
Kapta Data Processing Addendum

This Kapta Data Processing Addendum (“DPA”) forms a part of, and is incorporated into, the Terms of Service (“Terms”) between Kapta and Customer. All capitalized terms not defined herein shall have the meaning set forth in the Terms. Customer agrees to the following terms of this DPA:

1. Definitions

1.1 “Applicable Data Protection Law(s)” means the data protection laws, rules and regulations applicable to Services offered by Kapta; with respect to PII from Europe, “Applicable Data Protection Law(s)” shall include Regulation (EU) 2016/679 (“GDPR”) and the Data Protection Act of 2018 (“UK GDPR”);

1.2 “Customer” or “Customers” means the natural or legal person engaging or approaching Kapta for the purpose of soliciting, securing, or otherwise utilizing one or more of Kapta’s Services;

1.3 “Data Security Statement” means the Kapta Data Security Statement located at [www.kapta.com/security-statement/];

1.4 “Data Subject” means an identified or identifiable person whose PII may be subject to this DPA;

1.5 “Europe” shall mean the European Economic Area, the European Free Trade Association and the United Kingdom;

1.6 “PII” means personally identifiable information or any representation of information that permits the identity of the Customer or data subject to whom the information applies to be reasonably inferred by either direct or indirect means;

1.7 “Process”, “processes”, “processing”, and “processed” shall have the meanings assigned to them in the Applicable Data Protection Law(s);

1.8 “Security Incident” means an event in which Kapta knows, discovers, is notified of, or reasonably suspects that PII has been accessed, disclosed, transferred, acquired, or used by unauthorized persons;

1.9 “Service” or “Services” means the information, software or services made available to Customers through the Website or other platforms offered by Kapta;

1.10 “Sub-Processor” or “Sub-Processors” means Kapta’s contractors, agents, vendors, and third-party service providers who process PII as a service to Kapta;

1.11 “Website” means Kapta’s websites located at the domain addresses [https://kapta.com] and [https://login.kaptasystems.com] and any affiliated websites.

2. Data Handling and Sub-Processors

2.1 General Compliance. Customer hereby authorizes and instructs Kapta to, and Kapta will, and will require Sub-Processors to, process PII in compliance with this DPA, the Terms, the Privacy Policy, the Data Security Statement (collectively “Policies”), and all Applicable Data Protection Law(s). Customer represents and warrants that it has the authority, grounds, rights, permissions, licenses, and consents necessary to enable Kapta to process the PII Customer provides as required by the Policies and in accordance with Applicable Data Protection Law(s).

2.2 Sub-Processor Compliance. Customer hereby grants Kapta general authorization for the engagement of Sub-Processors. Customer hereby understands, acknowledges, and approves of the following Sub-Processors: Amazon Web Services (United States), Clearbit (United States), Hubspot (United States), Twilio SendGrid (United States), Zoom Video Communications (United States), ScheduleOnce (United States), Zendesk (United States), Microsoft Corporation (United States), Google LLC (United States), The Rocket Science Group LLC d/b/a Mailchimp (United States), and Slack Technologies (United States). Kapta shall inform Customer in writing, either via email or a notice conspicuously placed on the Website, within thirty (30) calendar days of any intended additional or replacement Sub-Processors.

2.3 Sub-Processor Engagement. In the event Kapta engages a Sub-Processor for any Services which may involve the transfer of PII, it will only do so by way of a written contract which will include a provision requiring the same data protection obligations as the ones binding Kapta, including terms of third-party beneficiary rights for Data Subjects. Kapta will ensure all Sub-Processors comply with these contractual obligations.

2.4 Objection Right Concerning New Sub-processors. Customer may object to Kapta’s use of a new Sub-Processor by notifying Kapta in writing within thirty (30) calendar days after receipt of Kapta’s notice of engaging such new Sub-Processor. In the event of such an objection, Kapta will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable modification to Customer’s configuration or utilization of the Services to avoid processing of PII by the objected-to new Sub-Processor without unreasonably burdening Customer. If Kapta is unable to offer such change within a reasonable period of time, which shall not exceed thirty (30) calendar days, Customer may terminate the applicable Order Form(s) with respect to those Services which cannot be provided by Kapta without the use of the objected-to new Sub-Processor by providing written notice to Kapta. Kapta will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.

