Effective: November 14, 2024
DATA PROCESSING ADDENDUM
THIS DATA PROCESSING ADDENDUM (“DPA”) is entered into as of the Addendum Effective Date by and between: (1) THORN, a California public benefit corporation with a business address at 222 N. Pacific Coast Highway, 10th Floor, El Segundo, CA 90245 (“Thorn”); and (2) the entity or other person who is a counterparty to the Agreement (as defined below) into which this DPA is incorporated and forms a part (“Company”).
1. INTERPRETATION
1.1 In this DPA the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:
a. “Addendum Effective Date” means the effective date of the Agreement.
b. “Agreement” means the agreement between the parties, namely either: (i) the ‘Safer Products & Services Terms and Conditions’, being the agreement comprising an Order Form together with the Safer Products & Services Terms and Conditions set out at https://safer.io/safer-thorn-hosted-product-services/ or any successor page; or (ii) any other agreement entered into by the parties that provides that this DPA will be incorporated therein by reference.
c. “Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction directly applicable to Thorn’s Processing of Company Personal Data under the Agreement (including, as and where applicable, the GDPR and State Privacy Laws).
d. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
e. “Company Personal Data” means any Personal Data Processed by Thorn or its Sub-Processor on behalf of Company in connection with Thorn's performance of the Services under the Agreement (including any Third-Party Technology Personal Data).
f. “Data Subject” means the identified or identifiable natural person to whom Company Personal Data relates.
g. “Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Company Personal Data and the Processing thereof.
h. “GDPR” means, as and where applicable to the relevant Processing: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law (as amended from time to time) (“UK GDPR”).
i. “Mission Furtherance Processing” has the meaning given in Section 3.
j. “Personal Data” means “personal data”, “personal information”, “personally identifiable information”, or similar term defined in Applicable Data Protection Laws.
k. “Personal Data Breach” means a breach of Thorn’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Personal Data in Thorn’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Company Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
l. “Personnel” means a person’s employees, agents, consultants, contractors or other staff.
m. “Process” and inflections thereof means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
n. “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
o. “Restricted Transfer” means the disclosure, grant of access or other transfer of Company Personal Data to any person located in: (i) within the context of the EU GDPR, any country or territory outside the European Economic Area (“EEA”) which does not benefit from an adequacy decision from the European Commission (an “EEA Restricted Transfer”); and (ii) within the context of the UK GDPR, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
p. “SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.
q. “Services” means those services and activities to be supplied or carried out by or on behalf of Thorn for Company pursuant to the Agreement each as more particularly described in the Agreement and Annex 1 (Data Processing Details) to this DPA.
r. “State Privacy Laws” means the California Consumer Privacy Act of 2018 (“CCPA”), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act, in each case only if and to the extent applicable to Thorn’s Processing of Company Personal Data under the Agreement.
s. “Sub-Processor” means any third-party appointed by or on behalf of Thorn to Process Company Personal Data.
t. “Supervisory Authority”: (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office (“ICO”).
u. “Third-Party Technologies” means the third-party software supported by the Services, including: (i) certain software algorithm implementations provided by third-parties, such as Microsoft’s PhotoDNA software and Google’s CSAI Match software, and/or (ii) certain proprietary formats, such as High Efficiency Image File Format (HEIF) files or High Efficiency Image Container (HEIC) files, for which Customer is solely responsible for obtaining appropriate licenses and compatible software from the respective third-party licensor. Third-Party Technologies are not products of Thorn, and Thorn does not guarantee their function or interoperability with the Services.
v. “Thorn’s Privacy Policy” means the privacy policy displayed from time to time at https://www.thorn.org/privacy-policy/ or any successor page.
w. “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the UK Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).
1.2 Unless otherwise defined in this DPA, all capitalized terms in this DPA shall have the meaning given to them in the Agreement.
2. PROCESSING OF COMPANY PERSONAL DATA
2.1 Details and Roles. The parties acknowledge and agree that the details of Thorn’s Processing of Company Personal Data, including the respective roles of the parties relating to such Processing, are as described in Annex 1 (Data Processing Details) to this DPA.
