Data Processing Agreement

DATA PROCESSING AGREEMENT

Effective as of November, 2022

Wandy and its affiliates and subsidiaries (collectively “Wandy”) requires that service providers, contractors, suppliers, distributors and other business partners and their employees (collectively “You”) comply with the requirements set forth in this Data Processing Agreement (“DPA”) with respect to any information (“Wandy Data”) that Wandy or its employees, representatives, customers, distributors, or other business partners make available to You in the context of Your business relationship with Wandy or a Wandy customer. This DPA is attached to, and incorporated by reference into, the agreements for services (“Agreements”) by and between the Wandy entity named therein and You.

  1. Use and Transfer Limitations. You must not access, collect, store, retain, transfer, use or otherwise process in any manner any Wandy Data, except: (a) in the interest and on behalf of Wandy; (b) as directed by authorized personnel of Wandy in writing; and (c) in accordance with applicable law. Without limiting the generality of the foregoing, You may not make Wandy Data accessible to any subcontractors or relocate Wandy Data to new locations, except as set forth in written Agreements with, or written instructions from Wandy. You must return or delete any Wandy Data at the end of Your relationship with Wandy and, at any time, at Wandy's request. You must impose contractual obligations on all employees, contractors, and onward recipients that are at least as protective of Wandy Data as this DPA.
  1. Comply with Approved Policies. You must keep Wandy Data secure from unauthorized access and other data processing by using Your best efforts and state-of-the-art organizational and technical safeguards. You must comply with Wandy’s Information Security Requirements for Vendors unless Wandy has expressly approved Your own information security policy in writing as an alternative (in which case You have to comply with the approved version of Your own policy, refrain from making any changes that reduce the level of security provided thereunder, and provide thirty (30) days prior written notice to Wandy of any significant changes to Your own information security policy). If You conduct SSAE 16, SOC or similar or successor audits, You must comply with Your SSAE 16, SOC or similar or successor standards and provide Wandy with thirty (30) prior days' notice of any changes.
  1. Cooperate with Compliance Obligations. At Wandy’s reasonable request, You must: (a) execute a business associate agreement under the U.S. Health Insurance Portability and Accountability Act of 1996 and related regulations, as amended (“HIPAA”) as well as similar agreements as required under other jurisdictions' laws, (b) contractually agree to comply with laws and industry standards designed to protect Wandy Data, including, without limitation, the Standard Contractual Clauses approved by the European Commission for data transfers to processors, Payment Card Industry Standards (“PCI”), as well as similar and other frameworks, if and to the extent such frameworks apply to any Wandy Data that You come into contact with; or (c) allow Wandy to terminate certain or all contracts with You, subject to (i) a proportionate refund of any prepaid fees, (ii) transition or migration assistance as reasonably required, and (iii) without applying any early termination charges or other extra charges.
  1. Submit to Audits. You must provide information on Your compliance program and submit to reasonable data security and privacy compliance audits by Wandy or, at Wandy’s request, by an independent third party, or customers of Wandy, to verify compliance with this DPA, applicable law, and any other applicable contractual undertakings.
  1. Notify Breaches. If You become aware of unauthorized access to Wandy Data, or of any security breach that is reportable under the EU General Data Protection Regulation (GDPR) or laws applicable to You or Wandy, You must immediately notify Wandy, consult and cooperate with investigations and potentially required notices, and provide any information reasonably requested by Wandy. You must also indemnify Wandy from any resulting damages and costs, including, without limitation, identity protection assistance and services procured for data subjects and reasonable attorneys and technical consultant fees for Wandy’s handling of the incident.
  1. No Information Selling or Sharing for Advertising. You acknowledge and confirm that You do not receive any Wandy Data as consideration for any services or other items that You provide to Wandy. You shall not have, derive, or exercise any rights or benefits regarding Wandy Data. You must not sell or share any Wandy Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act of 2020 (“CCPA”), or under any other laws. You must not collect, retain, use, or disclose any Wandy Data (a) for targeted or cross‐context behavioral advertising, (b) but for the business purposes specified in a written contract with Wandy, or (c) outside the direct business relationship with Wandy. You must not combine Wandy Data with other data if and to the extent this would be inconsistent with limitations on service providers under the CCPA or other laws. You certify that You understand the rules, requirements, and definitions of the CCPA, and all restrictions in the DPA. You agree to refrain from taking any action that would cause any transfers of Wandy Data to or from You to qualify under the CCPA or other laws as “sharing” for advertising purposes or as “selling” personal information.
  1. EEA/CH Personal Data: With respect to any Wandy Data that is subject to the GDPR and/or the Swiss Data Protection Act as "personal data," You accept the Standard Contractual Clauses 2021 promulgated by Commission implementing decision (EU) 2021/914 of 4 June 2021 with the applicable Module(s), and you will provide completed Annexes, a list of subprocessors and a transfer impact assessment (as required by Clause 14) without undue delay.
  1. Integration. This DPA applies in addition to, not in lieu of, any other terms and conditions agreed with Wandy, except as specifically and expressly agreed in writing with explicit reference to this DPA. This DPA shall not create any rights for anyone other than Wandy.