2.5 Details of the Processing. The purpose, nature, and duration of PII processing, types of PII, and categories of Data Subjects are specified in Schedule 1.

2.6 Rights of Data Subjects. Kapta will, to the extent legally permitted, promptly notify Customer if Kapta receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, objection to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Kapta will assist Customer by reasonable and appropriate technical and organizational measures for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Applicable Data Protection Law(s). In addition, Kapta will, upon Customer’s request and at Customer’s expense, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Kapta is legally permitted to do so and the response to such Data Subject Request is required under Applicable Data Protection Laws. To the extent legally permitted, Customer will be responsible for any reasonable costs arising from Kapta’s provision of such assistance.

2.7 Prior Consultation. Kapta agrees to provide reasonable assistance to Customer (at Customer’s expense) where, in Customer’s judgement, the type of processing performed by Kapta is likely to result in a high risk to the rights and freedoms of Data Subjects (e.g., systematic and extensive profiling, processing and systematically monitoring PII on a large scale, or processing PII via new technologies) and thus requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.

2.8 Demonstrable Compliance. Kapta agrees to keep records of its processing in compliance with Applicable Data Protection Law(s) and provide such records to Customer upon request. If Kapta is collecting the PII of Data Subjects in Europe on Customer’s behalf, such records shall indicate, among other information:

(a) The legal basis for processing; or

(b) Records of the Data Subject’s verifiable consent under Applicable Data Protection Law(s).

3. Information Security

3.1 Controls for the Protection of PII. Kapta will maintain appropriate technical and organizational measures for ensuring (including protection against unauthorized or unlawful processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to) the confidentiality and integrity of PII and will regularly monitor compliance with these measures. Furthermore, Kapta will not materially decrease the overall security of the Services during a subscription term.

3.2 Data Protection Impact Assessment. Upon Customer’s request, to the extent Customer does not otherwise have access to the relevant information, and such information is available to Kapta, Kapta shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services.

4. Processing Personnel

4.1 Confidentiality. Kapta will ensure that all personnel engaged in the processing of PII are informed of the confidential nature of the PII, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. Kapta will ensure that such confidentiality obligations survive the termination of the personnel engagement.

4.2 Reliability. Kapta will take commercially reasonable steps to ensure the reliability of any Kapta personnel engaged in the processing of PII.

4.3 Limitation of Access. Kapta will ensure that access to PII is limited to those personnel performing Services in accordance with the Policies and Applicable Data Protection Law(s).

5. Assessments, Audits and Remediation

5.1 Assessments. Records to demonstrate compliance with the Policies and Applicable Data Protection Law(s) will be maintained by Kapta for one (1) calendar year following the creation of the relevant record(s) and provided to Customer upon request. Kapta will complete all reasonable data protection inquiries and requests provided by Customer within two (2) calendar weeks of the date and time it receives each request.

5.2 Audits. Upon written notice of no less than thirty (30) calendar days, Kapta agrees to permit Customer, at Customer’s cost, and no more than once annually, to conduct audits through a Kapta-approved third-party auditor. However, Kapta agrees to allow audits to be conducted directly by Customer where, under Applicable Data Protection Law(s), Customer has the right to conduct audits directly, and such right cannot be contractually waived by Customer. Kapta will cooperate in good faith with the audit and promptly:

(a) Provide access to books, records (including, but not limited to, security scan records), systems, files, and other information necessary for the audit; and

(b) At Customer’s request, provide access to Kapta’s premises if absolutely necessary to properly conduct the audit or as required under Applicable Data Protection Law(s).

Notwithstanding the foregoing, Customer may not conduct any security scans or other intrusion testing on Kapta’s systems without the express prior written consent of Kapta. Furthermore, Kapta may redact, remove, or otherwise withhold certain proprietary information if such information is outside the scope of the audit or is protected from audit by any law.

