Folio Data Processing Agreement
This Data Processing Addendum (the “Agreement”) sets out the terms on which Folio will collect and process personal data on the Client’s behalf in the course of providing its products and services to the Client pursuant to the Main Agreement (as defined below). This Agreement contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.
DESCRIPTION OF DATA PROCESSING
The subject-matter, nature and purpose, duration of the processing, the type(s) of personal data being processed, and the categories of data subjects, as required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) are set out in the Order Form between the parties.
“Applicable Laws”: the law of the European Union (for so long as and to the extent that they apply to the Data Processor), the law of any member state of the European Union and/or the UK Data Protection Legislation and any other law that applies in the UK.
“controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing” and “appropriate technical and organisational measures”: as defined in the Data Protection Legislation.
“Data Protection Legislation”: the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party.
“Main Agreement” the agreement entered into between Folio and the Client under which Folio has agreed to provide products and/or services to the Client.
“UK Data Protection Legislation”: all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
For the purposes of this Agreement, the Client will be referred to as the “Data Controller”, and Folio will be referred to as the “Data Processor”.
Compliance with Data Protection Legislation
This Agreement is intended to ensure that the Data Controller’s appointment of the Data Processor is compliant with Data Protection Legislation, and the Data Processor may, at any time on not less than 30 days’ notice to the Data Controller, revise this Agreement by replacing it with any applicable controller to processor standard clauses or similar terms approved by the relevant supervisory authority forming part of an applicable certification scheme to which the Data Processor is subject. If the Data Controller does not agree to such revised terms, it may terminate the agreement by providing notice to the Data Processor.
Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 1.2 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.
Roles of the parties
The parties acknowledge that for the purposes of the Data Protection Legislation, the Data Controller is the controller and the Data Processor is the processor.
Data Controller’s Responsibilities
Without prejudice to the generality of clause 1.2, the Data Controller will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to the Data Processor and/or lawful collection of the personal data by the Data Processor on behalf of the Data Controller for the duration and purposes of this Agreement.
Data Processor’s Responsibilities
Without prejudice to the generality of clause 1.2, the Data Processor shall, in relation to any personal data processed in connection with the performance by the Data Processor of its obligations under this Agreement:
process that personal data only on the documented written instructions of the Data Controller unless the Data Processor is required by Applicable Laws to otherwise process that personal data. Where the Data Processor is relying on Applicable Laws as the basis for processing personal data, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Data Processor from so notifying the Data Controller;
ensure that it has in place appropriate technical and organisational measures, to protect against: (i) unauthorised or unlawful processing of personal data; and (ii) accidental loss or destruction of, or damage to, personal data, appropriate to: the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage of the data; and the nature of the data to be protected, in all cases having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential; and
ensure that it makes its internal practices, books and records, including policies and procedures relating to the use and disclosure of personal information received from, or created or received by Data Processor, on behalf of Data Controller, available to the Data Controller;
agree to mitigate, to the extent practicable, any harmful effect that is known to Data Processor of a use or disclosure of personal data by Data Processor or its employees, officers or agents in violation of the requirements of this Agreement. Data Processor agrees to reasonably cooperate and coordinate with Data Controller in the investigation of any violation of the requirements of this Agreement. Data Processor shall also reasonably cooperate and coordinate with the Data Controller in the preparation of any notices or reports to an individual, a regulatory body or any third party required to be made under applicable laws.
not transfer any personal data outside the European Economic Area and the United Kingdom unless either: the Commission has decided, in accordance with Article 45 of the General Data Protection Regulation ((EU) 2016/679), that the third country, a territory or one or more specified sectors within that third country, or the international organisation to which personal data is to be transferred, ensures an adequate level of protection; or, the following conditions are fulfilled:
the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer; and
the data subject has enforceable rights and effective legal remedies,
where, in all cases, the Data Processor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the personal data;
assist the Data Controller, at the Data Controller’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
notify the Data Controller without undue delay, and where practicable within 48 hours, on becoming aware of a personal data breach affecting Data Controller personal data, providing Data Controller with sufficient information to allow the Data Controller to meet any obligations to report or inform Data Subjects of the personal data breach under the Data Protection Laws.
