the Services, such information and/or audit will be made available provided that any such audit of Sitemate's processing activities covered by this DPA (“On-Site Audit”) may only be conducted when: (i) the information available pursuant to clause 12.2 is not sufficient to demonstrate compliance with the obligations set out in this DPA; (ii) the Customer has received a notice from Sitemate of a Security Incident; or (iii) such an audit is required by Data Protection Laws or by the Customer’s competent Supervisory Authority.
- (b) Any audit must: (i) be conducted during Sitemate's regular business hours, with reasonable advance written notice of at least sixty (60) calendar days (unless Applicable Data Protection Laws or a regulatory authority requires a shorter notice period); (ii) be subject to reasonable confidentiality controls obligating the Customer (and its authorised representatives) to keep confidential any information disclosed that, by its nature, should be confidential; (iii) occur no more than once every twelve (12) months; and (iv) restrict its findings to only information relevant to the Customer.
- (c) The Customer acknowledges that Sitemate operates a multi-tenant cloud environment. Accordingly, Sitemate will have the right to reasonably adapt the scope of any On-Site Audit to avoid or mitigate risks with respect to, and including, service levels, availability, and confidentiality of other Sitemate customers’ information.
- (d) An On-Site Audit will be conducted by the Customer, acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Services used by the Customer.
- (e) An On-Site Audit may be conducted through a third-party independent contractor (“Third-Party Auditor”) if, prior to the On-Site Audit, the Third-Party Auditor enters into a non-disclosure agreement containing confidentiality provisions no less protective than those set forth in the Agreement to protect Sitemate's proprietary information, and the costs of the Third-Party Auditor are solely at the Customer’s expense.
- (f) The Customer must promptly provide Sitemate with information regarding any actual or suspected non-compliance discovered during the course of an On-Site Audit.
13. Limitation of Liability
To the extent permitted by Data Protection Laws, each Party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Affiliates and Sitemate, whether in contract, tort or under any other theory of liability, is subject to the Limitation of Liability section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
Schedule 1 — Description of Processing
1. Categories of Data Subject whose Personal Data is Processed: the Customer and its Authorised Users.
2. Categories of Personal Data Processed: Customer Personal Data, the content of which is determined and controlled solely by the Customer and its Authorised Users. Depending on the nature of the Services used by the Customer, Customer Personal Data may include:
- Contact information (such as addresses, email address, and phone number)
- Demographic information (such as gender and nationality)
- Employment information (such as job title, position and description and office location as well as other organisation-related identifiers)
- Communications information (such as information or content shared during communications with other Authorised Users on our Services, your feedback on our Services and other communications with us)
- Financial information (such as bank account details and other information necessary for processing payments and fraud prevention including your signature, credit card/debit card and bank account information or other related billing information, GST/VAT numbers and other tax identifiers that you use to pay for the Services)
- Log data and device information (such as IP address, computer and device information including device, application, or browser type and version, browser plug-in type and version, operating system, or time zone setting, authentication and security credential information, access dates and times, occurrences of technical errors, diagnostic reports, your settings preferences, backup information, API calls, and other logs)
3. The frequency of the transfer: Continuous basis depending on the use of the Services by the Customer.
4. Nature of the Processing: Sitemate will Process Personal Data in order to provide the Services and related Support Services in accordance with the Agreement, including this DPA. Additional information regarding the nature of the Processing (including transfer) is described in respective SOWs or orders for relevant Services and documentation referring to technical capabilities and features, including but not limited to collection, structuring, storage, transmission, or otherwise making available of Personal Data by automated means.
5. Purpose(s) of the Processing: Sitemate will Process Customer Personal Data as a Processor in order to perform the Services pursuant to the Agreement, applicable SOW or order form, or in accordance with the Customer’s Documented Instructions. In particular, Sitemate will process Customer Personal Data to:
- set up, operate, maintain, and support the Sitemate platform(s) and enable the use of various features and functionalities in accordance with the documentation and as directed by Authorised Users, including investigating Security Incidents, and resolving issues, bugs and errors;
- help ensure security and integrity of Sitemate platform(s), prevent, and investigate security or fraud issues, and verify or maintain the quality and safety of the Customer Personal Data and the Services;
- develop and improve any service features and functionalities provided as part of the Services including through automation, transaction processing, and machine learning; and
- comply with any legal and regulatory obligations.
6. The period for which the personal data will be retained: Subject to clause 10 of the DPA, Sitemate will process Customer Personal Data for as long as necessary to perform the Services pursuant to the Agreement or an applicable SOW or order form.
7. Transfers to Sub-processors: Sitemate will transfer Customer Personal Data to Sub-processors as permitted in clause 7 (Sub-processors). The subject matter, nature, and duration of the processing for any transfers to Sub-processors are the same as those above for transfers to Sitemate.