Customer agrees to schedule audits to minimize disruption to Kapta’s business, require any third party it employs to sign a non-disclosure agreement, and make the results of the audit available to Kapta. Customer will only disclose the results of the audit to third parties to the extent such disclosure is required to demonstrate Customer’s own compliance with any law or otherwise required under Applicable Data Protection Law(s).

5.3 Remediation. Kapta will promptly take action to correct any documented material security issue affecting PII identified by such audit and to inform Customer of such actions. If action is not promptly taken, Customer’s sole remedy will be to terminate any or all Order Forms at Customer’s discretion.

6. Secure Disposal

Kapta will dispose of PII in a secure manner:

(a) During the subscription term upon Customer’s written request if such PII is no longer reasonably required to perform Services; or

(b) At the termination or expiration of the provision of Services.

If instructed by Customer, a copy of such PII will be returned to Customer prior to disposal. Kapta may retain PII to the extent that it is required to do so under Applicable Data Protection Law(s) or other laws.

7. Security Incident

7.1 Policy. Kapta will, to the extent required under Applicable Data Protection Law(s), notify Customer without undue delay after becoming aware of any Security Incident. Kapta will make reasonable efforts to identify the cause of such Security Incident and take those steps as Kapta deems necessary and reasonable to remediate the cause of such Security Incident to the extent the remediation is within Kapta’s reasonable control. The obligations herein shall not apply to Security Incidents that are caused by Customer or Customer’s users, employees or agents.

7.2 Reports. Upon request by Customer, Kapta will enable Customer to review the results of, and reports relating to, the investigation and response to a Security Incident, which Customer will treat as confidential information of Kapta.

8. Termination Obligations

8.1 Termination. Notwithstanding anything to the contrary in the Policies, in the event a data protection or other regulatory authority, court, or tribunal in any country finds there has been a breach of Applicable Data Protection Law(s) by virtue of Customer’s or Kapta’s processing of PII in connection with the Terms, and such breach has not been cured within sixty (60) calendar days of Kapta’s receiving notice thereof, Customer may terminate any Order Form, or any portion thereof, immediately upon written notice to Kapta, and without judicial notice or resolution or prejudice to any other remedies.

8.2 Effect of Termination or Expiration. In the event of termination of an Order Form, or any portion thereof, or an expiration of a subscription term, Kapta will securely dispose of PII unless Kapta is required to retain such information under Applicable Data Protection Law(s) or other laws. Kapta’s obligations to protect PII will continue until all such information has been permanently and completely destroyed or deleted, including any back-ups.

9. Privacy and Security Coordinator

Kapta will designate a point of contact as its Privacy and Security Coordinator. The Privacy and Security Coordinator will:

(a) Be responsible for applying adequate protections to PII, including the development, implementation, and maintenance of its information security program;

(b) Oversee Kapta’s compliance with the requirements of this DPA; and

(c) Serve as a point of contact for internal communications and communications with Customer pertaining to this DPA and compliance with or any breaches thereof.

10. Standard Contractual Clauses

Through this DPA, Kapta has adopted the Standard Contractual Clauses (“SCC”) of the European Union enacted via Commission Decision 2010/87/EU and ratified by the United Kingdom Information Commissioner’s Office. The SCC has been modified only for the purposes of complying with laws of the United Kingdom and coherent navigation of the DPA as a whole. The SCC was not otherwise updated, amended, or modified.

In the event of a conflict between the terms of the SCC and the terms found elsewhere in the Policies (including this DPA), the terms of the SCC shall prevail and govern.

11. Updates and Changes

This DPA is effective as of February 9, 2021.

Kapta may update, amend, or otherwise modify this DPA at its sole discretion, in whole or in part, with such modifications, additions or deletions being immediately effective upon their posting to the Website.

DATA PROCESSING ADDENDUM
SCHEDULE 1
DATA PROCESSING DETAILS

1. Nature and Purpose of Processing

Kapta will process PII only as necessary to perform its Services pursuant to the Terms, as further specified in the Order Form, and as further instructed by Customer in its use of the Service that enables Customer’s key account management.