2.2 General. Thorn shall not Process Company Personal Data other than: (a) on Company’s instructions; (b) as authorized by Company under Section 3 as part of the Mission Furtherance Processing; or (c) as required by applicable laws so long as, in such circumstances, Thorn shall inform Company in advance of the relevant legal requirement requiring such Processing if and to the extent Thorn is: (i) required to do so by Applicable Data Protection Laws; and (ii) permitted to do so in the circumstances. Company instructs Thorn to Process Company Personal Data to provide the Services to Company and in accordance with the Agreement. The Agreement is a complete expression of such instructions, and Company’s additional instructions will be binding on Thorn only pursuant to a written amendment to this DPA signed by both parties. Where required by Applicable Data Protection Laws, if Thorn receives an instruction from Company that, in its reasonable opinion, infringes Applicable Data Protection Laws, Thorn shall notify Company.
2.3 Third-Party Technologies. If the applicable Agreement is defined under Section 1.1(b) above then, where applicable under the Agreement, by its integration and use of any Third-Party Technologies as part of the Services, Company hereby instructs Thorn to Process any Personal Data contained within or included in any information sent to, or accessed via, any such Third-Party Technologies through any such use by Company (“Third-Party Technology Personal Data”) to the fullest extent required to enable Thorn to provide the Services. In respect of any such Third-Party Technology Personal Data and any Processing thereof, save with respect to the Mission Furtherance Processing, Company acknowledges and agrees that: (a) Thorn acts as a Processor on behalf of Company; (b) the relevant provider of the Third-Party Technology may act as a Controller in its own right or as a (sub-)Processor of Company; (c) neither Thorn nor the relevant provider of the Third-Party Technology acts as a (sub-)Processor of the other in respect of Thorn’s Processing of such Third-Party Technology Personal Data; and (d) as between Company and Thorn, Thorn has no obligation to agree or establish any terms, conditions or arrangements with the relevant provider of the Third-Party Technology in relation to: (i) Thorn’s Processing of Third-Party Technology Personal Data, nor (ii) any Restricted Transfer(s) initiated by Company to or from Thorn, from or to the provider of the relevant Third-Party Technology.
2.4 Consideration. The parties acknowledge that access to Personal Data does not form part of the consideration exchanged between the parties in respect of the Agreement or any other business dealings.
3. MISSION FURTHERANCE PROCESSING
3.1 Authorization. As and where permitted under the Agreement, Company authorizes Thorn to Process Company Personal Data to: (a) improve the Services; or (b) further the Mission, including any associated aggregation, anonymization, de-identification or pseudonymization (“Mission Furtherance Processing”).
3.2 Thorn as Controller. Thorn acts as a separate and independent Controller in respect of any Mission Furtherance Processing, and shall: (a) comply with Applicable Data Protection Laws in respect of such Processing; (b) safeguard any outputs created or derived from that Processing with security measures that are no less protective than the Security Measures; and (c) not disclose any outputs created or derived from the Mission Furtherance Processing that identify Company and/or any relevant Data Subjects to any third parties (other than its Personnel, and service providers) unless and to the extent: (1) required in order to comply with judicial order or applicable laws; or (2) judged by Thorn to be necessary and proportionate to protect or safeguard the rights, freedoms or well-being of any individual.
3.3 Compatibility. For the purposes of the GDPR, having regard to the nature of the Services, the Mission and the public interest and benefit therein, together with the nature of the relevant Processing (including associated aggregation, anonymization, de-identification or pseudonymization), it is acknowledged that the Mission Furtherance Processing is ‘compatible’ with the purpose(s) for which the Company Personal Data was initially collected.
3.4 Data Subject Awareness. Company shall take appropriate steps to ensure that all Data Subjects of the Company Personal Data are made aware of Thorn’s Mission Furtherance Processing (e.g., by providing such Data Subjects with a suitably prominent link to Thorn’s Privacy Policy).
4. TECHNICAL AND ORGANIZATIONAL MEASURES; ASSISTANCE
4.1 Personnel. Thorn shall take commercially reasonable steps designed to ascertain the reliability of any Thorn Personnel who Process Company Personal Data and shall enter into written contractual confidentiality obligations with all Thorn Personnel who Process Company Personal Data that are not subject to professional or statutory obligations of confidentiality.
