Data Protection Addendum

You agreeing to these terms (“Customer“) and Ona Systems, Inc (as applicable) have entered into an Ona Terms of Service agreement (as amended to date) (the “Ona Systems Agreement“). This amendment (the “Data Processing Amendment“) is entered into by and between Customer and Ona Systems, Inc. (“Ona Systems“), 46 Brewer Parkway, South Burlington, VT 05403, USA as of the Effective Date. The “Effective Date” is the date Customer accepts this Data Processing Amendment by clicking to accept these terms.

If you are accepting on behalf of Customer, you represent and warrant that: (i) you have full legal authority to bind your employer, or the applicable entity, to these terms and conditions; (ii) you have read and understood this Data Processing Amendment; and (iii) you agree, on behalf of the party that you represent, to this Data Processing Amendment. If you do not have the legal authority to bind Customer, please do not click the “Accept” button below.

1. Introduction

1.1 Subject to Section 1.2 below, Customer may use the Services to process Customer Personal Data in accordance with this Data Processing Amendment.

1.2 Customer may not use the Services to process Customer Personal Data which in itself personally identifies an individual (such as a name, email address or billing information), or other data which can be reasonably linked to such information by Ona.

1.3 This Data Processing Amendment only applies if and to the extent that the parties process Customer Personal Data under the Ona Systems Agreement, including with respect to personal data in accordance with the Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and the member countries’ national implementation.

2. Definitions

2.1 Capitalized terms used but not defined in this Data Processing Amendment will have the meaning provided in the Agreement. In this Data Processing Amendment, unless expressly stated otherwise:

Additional Products” means products, services and applications (whether made available by Ona or a third party) that are not part of the Services.

Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.

Agreement” means the Ona Systems Agreement and this Data Processing Amendment.

Customer Personal Data” means any Personal Data collected, transmitted, analysed or otherwise processed through the Services which is received through web-based forms, application programming interface (API) submitted forms, mobile application submitted forms, uploaded files, or through other interactions with Ona services.

Data Protection Legislation” means the national provisions adopted pursuant to the Directive, in the country in which the Customer is established.

Directive” means Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.

Ona Systems Group” means those Ona Systems Affiliates that may be used to provide the Services to Customer.

Instructions” means the written instructions of the Customer specified in the Agreement (as amended or replaced) and any subsequent instructions from the Customer to Ona and acknowledged by Ona.

Personal Data” means any information relating to an identified or identifiable natural person.

Security Incident” means accidental or unlawful distribution or accidental loss, alteration, or unauthorised disclosure or access to Customer Personal Data by Ona or its Subprocessors.

Security Measures” has the meaning given in Section 6.1 of this Data Processing Amendment.

Subprocessors” means the Ona Systems Group and Third Party Suppliers.

Services” means, for purposes of this Data Processing Amendment, those services defined as the “Ona Data Collection Platform”, “Enketo Smart Paper” or “Canopy Solutions” (as applicable) under the Agreement.

Third Party Suppliers” means the third party suppliers engaged by the Ona Systems Group for the purposes of processing Customer Personal Data in the context of the provision of the Services. Additional information about Third Party Suppliers is available at the following URL: https://ona.io/terms/subprocessors.html, as such URL may be updated from time to time by Ona.

2.2. The terms “personal data”, “processing”, “controller” and “processor” shall have the meanings ascribed to them in the Directive.

3. Term

This Data Processing Amendment shall automatically terminate upon the expiry or termination of the Agreement.

4. Data Protection Legislation

The parties agree and acknowledge that the Data Protection Legislation applies to the processing of Customer Personal Data.

5. Processing of Customer Personal Data

5.1. Processor. With respect to Customer Personal Data under the Agreement, the parties acknowledge and agree that Customer shall be the controller and Ona shall be a processor. Customer shall comply with its obligations as a controller and Ona shall comply with its obligations as a processor under the Agreement. Where a Customer Affiliate is the controller (either alone or jointly with the Customer) with respect to certain Customer Personal Data, Customer represents and warrants to Ona that it is legally authorized to instruct Ona and otherwise act on behalf of such Customer Affiliate in relation to the Customer Personal Data in accordance with the Agreement, as amended.

5.2 Scope of Processing. Ona will process Customer Personal Data only in accordance with Instructions from Customer through the settings of the services, i.e. (a) to operate, maintain and support the infrastructure used to provide the Services; (b) to comply with Customer’s instructions and processing instructions in their use, management and administration of the Services; (c) as otherwise instructed through settings of the Services. Ona will only process Customer Personal Data in accordance with the Agreement.

5.3 Other Services. Customer acknowledges that if it installs, uses, or enables Additional Products that interoperate with the Services but are not part of the Services itself, then the Services may allow such Additional Products to access Customer Personal Data as required for the interoperation of those Additional Products with the Services. By using such Additional Products, Customer authorizes Ona to share Customer Personal Data with the Additional Products. The Agreement does not apply to the processing of Customer Personal Data transmitted to and from such other Additional Products. Such separate Additional Products are not required to use the Services and may be restricted for use as determined by Customer’s system administrator in accordance with the Agreement.

6. Data Security

6.1 Security Measures. Ona will take and implement appropriate technical, administrative and organizational measures designed to protect Customer Personal Data against a Security Incident (“Security Measures”). Ona may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the material degradation of the security of the Services.

6.2 Ona Staff. Ona will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance.

6.3 Security Incident. If Ona becomes aware of a Security Incident, Ona will notify Customer of such Security Incident as soon as reasonably practicable, having regard to the nature of such Security Incident. Ona will use commercially reasonable efforts to work with Customer in good faith to address any known breach of Ona’s security obligations under the Agreement.

7. Data Deletion

For the term of the Agreement, Ona will provide Customer with the ability to export Customer Personal Data in a manner consistent with the functionality of the Services. After termination or expiry of the Ona Systems Agreement, Ona will delete Customer Personal Data in accordance with the terms of the Agreement.

8. Access to Data

Ona will make available to Customer the Customer Personal Data in accordance with the terms of the Agreement in a manner consistent with the functionality of the Services, including the SLA (if applicable).

9. Data Transfers

9.1 Data Transfers. As part of providing the Services, Ona may transfer, store and process Customer Personal Data in the United States or any other country in which Ona maintains facilities.

10. Subprocessors

10.1 Subprocessors. Ona may engage Subprocessors to provide limited parts of the Services (including customer support services).

10.2 Processing Restrictions. Ona will ensure Subprocessors only access and use Customer Personal Data in accordance with the terms of the Agreement.

10.3 Customer Consent to Subprocessing. Customer consents to Ona subcontracting the processing of Customer Personal Data to Subprocessors in accordance with the terms of the Agreement.

11. Third Party Beneficiary

Notwithstanding anything to the contrary in the Agreement, where Ona Systems Inc. isn’t a party to the Ona Systems Agreement, the applicable Ona Systems Inc. subsidiary will be a third party beneficiary of this Data Processing Amendment.

12. Effect of Amendment

To the extent of any conflict or inconsistency between the terms of this Data Processing Amendment and the remainder of the Agreement, the terms of this Data Processing Amendment will govern. Subject to the amendments in this Data Processing Amendment, the Agreement remains in full force and effect.