2. Duration of Processing

Kapta will process PII for the duration of the subscription term, as provided in this DPA, or as otherwise agreed upon in writing. In the event of termination of Services, Kapta will process PII until the date and time of termination and may process PII for a reasonable time beyond such date and time if necessary to conclude Services or comply with any laws.

3. Categories of Data Subjects

Customer may submit PII to Kapta relating to the following categories of Data Subjects:

(a) Current or potential clients, vendors, employees, officers, directors, agents, contractors, or contact persons of Customer;

(b) Employees, officers, directors, contractors, agents, or contact persons of Customer’s third-party suppliers, business partners and vendors;

(c) Customer’s users authorized by Customer to use the relevant Service.

4. Type of PII

Customer may submit several types of PII to Kapta, including, but not limited to:

(a) Contact details:

i. Full legal name;

ii. Street and/or mailing address;

iii. Employer or relationship with any organization;

iv. Telephone number, street address, and email address of employer;

v. Job title or position;

vi. E-mail address;

vii. Telephone number; or

(b) Username and password for the account a Data Subject may establish to utilize a Service.

DATA PROCESSING ADDENDUM
SCHEDULE 2
STANDARD CONTRACTUAL CLAUSES

Clause 1
Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the United Kingdom;

(f) ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the Transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Schedule 1 of the DPA.

Clause 3
Third-Party Beneficiary Clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4
Obligations of the Data Exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the United Kingdom) and does not violate the relevant provisions of that state;

(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix A;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix A, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the Data Importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organizational security measures specified in Appendix A before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(ii) any accidental or unauthorized access; and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix A which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7
Mediation and Jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts of the state of domicile of the data exporter.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with Supervisory Authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9
Governing Law

The Clauses shall be governed by the law of the state of the domicile of the data exporter.

Clause 10
Variation of the Contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Sub-Processing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.

2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the laws of the state of domicile for the data exporter.

4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12
Obligation after the Termination of Personal Data-Processing Services

1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

APPENDIX A TO SCHEDULE 2
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Description of the technical and organizational security measures implemented by Kapta in accordance with Clauses 4(d) and 5(c) of Schedule 2:

1. Data Encryption

Kapta utilizes some of the most advanced technology for Internet security available today. When Data Subjects access the Kapta Website, Transport Layer Security (TLS) technology, also known as HTTPS, protects their information using both server authentication and data encryption, ensuring that their data is safe, secure, and available only to registered users in their organization. Data is encrypted both in transit and at rest and will be completely inaccessible to unauthorized users.

2. Cookies and Passwords

Kapta provides each Customer with a unique username and password that must be entered each time a Customer logs on, unless specified by the Customer to keep the session alive. In that case Kapta issues a session “cookie” only to record encrypted authentication information for the duration of a specific session. The session “cookie” does not include either the username or password of the Customer. Kapta does not use “cookies” to store PII or session information, but instead implements more advanced security methods based on dynamic data and encoded session IDs. Kapta enforces a strong password policy.

3. Hosting and Physical Security

Kapta is hosted in a secure server environment using world-class, SOC 2 accredited data centers provided by Amazon Web Services that uses a firewall and other advanced technology to prevent interference or access from outside intruders.

4. Penetration Tests

Kapta performs regular penetration tests and remediates any results found according to severity.

5. Breach Notification

If Kapta learns of a security breach, then it will notify affected Customers so that they may take all appropriate protective steps.

6. Personnel

Kapta conducts industry-standard background screenings of all personnel at the time of hire. In addition, Kapta communicates its information security policies to all personnel (who must acknowledge this), requires new employees to sign non-disclosure agreements, and provides ongoing privacy and security training.

ILLUSTRATIVE INDEMNIFICATION CLAUSE

Liability

Customer agrees that if one party is held liable for a violation of the Clauses committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred.

Indemnification is contingent upon:

(a) the data exporter promptly notifying the data importer of a claim; and

(b) the data importer being given the possibility to cooperate with the data exporter in the defense and settlement of the claim.