4.2 Security. Thorn shall implement and maintain technical and organizational measures in relation to Company Personal Data designed to protect Company Personal Data against Personal Data Breaches as described at https://trust.thorn.org/ or any successor page (the “Security Measures”). Thorn may update the Security Measures from time to time, if the updated measures do not materially decrease the overall protection of Company Personal Data.
4.3 Data Subject Rights. Thorn, taking into account the nature of the Processing of Company Personal Data, shall provide Company with such assistance as may be reasonably necessary and technically feasible to assist Company in fulfilling its obligations to respond to Data Subject Requests. If Thorn receives a Data Subject Request, Company will be responsible for responding to any such request. Thorn shall: (a) promptly notify Company if it receives a Data Subject Request; and (b) not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Company, except as required by Applicable Data Protection Laws.
4.4 DPIAs and Consultations. If and to the extent the GDPR applies to the given Processing of Company Personal Data by Thorn as a Processor, Thorn shall, taking into account the nature of the Processing and the information available to Thorn, provide reasonable assistance to Company, at Company’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Company reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Company Personal Data by Thorn.
5. PERSONAL DATA BREACH
5.1 Notifications. Thorn shall notify Company without undue delay upon Thorn’s confirmation of a Personal Data Breach affecting Company Personal Data. Thorn shall provide Company with information (insofar as such information is within Thorn’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by Thorn) to allow Company to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. Thorn’s notification of or response to a Personal Data Breach shall not be construed as Thorn’s acknowledgement of any fault or liability with respect to the Personal Data Breach. As between the parties, unless and to the extent such Personal Data Breach affects any Personal Data Processed as part of the Mission Furtherance Processing, Company is solely responsible for complying with applicable laws (including notification laws), and fulfilling any third-party notification obligations, related to any Personal Data Breaches affecting Company Personal Data.
5.2 Consultations with Thorn. If Company determines that a Personal Data Breach must be notified to any Supervisory Authority, any other governmental authority, any Data Subject(s), the public or others under Applicable Data Protection Laws or otherwise, to the extent such notice directly or indirectly refers to or identifies Thorn, where permitted by applicable laws, Company agrees to: (a) notify Thorn in advance; and (b) in good faith, consult with Thorn and consider any clarifications or corrections Thorn may reasonably recommend or request to any such notification, which: (i) relate to Thorn’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.
6. SUB-PROCESSING
6.1 General Authorization. Company generally authorizes Thorn to appoint Sub-Processors in accordance with this Section 6. Information about Thorn’s Sub-Processors, including their functions and locations is as shown in the Sub-Processor list set out in Annex 3 (Sub-Processors) (the “Sub-Processor List”). Without limitation, Company authorizes Thorn’s engagement of the Sub-Processors listed on the Sub-Processor List as of the Addendum Effective Date.
6.2 Notification. Thorn shall give Company prior written notice of the appointment of any proposed Sub-Processor, including reasonable details of the Processing to be undertaken by the Sub-Processor, by providing Company with an updated copy of the Sub-Processor List (including via a ‘mailshot’ or similar bulk distribution mechanism sent to Company’s contact point set out in Annex 1 (Data Processing Details)). If, within 14 days of receipt of that notice, Company notifies Thorn in writing of any objections to the proposed appointment (made in good faith and supported by substantiated concerns that the use of that proposed Sub-Processor would cause Company to be in material and unavoidable breach of Applicable Data Protection Laws): (a) Thorn shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services, which avoids the use of that proposed Sub-Processor; and (b) where: (i) such a change cannot be made within 14 days from Thorn’s receipt of Company’s notice; (ii) no commercially reasonable change is available; and/or (iii) Company declines to bear the cost of the proposed change, then either Party may terminate the Agreement by written notice to the other Party as its sole and exclusive remedy. If Company does not object to Thorn’s appointment of a Sub-Processor during the objection period referred to in this Section 6.2, Company shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.