Data Processor shall co-operate with the Data Controller and take reasonable commercial steps as are directed by Data Controller to assist in the investigation, mitigation and remediation of each such personal data breach.
at the written direction of the Data Controller, and without cost to the Data Controller, delete or return personal data and copies thereof to the Data Controller promptly and in any event within 10 business days of the date of cessation of any Services involving the processing of Data Controller personal data (the “Cessation Date”) unless required by Applicable Law to store the personal data; and
maintain complete and accurate records and information to demonstrate its compliance with this clause 4 and allow for audits by the Data Controller or the Data Controller’s designated auditor, only so far as is necessary in order to demonstrate compliance, provided that the Data Controller: provides the Data Processor with no less than 30 days’ notice of such audit or inspection; and the parties agree the scope, duration, and purpose of such audit or inspection in advance. If the Data Controller becomes privy to any confidential information of the Data Processor as a result of this clause 4.8, the Data Controller shall hold such confidential information in confidence and, unless required by law, not make the confidential information available to any third party, or use it for any other purpose. The Data Controller acknowledges that the Data Processor shall only be required to use reasonable endeavours to assist the Data Controller in procuring access to any third party assets, records or information as part of any audit.
promptly notify Data Controller if it receives a request from a Data Subject under any Data Protection Law in respect of personal data; and
ensure that it does not respond to that request except on the documented instructions of Data Controller or as required by Applicable Laws to which the Data Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform Data Controller of that legal requirement before the Contracted Processor responds to the request.
Third party processors
The Data Controller acknowledges and consents generally to the appointment by the Data Processor of third parties as sub-processors of the personal data being processed under this Agreement.
The Data Processor confirms that:
it shall impose on all sub-processors the same data protection obligations as set out in clauses 1, 4, and 5; and
the Data Processor shall remain fully liable for the actions of its sub-processors at all times.
The Data Processor shall give the Data Controller prior notice of the appointment of any new sub-processors and provide the Data Controller with full details of the processing to be undertaken by the sub-processor, thereby giving the Data Controller the opportunity to object to such appointment. If the Data Processor so notifies the Data Controller of any changes to sub-processors and the Data Controller objects to such changes, the Data Controller will be entitled to terminate this Agreement (without liability for either party, and such termination will be deemed to be a no-fault termination) if the Data Controller has reasonable grounds for objecting to such changes by reason of the changes causing or being likely to cause the Data Controller to be in breach of the Data Protection Legislation.
Subject to this section 6, Data Processor shall, subject to the Data Controller giving the Data Processor no less than 30 days’ advance notice, and on no more than 2 occasions in any contract year (except in the case of any emergency or data breach when such notice shall not be required), make available to the Data Controller on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Contracted Processors.
Information and audit rights of the Data Controller only arise under section 6.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
Subject to the provisions regarding liability under the Main Agreement, and the Data Controller taking all reasonable steps to mitigate against the same, Data Processor shall, to the fullest extent permitted by law, protect, defend and indemnify Data Controller and its respective employees, directors, and agents from and against any and all losses, costs, claims, penalties, fines, demands, liabilities, legal actions, judgments, and expenses of every kind (including reasonable attorney’s fees, including at trial and on appeal) asserted or imposed against the Data Controller arising out of a data breach directly caused by the acts or omissions of Data Processor or any of its employees, directors, or agents.
This Agreement is subject to the terms of the Main Agreement and is incorporated into the Main Agreement. Except where otherwise stated herein, interpretations and defined terms set forth in the Main Agreement apply to the interpretation of this Agreement. In the case of conflict or ambiguity between any of the provisions of this Agreement and the provisions of the Main Agreement, the provisions of this Agreement will prevail. Any limitation of liability set forth in the Main Agreement will apply to this Agreement.
This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this Agreement or its subject matter or formation.