6.3 Thorn Responsibilities. With respect to each Sub-Processor, Thorn shall maintain a written contract between Thorn and the Sub-Processor that includes terms which offer at least an equivalent level of protection for Company Personal Data as those set out in this DPA (including the Security Measures). Thorn shall remain liable for any breach of this DPA caused by a Sub-Processor.
7. DATA TRANSFERS
7.1 Entry into SCCs. In respect of any Restricted Transfer of Company Personal Data from Company to Thorn under this DPA: (a) that is an EEA Restricted Transfer, the parties hereby enter into and agree to comply with their respective obligations set out in the SCCs; and/or (b) that is a UK Restricted Transfer, the parties hereby enter into and agree to comply with their respective obligations set out in the SCCs as varied by the UK Transfer Addendum.
7.2 Population of SCCs. In respect of any SCCs entered into pursuant to Section 7.1, the parties agree as follows: (a) each of the parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs; (b) as applicable: (i) with respect to the Mission Furtherance Processing, Module One of the SCCs applies to the extent there is any EEA Restricted Transfer in this context involving Processing of Company Personal Data in respect of which the parties are separate and independent Controllers, (ii) Module Two of the SCCs applies to any relevant Restricted Transfer involving Processing of Company Personal Data in respect of which Company is a Controller in its own right; and (iii) Module Three of the SCCs applies to any relevant Restricted Transfer involving Processing of Company Personal Data in respect of which Company is itself a Processor; (c) as and where applicable to the relevant Module of the SCCs and the Clauses thereof: (i) in Clause 7, the ‘Docking Clause’ is not used; (ii) in Clause 9, ‘OPTION 2: GENERAL WRITTEN AUTHORISATION’ applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in Section 6.2; (iii) in Clause 11, the optional language is not used; (iv) in Clause 13, all square brackets are removed and all text therein is retained; (v) in Clause 17, ‘OPTION 1’ applies, and the parties agree that the SCCs shall be governed by the law of: (a) Ireland in relation to any EEA Restricted Transfer, and (b) England and Wales in relation to any UK Restricted Transfer; and (vi) in Clause 18(b): the parties agree that any dispute arising from the SCCs: (a) in relation to any EEA Restricted Transfer, shall be resolved by the courts of Ireland; and (b) in relation to any UK Restricted Transfer, shall be resolved by the courts of England and Wales; and (c) in respect of the Annexes to the Appendix to the SCCs: (i) Annex I is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to this DPA; and (ii) Annex II is populated with reference to the information contained in and determined by Section 4.2 of this DPA (including the Security Measures).
7.3 Population of UK Transfer Addendum. Where relevant in accordance with Section 7.1(b), the SCCs apply to any UK Restricted Transfers as varied by the UK Transfer Addendum in the following manner: (a) ‘Part 1 to the UK Transfer Addendum’: (i) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) to this DPA and Section 7.2 of this DPA; and (ii) Table 4 to the UK Transfer Addendum is completed by the box labeled ‘Data Importer’ being deemed to have been ticked; and (b) ‘Part 2 to the UK Transfer Addendum’: the parties agree to be bound by the UK Mandatory Clauses and that the SCCs shall apply to any UK Restricted Transfers as varied in accordance with those Mandatory Clauses.
7.4 Operational Clarifications. In relation to any SCCs entered into pursuant to Section 7.1, the parties agree as follows: (a) when complying with its transparency obligations under Clause 8.3 of the SCCs, Company shall not provide or otherwise make available, and shall take all appropriate steps to protect, Thorn’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information; (b) where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Company acknowledges and agrees that there are no circumstances in which it would be appropriate for Thorn to notify any third-party Controller of any Data Subject Request and that any such notification shall be the sole responsibility of Company; (c) for the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the parties, Company agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required; (d) the terms and conditions of Section 6 apply in relation to Thorn’s appointment and use of Sub-Processors under the SCCs; (e) any approval by Company of Thorn’s appointment of a Sub-Processor that is given expressly or deemed given pursuant to Section 6 constitutes Company’s documented instructions to effect disclosures and onward transfers to any relevant Sub-Processors if and as required under Clause 8.8 of the SCCs; (f) the audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 7; (g) certification of deletion of Company Personal Data as described in Clauses 8.5 and 16(d) of the SCCs shall be provided only upon Company’s written request; (h) in relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in this DPA to the SCCs shall be read as a reference to those SCCs as varied by Section 7.3; and (i) in respect of any given Restricted Transfer, if requested of Company by a Supervisory Authority, Data Subject or further Controller (where applicable), on specific written request accompanied by suitable supporting evidence of the relevant request, Thorn shall provide Company with an executed version of the relevant set(s) of SCCs responsive to the request made of Company (amended and populated in accordance with relevant provisions of this DPA in respect of the relevant Restricted Transfer) for countersignature by Company, onward provision to the relevant requestor, and/or storage to evidence Company’s compliance with Applicable Data Protection Laws.
8. AUDITS
8.1 Information Provision and Audits. Thorn shall make available to Company on reasonable request, such information as Thorn (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA. Subject to Sections 8.1 to 8.3, in the event that Company (acting reasonably) is able to provide documentary evidence that such information is insufficient in the circumstances to demonstrate Thorn’s compliance with this DPA, Thorn shall allow for and contribute to audits by Company or an auditor mandated by Company in relation to the Processing of Company Personal Data by Thorn. Company shall give Thorn reasonable notice of any audit to be conducted under Section 8.1 (which shall in no event be less than 30 days’ notice) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any destruction, damage, injury or disruption to Thorn’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Thorn’s other customers or the availability of Thorn’s services to such other customers).
8.2 Audit Plans. Prior to conducting any audit, Company must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Thorn will review the proposed audit plan and provide Company with any feedback, concerns or questions (for example, any request for information that could compromise Thorn security, privacy, employment or other relevant policies, or that in Thorn’s judgment is overly broad). Thorn will work cooperatively with Company to agree on a final audit plan.
8.3 Limitations. Thorn need not give access to its premises for the purposes of any audit under this Section 8: (a) where a third-party audit report or certification (e.g., SOC 2 Type 2, ISO 2700x, NIST or similar audit report or certification) is provided in lieu of such access (acceptance of which for this purpose shall not be unreasonably withheld, delayed or conditioned by Company); (b) to any individual unless they produce reasonable evidence of their identity; (c) to any auditor whom Thorn has not approved in advance (acting reasonably); (d) to any individual who has not entered into a non-disclosure agreement with Thorn on terms acceptable to Thorn; (e) if Thorn has a physical office location where relevant documentation is maintained, then outside normal business hours at those premises; or (f) on more than one occasion in any calendar year during the term of the Agreement, except for any audits which Company is required to carry out under Applicable Data Protection Laws or by a Supervisory Authority. Nothing in this DPA shall require Thorn to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors make generally available to their customers. Nothing in this Section 8 shall be construed to obligate Thorn to breach any duty of confidentiality.
9. RETURN AND DELETION
9.1 General. Upon expiration or termination of the Agreement, Thorn shall delete or return (following which it shall promptly delete) all Company Personal Data in Thorn’s care, custody or control in accordance with Company’s instructions as to the post-termination return and deletion of Company Personal Data expressed in the Agreement. To the extent that deletion of any Company Personal Data contained in any back-ups maintained by or on behalf of Thorn is not technically feasible within the timeframe set out in Company’s instructions, Thorn shall (a) securely delete such Company Personal Data in accordance with any relevant scheduled back-up deletion routines (e.g., those contained within Thorn’s relevant business continuity and disaster recovery procedures); and (b) pending such deletion, disable access to such Company Personal Data.
9.2 Permitted Retention. Notwithstanding the foregoing, Thorn may retain: (a) Company Personal Data where required by applicable laws, if Thorn maintains the confidentiality of all such Company Personal Data and Processes the Company Personal Data only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention; (b) any outputs created or derived from any Mission Furtherance Processing; and (c) to the extent consistent with the scope of the rights granted by Company to Thorn under the Agreement and Applicable Data Protection Laws, any Company Personal Data as used solely for the Mission Furtherance Processing and then subject always to Section 3 (which shall survive the expiration or termination of the Agreement).
10. COMPANY’S RESPONSIBILITIES
10.1 Security. Company agrees that, without limiting Thorn’s obligations under Section 4.2 of this DPA, Company is solely responsible for its use of the Services, including: (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Company Personal Data; (b) securing the account authentication credentials, systems and devices that Company uses to access the Services; (c) securing Company’s systems and devices that Thorn uses to provide the Services, if any; and (d) backing up Company Personal Data.
10.2 Compliance. Company shall ensure that: (a) there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Thorn of Company Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Company from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and (b) all Data Subjects have: (i) been presented with all required notices and statements (including as required by Articles 12-14 of the GDPR (where applicable)); and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Thorn of Company Personal Data. Company agrees that the Services, the Security Measures, and Thorn’s commitments under this DPA are adequate to meet Company’s needs, including with respect to any security obligations of Company under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Company Personal Data.
10.3 Restricted Data. Company shall not provide or otherwise make available to Thorn any Company Personal Data that contains any (a) Social Security numbers or other government-issued identification numbers; (b) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional; (c) health insurance information; (d) passwords to any online accounts; (e) credentials to any financial accounts; (f) tax return data; (g) any payment card information subject to the Payment Card Industry Data Security Standard; or (h) any other information that falls within any special categories of personal data (as set out in Article 9(1) of the GDPR) and/or data relating to criminal convictions and offences or related security measures (together, “Restricted Data”).
11. VARIOUS
11.1 Incorporation and Application. This DPA shall be incorporated into and form part of the Agreement with effect on and from the Addendum Effective Date. This DPA: (a) except with respect to the Mission Furtherance Processing (and then only where expressly stated herein), applies only if and to the extent that Applicable Data Protection Laws govern Thorn’s Processing of Company Personal Data in performance of the Service(s) as a ‘processor’, ‘service provider’ or similar role defined under Applicable Data Protection Laws; and (b) does not apply to Thorn’s Processing of any Personal Data for its own business/customer relationship administration purposes, its own marketing or service analytics, its own information and systems security purposes supporting the operation of the Services, nor its own legal, regulatory or compliance purposes, nor the Mission Furtherance Processing save as stated herein by express reference to that Mission Furtherance Processing.
11.2 State Privacy Laws. Annex 2 (State Privacy Laws Annex) applies if and to the extent Thorn’s Processing of Company Personal Data on behalf of Company under the Agreement is subject to any of the State Privacy Laws.
11.3 Costs. Except to the extent prohibited by Applicable Data Protection Laws, and beyond providing self-service features included as part of the Services, Company shall compensate Thorn at Thorn’s then-current professional services rates for, and reimburse any costs reasonably incurred by Thorn in the course of providing, cooperation, information, or assistance requested by Company in respect of this DPA (including pursuant to Section 4 and Section 8 of this DPA, but Thorn shall bear its own costs in the event that any audit or inspection conducted in accordance with that Section 8 reveals any material non-compliance by Thorn with this DPA and/or Applicable Data Protection Laws).
11.4 LIABILITY. THE TOTAL AGGREGATE LIABILITY OF EITHER PARTY TOWARDS THE OTHER PARTY, HOWSOEVER ARISING, UNDER OR IN CONNECTION WITH THIS DPA AND THE SCCs (IF AND AS THEY APPLY) WILL UNDER NO CIRCUMSTANCES EXCEED ANY LIMITATIONS OR CAPS ON, AND SHALL BE SUBJECT TO ANY EXCLUSIONS OF, LIABILITY AND LOSS AGREED BY THE PARTIES IN THE AGREEMENT; BUT, NOTHING IN THIS SECTION 11 WILL AFFECT ANY PERSON’S LIABILITY TO DATA SUBJECTS UNDER RELEVANT THIRD-PARTY BENEFICIARY PROVISIONS OF THE SCCS (IF AND AS THEY APPLY).
11.5 Variation. Thorn may on notice vary this DPA to the extent that it reasonably considers necessary to address the requirements of Applicable Data Protection Laws from time to time, including to apply a new transfer mechanism or to comply with relevant changes in the Services and its Processing of Personal Data as part thereof.
11.6 Prevail. In the event of any conflict or inconsistency between: (a) this DPA and the Agreement, this DPA shall prevail; or (b) any SCCs entered into pursuant to Section 7 and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.
ANNEXES
ANNEX 1
Data Processing Details
THORN / ‘DATA IMPORTER’ DETAILS
Name: Thorn, a California public benefit corporation
Address: As set out in the preamble to this DPA
Contact Details for Data Protection: Role: Privacy Lead; Email: privacy@thorn.org
Thorn Activities: Thorn is a provider of certain solutions and product offerings related to the detection, removal and reporting of CSAM by online platforms and services. Thorn’s activities relevant to this DPA are determined by the particular Services contracted for by Company under the Agreement:
Thorn-Hosted Solutions: Safer Match; Safer Predict; Onboarding and Support Services
Self-Hosted Solutions: Safer Enterprise; Safer Predict; Onboarding and Support Services
Role: (Sub-)Processor – in respect of all other Processing of Company Personal Data under this DPA; and
COMPANY / ‘DATA EXPORTER’ DETAILS
Name: The entity or other person who is a counterparty to the Agreement.
Address: The address shown in or determined by the Agreement.
Contact Details for Data Protection: As set forth in the Agreement between Company and Thorn. Company agrees that it is solely responsible for ensuring that such contact details are valid and up to date, and directing relevant communications to the appropriate individual within its organization.
Company Activities: Company is a customer of Thorn, whose relevant activities are the use and receipt of the Services (including associated provision and transfer of Company Personal Data to Thorn) as part of its ongoing business operations under and in accordance with the Agreement, as more fully described above and specified in the applicable Agreement.
Role: Controller – regarding any Processing of Company Personal Data for which Company acts as an independent Controller; and
DETAILS OF PROCESSING
Categories of Data Subjects: The categories of Data Subject whose Personal Data will be Processed by Thorn on behalf of Company will vary based upon the relevant Services to be provided by Thorn to Company:
Thorn-Hosted Solutions. Any individuals who are identifiable from or by any Company Content transmitted to Thorn for Processing (including any individuals shown in digital imagery or videos forming part of that Company Content transmitted to Thorn, or whose text messages are included as part of the Company Content transmitted to Thorn) or who are identifiable from or by any Hashes created by Thorn from such Company Content (but only if and to the extent Hashes constitute or comprise Personal Data under any Applicable Data Protection Laws).
Self-Hosted Solutions. Any individuals who are identifiable from or by any Hashes (but only if and to the extent Hashes constitute or comprise Personal Data under any Applicable Data Protection Laws) or Company Content transmitted to Thorn for Processing (including any individuals shown in digital imagery or videos forming part of that Company Content transmitted to Thorn, or whose text messages are included as part of the Company Content transmitted to Thorn).
Onboarding and Support Services. Any Company Personal Data that is contained in materials or systems provided to or accessed by Thorn Personnel as part of the Onboarding and Support Services.
Categories of Personal Data: The categories of Personal Data that will be Processed by Thorn on behalf of Company will vary based upon the relevant Services to be provided by Thorn to Company:
Thorn-Hosted Solutions. Any Personal Data comprised within any Company Content transmitted by Company to Thorn for Processing (which may include images or depictions of individuals in digital imagery or videos, or individuals’ text messages), and any Hashes created by Thorn from such Company Content (but only if and to the extent Hashes constitute or comprise Personal Data under any Applicable Data Protection Laws).
Self-Hosted Solutions. Any Hashes transmitted by Company to Thorn for Processing (but only if and to the extent Hashes constitute or comprise Personal Data under any Applicable Data Protection Laws), and any Personal Data comprised within any Company Content transmitted to Thorn for Processing (which may include images or depictions of individuals in digital imagery or videos, or individuals’ text messages).
Onboarding and Support Services. Any categories of Company Personal Data that are included in materials or systems provided to or accessed by Thorn Personnel as part of the Onboarding and Support Services.
Sensitive Categories of Data, and associated additional restrictions/safeguards:
Categories of sensitive data: Company acknowledges that Thorn is unable to distinguish between the various categories of data which Company may cause Thorn to Process in its provision of the Services. For this reason, Thorn provides uniform standards of information and data security across the board to all relevant systems and data types. These standards of information and data security are as determined by and set out in Section 4.2 of this DPA. However, as noted in Section 10.3 of this DPA, Company agrees that Restricted Data, which includes ‘sensitive data’ (as defined in Clause 8.7 of the SCCs), must not be submitted to the Services.
Additional safeguards for sensitive data:
Frequency of transfer: Ongoing – as initiated by Company in and through its use, or use on its behalf, of the Services.
Nature of the Processing: Processing operations required in order to provide the Services in accordance with the Agreement.
Purpose of the Processing: Company Personal Data will be processed: (i) as necessary to provide the Services, as initiated by Company in its use thereof, and (ii) to comply with any other reasonable instructions provided by Company in accordance with the terms of this DPA.
Duration of Processing / Retention Period: For the period determined in accordance with the Agreement and DPA, including Section 9 of this DPA.
Transfers to Sub-processors: Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List (as may be updated from time to time in accordance with Section 6 of this DPA).
ANNEX 2
State Privacy Laws Annex
1. In this Annex 2, the terms “business,” “business purpose,” “commercial purpose,” “consumer,” “sell,” “share,” and “service provider” shall have the respective meanings given thereto in the CCPA; and “personal information” shall mean Company Personal Data that constitutes “personal information” as defined in and that is subject to the State Privacy Laws.
2. The business purposes and services for which Thorn is Processing personal information are for Thorn to provide the Services to and on behalf of Company as set forth in the Agreement, as described in more detail in Annex 1 (Data Processing Details) to this DPA.
3. It is the parties’ intent that with respect to any personal information, Thorn is a service provider. Thorn (a) acknowledges that personal information is disclosed by Company only for limited and specific purposes described in the Agreement; (b) shall comply with applicable obligations under the State Privacy Laws and shall provide the same level of privacy protection to personal information as is required by the State Privacy Laws; (c) agrees that Company has the right to take reasonable and appropriate steps under and subject to Section 8 (Audits) of this DPA to help ensure that Thorn’s use of personal information is consistent with Company’s obligations under the State Privacy Laws; (d) shall notify Company in writing of any determination made by Thorn that it can no longer meet its obligations under the State Privacy Laws; and (e) agrees that Company has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
4. Thorn shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purpose specified in the Agreement, or as otherwise permitted by State Privacy Laws; (c) retain, use or disclose the personal information outside of the direct business relationship between Thorn and Company; or (d) save with respect to the Mission Furtherance Processing, combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Thorn’s own interaction with any consumer to whom such personal information pertains except as and to the extent necessary as part of Thorn’s provision of the Services.
5. Thorn shall implement reasonable security procedures and practices appropriate to the nature of the personal information received from, or on behalf of, Company, in accordance with Section 4.2 (Security) of this DPA.
6. When Thorn engages any Sub-Processor, Thorn shall notify Company of such Sub-Processor engagements in accordance with Section 6 (Sub-Processing) of this DPA, and such notice shall satisfy Thorn’s obligation under the State Privacy Laws to give notice of and an opportunity to object to such engagements.
7. Thorn agrees that Company may conduct audits, in accordance with Section 8 (Audits) of this DPA, to help ensure that Thorn’s use of personal information is consistent with Thorn’s obligations under the State Privacy Laws.
8. The parties acknowledge that Thorn’s retention, use and disclosure of personal information by Company’s instructions documented in the Agreement and DPA are integral to Thorn’s provision of the Services and the business relationship between the parties.
9. The parties acknowledge that Thorn’s Processing of Company Personal Data authorized by Company under this DPA is integral to the Services and the business relationship between the parties.
ANNEX 3
Sub-Processors List
Sub-Processor | Function | Location
Amazon Web Services, Inc. | Hosting services provider for all core functionalities of any platform-based elements of the Services | United States
DataDog, Inc. | Application monitoring and systems security | United States
TELUS International AI Inc. | Data labeling services provider | United States